OkCupid Simplifies Multi-account Management Using AWS Partner Okta

Executive Summary

OkCupid simplified its multi-account identity and access management and increased security while saving time and money by using AWS. The online dating site and app began migrating from its on-premises systems to AWS, and to maintain a central point of access for its various AWS accounts, it used AWS SSO alongside AWS Partner Okta’s Universal Directory, deploying a new function of AWS SSO in two months. The solution automates user account creation and configuration, reducing the risk of human error and increasing security. Since the migration, the lean operations team can focus its time on improving the user experience for OkCupid’s millions of users making meaningful connections.

Developing a Solution to Simplify Multi-account Management

OkCupid, one of the largest free dating sites and apps, prioritizes protecting the personal data of its millions of users making meaningful connections. In 2016, the company helped secure its backend by centralizing identity and access management (IAM) with Okta Inc, a major identity and security company and Amazon Web Services (AWS) Partner. In mid-2020, OkCupid began migrating from its on-premises system to AWS, where it developed a solution to further simplify multi-account management: using AWS Single Sign-On (AWS SSO) in conjunction with Okta’s Universal Directory.

AWS SSO centrally manages access to multiple AWS accounts and business applications. By using AWS SSO alongside Okta, end users can access all their assigned AWS accounts and applications in one location, simplifying access management for end users and administrators. Now OkCupid can scale up its AWS footprint and benefit from different services without an increase in administrative work. Using this solution, OkCupid maintains high security, saves time and money, and manages employee accounts and permissions with ease.

“AWS SSO is a powerful tool to get the maximum amount of use per staff member so that we can keep our team small.”

- Alexander Dumitriu, Chief Information Officer, OkCupid

Maintaining a Single Access Point for Multiple AWS Accounts

OkCupid operates globally and must adhere to multiple data compliance regulations like the European Union’s General Data Protection Regulation. But the company goes beyond compliance to protect user data. “To interact successfully with the app, users have to reveal their most personal selves, like gender identity and political beliefs,” explains Alexander Dumitriu, Chief Information Officer at OkCupid. “We take our mission to protect all of our users’ information very seriously.”

Before OkCupid began using Okta in late 2016, it faced challenges trying to centralize IAM for its on-premises environments. Employees previously had to log in separately to each environment, meaning they had to keep track of multiple passwords. Administrators had to repeat configurations in each account, a time-consuming process. “If you’re chasing down multiple places to add or remove a user, you’re not only wasting time but also increasing the likelihood that you’ll miss something,” says Dumitriu. “That’s a security concern.” Okta created one place where OkCupid could enforce policies, manage users, and access permissions across multiple identity silos. “We like the user experience with Okta, particularly Okta Verify’s push-based two-factor authentication,” says Dumitriu. “It’s more secure than SMS and better than figuring out other authenticator software.” By using AWS SSO and Okta, OkCupid is able to maintain the high level of usability and simplicity of maintenance it has worked hard to achieve.

When OkCupid decided to take advantage of the scale and agility possible in the cloud, the ability to integrate AWS SSO with Okta played a key role in its decision to migrate to AWS. OkCupid wanted to use the full range of AWS services, but that would lead to a complicated spread of AWS accounts that, if accessed separately, would waste time for its small team. The organizational agility of AWS SSO and Okta solved that problem. “AWS enables us to have a central account where we manage our users without the constraint to go in and configure each account one by one,” says Lou Benlahmr, senior infrastructure engineer at OkCupid. “It decreases management time and gives us more visibility and a more granular way to manage access to different accounts.”

Saving Time and Money, Increasing Agility through AWS SSO

OkCupid developed a proof of concept in two weeks and deployed its solution less than two months later. Now administrators can manage users in one location, and users do not have to worry about managing multiple credentials to access OkCupid’s AWS accounts. AWS SSO also enabled OkCupid to add more than a dozen AWS accounts to each user’s account without hindering account creation. “On AWS SSO, we have a single point of control—a single view—across everything we do,” says Dumitriu. “Our technical team can see the identity and permissions for email, internal tools, and external software-as-a-service solutions using our AWS production account. We can also see permissions that enable our office manager to make decisions, such as selecting a snack vendor. That’s huge for our lean operations team.”

Using AWS SSO, developers can deliver innovative solutions for the OkCupid platform without obstacles to account access. “We want to give developers, particularly backend developers, a sandbox where they can experiment with new AWS services on their own,” explains Dumitriu. On premises, if a developer wanted to experiment with Redis, an open-source in-memory data store, that project would have had to wait for hardware to be purchased and provisioned, which can take weeks. But using AWS SSO, OkCupid can approve the project immediately, supply the developer with $2,000 to experiment with Redis on AWS, and then productionize it if it works.

AWS SSO automation boosts security by reducing the chance that an administrator will introduce an error, and it saves OkCupid time and money by enabling its scrappy operations team to bypass low-level tasks. “The more processes are automated, the less opportunity there is for human error,” says Dumitriu. “We like being a smaller team. And we can continue to be lean by automating as much repetitive drudgery as possible. Otherwise, we’d have to increase our head count, which has its own security implications: a bigger team means more opportunities for bad actors and for human error. AWS SSO is a powerful tool to get the maximum amount of use per staff member so that we can keep our team small.”

In using Okta and AWS SSO together, OkCupid can satisfy its preference for open source. The company prefers using Linux to a Windows infrastructure. And it can manage its users, groups, and devices using Okta’s cloud-based Universal Directory instead of Microsoft’s Active Directory. “Having Okta in the middle makes it much simpler for us to do that because the only touchpoint is the identity integration with Okta,” says Dumitriu. “We don’t need to manage anything else from AWS or outside vendors. And it gives us much more flexibility to migrate our identity backend.”

Continuing to Modernize on AWS to Better Serve Users

In 2021 and 2022, OkCupid plans to continue its migration to AWS. The company decided to forgo a lift-and-shift process for the migration, which would rely on legacy technology. Instead, OkCupid is choosing to rewrite applications using Terraform, an open-source infrastructure-as-code tool, modernizing its entire technology stack. Eventually, the company plans to operate wholly on AWS. OkCupid’s solution using AWS SSO and Okta met the company’s high security and data compliance standards, providing effective protection companywide. The solution facilitated the use of a large suite of AWS services and saves OkCupid time, money, and staff resources. “Now,” says Dumitriu, “we can spend more time architecting the infrastructure that is really unique to OkCupid to drive business.”

About OkCupid

Founded in 2004, OkCupid is one of the largest free online dating sites and apps, with millions of global users. Based in New York, it uses thousands of questions to make millions of connections annually.

About Okta, Inc

A major identity and security company, Okta enables organizations to securely connect the right people to the right technologies at the right time. Okta is an AWS Advanced Technology Partner, an AWS Independent Software Vendor (ISV), and an AWS Security ISV Competency Partner.

Published July 2021