Norwegian Refugee Council Safely Expands Its Reach With Okta
incentive workers and 7,700 employees
countries with active operations
in employee productivity and IT cost savings annually with SSO and password self-reset
saved per year by eliminating legacy VPN
IT hours saved per year due to automated provisioning/deprovisioning
- Aid, interrupted
- Partners in action
- Prioritising identity
- A Zero Trust approach
- Closer to the cloud
- A streamlined workflow
The Norwegian Refugee Council (NRC), an organisation that aids--and often employs-- people who have been forced to flee their homes due to war and conflict. This work often takes place in harder-to-reach communities. Legislation challenges, limited connectivity, and a large provisioning workload hindered NRC’s ability to provide aid most effectively.
The Norwegian Refugee Council joined NetHope, a group that provides non-profit organisations with opportunities to share knowledge and collaborate with their peers and community-minded tech companies.
NRC placed the Okta Identity Cloud at the core of its infrastructure, allowing it to adopt and provide easy access to new cloud-based apps, as well as integrate with existing on-prem solutions. By implementing Okta Multi-Factor Authentication, users can avoid going through a VPN, which increases workers’ productivity and keeps them secure despite limited bandwidth requirements in many remote locations.
This solution is part of a new Zero Trust strategy that puts emphasis on securing people and data, instead of a network perimeter. A strong, granular approach to security is particularly important for NRC because the people it serves are already vulnerable, and their data is highly sensitive. By deploying Multi-Factor Authentication, NRC increased security and simplified user access to apps.
NRC also partnered with Okta on another initiative: integrating VMware Workspace ONE with Okta. This project will strengthen the organisation’s Zero Trust framework by providing it with: increased visibility into the devices being utilised in the field; the ability to help employees requesting access from new devices; and actionability to make fine-grained access policies and decisions.
Ultimately, NRC plans to completely eliminate its on-premises technology by sunsetting Active Directory in favour of Okta’s Universal Directory. By implementing Universal Directory as its identity master, NRC will stretch its budget farther by saving on maintenance and licensing costs, as well as costs related to provisioning and other labour-intensive IT tasks.
Amplifying impact with modern IT
Like many nonprofits, the Norwegian Refugee Council operates with a limited budget, a small IT team, and sprawling workforce that includes a lot of remote employees and volunteers. Since NRC often hires the same displaced people it aims to assist, many are temporary workers. All of these factors, combined with government restrictions and the technology challenges that arise when working in the far corners of the world, make it difficult to communicate effectively and provide widespread humanitarian aid. After modernising its IT infrastructure--a process that included embracing a Zero Trust security strategy and placing the Okta Identity Cloud at the core of its new framework--NRC is able to help more people than ever before.
When our staff works on a crisis, wherever they are in the world, having seamless and secure access to our applications is fundamental for communications, for quick decision-making, and, ultimately, for doing the work that we do every day. An interruption can mean you're offline for half a day, and that can really delay aid and operations.
Pietro Galli, Head of ICT at Norwegian Refugee Council
- Simplified access for workers
- Increased security without the use of a VPN
- Cost savings due to Okta for Good discounts and expertise
- 2,000 hours saved in IT maintenance
- Automated provisioning and Day 1 access for workers
- $135k and 8,940 hours saved per year by reducing infrastructure outages
- Access to affordable technology partners
- Identity solution that transitions well from hybrid to cloud-only infrastructure
- $232k and 5,960 hours in IT cost savings with automated provisioning
- Reduced IAM outages, saving 8,940 hours and $135k in IT cost savings annually
- Fewer password resets, saving a combined total of $121k in employee productivity and IT cost savings annually
Reaching across borders
There are more displaced people in the world than ever before. Persecution, armed conflict, and natural disasters have forced more than 70.8 million people away from their homes and into extreme hardship. The Norweigan Refugee Council (NRC) is one of the non-governmental organisations offering humanitarian aid to this growing population. With a workforce of almost 7,000 incentive workers and over 7,000 employees, NRC currently works in 32 countries, including Syria, Iraq, Colombia, South Sudan, and the Central African Republic. NRC’s incentive workers are often displaced people themselves, or people who live in the local community.
