The Norwegian Refugee Council (NRC), an organization that aids--and often employs-- people who have been forced to flee their homes due to war and conflict, offers aid in harder-to-reach displaced communities. Government regulations, limited connectivity, and an unwieldy provisioning workload hindered NRC’s ability to provide aid most effectively.
Partners in action
The Norwegian Refugee Council joined NetHope, a group that provides non-profit organizations with opportunities to share knowledge and collaborate with their peers . and community-minded tech companies.
NRC quickly realized that adopting a cloud-first strategy while temporarily maintaining a hybrid infrastructure was their best solution. The organization also discovered that by partnering with NetHope tech companies, the initiative could be accomplished on a small budget.
NRC placed the Okta Identity Cloud at the core of its infrastructure, allowing it to adopt and provide easy access to new cloud-based apps as well as integrate with existing on-prem solutions. By implementing Okta, users could avoid going through a VPN, which increases workers’ productivity and kept them secure despite the regulatory issues and limited bandwidth requirements in many remote locations.
A Zero Trust approach
This solution is part of a new Zero Trust strategy that puts emphasis on securing people and data, instead of a network perimeter. A strong, granular approach to security is particularly important for NRC because the people it helps are already so vulnerable, and their data is highly sensitive. By deploying Multi-Factor Authentication, NRC increased security and made it easier for workers to access the apps they need to do their jobs.
Closer to the cloud
NRC has also partnered with Okta on a new initiative: integrating VMware Workspace ONE with Okta. This new project will strengthen the organization’s Zero Trust framework by providing the organization with increased visibility into the devices being utilized in the field, the ability to help employees requesting access from new devices, and actionability to make fine-grained access policies and decisions.
A streamlined workflow
Ultimately, NRC plans to completely eliminate its on-prem technology by sunsetting Active Directory in favor of Okta’s Universal Directory. By setting up Universal Directory as its identity master, NRC will stretch its budget farther by saving on maintenance and licencing costs, as well as costs related to provisioning and other labor-intensive IT tasks.
When our staff works on a crisis, wherever they are in the world, having seamless and secure access to our applications is fundamental for communications, for quick decision-making, and, ultimately, for doing the work that we do every day. An interruption can mean you're offline for half a day, and that can really delay aid and operations.Pietro Galli, Head of ICT at Norwegian Refugee Council
- Simplified access for workers
- Increased security without the use of a VPN
- Cost savings due to Okta for Good discounts and expertise
- 2,000 hours saved in IT maintenance
- Automated provisioning and Day 1 access for workers
- Access to affordable technology partners
- Identity solution that transitions well from hybrid to cloud-only infrastructure
Reaching across borders
There are more displaced people in the world than ever before. Persecution, armed conflict, and natural disasters have forced more than 68 million people away from their homes and into extreme hardship. The Norweigan Refugee Council (NRC) is one of the non-governmental organizations offering humanitarian aid to this growing population. With a workforce of 7,000 humanitarian workers and 10,000 employees, NRC currently works in 31 countries, including Syria, Iraq, Colombia, South Sudan, and the Central African Republic.
“The main bulk of our work is direct aid,” says Pietro Galli, NRC’s Head of ICT. “We work in six core competencies. We provide food assistance, education, shelter, information, counseling, legal assistance, camp management and clean water.” In 2017 alone, NRC assisted 8,701,638 people in need, but with displaced populations at an all-time high and in a world that’s becoming increasingly turbulent, the organization is driven to help more people, and to offer aid in places other non-profits are unable to reach.
This can be an incredibly difficult task, especially since NRC focuses on people fleeing from conflict. “Staff members have been kidnapped,” says Galli. “We’re working amid bombing raids in Yemen, and in countries such as the Central African Republic where aid workers have been killed. These situations are chronic, and often get worse over time.”
Of course, technology plays an important role in achieving this goal, but NRC was struggling to balance its need to increase agility and security, with the costs and logistical challenges that could be associated with a major modernization project.
“NRC, like many other nonprofit organizations, comes from 60 or 70 years of work, and technology is definitely a new part of the way we do business,” says Galli. “We are a non-profit and the bottom line is that every dollar possible has to go to our beneficiaries. Most technology companies build for the cloud and build for the western world, or let's say the connected world. But again, we operate in places where that is not a given.”
Simply put, it can be difficult and expensive to deploy modern technologies in remote areas with significant political and geographic barriers.
Internet connectivity is often a significant issue, especially with so many people working in the field. “We have areas where you may be offline for several days while you're providing aid,” says Galli. “You can only sync up to the cloud once a week, when you come back to the office.”
This is part of a larger issue: because the roles and restrictions within NRC’s massive, scattered workforce are so varied, it’s difficult to provide workers with communication options and standard IT tools that meet everyone’s needs.
To further complicate matters, some governments may take extreme security measures during times of conflict and, as a result, censor internet use, often banning VPNs. NRC needed to find another way to secure data while still providing remote access to field workers.
