One Simple Move to Radically Reset Your Team’s Identity Bandwidth and Increase Security Posture

Are you running instances of Ping’s software (e.g., PingFederate, PingAccess, PingDirectory, or PingCentral) in on-premises data centers? Are you running it in your public cloud environments (e.g., AWS, Google Cloud, Azure, etc.)?

If you said “yes,” to one or both of those questions, who do you have managing that infrastructure? If it’s someone in-house on your team, we have a recommendation: you should get out of the business of managing your identity infrastructure. That type of work is essential, but it’s not unique to your business, so it’s a perfect candidate for handing over to a partner you already trust, like Ping Identity.

It’s time to shift your Ping software to Ping’s cloud. Many enterprises that are long-time users of Ping’s software are upgrading to Ping’s cloud, leveraging PingOne Advanced Services. Whether you want to accelerate your digital transformation efforts, enhance the security and resiliency capabilities of your identity services, or decrease your total cost of ownership, you’ve come to the right place to learn about shifting your Ping software to Ping’s cloud.

#1: Keep Accelerating Digital Transformation, While Cutting Costs

A 2021 Accenture survey established that 90% of business and IT executives agree that to be agile and resilient, their organizations need to fast-forward their digital transformation with the cloud at its core. However, in the 2023 business environment, IT leaders are being asked to cut costs. Moving fast while cutting costs feels counter-intuitive, but it’s the challenging reality of today’s economy that leaders must do more with less. Managing infrastructure in the cloud can be just as resource intensive as managing software on-premises, so organizations should leverage managed infrastructure services wherever possible to achieve operational efficiency.

#2 Keep Up with the Increasing Threat Landscape; 26,448 Software Security Flaws and Counting

The threat landscape continues evolving, and the number of vulnerabilities being announced or reported grows daily. A record 26,448 software security flaws were reported in 2022 alone, according to an analysis by The Stack of Common Vulnerabilities and Exposures (CVEs) data. Since IAM is the front door to your business, when these vulnerabilities come out, IAM professionals need to quickly analyze what they are and see if they affect the infrastructure of our enterprises. When your enterprise is impacted, your IAM organization must quickly mitigate the threat, which slows down business operations for any new functionality and enabling capabilities for your enterprise.

#3 Hiring, Training, and Retaining Identity Expertise When 26% of Your Team Will Quit This Year

The brain drain is real. Some refer to the high rate of employees quitting during 2021 as the Great Resignation. But the U.S. Bureau of Labor Statistics shows that in the past 10 years, the percentage of workers voluntarily leaving jobs each month has been increasing steadily. Even if the rate of monthly quits holds steady at 2.5% (Jan 2023’s total rate across industries), it means that 12 months from now, 26% of your current workforce won’t be on your team anymore. What that means for IT professionals and leaders like you is the need to focus your resources on the most value-added activities for your business. 

Spoiler alert: Infrastructure and Product Operations are NOT the best use of your limited resources—your team should focus on adding value in Experience Management.

Managing your own software requires three general areas of responsibility, as illustrated below.

• You need somebody who does your administration configuration, which we call Experience Management. These folks design the user flows, manage users, applications, secrets, certificates, and policies, and validate testing. 
• You also need somebody to ensure Product Operations run smoothly by promoting across environments, managing custom integrations, understanding base configurations, and managing installation/upgrades. 
• And finally, you need somebody to manage your Infrastructure Operations, including backups, monitoring CPU, and networking. This person is especially critical for when you have a production alarm in the middle of the night.

At Ping, we work across the spectrum of global enterprises, and we have noticed that this top layer of Experience Management is unique to each business. But in the bottom two layers of Product Operations and Infrastructure Operations, 95-100% of every organization’s steps are identical to any other organization running that capability. Most of Ping Identity’s customers say these bottom two maintenance & operations layers consume about 40-60% of their resource bandwidth.

Taking advantage of Ping’s cloud translates into three key benefits for your organization:

1. Reclaim Your Time - Free up to 40-60% of your team's time to support your business by tackling other value-added projects. When an enterprise moves its Ping Identity software to Ping’s cloud, Ping takes over the responsibility and accountability for those two areas of Product Operations and Infrastructure Operations. Your team can focus on strategic efforts that move the needle in terms of delivering a better experience to your workforce and customers.
   
   
2. Reduce Your Total Cost of Ownership -  Save significant IT operational costs without compromising support for challenging enterprise use cases. The cost of operation is much lower when you consume it as a cloud service from us compared to somebody having to build and maintain everything from scratch.
   
