Case Study: Ogilvy & Mather - Web Services Security by Layer7Tech


Ogilvy & Mather
Connecting Clients Worldwide with SOA

Ogilvy & Mather has built some of the most famous brand names in history since its Madison Avenue origins in 1948. Today, Ogilvy encompasses 497 offices in 162 countries. But therein lay the origins of an IT problem: while relationships are best handled locally, creativity knows no bounds. In order to facilitate collaboration between a worldwide team of creative professionals, partners and clients, Ogilvy needed a way to move extremely large media files rapidly and securely.

Ogilvy by the Numbers
Founded in 1948
Approximately 16,000 employees
More than 497 offices serving clients in 162 countries
Clients include a majority of the companies in the Fortune 500
Composed of 7 divisions: OgilvyOne, OgilvyInteractive, Neo@Ogilvy, Ogilvy PR, Ogilvy Healthworld, OgilvyAction, and OgilvyEntertainment

The Business Challenge
Up until 2001, Ogilvy had been building custom web applications to give authorized personnel, partners and customers access to collaborative functionality via a Web browser. According to Andres Andreu, Technical Director of Web Engineering and Applications at Ogilvy, “We started writing [Web applications] to meet some client needs to tap into sources of data and provide them some functionality in return. We [stored] their user data [in LDAP sources] on our side so that they could use [our] applications.”

      However, the solution was not scalable. Andreu: “We found ourselves writing Web based apps to facilitate these
      needs and I sat down one day and said ‘this is not efficient.’ It’s fine if you’re doing it for one client. But when the
      second, and the third, and the fourth start asking for the same thing, yet they all want it customized to their needs.
      That’s certainly not the right approach.”

      Web Services to the Rescue
      Web services offered a way out of the custom-built merry-go-round by providing a common, reusable framework
      that was far easier to customize for each client’s needs than modifying a Web application. Once familiar with
      building Web services, Ogilvy decided to tackle their next biggest issue: LDAP exports and imports. “We used the
      Web services framework to abstract access to our entire directory space,” explained Andreu. “Prior to that, the
      other side of the world had to be in tune with our schema… We bought ourselves a lot of flexibility, or loose
      coupling if you will, of the systems.”

      So now Ogilvy had a flexible Web services-based system that could authorize users before granting them access to
      the shared functionality. The only problem was that once those users were on the network, they had access to
      everything – they just didn’t know it because the end points and formats weren’t published. ‘Security through
      obscurity’ is little better than no security at all, so Ogilvy began the search for a way to implement end point

      Ensuring Security
      But solutions that identity-enabled Web services were hard to come by, especially one that could meet all of
      Ogilvy’s requirements. As a result, they even toyed with building a solution themselves, but quickly abandoned the
      idea when they realized how complex an undertaking it was. Then Andreu stumbled across an offering from Layer
      7 called the SecureSpan Gateway which, coupled with the SecureSpan XML VPN Client (XVC) sounded like it might
      be a good fit. The XVC would be the key – automatically negotiating the “handshake” between the customer and
      Ogilvy without requiring any IT resources on the customer’s side. Any changes Ogilvy made to their security
      parameters going forward (such as requiring encryption, credentials, digital signatures, and so on) would be
      seamlessly accounted for by the XVC. There would be no need for the customer to recode their application to take
      into account the new security requirements.

“I can’t stand PowerPoint presentations. Give me the box, and let’s get down,” stated Andreu. “So they came, put
the box in, left us with all the information we needed, and they went back home. We wrote PERL scripts to become
the consumer, and we verified everything…I threw our security team at it, and we just hammered away. And it
held up. It was amazing to me, because we haven’t seen a clean Proof of Concept like that in a while.”

“Once we verified everything internally we got an external application and an external client involved for a
prototype,” explained Andreu. “We had scheduled three days’ worth of integration time between them and us, and
we were done in less than a day. Usually three days means two weeks, right? It was great because we all sat there,
half a day in, [going] ‘this looks like it’s going to finish today…this is too good to be true.’ But it was true, and it’s
been a success ever since.”

After three months, because the proof of concept went so well and the vendor check so smoothly, Ogilvy decided
to move Layer 7 into production at seven client locations. Because the SecureSpan Gateway and XML VPN Client
are able to seamlessly talk to one another and resolve all identity and security issues automatically, the customers
were up and running literally in a matter of minutes after installing the Client. Customers that preferred to use
their existing WS-Security- or SAML-based solutions could also be accommodated by the SecureSpan Gateway.

The Results
Today, Layer 7 forms the security backbone not only of Ogilvy’s client interaction strategy, but also many of their
internal systems, as well. “It’s one of the things we’re doing radically different now,” stated Andreu. “Let’s say an
application in India has a database, and we want to keep their database synchronized with our LDAP. There’s no
more batch processing scheduled. If there’s an application that triggers a change in LDAP, that will trigger a SOAP
client call out to the service in India and update their database. This is one of the ways we’re using this whole
framework. And that buys us the flexibility out at the edge.”

Sarbanes-Oxley
“[The Layer 7 solution has] even given us an advantage on Sarbanes Oxley compliance, because with the web
services it’s transactional,” explained Andreu. “You’re auditing each transaction one by one, so it’s simplified that
entire reporting process.”

Copyright © 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