The organization is intensely aware of the urgent need to protect data, especially since parties to the conflict sometimes target people NRC is helping. “When you’re dealing with the identity and the data of people who have been forced to flee a war or a regime, that information is not just core to our work—it’s also core to their well-being and survival,” says Galli. “Therefore, that's one of our biggest concerns; how do we safeguard that information in the long-term?”
Finding new partners
When Galli started at NRC, the organization was already trying to solve some of its common issues with technology, but unfortunately, the efforts were unsustainable. “We were trying to solve our challenges with a lot of hardware,” he says. “With the idea that we could create a safe environment where everybody from anywhere in the world, NRC-wise, would connect. It was extremely expensive and difficult to maintain, so we finally came to terms with that, and dropped it.”
At the time, the organization’s technology landscape was primarily on-premise, and included a data center, an enterprise resource planning system, Active Directory, Exchange, SharePoint, a basic multi-factor authentication solution, and an email client.
“Our legacy solutions didn't fit the IT landscape we saw emerging,” says Mads Grandt, Global ICT Advisor. “We needed to figure out how to transition to the cloud while still retaining our on-prem environment. We were so embedded in it that we couldn’t cut the cord overnight, so we needed to find something that could do both, for a long period of time.”
NRC joined NetHope, a collaborative organization that brings non-profits and tech companies together in an effort to improve programs, mitigate risks, and share information. In 2017, NetHope also established the Center for the Digital Nonprofit, with Okta as one of its two founding sponsors, to enable digital transformation in the non-profit sector.
As a non-profit, NRC is limited by a stringent budget, and so technology projects can be difficult to justify. NetHope, however, gave NRC access to tech companies that are already predisposed to supporting the work of the organization.
“We're not just talking discounts, but also solutions that are tailored to the areas and environments we work in,” says Galli. “Most technology companies build for the connected world, but we operate in places where that’s not a given. The companies that help us succeed are the ones that tailor their products to our environments and our needs.”
The collaborative opportunities offered by the Center for the Digital Nonprofit help, too. “We use the tools that the center puts out there to assess our status versus our peers, and also compare standards,” says Galli. “When our leadership sees what others are doing, it resonates in a different manner, as opposed to us just saying ‘we need this, we need that.’”
After joining NetHope, NRC finally had the tools and the collaborative support it needed to modernize its IT infrastructure.
“NetHope has really been a force multiplier for our technology journey,” says Galli. “We’ve met peers with the same challenges as us, and benefitted from an ability to exchange and build on each others' learnings and failures. We also use NetHope as a conduit to meet and to collaborate with organizations like Okta.”
To help field workers and office-based employees do their work more effectively, NRC needed an identity solution that could provide frictionless, secure access to both cloud and on-prem solutions.
“We need to be sure that you are who you are so we can give you access to the systems and information that you need in the role you play for NRC,” says Grandt. “Everything revolves around your identity and what we know about you.”
Ultimately, the organization chose Okta, another NetHope member, for a number of reasons. NRC liked Okta’s lightweight, secure platform. Because it was able to access the benefits of Okta for Good, a program that provides non-profit organizations with deeply discounted products and training, Okta’s solutions were also cost-effective.
Okta also introduced NRC to Cloudworks, an advisory company specializing in cloud-enabled business and technology solutions. This valuable connection, and Okta’s willingness to invest a significant amount of effort into ensuring NRC would be successful, were also significant factors in NRC's decision to purchase Okta.
“We were able to run the proof-of-concept on a large scale that would support a hybrid environment, with only a little effort from us,” says Grandt. “With the limited resources we have available to run IT, that was key.”
The proof-of-concept was successful, and NRC selected Okta for, Single Sign-On (SSO), Universal Directory, Lifecycle Management, and Multi-Factor Authentication (MFA). It also started a migration to Office 365 and adopted a number of other SaaS apps, including Workplace by Facebook and Zendesk and Kaya.
Within just a couple of months, NRC successfully rolled out its new environment to 1,200 field workers.
No more roadblocks
Once this new infrastructure was put in place, field workers were able to start accessing all of their core apps easily, and without compromising security. They simply had to sign on to the Okta SSO dashboard to access cloud apps like Workplace by Facebook as well as on-prem tools such as Oracle and Citrix. With Multi-Factor Authentication in place, they also avoided the hassle of dealing with a VPN.
“When we had a VPN, we spent around 2,000 hours maintaining the environment. We don't need to do that anymore,” says Grandt. “There's no VPN software that fails on the clients, so our staff members have one less hurdle to overcome when they opt to connect to our systems. I think that's a great benefit.”
Workers were also delighted by the fact that they only had to remember one password. “I think that's our savior,” says Grandt. “With all of this, we’ve been able to give them a fair password policy.”
