Header Image

Ogilvy & Mather - Web Services Security

Connecting clients worldwide through SOA

Connecting Clients Worldwide

Ogilvy & Mather has built some of the most famous brand names in history the planet since its Madison Avenue origins in 1948. Today, Ogilvy encompasses 497 offices in 162 countries. But therein lay the origins of an IT problem: while relationships are best handled locally, creativity knows no bounds. In order to facilitate collaboration between a worldwide team of creative professionals, partners and clients, Ogilvy needed a way to move extremely large media files rapidly and securely.

 


 Ogilvy by the Numbers

  • Founded in 1948
  • Approximately 16,000 employees
  • More than 497 offices serving clients in 162 countries
  • Clients include a majority of the companies in the Fortune 500
  • Composed of 7 divisions: OgilvyOne, OgilvyInteractive, Neo@Ogilvy, Ogilvy PR, Ogilvy Healthworld, OgilvyAction, and OgilvyEntertainment

 

The Business Challenge

Up until 2001, Ogilvy had been building custom web applications to give authorized personnel, partners and customers access to collaborative functionality via a Web browser. According to Andres Andreu, Technical Director of Web Engineering and Applications at Ogilvy, “We started writing [Web applications] to meet some client needs to tap into sources of data and provide them some functionality in return. We [stored] their user data [in LDAP sources] on our side so that they could use [our] applications.”

However, the solution was not scalable. Andreu: “We found ourselves writing Web based apps to facilitate these needs and I sat down one day and said ‘this is not efficient.’ It’s fine if you’re doing it for one client. But when the second, and the third, and the fourth start asking for the same thing, yet they all want it customized to their needs. That’s certainly not the right approach.”

 

Web Services to the Rescue

Web services offered a way out of the custom-built merry go round by providing a common, reusable framework that was far easier to customize for each client’s needs than modifying a Web application. Once familiar with building Web services, Ogilvy decided to tackle their next biggest issue: LDAP exports and imports. “We used the Web services framework to abstract access to our entire directory space,” explained Andreu. “Prior to that, the other side of the world had to be in tune with our schema… We bought ourselves a lot of flexibility, or loose coupling if you will, of the systems.”

So now Ogilvy had a flexible Web services-based system that could authorize users before granting them access to the shared functionality. The only problem was that once those users were on the network, they had access to everything – they just didn’t know it because the end points and formats weren’t published. ‘Security through obscurity’ is little better than no security at all, so Ogilvy began the search for a way to implement end point authentication.

 

Ensuring Security

But solutions that identity-enabled Web services were hard to come by, especially one that could meet all of Ogilvy’s requirements. As a result, they even toyed with building a solution themselves, but quickly abandoned the idea when they realized how complex an undertaking it was. Then Andreu stumbled across an offering from Layer 7 called the SecureSpan Gateway which, coupled with the SecureSpan XML VPN Client (XVC) sounded like it might be a good fit. The XVC would be the key – automatically negotiating the “handshake” between the customer and Ogilvy without requiring any IT resources on the customer’s side. Any changes Ogilvy made to their security parameters going forward (such as requiring encryption, credentials, digital signatures, and so on) would be seamlessly accounted for by the XVC. There would be no need for the customer to recode their application to take into account the new security requirements.

“I can’t stand PowerPoint presentations. Give me the box, and let’s get down,” stated Andreu. “So they came, put the box in, left us with all the information we needed, and they went back home. We wrote PERL scripts to become the consumer, and we verified everything…I threw our security team at it, and we just hammered away. And it held up. It was amazing to me, because we haven’t seen a clean Proof of Concept like that in awhile."

“Once we verified everything internally we got an external application and an external client involved for a prototype,” explained Andreu. “We had scheduled three days worth of integration time between them and us, and we were done in less than a day. Usually three days means two weeks, right? It was great because we all sat there, half a day in, [going] ‘this looks like it’s going to finish today…this is too good to be true.’ But it was true, and it’s been a success ever since.”

After three months, because the proof of concept went so well and the vendor check so smoothly, Ogilvy decided to moved Layer 7 into production at seven client locations. Because the SecureSpan SOA Gateway and XML VPN Client are able to seamlessly talk to one another and resolve all identity and security issues automatically, the customers were up and running literally in a matter of minutes after installing the Client. Customers that preferred to use their existing WSSecurity- or SAML-based solutions could also be accommodated by the SecureSpan SOA Gateway.

 

Layer 7 Cross Boundary Solution

 

The Results

Today, Layer 7 forms the security backbone not only of Ogilvy’s client interaction strategy, but also many of their internal systems, as well. “It’s one of the things we’re doing radically different now,” stated Andreu. “Let’s say an application in India has a database, and we want to keep their database synchronized with our LDAP. There’s no more batch processing scheduled. If there’s an application that triggers a change in LDAP, that will trigger a SOAP client call out to the service in India and update their database. This is one of the ways we’re using this whole framework. And that buys us the flexibility out at the edge.”

“[The Layer 7 solution has] even given us an advantage on Sarbanes-Oxley compliance, because with the web services it’s transactional,” explained Andreu. “You’re auditing each transaction one by one, so it’s simplified that entire reporting process.”