How IT infrastructure provider Kyndryl made identity security central to its digital transformation

When IT infrastructure provider Kyndryl was spun out of IBM in late 2021, the new company's leaders were given a two-year deadline. Per a transition service agreement (TSA) between the two enterprises, Kyndryl was legally obligated to exit all of IBM's in-house applications and platforms within 24 months or face fines and penalties.

Kyndryl's top brass saw this not as a threat but as an opportunity. It gave them the motivation to undergo a digital transformation, radically streamlining what it saw as IBM's outdated infrastructure-services business into a modern, efficient, forward-looking enterprise using the latest networking and security technologies.

"Most of the technology, infrastructure, and employee work environments Kyndryl inherited through the TSA weren't fit for purpose," wrote Michael Bradshaw, SVP and Global Practice Leader for Application, AI and Data at Kyndryl, in a company blog post. "The legacy systems and tools were unable to support our long-term vision of a lean, modern, and secure operating environment. Simply put, neither the technology systems nor the costs to operate them aligned with the type of modern organization we were trying to create."

From on-prem to zero trust

In the past three years, Kyndryl has gone from a primarily on-premises network architecture with 65 data centers to a cloud-first, SASE-based, zero-trust network model using four hyperscaler locations.

Many of Kyndryl's 90,000 employees around the world have transitioned to a hybrid workplace model, often working remotely or from home. Eighteen hundred in-house applications have been whittled down to about 360.

With the adoption of zero trust, Kyndryl naturally had to shift to an identity-based security model. Kyndryl CISO Cory Musselman says that Okta and its Workforce Identity Cloud solution have been an integral part of Kyndryl's digital transformation and are central to its networking and security architecture.

"We had to build the whole [cybersecurity] program from the ground up," Musselman told us in an interview. "The strategies, the processes, the methods, the technology, all while the business was still continuing to function."

He likened the process to rebuilding a car while it was running — but Kyndryl didn't have to rebuild the car alone.

"One of the areas we started in was in identity," Musselman said. "That's where we partnered with Okta. We had inherited twenty-six identity applications with our spin-out, and we consolidated all of that down into the Okta platform."

At the time of the spin-off, he said, every Kyndryl employee had five different identities, with five different sets of usernames and passwords, to be able to access the various legacy platforms inherited from IBM. With Okta's help, Musselman said, those five identities were reduced to one for each employee.

The core of security

Identity, and the assurance that Okta can provide, are at the heart of Kyndryl's security strategy, Musselman explained.

"Obviously, one of the main pillars of a zero-trust framework is identity," he said. "It ties everything together, especially as a cloud-first company. The days are long gone for us where you can build the moat around your perimeter and protect the perimeter."

In his blog post, Bradshaw listed two goals for Kyndryl's identity-management transformation: first, to reduce and limit the numbers of identities each employee would need; and second, to establish a role-based least-privilege framework for every user and identity.

Implementing a new identity schema from the ground up let Kyndryl erase legacy privileges and start over fresh, cutting down the chances of compromise due to excessive user permissions.

"Least-privilege birthright reduces operational risks," Bradshaw explained, "by granting employees access only to the tools and data that are essential for them to perform their jobs."
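The role-based birthright model Bradshaw describes, as an added example that is not Kyndryl's or Okta's code: legacy accounts for one employee are collapsed into a single identity, entitlements are derived from the role alone, and any legacy grant outside that birthright set is reported as excess instead of being carried forward. The role names, entitlement names, employee id and the BIRTHRIGHT policy are constructed sample data.

```python
# Added example, not Kyndryl's or Okta's code: a minimal role-based
# least-privilege "birthright" model. Legacy accounts are merged into one
# identity, access is granted from role alone, and legacy grants outside
# the birthright set are flagged as excess rather than migrated.
# All names, roles and entitlements below are constructed sample data.
from dataclasses import dataclass, field

# Constructed role-to-entitlement policy (assumption, not a real policy).
BIRTHRIGHT = {
    "sre": {"email", "chat", "ticketing", "cloud-console-ro", "pager"},
    "finance": {"email", "chat", "ticketing", "erp-gl"},
}

@dataclass(frozen=True)
class LegacyAccount:
    system: str            # legacy platform the account lived on
    username: str
    entitlements: frozenset

@dataclass
class Identity:
    employee_id: str
    role: str
    granted: set = field(default_factory=set)  # role-derived birthright
    excess: set = field(default_factory=set)   # legacy grants dropped
    legacy_accounts: int = 0

def consolidate(employee_id: str, role: str, accounts: list) -> Identity:
    """Merge legacy accounts into one identity with role-derived birthright."""
    if role not in BIRTHRIGHT:
        raise ValueError(f"no birthright policy for role {role!r}")
    ident = Identity(employee_id=employee_id, role=role, legacy_accounts=len(accounts))
    ident.granted = set(BIRTHRIGHT[role])
    union = set().union(*(a.entitlements for a in accounts))  # everything legacy held
    ident.excess = union - ident.granted                       # not re-granted
    return ident

# Constructed sample: five legacy accounts for one SRE, mirroring the
# "five identities per employee" starting point described in the article.
SAMPLE = [
    LegacyAccount("mail", "jdoe", frozenset({"email"})),
    LegacyAccount("hr", "doe_j", frozenset({"chat", "ticketing"})),
    LegacyAccount("cloud", "jdoe2", frozenset({"cloud-console-ro", "cloud-console-admin"})),
    LegacyAccount("erp", "jd", frozenset({"erp-gl"})),
    LegacyAccount("ops", "jdoe", frozenset({"pager", "prod-db-admin"})),
]

if __name__ == "__main__":
    print(consolidate("E1001", "sre", SAMPLE))
```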

Identity-based security also lets Kyndryl function efficiently on a global scale across multiple time zones, SaaS applications and cloud environments, Musselman said, adding that Okta's identity platform feeds valuable data into Kyndryl's other security tools.

Tying it all together

"What [Okta] allows us to do from the security-stack perspective is tie the different pieces together, whether it is network security, endpoint security, our SIEM and our automation with our SOAR, whether it's the analysts who are looking at the wire for malicious activity," he said. "Identity is that common thing that crisscrosses all of that technology. If there's potential malicious activity on an employee's device, we can tie that right into their identity and either isolate their identity, isolate their device, or isolate both."

Okta also adds a tremendous amount of visibility into Kyndryl's cloud and SaaS systems, Musselman said: "Without that, you're playing a little bit of whack-a-mole."

As a global company with tens of thousands of employees, Kyndryl has to comply with dozens of legal and regulatory frameworks around the world. Musselman said Okta is essential to Kyndryl's ability to adapt to local compliance needs.

A perfect example of that flexibility, simplicity and scalability, Musselman added, is Okta's FastPass passwordless authentication solution.

"That's a technology that brings a better security outcome for my team, but it's also a better employee experience," he said. "It was one of those true win-wins when you look at it from a security perspective, because our employees were so happy to have it. At the same time, my team was so thrilled that it was in place."

Three lessons of digital transformation

Now that Kyndryl has largely completed its digital and identity transformation, what kind of lessons from the experience could Musselman share? He gave three examples:

The first lesson: Don't be overwhelmed. Every step on the journey brings better security, agility and value for the company, and a better employee experience. "Implement them one at a time," he said. "Don't try to eat the whole elephant at once. Just do it a bite at a time."

The second lesson is to understand all the stakeholders in your environment, including vendors and shared-service providers, before embarking on the transformation. Make sure they understand you. Mutual understanding from the get-go will go a long way toward preventing potential disagreements down the road. "Understand them, their requirements, how their business functions, because you can make changes in that identity platform that can actually make your business's life harder, not easier," Musselman said. "Having that relationship and building that in will likely make you successful."

The third lesson is to reach out to other companies and organizations that have undertaken similar transformations and ask for their advice.

"You're not alone," Musselman said. "You're not the first one to walk this journey. You're not going to be the last. We've all stubbed our toes or tripped along the way. Reach out to folks who have done it. Get that advice right. Let them help you with some of those missteps so that you don't make them."

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