   
3. Improve Your Security Posture - With 26,448 software industry security flaws reported in just 2022 alone, staying current on software versions and maintaining optimal security configurations is critical. Ensure you’re protected effectively with the latest, automatic bug fixes and upgrades and optimal cloud security postures managed by cloud identity experts. Ping builds in best practices for cloud security and software configuration based on thousands of existing customers into our PingOne Advanced Services. Automatic upgrades also mean that, without any effort from your team, you’re taking advantage of the latest versions with bug fixes and new security features.

PingOne Advanced Services are Ping’s proven, best-of-breed IAM software products, delivered as-a-service and managed by Ping. The products available through PingOne Advanced Services are PingFederate, PingDirectory, PingAccess, and PingCentral. PingOne Advanced Services is provided as a dedicated tenant, so there are no “noisy neighbor” issues impacting your service uptime. It is built to autoscale to your workloads and auto heals to detect failed instances and recreate them automatically. 

Better Together, But Not Dependent

Since you already use Ping Identity’s software products, you’re likely already familiar with the fact that across the Ping Identity product portfolio, we provide in-depth capabilities that are highly cohesive but loosely coupled. This principle holds across our PingOne Advanced Services offerings. This helps enterprises achieve the flexibility they need because our products are not dependent on one another; e.g., you don’t have to buy authentication and directory from us. But, if you do buy multiple capabilities from us, you get the benefits of “one-plus-one-equals-two” because Ping provides out-of-the-box integrations with our services that can allow you to achieve sophisticated use cases quickly.

Stop Worrying About Usage Spikes

Here are a couple of examples to give you an idea of how scalable PingOne Advanced Services are. An American consumer electronics company that designs and sells TVs, sound bars, viewer data, and advertising has an average of about 35,000 requests per minute. During the Superbowl and the Olympics, their traffic shot up 100x to 3.5M transactions per minute, and PingOne Advanced Services was able to autoscale and address it. Ping employees didn’t even need to suddenly add additional CPUs or additional memory—our system automatically did it and all we did was closely monitor the situation. Another customer, an aircraft manufacturer, has a normal daily consumption of 80B requests.

Unlike some cloud identity service providers, PingOne Advanced Services does not throttle API requests to limit the number of transactions per second, and in the case of a usage spike, Ping won’t send you a surprise bill. So you won’t have to worry about the impact on your operations or unexpected charges.

We Give You Visibility to Monitor Your Infrastructure & Product Operations

Even though Ping is taking over your infrastructure and product operations and we are responsible for fixing any issues, you’ll still want visibility and awareness of what’s happening in your environment. We have options for you to subscribe to the PingOne Advanced Services log files and integrate them with your SIEM tools along with the rest of your stack operations and other monitoring you’d like to have. We also have options for customers to subscribe to our SMS alarming knowing fully that that is just for visibility—Ping is accountable for fixing it. We also provide you with Grafana and Kibana dashboards, which give you in-depth details on how the platform is operating.

Flexible Integration to Your Environments

Concerning the network integration options, we provide you with three different patterns:

• Internet: For customers who want to log in to an admin portal for configuration, call our authentication API or admin APIs, you don't need to build anything unique or special here. PingOne Advanced Services can be delivered entirely over the internet as a full cloud service with no additional requirements.

   

• Simple: If you need support for an LDAP endpoint, we would establish a simple network (VPN) to allow you to access the LDAP endpoint.

   

• Advanced: If you need support for UDP-based protocols (e.g., Kerberos or RADIUS), we offer an advanced networking option where we act as an extension to your on-premises footprint (or wherever your corporate environment resides). We would work with you in putting a dedicated network connection between your infrastructure and PingOne Advanced Services with requests for IP ranges from you so it is visible to your team, and it comes with a lot of additional protection to support this UDP-based protocol.

   

Regarding environments, a sandbox Dev instance and a Production instance are included in your PingOne Advanced Services license.

• Dev (Included) is a small two-node instance where developers can quickly configure PingOne Advanced Services and validate that it works. 

• Production (Included) comes with the sizing required to support your full production volume, and it can run in as many geographies and regions with as many nodes as is required. 

   

If your organization needs a standalone QA environment, you have the option of purchasing a Test environment. If you are in the practice of doing regular load and performance testing, you have the option of purchasing a Stage environment that mimics and is identical to Production with regards to the same number of geographies, regions, and nodes.