Employees could access their apps more quickly without signing into each app separately, and they no longer lost hours of work time after getting locked out of a critical app. For Galli, improving access management was mission critical. “When our staff is working on a crisis, having seamless and secure access to our applications is fundamental for communications, for quick decision-making, and, ultimately, for doing the work that we do every day.”
By automating provisioning with Lifecycle Management, the organization has increased productivity for its field workers, who no longer have to wait for access, and IT employees, who no longer have to manage user lifecycles manually. Revoking access as soon as a worker leaves the organization also reduces the chance of a breach.”
Now, we can provision applications almost at a click, as opposed to what we used to do, which was a headache,” says Galli. “With this change, the speed of provisioning, the speed of deployment has changed. We’re able to roll out new applications much faster.”
Checks and balances
During the Okta deployment, NRC began laying the groundwork for a Zero Trust security strategy. “We're now operating in an environment where it's not about securing an office or our data center,” says Galli. “The security is actually on the information. Therefore, it’s increasingly important to know who is accessing what, and when.”
MFA was an important component of this process. While connectivity will continue to be a challenge, NRC was able to offer workers a choice of factors to use, depending on the situation. Office workers often used Okta Verify, while field workers tended to rely heavily on SMS.
“We can apply different factors to different contexts,” says Grandt. “If we don't have cellular networks or our staff doesn't have phones, various sets of MFA factors allow us to work around those challenges.” This granular security approach allows NRC to apply heavier security in more vulnerable scenarios, while minimizing the legwork required by users working in safer areas, or accessing apps without sensitive data.
It also became much easier for NRC to monitor access. “Should we suspect that there's foul play happening, we can then check the Okta logs to get a quick overview, to see if there are any hints,” says Grandt. “If we do see something, we can quickly move on and look at different logs in other applications. That's very helpful.”
NRC’s workers appreciate this increased visibility as well. “They can rest assured that it's hard to impersonate them and their role,” says Grandt. “We protect their integrity and lower the risk of being wrongly accused. We’re not only protecting our own data and access, but also our staff members.”
Galli is looking forward to watching NRC’s Zero Trust strategy evolve. “As NRC continues its migration from the hybrid state into cloud, Zero Trust is how we’ll control access to cloud data in a secure, controllable manner,” he says.
Although NRC has now achieved its goal of building a new hybrid infrastructure around a strong identity solution, the organization hasn’t stopped there. In 2018, NRC released a new strategy that includes a digital transformation that will address NRC’s remaining infrastructure and connectivity issues, while working towards a cloud-only infrastructure.
“Partnering with technology companies like Okta, working through forums like NetHope, really helps us drive our digital transformation forward,” says Galli. “At speed, at scale. And collectively, we can impact the needs of the people we're trying to serve better and faster. And so, we believe this partnership is the way to go and we are committed to it.”
Recently, NRC took a step forward in its new cloud-only strategy by eliminating Citrix, and moving SharePoint and its ERP system to the cloud.
“Active Directory won’t be a part of the picture anymore. We would very much like to make the human resource management (HRM) system much more influential as an identity master,” says Grandt. “We’d also like to set up a partner portal for our third-parties and consultants so they can self-onboard their contractors without NRC IT necessarily doing all the approvals and setup.”
Going granular with VMware
As NRC continues its transformation, the organization continues to work closely with Okta. “It's very valuable to have a partner like Okta,” he says. “Anyone will sell you stuff, but not everyone will be your friend, so try to find your friends. I think that is true for NRC and Okta— we are beyond business, we are working as friends and partners to try to understand and solve common problems.”
In fact, Okta and NRC are already working together on their next project. With the help of Okta for Good, NRC is in the initial phases of integrating Okta with VMware Workspace ONE. “It will let us combine what we know about user identity in Okta with what we know about the device from the VMware space,” says Grandt. “With that, we can granulate the level of access and what you can do with your access. That is what we would like to achieve.”
By adding granular device security to its overall strategy, NRC is taking another big step on the path to a mature Zero Trust framework and in turn, increase the organization’s security and compliance posture. It will also improve the end user experience by introducing new possibilities, passwordless access and secure enrollment on unmanaged devices.
Although Grandt and Galli are always looking ahead, they’ve also taken the time to consider how far they’ve come in just three years.
“We’ve taken a huge leap forward in our operations by implementing Okta,” says Grandt. “With just a few of our own resources applied over time, we’ve moved on from our on-prem-only infrastructure, deployed Okta identity, and added many, many cloud apps. It’s been a tremendous change, and I think we are well-poised to leverage whatever the cloud can bring in the future.”
About Norwegian Refugee Council
The Norwegian Refugee Council (NRC) is an independent humanitarian organization helping people who have been forced to flee. With operations in over 30 countries, NRC protects displaced people and supports them as they build a new future. The organization specializes in six areas: food security; education; shelter; legal assistance; camp management; and water, sanitation and hygiene.