TX Group: Automating identity and access management with Okta
years coding time saved with 276 integrated apps
of staff on automatic HR provisioning
unnecessary licences saved in one year
- Enabling independent interdependency
- Modernizing identity and access management
- Deploying secure, cost and time-saving technology
- Embracing HR-Driven IT Provisioning
- Building for future success
TX Group is a network of media and platforms offering information, orientation, entertainment and services to over 80 percent of the Swiss population every day. Technology drives the company’s growth, particularly through mergers and acquisitions, but this presents a challenge: how to afford individual brands within the group their independence while creating a cohesive internal identity?
Having moved from an on-premises to a cloud-first technology strategy, TX Group was keen to further modernise its identity and access management (IAM) setup to remove inefficiencies through automation, onboard new acquisitions promptly, and improve experiences for end-users, while maintaining a secure infrastructure. TX Group turned to Okta for industry-leading products, services, and support to address these challenges.
Okta provided TX Group with a unified IAM experience through single sign-on across most systems and apps. This is secured with Adaptive Multi-Factor Authentication (AMFA) for a significant and growing number of employees, with out-of-the-box integrations to regularly used apps and services. TX Group was also able to automate HR-based processes through Lifecycle Management and adopting HR-Driven IT Provisioning, leavarging Okta’s partnership with Workday.
TX Group has fully embraced automation of identity and access management, thanks to its work with Okta and it now uses OpenID Connect, Lifecycle Management and HR-Driven IT Provisioning, which leverages Okta’s pre-built integration for Workday. Now these processes are fully automated for 90% of the TX Group workforce, saving hundreds of hours of help-desk time per category of task.
Okta has been more than a technology provider to TX Group, it has become a valued partner that colleagues across the company are excited to work with. With the business’s continued growth, and the ever-present need for security, Okta and TX Group will continue to work together to ensure that a consistent internal identity and great user experience remains central to the company’s technology strategy.
Our previous setup was a nightmare and a mess to maintain. We chose Okta because it ticked all the boxes we needed, including adopting cloud-first and best-in-class products. Okta’s the industry leader and the most mature IAM platform available.
Federio Sacchet, Head of Enterprise Infrastructure Services at TX Group
- Automates IT provisioning and deprovisioning
- Reduces time spent on Helpdesk queries
- Enables bi-directional HR process automation
- Facilitates smooth mergers and acquisitions
- Saves times spent on coding manual app integrations
TX Group is a network of media and platforms offering information, orientation, entertainment and services to over 80 percent of the Swiss population every day. Times have changed since the foundation of its flagship newspaper Tages-Anzeiger 128 years ago, but the company has remained agile and pivoted to meet the shifting demands of its growing audiences, as well as the wider industry.
In recent years, TX Group has expanded through mergers, acquisitions, and partnerships with other media outlets. With this growth came challenges, particularly when it came to managing people and technology. Switching from an on-premises arrangement to a cloud-first strategy did much to improve the company’s technological infrastructure.
But TX Group still had to address its identity and access management (IAM) challenges, many of which arose as a result of the independence afforded to companies that sit under its banner. Each brand was using its own cloud identity provider, managed through separate consoles, which led to inefficiencies. TX Group was looking for a way to unify these diverse brands while maintaining their freedom and turned to Okta for the answer.
“Our previous setup was a nightmare and a mess to maintain,” says Federio Sacchet, Head of Enterprise Infrastructure Services at TX Group. “We chose Okta because it ticked all the boxes we needed. It was the most mature IDaaS solution, it integrated well with Workday and adopts cloud-first and best-in-class products. Okta’s the industry leader and the most mature IAM platform available.”
Upgrading to cloud-based identity and access management
TX Group had already started to implement Single Sign-On capabilities through its previous on-premises infrastructure prior to its evaluation of Okta as a cloud-based IAM platform. But Pierre says adopting Okta made this functionality much simpler to use and implement by default. TX Group now has 276 applications integrated with Okta Single Sign On (SS0). This has created a number of benefits for users, including the ability to conduct password resets through the Okta self-service portal.
“When a new starter joins, they can log in and find all the tools they need in one place,” says Pierre Steiner, Head of Cloud and Technology at TX Group. “And that has many benefits, including for the user who now has less URLs to remember, but also in terms of security and for promoting the value of Okta internally.”
Federio adds that he has seen value in SS0 beyond these practical benefits, and that the Okta brand has been a reassuring presence within the company in recent times. One unintended, and timely benefit of the TX Group’s move to Okta came during the switch to home working during the early days of the COVID-19 pandemic. Federio believes that this would not have been an easy process under the company’s previous setup.
“Our legacy SS0 system relied on domain membership, which would have made the transition to remote working during COVID-19 much harder than it was,” he explains. “And Okta’s security measures meant we could make the switch without the need for a VPN.”
