With Okta at the centre of their digital strategy, CPA Australia is ready to transform the member experience
CPA Australia, one of the world’s largest accounting bodies providing education, training and advocacy services for members, set out to secure and enhance both the member and employee experience, reducing IT’s on-prem footprint while providing more value. Key to the project: consolidating and updating homegrown, Microsoft-dependent identity and access management systems in preparation for digital transformation projects and initiatives.
CPA Australia chose Okta because of its leadership in both workforce and customer identity management, and also for its vendor-neutral approach and the 6,500+ pre-built integrations in the Okta Integration Network. Okta Professional Services helped smooth implementation.
When Covid-19 hit, CPA Australia was ahead of the curve. To secure the workforce, they integrated key applications with Okta. By July 2020, Office 365, Zoom, WebEx, and an array of business services and security platforms sat behind stronger MFA.
CPA Australia integrated Okta with their enterprise HR platform as a source for employee profile management, transitioning away from manual processes with Microsoft Active Directory. Using Okta’s pre-built integration, they connected HR and IT directly so that HR changes would show up automatically in IT processes.
Today, the team is building a new member portal using Okta customer identity products. Upon its completion, they look forward to providing enhanced member experiences and improved security—along with deeper business and security insights and truly centralised identity management.
With secure remote access technology and the ability to authenticate with Okta and use MFA, I can be really comfortable that we’re reducing the risk of account compromise.
Nigel Hedges, Head of Information and Security, CPA Australia
- 700 employee users logging into Okta for secure, remote access to their work
- 24 essential collaboration and security applications integrated into Okta
- 98% user adoption
- Reduced risk in an era of remote work
- Direct connection between HR and IT, so that HR changes show up automatically in IT processes
- Streamlined, automated processes to onboard and offboard employees
- Deeper business and security insights and truly centralised identity management
- Easy IAM integration with third-party services and platforms
- Ability to phase out legacy, on-prem technologies
- Strong partnership with Okta Customer Success team, taking an open, collaborative approach
A risk-driven approach to digital transformation
When Nigel Hedges joined CPA Australia in 2018, he took on strategic security governance for the 134-year-old membership organisation—one of the world’s largest accounting bodies. While the Melbourne-based organisation had come a long way toward automating manual processes and moving into the 21st century, it remained a Microsoft shop with a significant on-prem footprint.
In his role as head of information and security, Hedges was charged with securing and enhancing both the employee and the member experience. “It was a good time to get in and influence the security aspects of the evolving IT strategy,” he says. “As a business, we’re trying to be more nimble because members are demanding more from our services.”
CPA Australia leaders have embraced cloud technologies to help fulfill those expectations. “We’re not primarily in the business of being a technology house—our role is to provide value to our members and protect their designation,” says Hedges. Even in the realm of security, it made more and more sense to partner with software-as-a-service providers, rather than continue the heavy resource drain of complex, in-house legacy IT systems.
Hedges’ approach to security is more risk-driven than compliance-focused—more Zero Trust than Network Perimeter. “There are compliance aspects to our business that we need to maintain, but I’m bringing more security awareness and culture into the organisation,” he says. “Identity is the new perimeter. We can’t just stick a firewall in front of something and think it’s all going to be secure.”
Once CPA Australia’s leaders had committed to transforming IT—moving customer relationship management (CRM) to a new platform and building a new member portal—Hedges identified identity and access management (IAM) as a foundational step toward that goal.
“We needed to make sure that our APIs and integrations could all support the new world,” he says. As a “core plumbing” technology, IAM would connect everything together and ensure fluid and secure communication throughout the organisation.
Two legacy identity systems
When Hedges joined CPA Australia, he found two worlds: one for members and one for employees.
“On the member front, we had a legacy single sign-on (SSO) platform that had grown organically with our CRM and member platform,” he says. CPA Australia serves members at different stages of their accounting careers, from students just starting work on their CPA designation, to Fellows with 15 or more years of experience.