Regional Replication & Redundancy

PingOne Advanced Services is offered globally through multi-region, geo-location-based routing that helps deliver low latency login experiences worldwide. In each of the three regions, we operate in at least two data center locations:

• North America: Ohio and Portland for U.S., and Montreal for Canada
• Europe, Middle East, and Africa: Ireland and Frankfurt
• Asia Pacific: Sydney and Singapore

We understand that the global landscape and the regulations around data residency are continuing to evolve, so we allow you the flexibility to decide what’s best for your business:

• Global: You can consume your PingOne Advanced Services as a cluster across all three regions so that no matter where your customers coming from, they have the same low latency and fast response time.

   

• Multi-Region: If you have strict data residency requirements and you need, for example, data in Europe to remain only in the Europe region and not the U.S. region, you could run multi-region, clustering each of these three geographies as independent solutions, thus providing you options to meet your global residency needs.

   

Based on your data residency or localization needs, Ping sets up the appropriate footprint that supports your business, whether that means a tenant operating in a single region, multi-region environments clustered together, or even segregated tenants in each independent region.

The journey to Ping’s cloud isn’t for pioneers anymore; it’s been around for several years and is now a proven path. Let’s cover the most common questions raised by early adopters. 

Will Moving to Ping’s Cloud Break Anything?

“If it ain’t broke, don’t fix it.” One common concern is that if things are working right now, will the move to Ping’s cloud break things? What can I do to reduce the risk of interrupting my business?

Ping has proven paths for migrating Ping software to Ping’s cloud. We provide two patterns for you to migrate on your timeline: a flash cut-over or a phased migration. Our Professional Services team will help you vet your current instance and identify the optimum path to migrate into the cloud as you embark on this journey.

Option 1: Flash Cut-Over.
Take your current Ping Identity software, bring those configurations to PingOne Advanced Services, then re-point your applications to your PingOne Advanced Services environment. If your implementation is primarily out-of-the-box PingFederate, your migration could be as simple as these five steps:

1. Build your PingOne Advanced Services environment
   
   
2. Export configurations from existing PingFederate environments
   
   
3. We run your configuration through our upgrade factory to upgrade your software to the latest version in PingOne Advanced Services
   
   
4. Upload your configuration into your PingOne Advanced Services environment and migrate hostnames/TLS certifications
   
   
5. Re-point your DNS

Option 2: Phased Migration
Bring apps over in groups, so there’s no “big bang.” This calculated approach allows you to rearchitect and reimagine the identity services you provide your application owners, even adding new innovative PingOne Services from the PingOne Cloud Platform that you don’t already have.

How Much Effort Will My IAM Team Need To Exert Across the Phases of the Cloud Upgrade?

A typical project staffing is illustrated below. Assume the black line refers to your average IAM bandwidth on a day-to-day basis for you to operate your existing Ping software.

• Discovery & Design: The initial discovery and design state would require your team to dedicate more resources than usual to provide Ping’s Professional Services team with information on how you use our products.

   

• Build & Upgrade Plan: In this phase, the Ping Professional Services team will do the heavy lifting, so your team can take a breather.

   

• Testing: Your team must re-engage and validate that everything works according to your needs. 

   

• GA: During the migration, the Ping Professional Services team would do the bulk of work and you would start seeing your team's operations & maintenance work activity coming down.

   

• Operations: Post-migration, about 40-60% of your team's IAM bandwidth frees up, allowing you to accelerate other digital transformation projects.

   

What is the ROI of this Cloud Upgrade in Terms of Business Value?

While PingOne Advanced Services requires a financial investment greater than your current software-only licenses, the return on investment comes from business value captured in three areas:

1. Hardware infrastructure savings
   
   
2. Maintenance & operations savings
   
   
3. Business agility from accelerating the launch of new IAM services to more applications

Most customers break even on their initial investment in PingOne Advanced services within 6-10 months—in other words, the investment should pay for itself within 10 months. And when you look out at three years, we typically see a 200-300% return on investment.

Will We Lose Any Functionality?

There’s a reason you use Ping’s software today. As an enterprise organization, you require best-of-breed technology with deep capabilities, scalability, and resiliency. Ping’s advanced capabilities surpass most identity vendors focusing on the SMB market. You can’t lose any critical functionality or customization you have in place. 

You keep using the same software when you shift your Ping software into Ping’s cloud. You’re just consuming it as a cloud service. So you get all the benefits mentioned before without losing the sophisticated functionality your business demands. And if there is any uniqueness to your footprint regarding non-standard integration kits that you procured from Ping Identity, we would ensure that those are also available in your PingOne Advanced Services footprint.

How Quickly Do You Autoscale? Do You Need To See Prolonged Lower or Higher Usage to Autoscale?

