Beach Energy Builds a Flexible, Secure IT Environment with Okta
adoption within 48 hours of deployment
reduction in password reset requests
See More from Beach Energy :Oktane21
- Scaling up
- Strategic thinking
- A consistent environment
- Success, sourced
- Next steps
When Beach Energy acquired and integrated Lattice Energy in 2017, its workforce quickly expanded from 180 to 1,000 users. The sudden growth presented a few urgent IT challenges: Beach Energy needed to merge and modernise the two environments, streamline processes to handle the influx in provisioning and IT maintenance tasks (including setting up SuccessFactors as a source), and implement strong, flexible security measures capable of supporting employees working remotely.
Beach Energy set up a head-to-head competition between their incumbent provider and Okta to see which company could provide the best solution for nine different use cases. Beach Energy selected Okta for its out-of-the-box SuccessFactors integration, its strong balance of convenience and security, and the streamlined approach to identity management that would allow the company to reduce its reliance on legacy solutions like Active Directory.
Beach Energy’s next step was to consolidate its two environments while also migrating its workforce to Office 365, integrating all SaaS apps with Okta, adopting new cloud-based solutions, and setting up Okta Single Sign-On. It also added Okta Adaptive Multi-Factor Authentication for a strong, flexible security layer across the entire environment. Within days of the deployment, the company reached 100% adoption.
With its newly consolidated infrastructure in place, Beach Energy began streamlining its processes. The company automated provisioning and deprovisioning processes by deploying Okta Lifecycle Management, and then setting up SuccessFactors as a source of people information. This not only saves the company money in terms of IT costs and productivity, it also improves Beach Energy’s security posture by reducing the chances of a former employee retaining access to sensitive information.
Beach Energy still has a few stops left on its roadmap, from integrating more applications with Okta to providing employees with more options to self-serve. This includes streamlining the provisioning process for consultants by allowing managers to request app access without having to go through IT. Finally, the company plans to fully modernise its IT by sunsetting Active Directory, and implementing Okta FastPass, which will reduce the need for a VPN.
When we were selecting our security solution, we saw that Okta placed a strong emphasis on the user experience. Managing cyber risk is obviously a concern that we need to address, but it’s rare to be able to offer a solution that people really appreciate from a user experience perspective.
Aaron Finnis, Information Security Manager at Beach Energy
Growing up fast
When a company’s workforce jumps from 180 to more than 500 users in under a year, the resulting IT challenges can be overwhelming. How do you ensure that your security remains strong? How do you provide a consistent experience to all employees, no matter where they’re working? And how do you quickly and accurately provide all employees with the tools they need to do their jobs? These are all questions that Beach Energy, an upstream oil and gas company, had to consider after purchasing and integrating Lattice Energy in 2017.
Founded in Adelaide, Australia in 1965, Beach Energy started small and local. After the Lattice Energy acquisition, the company quadrupled its workforce and expanded to five locations across Australia and New Zealand. It also joined the ranks of the 100 largest companies in Australia (ASX 100).
At the beginning of this transition, Beach Energy was operating with a lean four-person IT team. For a company with a workforce of 180 people, this was adequate—but as the workforce grew, so did the IT workload. The companies needed to streamline IT processes and merge the IT environments for both companies.
The company also needed a comprehensive security strategy that would provide all employees with the same level of protection whether they’re working in the office or off-network, on a desktop or a laptop, at home or on the road. Beach Energy quickly addressed the situation by bringing on new IT staff, including a new CIO. The company also hired Aaron Finnis, who is now Information Security Manager at Beach Energy.
An outdated IT landscape
When Finnis joined Beach Energy, he immediately saw opportunities for improvement. For starters, the security model was very desktop-heavy. “There was a lot of on-premises infrastructure,” says Finnis. “Even our email was exchanged on-premises, which I hadn't seen for a while.”
The on-premises infrastructure made it difficult for employees to work remotely. After the acquisition, however, there were employees and contractors working across 30 different sites, with some people working internationally. In those cases, employees had to log into a virtual desktop through Citrix, without the benefit of multi-factor authentication. The company had to find a way to securely support these employees.
For identity, Beach Energy relied completely on Active Directory (AD), requiring IT to perform user creation and access management tasks manually. Provisioning and deprovisioning was also manual and time-consuming; aside from the obvious challenges involved with manually adding hundreds of new employees in quick succession, it was difficult to quickly and reliably offboard users. This not only created security issues, but also resulted in wasted money due to licenses that never made it back to the pool.
“We used to do a lot of reviews because of the manual offboarding process,” says Finnis. “When we first looked at Active Directory, we discovered that 14% of our users were no longer working at Beach. And then, on every subsequent review, we found a percentage of active users who should have been offboarded. It cost us all that effort, adding significant IT costs, to conduct reviews regularly enough to reassure ourselves and meet our regulatory requirements.”
