Amag Pharmaceuticals, based in Lexington, Mass., has almost eliminated its internal server network, and couldn't be happier about it. That's because the company, with about 240 employees, is now largely riding on cloud services.
Amag's almost-extinct Windows and Exchange server network had not been well-maintained, cobbled together by employees without oversight of an information-technology division at all, says Nathan McBride, the executive director of IT for the firm. He says he joined the company about three years ago with the express agreement to move the pharma company's network to the cloud.
Company employees had simply gone out and bought what they thought was needed, whether it was laptops, a T-1 line or a switch. But management of it all, especially the Exchange 2003 server, was neglected because there was no one really in charge. But McBride said his goal in becoming the founding member of the IT department wasn't to make the internal network bigger -- it was to shrink it down through a "cloud strategy."
"We call it the five-headed dragon," says McBride about the cloud strategy he put forward calling for use of cloud services for authentication and access, the file system, communications and client management. "I don't think firewalls are necessary. They prohibit work from being accomplished."
While the IT department at Amag did grow with four new technical hires, the company is on track to cut its IT budget overall by adopting cloud services. In addition to moving the Exchange server network to Google Docs, the company also found it could establish single sign-on for employees to use cloud services, whether it was expense reporting, or a specialized healthcare reporting application or SAS business applications hosted in North Carolina. "Everything is in cloud services now," says McBride.
The linchpin for these new cloud services for employees has ended up being cloud-based single-sign-on, says McBride.
He says he looked into what about half a dozen vendors were doing, including Hitachi, Symplified, Okta, IBM Tivoli, Courion and Ping Identity, with the goal the company would migrate off the Imprivata single sign-on appliance it had at the time.
After piloting Okta, Symplified and Ping Identity early last year, the final decision was to go with Okta, says McBride.
One thing Amag looked at was how easy it would be for the cloud vendors to supply specific plug-ins for more than 15 applications. These plug-ins apps would be needed to foster SSO commands between the cloud services, the employee desktops and the cloud-based applications that Amag used elsewhere. "For Okta, the ace card was that they already had it," says McBride. In addition, the CEO from Okta flew in from San Francisco to make the commitment to the SSO project and willingness to build further plug-in apps if need be.
"All the conduits sit at Okta," says McBride. "The user authenticates to Okta," and in the cloud a tunnel is created from the client Web browser to Okta to the application that's hosted in another locale altogether. Instead of storing employee information at Amag, "Okta maintains our profile" of the employee account and which of the many cloud-based services they're allowed to use.
In the new hire or termination process, the hiring manager fills out a form in Google Docs, and depending on the group they're in, they're put in a special profile by Okta, McBride says. The Okta service costs about $25 per person per month.
Any cloud-based service raises the question whether there's a danger of lock-in. Okta is definitely "the broker of trust" with its SSO service, says McBride. But if Amag wanted to transition to another SSO cloud service, it wouldn't be that hard, says McBride. "If we left Okta tomorrow, I'd just cancel my service," he says. "My users would then have to log in remotely themselves." SSO cloud security basically makes it "easier for me to deal with security," he concludes.