“The bulk of our work is direct aid,” says Pietro Galli, NRC’s Head of ICT. “We provide food assistance, education, shelter, information, counselling, legal assistance, camp management and clean water.” In 2018 alone, NRC assisted close to 9 million people in need but, with displaced populations at an all-time high and in a world that’s becoming increasingly turbulent, the organisation is driven to help more people--and to offer aid in places other non-profits are unable to reach.
This can be an incredibly difficult task, especially since NRC focuses on people fleeing from conflict. “Staff members have been kidnapped,” says Galli. “We’re working amid bombing raids in Yemen, and in countries such as the Central African Republic where aid workers have been killed. These situations are chronic, and often get worse over time.”
Of course, technology plays an important role in achieving this goal, but NRC was struggling to increase agility and security, while juggling costs and logistical challenges that can be associated with major modernisation projects.
“NRC, like many other nonprofit organisations, comes from 60 or 70 years of work, and technology is definitely a new part of the way we do business,” says Galli. “We are a non-profit and the bottom line is that every dollar possible has to go to our beneficiaries. Most technology companies build for the cloud and build for the connected world. But we operate in places where that is not a given.”
Simply put, it can be difficult and expensive to deploy modern technologies in remote areas with significant political and geographic barriers.
Internet connectivity is often a significant issue, especially with so many people working in the field. “We have areas where you may be offline for several days while you're providing aid,” says Galli. “You can only sync up to the cloud once a week, when you come back to the office.”
This is part of a larger issue: because the roles and restrictions within NRC’s massive, scattered workforce are so varied, it’s difficult to provide field workers with communication options and standard IT tools that meet everyone’s needs.
The organisation is intensely aware of the urgent need to protect data, especially since parties to the conflict sometimes target people NRC is helping. “When you’re dealing with the identities and data of people who have been forced to flee a war or a regime, that information is not just core to our work—it’s also core to their well-being and survival,” says Galli. “Therefore, that's one of our biggest concerns; how do we safeguard that information in the long-term?”
Finding new partners
When Galli started at NRC, the organisation was already trying to solve some of its common issues with technology, but unfortunately, the efforts were unsustainable. “We were trying to solve our challenges with a lot of hardware,” he says. “With the idea that we could create a safe environment where everybody from anywhere in the world, NRC-wise, would connect. It was extremely expensive and difficult to maintain, so we finally came to terms with that, and dropped it.”
At the time, the organisation’s technology landscape was primarily on-premise, and included a data centre, an enterprise resource planning system, Active Directory, Exchange, SharePoint, a basic multi-factor authentication solution and an email client.
“Our legacy solutions didn't fit the IT landscape we saw emerging,” says Mads Grandt, Global ICT Advisor. “We needed to figure out how to transition to the cloud while still retaining our on-prem environment. We were so embedded in it that we couldn’t cut the cord overnight, so we needed to find something that could do both for a long period of time.”
NRC joined NetHope, a collaborative organisation that brings non-profits and tech companies together in an effort to improve programs, mitigate risks, and share information. In 2017, NetHope also established the Centre for the Digital Nonprofit, with Okta as one of its two founding sponsors, to enable digital transformation in the non-profit sector.
As a non-profit, NRC is limited by a stringent budget, and so technology projects can be difficult to justify. NetHope, however, gave NRC access to tech companies that are already predisposed to supporting the work of the organisation.
“We're not just talking discounts, but also solutions that are specific to the areas and environments we work in,” says Galli. “The companies that help us succeed are the ones that tailor their products to our environments and our needs.”
The collaborative opportunities offered by the Center for the Digital Nonprofit help, too. “We use the tools that the centre puts out there to assess our status versus our peers, and also compare standards,” says Galli. “When our leadership sees what others are doing, it resonates in a different manner, as opposed to us just saying ‘we need this, we need that.’”
After joining NetHope, NRC gained useful tools and collaborative support for modernising its IT infrastructure.
