Flex streamlines app access for 20k suppliers with IAM overhaul

As a contract manufacturer for over 1,000 customers, including some of the world’s largest technology companies, Flex Ltd a few years ago needed a more secure way to manage supplier access to its systems.

The company’s thousands of supply chain partners, scattered around the globe, ranged in size from tiny mom-and-pop outfits with little more than a Gmail address to large global companies. Many used multiple accounts and systems for accessing apps at Flex and the company had no centralized way to manage passwords or for provisioning and de-provisioning supplier access to its network. Flex’s ability to detect suspicious and abnormal activity was also limited because of the highly distributed nature of its identity and access environment for suppliers. 

An IAM overhaul

With the lessons of the massive breach at Target—caused by hackers using network credentials stolen from a partner—still relatively fresh, leaders at Flex decided to overhaul the company’s identity and access management (IAM) infrastructure for suppliers.

Flex executives wanted to make sure that critical intellectual property (IP) and data belonging to customers for whom it was designing, building and distributing products remained safe on its systems. The company also wanted to ensure a better experience for suppliers accessing its cloud and on-premises apps. “We needed to set things right for more visibility and also for more user-friendliness for suppliers to engage with us,” says Fritz Wetschnig, CISO and vice president enterprise information technology at Flex.

The company decided to eliminate the multiple accounts suppliers were using to access its systems and instead implement a single sign-on (SSO) process with least-privilege access. “We also wanted visibility and transparency in access logs because if you have multiple access points it is hard to find deviations and suspicious behavior from a security perspective,” Wetschnig says. “So we wanted to have centralized logs.” 

From a technology standpoint Flex’s requirements were clear. The company wanted a software-as-a-service (SaaS) application that could provide suppliers globally with SSO access to its collection of on-premises and cloud systems. The technology needed to support SAML 2.0, adaptive multi-factor authentication (MFA), automated onboarding and offboarding of third-party user identities, and centralized log collection. The technology also needed to be versatile enough to serve as the identity foundation for Flex’s long-term goal of implementing a zero-trust authentication and access model.

Flex chose Okta as its new IAM platform. Wetschnig says Okta’s technology met all Flex’s requirements for MFA, SSO, centralized directory management and lifecycle management of supplier identities. “We had ADFS (Active Directory Federation Services) and AD, but it was all on-premise and our suppliers were 20% in SaaS applications,” Flex’s CISO says. “We thought it didn’t make any sense to continue with an on-premise platform [in an age of cloud and hybrid services],” Wetschnig says.

A simplified access model reduces help desk calls

That was about four years ago. Since then, the $25 billion Flex has moved its entire network of over 20,000 suppliers to the new IAM platform. Personnel working for these suppliers access Flex’s system via a simple webpage login. Each user has a single account and set of credentials governing access to systems they are entitled to access. Multi-factor requirements are enforced as required, typically using the user’s mobile device as a second authentication factor.

The platform has eliminated the need for users to remember multiple passwords or to maintain multiple accounts to access different systems. “It’s a very lean process” and a significant improvement in the overall user experience, Wetschnig says. “Our help desk calls have gone down significantly by 75% to 80%, which shows this is working.”

From an operational standpoint, Flex now has access to a centralized repository of logs that it can use to keep an eye on supplier access to its systems and to customer data. The completely web-based approach has eliminated the need for VPN access for suppliers. Importantly, Flex now has a far more efficient way to provision and terminate access to its system for supplier staff.

Mitigating third-party access risks

Many companies become vulnerable to compromise via third-party access. In a November 2019 report from One Identity, 94% of the over 1,000 IT professionals surveyed said their organizations gave third-party users access to the enterprise network—in many cases privileged account access. More than six in ten (61%) were not sure if those users had accessed or attempted to access unauthorized data, and only 21% had mechanisms in place for immediately revoking access for third-party users who no longer work for their company.

“Password management, onboarding, transfer and offboarding,” are all challenges that organizations encounter when dealing with supplier access, says Andras Cser, an analyst with Forrester Research. “A third party supplier has to ensure that it terminates an employee across all their systems, including the systems and identity providers that allow access to the federation partners’ apps.” Often suppliers do not terminate such access in time for departing employees, leaving the employees with continued access not just to the supplier’s apps but also to the apps of their business partners, he notes.

Okta’s approach allows Flex to directly integrate to their partner ID systems. So when a third-party employee leaves their job, or is terminated, the user access gets automatically terminated in the supplier portal as well. When a partner does not have an ID system, Flex can use Okta to provide the partner with a centralized space for storing and managing their IDs.

Following its successful B2B rollout, Flex decided to use Okta to streamline access for over 100,000 plant floor workers at its manufacturing facilities worldwide. Unlike the company’s knowledge workers, Flex’s plant floor workers needed access to only a very narrow set of apps, such as those pertaining to time and attendance and to general company information.

Because of the limited access requirements, Flex did not want to set each plant floor worker up with an AD account, Wetschnig says. “We didn’t give them an AD account because it wasn’t cost-effective,” he says. “If you are on the shop floor, you only need to access to these apps once or twice a month.”

Flex’s approach instead was to provide plant floor workers with an Okta mobile app for accessing the applications via a web login. “Okta has this great model where you get optimized pricing if you only have a limited set” of access requirements, he says. Flex has also set up kiosks on its plant floors that factory workers can use to access overtime and attendance information and other data.

Next: API access management

Flex has currently deployed its new platform enterprise-wide to streamline IAM for its employees, suppliers and its contract-manufacturing customers. The biggest challenge now, Wetschnig says, is finding the right balance between what needs to remain on premises and what can be migrated to the cloud.

Over the next few years the company is planning on using Okta to enable API access management so it becomes easier for third parties and others to access and build new application and services around its data. The company’s manufacturing plants are also getting increasingly automated, and soon Flex will need to figure out new ways to identify and configure secure access for robots and other smart devices.

As all of the change plays out, one of Flex’s big challenges will be to figure out what it needs to keep close and what it can put in the cloud. “What I have seen is that we don’t respect legacy applications enough,” Wetschnig says. “There’s a reason why we set them up in a certain way and why it is that complicated.” Sometimes, things that work in an on-premises setting are not easily replicated in the cloud.

“A lot of reports are saying are saying 90% [of applications] will be moved to the cloud, 95% will be moved to the cloud. I haven’t seen that personally,” Wetschnig notes. “There’ll always be a set of legacy apps and cloud-native apps.”