Connecting identity to unify global IT management
In the face of poverty, disasters, and violent conflicts around the world, Mercy Corps works to alleviate suffering and oppression faced by vulnerable populations. The nonprofit organization helps people build secure, productive, and just communities in more than 35 countries through both emergency aid and long-term solution development.
Connecting and enabling more than 4,300 employees to achieve the organization’s mission is no easy feat. Mercy Corp’s IT team needs to ensure people have access to the right tools to do their jobs while maintaining strict data privacy standards across the dozens of countries they work. For years, this was made more complicated by the company’s fragmented tech stack. IT lacked visibility into user and application activity, which meant users may open potential threat vectors without oversight.
The team chose to start by securing their users with an open-source single sign-on (SSO) solution, but they quickly realized that solution wouldn’t scale because it couldn’t connect to their Human Capital Management (HCM) platform — their source of truth for employee data. And even with this SSO solution in place, these users had to maintain as many as 10 usernames and passwords, increasing their risk of credential stuffing and phishing attempts.
“Identity management isn’t just SSO, it’s all-encompassing,” says Errol Sigler, Senior Director of Information Technology. “We have to support identity from an employee’s first day to their last, and every moment in between. That’s why we needed an identity solution that connects all of our systems and helps us meet donor requirements and government regulations.”
Choosing an identity partner that supports nonprofits
When a major disaster strikes or a war breaks out, Mercy Corps may bring on hundreds of new temporary employees in the region to support people through the devastation. “It’s our job to get those people the tools they need as quickly as possible so they can respond to the event,” Sigler adds. In their search for an identity solution that could support rapid onboarding, connect to the rest of their tech stack, and provide IT with clear insights into employees’ access permissions, Mercy Corps found Okta.
The company began working with Okta for Good, which provides nonprofits with products, services, and expertise — including Technical Services for Nonprofits — to securely connect to the tools that power their missions. Mercy Corps saw both the opportunity for a deep partnership and a robust identity solution to centralize and simplify identity management.
This included consolidating all their applications into a single SSO portal for end users and empowering IT with clear insight into user access. “Centralizing identity management means we can keep track of team members, service accounts, and any other systems or APIs that may have access to our data,” Sigler says.
The Okta Integration Network (OIN), a catalog of thousands of pre-built connectors, made it easy to integrate Mercy Corps’ full app ecosystem into a single portal for their end users. “We were in the process of bringing in an enterprise HCM platform, and we needed an identity solution that could read and write to communicate with it,” says Brian Arthur, Director of Global Infrastructure. With this goal combined with Okta for Good’s complimentary technical coaching, Mercy Corps was able to make their HCM the source of truth for all accounts and have it communicate directly with Okta.
Using both Lifecycle Management (LCM) and Workflows, Mercy Corps now automates more than 80% of the process of creating new user accounts. Okta works with their HCM platform to provision and deprovision users across the organization for critical applications like Microsoft 365. And with Workflows, the team can automatically suspend access to applications on an employee’s or contractor’s last day. Additionally, any non-compliant accounts, such as users who haven’t completed required training, can be suspended immediately to maintain compliance.
“We’re on a journey to automate as much of our lifecycle management processes as we can, and knowing we have Okta in place makes all the difference,” says Arthur. “Since identity automations with Okta Workflows operate 24/7, our global team doesn’t have to rely solely on the availability of our US-based IT team.”
With universal visibility and control through Lifecycle Management, IT can easily assign and revoke licenses as soon as accounts are created or deactivated. This means the team can grant users access immediately and, on the backend, save on licensing costs by quickly removing unused seats. “Being able to assign and manage all our license allocation through Okta means we can act more quickly to save on costs that are really vital for us as a nonprofit,” Sigler shares.
Improving identity visibility to simplify IT management
In addition to gaining visibility into who has access to Mercy Corps’ network, data, and applications, the team also has one place to manage security controls, including SSO and Multi-Factor Authentication (MFA). “Bringing all of our tools under Okta has allowed us to give everyone the agency to access the systems they want while retaining governance over our systems,” Sigler says. “We’ve been able to eliminate shadow IT systems that otherwise could pose risks to our security posture.”
This consolidation has also dramatically simplified the end-user experience. Rather than the half-dozen or more credentials users had, they now have only two: Okta and their device login. The organization hopes to simplify this even further in the future by introducing biometric-based logins with a combination of Okta Device Access, Adaptive MFA, and FastPass. Together, these solutions offer a single login secured by activity-based reauthentication and the ease and security of biometrics, creating phishing-resistant access for all Mercy Corps employees.
The team is also implementing Okta Access Gateway to bring their on-premises finance system into the Okta fold. This will ensure that even a cumbersome legacy system will be secured by SSO and MFA, allowing the IT team to manage onboarding and offboarding just as easily as they do for their cloud-based applications. With a fully interconnected platform, Mercy Corps can create a unified identity security fabric through frictionless, secure, and passwordless onboarding and access processes to protect their global team.
Growing identity protections and automation
As Mercy Corps advances its identity strategy, the team will continue leveraging Okta solutions to drive digital transformation and support its global workforce. “As we look forward, I know we can continue to trust Okta for identity,” says Arthur. “Because I can’t think of examples where Okta can’t do something." This will include further expanding automations as the HCM-Okta integration grows deeper, securing potential AI solutions, and enhancing data security.
“As we scale our AI initiatives, we need a partner that matches our pace,” Sigler says. “Okta delivers the industry-leading security and expertise we require to innovate safely, and we trust them to be the foundation of our AI transformation.”
About Mercy Corps
Mercy Corps’ team of humanitarians works to find solutions to the world’s toughest challenges. To address the consequences of conflict and climate change, the organization brings together bold ideas and the lived experience of people who know their communities best, scaling what works to offer urgent disaster relief and achieve lasting, transformational change.