“NetHope has really been a force multiplier for our technology journey,” says Galli. “We’ve met peers who have the same challenges as us. We’ve benefitted from our exchanges with these colleagues, and we’ve built on each others' learnings and failures.”
To help field workers and office-based employees work more effectively, NRC needed an identity solution that could reduce friction and secure access to both cloud and on-prem solutions.
“We need to be sure that our users are who they say they are, so we can grant access to the systems and information they need to fulfil their roles,” says Grandt. “Everything revolves around identity.”
Ultimately, the organisation chose Okta, another NetHope member, for a number of reasons. NRC liked Okta’s lightweight, secure platform. Because it was able to access the benefits of Okta for Good, a program that provides non-profit organisations with deeply discounted products and training, Okta’s solutions were also cost-effective.
Okta also introduced NRC to Cloudworks, an advisory company specialising in cloud-enabled business and technology solutions. This valuable connection, and Okta’s willingness to invest a significant amount of effort into ensuring NRC would be successful, were also significant factors in NRCs decision to purchase Okta.
“We were able to run the proof-of-concept on a large scale that would support a hybrid environment, with only a little effort from us,” says Grandt. “With the limited resources we have available to run IT, that was key.”
The proof-of-concept was successful, and NRC selected Okta for Single Sign-On (SSO), Universal Directory, Lifecycle Management, and Multi-Factor Authentication (MFA). It also started a migration to Office 365 and adopted a number of other SaaS apps, including Workplace by Facebook, Zendesk, and Kaya.
Within just a couple of months, NRC successfully rolled out its new environment to 1,200 field workers.
No more roadblocks
Once this new infrastructure was put in place, field workers were able to easily access all of their core apps easily, without compromising security. They simply had to sign on to the Okta SSO dashboard to access cloud apps like Workplace by Facebook as well as on-prem tools such as Unit4 Agresso and Citrix. With Multi-Factor Authentication in place, they also avoided the hassle of dealing with a VPN, saving NRC in $324k in related IT costs annually.
“When we had a VPN, we spent around 2,000 hours maintaining the environment. We don't need to do that anymore,” says Grandt. “There's no VPN software that fails on the clients, so our staff members have one less hurdle to overcome when they opt to connect to our systems. I think that's a great benefit.”
Okta’s zero-downtime architecture has also significantly improved the stability of NRCs IT infrastructure. NRC has been able to completely eliminate identity-related system outages since deploying Okta, saving the organisation over $135K and 8,940 hours per year in lost employee productivity. That’s a significant amount of time that could be redirected to more strategic projects.
Workers were also delighted by the fact that they only had to remember one password. “I think that's our saviour,” says Grandt. “With all of this, we’ve been able to give them a fair password policy.”
With SSO in place, employees no longer have to wait for IT to reset their passwords. Instead, they simply reset their own passwords and carry on with their workday. Meanwhile, NRC’s lean IT team reduced the time it spends handling password resets by 2,235 hours per year. Overall, this reduction in password resets now saves $87k in IT costs and $34k in employee productivity annually.
For Galli, improving access management was mission critical. “When our staff is working on a crisis, having seamless and secure access to our applications is fundamental for communications, for quick decision-making and, ultimately, for doing the work we do every day.”
By automating provisioning with Lifecycle Management, the organisation has saved the IT costs of over $230K (5,960 hours) per year related to manual onboarding and offboarding. It’s a huge benefit for field workers, who no longer have to wait for access when they join the organisation. And when they leave, access is automatically revoked, which significantly reduces the likelihood of a security breach.
“Now, we can provision applications almost at a click, as opposed to what we used to do, which was a headache,” says Galli. “With this change, the speed of provisioning, the speed of deployment has changed. We’re able to roll out new applications much faster.”
Checks and balances
During the Okta deployment, NRC began laying the groundwork for a Zero Trust security strategy. “We're now operating in an environment where it's not about securing an office or our data centre,” says Galli. “The security is actually on the information. Therefore, it’s increasingly important to know who is accessing what, and when.”