“They all have different access needs to our website, and there are a lot of different connections to different systems on the backend to make that work,” says Hedges. As the business moved more to the cloud, the team spent an increasing amount of time integrating new platforms, protocols, and standards with legacy systems—and maintaining the whole contraption.
On the employee side, the organisation was using Microsoft Active Directory with Active Directory Federation Services (AD FS), with mixed results. “The employee journey wasn’t always smooth,” says Hedges. “Certain scenarios, such as maternity or paternity leave, or contingent workers, required more manual intervention.”
In addition, he says, “Day One access provisioning was not quite there for anyone.” He found cases of CPA Australia employees waiting three to four weeks to get full access to their work. “I could see there was something missing,” he says. “Access needed to be based on role.”
Having two separate member and employee platforms was inefficient, and also presented cross-platform security and administration obstacles. “Ultimately, it became clear that our homegrown, Microsoft-dependent IAM solution didn’t support the latest developments in the IAM and SSO space,” says Hedges. “Therefore, it didn’t support our digital transformation initiatives.”
Unifying IAM behind strong third-party integrations
In evaluating IAM vendors, the CPA Australia team looked for technology that could play well across the workforce and member ecosystems and found that most providers handled only one of the two well. For example, says Hedges, “Auth0 was great for a developer platform, but not so great for workforce applications.”
It came down to a choice between Okta and Microsoft, representing two distinct technology strategies. “Buying into a native, inwardly focused stack where the value is captured in building everything within one platform—that didn’t fit well with the nimbleness that we needed,” he says.
The Okta Integration Network was a strong selling point. “Okta was a better fit for strong integrations and strong partnerships with other technologies,” says Hedges. “We could have confidence that Okta was focused on third-party integrations, not on building stuff internally and locking customers in.”
Balancing increased security with a seamless employee experience
When it came to the question of balancing increased security for employees and members with a seamless user experience, the CPA Australia leadership team saw an advantage in Okta’s leadership in and laser focus on the identity space.
It was a new approach for the organisation as a whole, however. “We were working through natural resistance and bias, and previous experiences with other things, so it was important to get things right,” says Hedges. “Phase One of our Okta implementation was about cutting our teeth on the technology and deciding on a set of applications we wanted to move to.”
To make sure it went smoothly, the team partnered with Okta Professional Services. Together, they decided to begin CPA Australia’s implementation with employee identity, replacing AD and AD FS with Okta Single Sign-On, Okta Lifecycle Management, Okta Universal Directory, and Okta Multi-Factor Authentication (MFA).
To secure the workforce, the team focused on integrating collaboration applications with their Okta Identity Cloud. Office 365 was important, as well as WebEx, Zoom, the company’s CRM, and several other business applications. Hedges wanted to make sure the organisation’s security platforms were behind MFA, so they also included Cisco SDWAN technologies, Mimecast, Rapid7, and CrowdStrike. To date, they have integrated ServiceNow, the company’s travel system, APIs, and their Content Delivery Network provider.
The team also introduced SAP SuccessFactors as a source for employee profile management, to initiate the transition away from AD. Using Okta’s pre-built integration with SuccessFactors, they brought CPA Australia’s HR and IT systems together. Now, employee profiles are maintained in Universal Directory and HR changes are reflected automatically in IT processes.
That integration helps smooth and automate employee onboarding and offboarding. “People are being put into groups and getting access to things more quickly than they did before,” says Hedges. They also have easier, more secure access to HR services and information.
Reduced risk in an era of remote work
CPA Australia purchased Okta in early 2020, and Melbourne went into lockdown because of the Covid-19 pandemic in March. “A large proportion of our staff had to suddenly pivot to working from home,” says Hedges.
The organisation rolled out Microsoft Teams to help everyone share files and communicate, but on top of this significant change in work platforms and processes, Hedges was aware of heightened threat factors. “Our threat intelligence feeds showed that hacking groups in Australia were increasing significantly,” he says. “There was a real risk profile developing.”
