How Orum Enforced Compliance and Reduced Login Pain at Scale

Challenge

When Roland Miller joined Orum as VP of Security and Compliance, the fully remote company was growing fast but had minimal security infrastructure in place.

“I came into the organization and we didn’t have ISO or SOC programs yet,” Miller said. “So as I started implementing controls around these regulations, I had to start deploying device management tools, password policies, password vaulting, and more. But these controls caused a lot of friction because every time the employees had to check their phones for the code as they switched applications or were logged out.”

This password-based experience was slow, painful, and incompatible with supporting productivity for a global, remote workforce. 

Miller explains, “My end users are out there trying to access their application and go to work. They don’t want to constantly be logged out and then have to login but as a business we’re trying to maintain compliance controls in the backend.”

Making the situation even more complicated, being a fully remote company means employees have the freedom to travel but under privacy laws, such as GDPR, sensitive data can only be accessed from specific locations like North America. 

“We have to be careful about not allowing certain access when people are traveling. Having tools that give me that capability is really important. It’s not like employees are coming into an office and only accessing data from a workstation.”

‍
Solution

Miller encountered Beyond Identity at RSA and immediately saw a way forward for his situation which is ensuring frictionless yet secure access for a 100% remote workforce subjected to a matrix of compliance regulations. 

“It really clicked for me that access needs to be seamless but I have to throw up all these gates because there are constant threats. It’s not all about the user either,” he adds. “It’s about the device too. There are constant threats like a zero day to your laptop, applications on your phone, or software that just isn’t patched.”

‍

With Beyond Identity, Orum deployed:

• Universal passwordless multi-factor authentication (MFA) across all operating systems without forcing the user to pick up a second device
  
• Continuous device risk checks at login to block jailbroken, unpatched, misconfigured, or otherwise risky devices
  
• Geolocation checks and enforcement to restrict access based on location per regulatory requirements for mobile devices with the ability to test policies in monitor mode prior to full enforcement‍
• Fine-grained BYOD controls for mobile devices with the ability to test policies in monitor mode prior to full enforcement

“When accessing corporate data, I want to be sure it’s not just the right person, but the right device. Everybody has an iPhone or an Android, and I can apply security controls to those to verify that the devices aren't rooted or jailbroken. If they are, my policy blocks them from being able to access data from that device. I can sleep at night knowing the devices my users are accessing through are safe.”

‍

Miller also appreciated, from the admin side, the flexibility to test policies before enforcement:

“I didn’t have to turn any policy with a binary on or off. I could set policies to monitor first, then refine. I could roll out 30+ policies gradually and tune them without locking user out.”

‍

Results

With Beyond Identity in place, Orum turned identity into a compliance and security strength without disrupting user productivity.

As Miller says, “The key benefit for me is assurance. It’s knowing that it’s my user using a trusted device that I issued or a trusted device that I know is configured to be safe.”

‍

Frictionless logins that users noticed

Employees noticed the difference.

“A new Customer Success Manager saw how her peers were logging in instantly without 2FA prompts. She came to me asking, ‘How do I get that?’ And I told her, 'It's actually really easy, the email is already in your inbox.'" As Miller recounts, “It was a lightbulb moment for her. She could finally stop pulling out her phone every five minutes.”

‍
Compliance readiness across a remote workforce

Orum enforced ISO, SOC, and GDPR requirements across a global workforce, with location- and device-based risk policies that ran silently in the background achieving compliance without sacrificing usability. 

“We handle sensitive data, PII, and our workforce operates in multiple jurisdictions. Beyond Identity lets me ensure access is restricted based on device security and location,” Miller said. 

‍

Reduced IT support load

When all logins are passwordless, there is no longer a need for passwords and password resets. In fact, password resets become a warning sign. Miller points out, “We don’t see password resets anymore. If someone is resetting a password, it probably means something else is very wrong.”

‍
Risky devices blocked in real-time, continuously

Beyond Identity denies access if a device is compromised, even on unmanaged devices. 30+ risk policies are enforced continuously for all devices to give Orum the confidence to allow remote work with BYOD. 

“I can see where users log in from, and even trace phishing attempts back to a specific location and IP address. For instance, I saw an unsuccessful login where somebody tried to register a device in Pakistan and it failed. I went to look at it, and it was an unknown device.”

Moreover, Miller identifies the importance of continuously enforcing risk-based adaptive access policies. He said, “An hour ago, my device might have been fine. But all of a sudden, my phone gets hacked in some way, they jailbreak it. And then the next time I log in Beyond Identity goes, 'Hey, this device has been jailbroken, I'm gonna deny access.'"

‍

The big picture

Orum’s team spans the globe. They access cloud applications from planes, coffee shops, and home offices. For Miller, the future of identity is about zero assumptions. Beyond Identity shifted the focus from patchwork technology to a unified prevention solution that eliminates unauthorized access outright, stopping risky logins before they ever happen. 

As Miller puts it, “Rather than trying to capture and react to incidents after the fact, it'd be better to have a tool in place that allows me to block those kinds of attacks and have an anti-phishing style identity solution in place before the attack can happen. It's hard to be 24/7 so the more I can do to prevent people from getting into trouble, the better.”

‍