MFA was an important component of this process. While connectivity will continue to be a challenge, NRC was able to offer employees a choice of factors to use, depending on the situation. Office workers often use Okta Verify, while field workers tend to rely heavily on SMS.
“We can apply different factors to different contexts,” says Grandt. “If we don't have cellular networks or our staff don't have phones, various sets of MFA factors allow us to work around those challenges.” This granular security approach allows NRC to apply heavier security in more vulnerable scenarios, while minimising the legwork required by users working in safer areas or accessing apps without sensitive data.
It also became much easier for NRC to monitor access. “If we suspect that there's foul play happening, we can then check the Okta logs to get a quick overview, to see if there are any hints,” says Grandt. “If we do see something, we can quickly move on and look at different logs in other applications. That's very helpful.”
NRC’s employees appreciate this increased visibility as well. “It's difficult to impersonate them and their roles,” says Grandt. “We protect their integrity and lower the risk of being wrongly accused. We’re not only protecting our own data and access, but also our staff members.”
Galli is looking forward to watching NRC’s Zero Trust strategy evolve. “As NRC continues its migration from the hybrid state into cloud, Zero Trust is how we’ll control access to cloud data in a secure, controllable manner,” he says.
Although NRC has now achieved its goal of building a new hybrid infrastructure around a strong identity solution, the organisation hasn’t stopped there. In 2018, NRC released a new strategy that includes a digital transformation that will address NRC’s remaining infrastructure and connectivity issues, while working towards a cloud-only environment.
“Partnering with technology companies like Okta, working through forums like NetHope, really helps us drive our digital transformation forward,” says Galli. “At speed, at scale. And collectively, we can impact the needs of the people we're trying to serve better and faster. We believe this partnership is the way to go and we are committed to it.”
Recently, NRC took another step forward in its new cloud-only strategy by eliminating Citrix, and moving SharePoint and its ERP system to the cloud.
“Active Directory won’t be a part of the picture anymore. We would very much like to make the human resource management (HRM) system much more influential as an identity master,” says Grandt. “We’d also like to set up a partner portal for our third-parties and consultants so they can self-onboard their contractors without NRC IT necessarily doing all the approvals and setup.”
Once the organisation sunsets Active Directory, plus ADFS, DirSync and SP Gateways, NRC expects to save an additional $171K per year.
Going granular with VMware
As NRC continues its transformation, the organisation continues to work closely with Okta. “It's very valuable to have a partner like Okta,” he says. “Anyone will sell you stuff, but not everyone will be your friend. I think that is true for NRC and Okta—we are beyond business; we are working as friends and partners to try to understand and solve common problems.”
In fact, Okta and NRC have already started on their next project. With the help of Okta for Good, NRC is in the initial phases of integrating Okta with VMware Workspace ONE. “It will let us combine what we know about user identity in Okta with what we know about the device from the VMware space,” says Grandt. “With that, we can granulate the level of access and what you can do with your access. That is what we would like to achieve.”
By adding granular device security to its overall strategy, NRC is taking another big step on the path to a mature Zero Trust framework and in turn, increase the organisation’s security and compliance posture. It will also improve the end user experience by introducing new possibilities, passwordless access and secure enrollment on unmanaged devices.
Although Grandt and Galli are always looking ahead, they’ve also taken the time to consider how far they’ve come in just three years.
“We’ve taken a huge leap forward in our operations by implementing Okta,” says Grandt. “With just a few of our own resources applied over time, we’ve moved on from our on-prem-only infrastructure, deployed Okta identity, and added many, many cloud apps. It’s been a tremendous change, and I think we are well-poised to leverage whatever the cloud can bring in the future.”
About Norwegian Refugee Council
The Norwegian Refugee Council (NRC) is an independent humanitarian organisation helping people who have been forced to flee. With operations in over 30 countries, NRC protects displaced people and supports them as they build a new future. The organisation specialises in six areas: food security; education; shelter; legal assistance; camp management; and water, sanitation and hygiene.