The team went live with Okta in July for all 700 CPA Australia employees, with a strengthened MFA policy for remote workers, and people adapted easily. “We anticipated a lot of support calls, and we didn’t get them,” he says.
“MFA was really important for us, for protecting Office 365 and our core collaboration platforms,” says Hedges. “Here’s an analogy, it’s like when somebody first decided that we needed doors. Prior to this there were huts and caves that didn’t have doors, and then someone woke up and said, ‘We need a door for security.’ At first, I’m sure people thought ‘This is inconveniencing me, this whole opening and closing doors business.’ But now, of course we don’t even think about it. We instinctively know what we need to do to secure our house, it has become ingrained, and we don’t even think about it.”
The strategy of putting identity at the centre of security meant that the organisation was ahead of the game when the pandemic hit, says Hedges. “With secure remote access technology and the ability to authenticate with Okta and use MFA, I can be really comfortable that we’re reducing the risk of account compromise.”
Building on Phase One success
By all accounts, Phase One has been a success and the team has moved on to Phase Two—integrating more employee applications onto CPA Australia’s identity platform. Hedges reports a 98% Okta adoption rate, with 12 applications integrated so far.
Business teams at CPA Australia increasingly recognise the value of the new identity strategy and request Okta trainings. “One admin was a die-hard Microsoft fan, and I had to almost drag him to an Okta training. Then, he did a complete 180 degrees,” says Hedges. “We’ve had some great A-ha! moments.”
As part of Phase Two, the team will continue their transition from legacy technology to the cloud, maintaining both environments for a time.
Coming soon for members: Enhanced usability + increased security
In the meantime, Phase Three is getting underway, to bring CPA Australia members into the Okta identity fold. The team is building a new website portal using Okta customer identity products, including Okta API Access Management, Okta Authentication, Okta Authorization, Okta User Management, and Okta MFA.
“Work on preparing our customer Okta environment is now in progress,” says Hedges. He expects the new portal to be ready for rollout in 2021, serving some 720,000 annual active user authentication requests. “Once that’s completed, we can start leveraging technologies, such as passwordless authentication, voice-assisted self-service, and federation with social platforms, such as LinkedIn. I’m really excited about what these features will do to enable greater customer personalisation for our members,” he says. “We like to look after our members who don’t log in frequently and often forget their passwords.” He looks forward to implementing features that make the experience easier for them to navigate.
Hedges says the new member portal will enhance the user experience, while also increasing member confidence in the safety of their private data. He plans to collaborate with the business and member experience teams to use customer control groups, to gather immediate feedback as the team rolls out new features and functionality.
Benefits that extend in all directions
From a business perspective, Hedges foresees considerable benefits from gleaning insights into when and how members log on to the platform. Through holistic analysis of information such as login location, geography, and browser, CPA Australia business managers will be able to understand better how to serve and communicate with members.
On the security administration side, he says his team already sees benefits from gaining deeper visibility into activity on CPA Australia’s IT systems. “We now have Okta events plumbed into our security monitoring platforms, so we can see when people are logging into different systems, not limited to just the Microsoft stack,” he says. “We can start to get richer security insights and troubleshoot much more effectively.”
CPA Australia’s Board of Directors has been following Hedges’ progress closely. “Our board has a keen interest in cyber risk, and is very supportive of cybersecurity initiatives. At our cybersecurity update to the board this summer, we were able to demonstrate how we are addressing previous gaps,” he says. “There’s still work to be done, but they have present confidence that we’re on the right track.”
As Hedges’ team moves CPA Australia toward a more secure, digital, and user-friendly future, they appreciate the partnership that the Okta Customer Success team brings to the table. “It’s comforting to know that, as issues come up, we’re able to talk freely and transparently, share the many wins as well as the occasional losses, and work together to get this done,” says Hedges.