There were also productivity improvements to make. The company had a number of single sign-on solutions in place, which forced employees to sign in between eight and ten times a day just to do their jobs.
After assessing the situation, Finnis and the rest of the IT team developed a digital transformation strategy, with the aim of unifying Beach Energy’s IT environment, consolidating user identities, increasing security, and automating the provisioning and deprovisioning processes. “Enabling people to connect to cloud services quicker, more seamlessly, and more consistently was a core part of our security strategy and our digital strategy,” says Finnis.
Despite its significant growth, Beach Energy wanted to retain its agility by increasing the flexibility of its architecture. This would allow the company to scale up and down quickly, while also providing more work options to employees. “We didn't want to be dependent on a corporate network,” says Finnis. “We know that people want to connect to a number of different services. They want to work flexibly. We’ll never be able to control where people are situated, and what network they're on. We want everything we build to be centred around the user, device security, and health.”
To achieve this goal, the company needed a reputable and experienced identity provider. Beach Energy considered a number of options, but ultimately decided to do a head-to-head evaluation between their incumbent provider and Okta’s Workforce Identity solutions. Finnis had already experienced a highly successful Okta deployment at his previous workplace, Flinders University, so he wanted to assess Okta as well.
“It was a big decision to make,” says Finnis. “We came up with a detailed set of use cases. One of the use cases, for example, involved onboarding new users in SuccessFactors, which holds 90% of our users. We wanted to be able to set up SuccessFactors as a source, and immediately provision and deprovision an account. We provided about nine key use cases to Microsoft and Okta and said, ‘Come and show us how your platforms can achieve this.’”
In the end, the decision was a simple one. According to Finnis, Okta’s demonstration was one of the best he’d ever seen. The SuccessFactors results were particularly impressive. “It fits with our environment so well,” he says. “Okta's got an out-of-the-box SuccessFactors integration that does exactly what we need it to do. We were quite specific about wanting to see how it all fit together, and Okta showed us we’d be able to pick up the technology and just say, ‘All right. Here's how it'll fit into our environment with some support during that process.’"
The company also appreciated Okta’s balance of strong security and usability. “When we were selecting our security solution, we saw that Okta placed a strong emphasis on the user experience,” says Finnis. “Managing the cyber risk is obviously a concern that we need to address, but it’s rare to be able to offer a solution that people really appreciate from a user experience perspective.”
Finally, Beach Energy felt that Okta’s provisioning solutions were more mature than our incumbent provider. “For security reasons, reliability, and just future change, we didn't want to have a bunch of scripts or multiple solutions calling each other to achieve the kind of outcome we could get with Identity-as-a-Service,” says Finnis.
After the assessment, the company purchased a number of Okta Workforce solutions, including Universal Directory, Single Sign-On, Adaptive Multi-Factor Authentication, and Advanced Lifecycle Management. For the deployment, Beach Energy partnered with a company called Identifly and enlisted the Okta Customer First team based in Adelaide.
Just as Beach Energy was about to begin deploying Okta across its workforce, the COVID-19 pandemic hit. As a result, the company had to delay the initiative while it launched a Microsoft Teams rollout and gave employees time to settle into new remote work routines.
“Safety is a huge focus for Beach Energy, and keeping our people safe is absolutely critical,” says Finnis. “The business had to focus on communicating well during the pandemic, to ensure continuity of operations, including where people were working and how we were flying people into sites. Those were the most critical communications we needed to send to our people. Launching Okta during that time had to come second. So we had to delay a little bit.”
Despite the delay, the challenges created by COVID-19 presented the perfect opportunity to work on Beach Energy’s original remote work challenges. Providing laptops to all employees was one of the first steps. “We had moved away from that desktop model, which has positioned us well in the current pandemic situation,” says Finnis.
Beach Energy also started working on a Teams rollout around this time, which further disrupted the Okta deployment. “We were put in a position where we either had to defer the Okta change or come up with a new strategy,” says Finnis. "So we decided to complete the Teams migration and the Okta implementation at the same time.”
To ease the demand of the complex double rollout, Beach Energy turned to Identifly and Okta Professional Services for help and, in the end, both the Teams and the Okta initiatives were successful. “We had a lot of people working on the weekend of our main Single Sign-On cutover, when we tested things like Teams connectivity, licensing, all of those things,” says Finnis. “So we spent a lot of time just building up our test plan and carefully checking it to help us combine the Teams and Okta rollouts together. The Okta team really supported us during that time. We just needed the specialist skills.”
Once Beach Energy was able to turn its attention back to the Okta deployment, the company shifted its original strategy to prioritise projects that would serve its employees particularly well during the pandemic. This included integrating its existing cloud-based apps with Okta Single Sign-On, and increasing adoption of SaaS apps.
Before this change was made, the IT helpdesk was receiving about 30 password reset requests a week. With a holistic SSO product in place in place, those calls have been reduced by 90%, leaving administrators free to work on more strategic tasks.