Providing secure and user-friendly access
Like many businesses, security is a key concern for TX Group, but this has to be balanced with consideration for the experience of end-users. As with SS0, TX Group had begun to implement MFA on-premises but it has greatly expanded this functionality since moving to Okta. It next plans to use Okta Adaptive Multi-Factor Authentication (AMFA) to authenticate the identity of a subset of its users. AMFA policies enable a smarter approach to authentication, using contextual access management and big-data analytics to secure apps more effectively. This also leads to less frustration for the end-user as it significantly cuts the number of authentication prompts needed compared to two-factor authentication (2FA).
Some users within the TX Group still use 2FA via SMS, where each authentication prompt text message can take up to 60 seconds to be addressed. With multiple prompts throughout the day across a workforce of 3,800, this adds up to considerable and unnecessary distractions for employees. Currently, 1,500 users benefit from AMFA, but Pierre is confident that AMFA will be adopted by more brands within the TX Group in the future.
“MFA started gaining traction when we joined Okta, as more applications can now benefit from it,” Pierre adds, “We hope to start a communications campaign in the near future to explain the benefits of AMFA to colleagues more widely.”
TX Group Chief Information Security Officer, Andreas Schneider, finds the passwordless signing particularly impressive.
Automating the lifecycle of a user
Another area where TX Group is leveraging Okta is in the area of user lifecycle management, automating processes that were once maintained manually. The company now has 21 apps pre-integrated with Lifecycle Management (LCM), including Amazon Web Services, Git Lab, Google Workspace, Microsoft 365, Salesforce, Slack, Workday, and Zoom, saving the company an average of three years of coding time in manually building thee integrations. And there have also been cost efficiencies from LCM, with an estimated 6,000 licences that were being paid for unnecessarily at TX Group each year now eliminated.
“The one big feedback I got from brands within TX Group was that managing the user lifecycle was always a pain,” Federio says. “Adding a user was easy, but cleaning up when they left was harder. This meant that we ended up with additional licences we didn’t need, and it was tricky to track how many were actually in use. With Okta, we’re able to provide a clean user lifecycle and clear up such confusions.”
LCM is also paying dividends in terms of security. Under the previous setup, it was difficult for TX Group to track who still had access to apps once they left the company. That presents an obvious security risk, which has now been closed through automatic deprovisioning. It also means that apps aren’t directly plugged into Active Directories at TX Group, limiting the amount of data they have access to.
“App integration often requires granting permission to read your directory, which we’re not fond of from a security perspective,” Pierre adds. “With LCM, we get all the benefits of automation while remaining in control of our data.”
Embracing HR-Driven IT Provisioning
TX Group has now embraced this automation philosophy to use HR-Driven IT Provisioning, an area where Okta’s pre-built integration for Workday is particularly useful. Under its previous setup, TX Group used a ticketing system, where HR would send an email to IT to create or delete a user directory, processes that took around 20 minutes of keyboard time. With 3,700 employees on their systems, that’s around 1,266 hours of time spent on user directory creation alone.
With HR-Driven IT Provisioning, this process - and others like it - is fully automated for 90% of the TX Group workforce. And, thanks to the bidirectional nature of HR-Driven IT Provisioning, routine updates to an employee's file that would have been manual prior to Okta, such as someone changing their home address or getting promoted, are now more efficient.
“With Okta, HR is the master, so we enter changes and push them to Okta, where they’re propagated downstream. We get people approaching us from across the business asking to move over to Okta because it's making things so much easier,” says Pierre.
Building towards a successful future
Federio and Pierre say Okta has become more than a technology provider to TX Group, it is a valued partner. One area where this has been particularly true is in their experiences with the Premier Plus Success and Support package. This has led to concrete benefits, such as solving a particular pain point TX Group was experiencing with one of its external connectors.
Pierre adds: “The support we receive is invaluable. Okta proactively links us to internal resources to give us insight about upcoming features, so we can shape our implementation accordingly. Identity is the absolute core, so if you get it wrong you will have a really hard time. We try to adapt as swiftly as possible to the ever changing context of identity management.”
Federio and Pierre work hard to convince colleagues of the benefits that the partnership between Okta and TX Group has brought about and, In the future, both agree that this relationship will continue to grow and deepen. To further integrate Okta’s solutions, TX Group has now moved on to the Okta Identity Engine and will use FastPass / Device Trust 2.0 with Cybereason and App-level Policies. As TX Group continues to expand, new businesses will be encouraged to join this as they move under its umbrella.
“We’re surrounded by a company that sees the value of what we’re doing,” Federio adds, “as it gives us the ability to quickly integrate and provision new users. And we want to facilitate even more for our end users to make life even easier for them.”