Thanks to the dedicated tenant environment we set up for each enterprise customer, we work with you to identify your actual load and peak and set your baseline solution to handle upwards of 125% of your peak. When your traffic reaches the peak, two things happen: 1) your 25% buffer is handling the load, and 2) when you are past peak for 3-5 minutes, it triggers the system to start spinning up additional nodes to provide you autoscaling. 

And you don’t need to wait if you know a big activity is coming. For instance, if you’re in the retail space and need to account for Black Friday and want to scale up, we can manually spin up additional nodes without waiting for the load to trigger anything.

Can We Convert our Current Software Licenses to PingOne Advanced Services?

Absolutely. PingOne Advanced Services is a different entitlement than software licenses alone, but we would not ask organizations already paying for a current software license to double-pay. We would work with you regarding an appropriate migration window (i.e., how long do you need to co-exist with on-premises environments before you fully cut over to the cloud service?) and we can explain your options for converting those licenses over into your PingOne Advanced Services tenant.

If We’re in the Software Implementation Phase With Ping, but We’re Not Yet in Production, Do You Recommend Going to the Cloud Directly?

It depends on your business’s goals. We will work with you to identify the best path forward in your case. But in most cases, yes. Starting in Ping’s cloud immediately means you don’t have to stand up your infrastructure or build your team’s understanding of all those layers. You short-circuit those steps and can start using the software’s sophisticated capabilities without worrying about operations.

Honeywell, a Fortune 100 company, had a successful experience upgrading to PingOne Advanced Services, according to Davis Arora, Senior Director of Cybersecurity on the Honeywell global security team. In a webinar called Increase Efficiency: Migrate Your Ping Software to Our Cloud, Arora describes himself as the “one throat to choke for identity” and shares how Honeywell leverages Ping Identity for authentication/authorization for both their workforce and customer revenue-generating apps. As of 2022, they had ~1,000 applications integrated with PingOne Advanced Single Sign-On.

The company had several drivers for moving its Ping software to Ping’s cloud. The biggest C-level and business stakeholder concern was to improve resilience and redundancy and to support customer revenue-generating applications and services with 99.99% availability. Although it was not impossible, the security team previously found it challenging to avoid outages for upgrades and patches and sometimes experienced outages due to dependencies on other on-premises services. Additionally, they wanted to solve the problem of resource constraints on the SSO team by forgoing bug fixes, patches, upgrades, and in-depth knowledge needed to keep the on-premise software live, available, and meeting business stakeholder demands. Another major driver was that they simply wanted to get out of the business of hosting such a critical service in their on-premises global data centers.

One of the biggest challenges was overall change management across the business. Honeywell has four distinct business groups in aerospace, building technologies, performance materials, and safety solutions. This means that the global security team caters to the diverse needs of each business group, each with its own specific set of products, services, and customer base to ensure that global identity services are scalable and flexible enough to meet their specific requirements. In preparation for this migration, the Honeywell global security team partnered with all their application teams within each of the different businesses and enterprise IT to understand their needs. They used those requirements to streamline their standard code patterns and intake forms for application owners to easily onboard apps and enroll their apps in centralized, adaptive risk-based MFA services. They delivered these instructions with significant training that helped application owners understand how they could have modern IAM services and higher availability, redundancy, availability and security with MFA everywhere.

Honeywell took a phased approach, spinning up and down different levels of support with migration for different application teams, depending on their expertise or support model. In just 90 days, they got the environment up and ready for production. Starting in January 2022, they stopped allowing any new applications to be onboarded to the on-premises PingFederate environment and instead all new applications were onboarded to PingFederate in the PingOne Advanced Services environment. Since then, they have migrated 700-750 applications that were previously leveraging the on-premises service. They also put in place an enterprise-wide request for application owners to integrate with the SSO service every time they roll out a new app to the enterprise or customers, making it easy for applications to deliver seamless authentication services using integrations like Windows Hello for business.

Honeywell completed their journey in 2022 by deprecating the on-premises PingFederate instances. The next evolution for Honeywell is currently around cross-connecting specific technologies to build a Zero Trust ecosystem, leveraging PingOne DaVinci as that orchestration layer to effectively deal with device, network, and user validation continuously.

For large global enterprises and organizations, migrating to Ping’s cloud offers the greatest flexibility with the optimal balance of security and cost and the agility needed to rapidly respond to changing priorities and support new initiatives.

With PingOne Advanced Services, you can:

• Enable digital transformation initiatives with the cloud at its core

• Reduce vulnerabilities by optimizing cloud security posture

• Reset your IAM team’s bandwidth to focus on strategic initiatives

   

To learn more about how Ping can support your business, explore our PingOne Advanced Services webpage.