Next, the company set up Okta Adaptive Multi-Factor Authentication (MFA). This enabled the company to ensure that users were being validated as often as possible. With this increased validation in place, Beach Energy was able to eliminate password requirements from a number of apps. Instead, the company gave employees the more seamless options of signing in through Okta Verify, Google Authenticator, or a YubiKey. The company also required users to create a password as a back-up, which gave Beach Energy the opportunity to enforce strong password selections.
“We’ve been able to build our Continuous Trust security model around our new portability,” says Finnis. “It’s very much a Zero Trust strategy, but I call it Continuous Trust because we want to validate users and devices constantly. We want to check they're there and there's nothing happening that’s out of character for either the person or the device, that the device is healthy, and that it's compliant with our baseline. It really positioned us well for the pandemic, and allowed us to work remotely without being too worried about it, given the tooling that we've put in place and the approach we've taken.”
Throughout this process, the company also created a strong communications plan that highlighted the benefits of its new cloud-based environment, including a streamlined remote work experience and reduced sign-on frequency. The communications strategy included sending out Okta-provided email templates designed to boost enrollment. In total, the deployment took eight weeks, and the company reached 100% adoption almost immediately.
Once the environment was successfully consolidated, the company connected SuccessFactors and Okta, using the out-of-the-box SuccessFactors integration available through the Okta Integration Network. Next, Beach Energy used Okta Lifecycle Management to set up SuccessFactors as a source of people data and automate the provisioning process. Now when HR adds, deactivates, or updates an employee file, that employee’s permissions are automatically adjusted based on their employment status and role. This also eliminates the need for admins to contact individual vendors to request access.
“If a person needed access to, say, a document management system, we would send the request through the vendor that supported that platform,” says Finnis. “We've given the business units the capability to manage their own Okta group admin, so they don't need us involved. We can just put some rules and constraints in place around how they can do it themselves. One of those systems was generating 500 tickets a year, but with self-service in place we’ve been able to get rid of all those tickets. It’s much more streamlined.”
Putting Success Factors in place as a source has also reduced the number of wasted licenses. The automated provisioning and deprovisioning process is much more accurate than the company’s original manual process. “We actually then got rid of a number of accounts and licenses that we didn't need,” says Finnis.
Of course, a more accurate offboarding process also improved the company’s security posture by reducing the chance of a former employer retaining access to sensitive apps.
A whole new world
Rebuilding an IT environment during a global pandemic posed a significant challenge, but Finnis is pleased with the results. “There's massive disruption in the business coming at us from every possible angle,” he says. “Not just with employees working from home. But also with employees moving around within the company and teams changing the way they operate. Some teams are returning back to the office. Some teams are still very much working from home for the medium term. And it has all gone so seamlessly.”
This newfound agility will also serve Beach Energy well if it decides to go through additional mergers or acquisitions. With a streamlined, automated onboarding process in place, the company will be able to add new employees quickly, securely, and accurately. “If we do make a transaction in the future, we want to be able to scale up rapidly,” says Finnis. “I think we've got the foundation there to allow us to do it, with the Okta and SuccessFactors integration in place.”
The modernisation and automated provisioning initiatives are just the beginning for Okta and Beach Energy. Next, the company will begin building on its new Okta foundation, adding new applications to the Okta dashboard and increasing self-service options.
“We've still got a lot of access request forms floating around the organisation,” says Finnis. “Our outside consultants and service providers don't exist in SuccessFactors because the relationship might only last a couple of months. So at the moment, that onboarding process is still quite manual. We want to be able to give them the apps that they need quickly.”
Beach Energy is working on a solution that will allow managers to request service provider access without having to go through IT. Once the project is complete, Okta will automatically provision access as soon as the request is approved, improving the company’s ability to scale up and down quickly.
“If we build a workflow capability that allows us to rapidly onboard users, there won’t be any forms floating between email inboxes,” says Finnis. “People will be able to get access quickly for the people who need it, and the approvals will be tracked and auditable.”
Finnis is also looking forward to implementing Okta FastPass, which supports completely passwordless access to any Okta-enabled app, from any location and any device. Once Beach Energy enables FastPass, users will no longer have to connect to a VPN. “If they're on a Beach laptop and it's healthy, they’ll just log in automatically,” says Finnis. “We’re definitely moving away from VPN, and Okta will be able to support that. In terms of alignment of visions, Okta and Beach Energy are definitely on the same path.”
Finally, Beach Energy plans to move away from Active Directory. The company has already removed helpdesk access and much of its admin access, and over the next two years, it will also be removing users from AD. Instead, it’ll rely more on Azure Active Directory for device authorisation.
“With COVID, the changes that we've made, particularly with Okta, have served us quite well and supported the business throughout this time,” says Finnis. “Particularly because Beach is very much a low-cost operator. We're a very lean business, so we're always looking for ways to automate, systemise, and improve the things that we do. And coming from such a small company, there are so many opportunities for that.”