Norwegian Refugee Council (NRC) Safely Expands Its Reach With Okta

Reaching across borders

There are more displaced people in the world than ever before. Persecution, armed conflict, and natural disasters have forced more than 70.8 million people away from their homes and into extreme hardship. The Norweigan Refugee Council (NRC) is one of the non-governmental organisations offering humanitarian aid to this growing population. With a workforce of almost 7,000 incentive workers and over 7,000 employees, NRC currently works in 32 countries, including Syria, Iraq, Colombia, South Sudan, and the Central African Republic. NRC’s incentive workers are often displaced people themselves, or people who live in the local community.

“The bulk of our work is direct aid,” says Pietro Galli, NRC’s Head of ICT. “We provide food assistance, education, shelter, information, counselling, legal assistance, camp management and clean water.” In 2018 alone, NRC assisted close to 9 million people in need but, with displaced populations at an all-time high and in a world that’s becoming increasingly turbulent, the organisation is driven to help more people--and to offer aid in places other non-profits are unable to reach.

This can be an incredibly difficult task, especially since NRC focuses on people fleeing from conflict. “Staff members have been kidnapped,” says Galli. “We’re working amid bombing raids in Yemen, and in countries such as the Central African Republic where aid workers have been killed. These situations are chronic, and often get worse over time.”

Of course, technology plays an important role in achieving this goal, but NRC was struggling to increase agility and security, while juggling costs and logistical challenges that can be associated with major modernisation projects.

“NRC, like many other nonprofit organisations, comes from 60 or 70 years of work, and technology is definitely a new part of the way we do business,” says Galli. “We are a non-profit and the bottom line is that every dollar possible has to go to our beneficiaries. Most technology companies build for the cloud and build for the connected world. But we operate in places where that is not a given.”

Simply put, it can be difficult and expensive to deploy modern technologies in remote areas with significant political and geographic barriers.

Internet connectivity is often a significant issue, especially with so many people working in the field. “We have areas where you may be offline for several days while you're providing aid,” says Galli. “You can only sync up to the cloud once a week, when you come back to the office.”

This is part of a larger issue: because the roles and restrictions within NRC’s massive, scattered workforce are so varied, it’s difficult to provide field workers with communication options and standard IT tools that meet everyone’s needs.

The organisation is intensely aware of the urgent need to protect data, especially since parties to the conflict sometimes target people NRC is helping. “When you’re dealing with the identities and data of people who have been forced to flee a war or a regime, that information is not just core to our work—it’s also core to their well-being and survival,” says Galli. “Therefore, that's one of our biggest concerns; how do we safeguard that information in the long-term?”

Finding new partners

When Galli started at NRC, the organisation was already trying to solve some of its common issues with technology, but unfortunately, the efforts were unsustainable. “We were trying to solve our challenges with a lot of hardware,” he says. “With the idea that we could create a safe environment where everybody from anywhere in the world, NRC-wise, would connect. It was extremely expensive and difficult to maintain, so we finally came to terms with that, and dropped it.”

At the time, the organisation’s technology landscape was primarily on-premise, and included a data centre, an enterprise resource planning system, Active Directory, Exchange, SharePoint, a basic multi-factor authentication solution and an email client.

“Our legacy solutions didn't fit the IT landscape we saw emerging,” says Mads Grandt, Global ICT Advisor. “We needed to figure out how to transition to the cloud while still retaining our on-prem environment. We were so embedded in it that we couldn’t cut the cord overnight, so we needed to find something that could do both for a long period of time.”

NRC joined NetHope, a collaborative organisation that brings non-profits and tech companies together in an effort to improve programmes, mitigate risks, and share information. In 2017, NetHope also established the Centre for the Digital Nonprofit, with Okta as one of its two founding sponsors, to enable digital transformation in the non-profit sector.

As a non-profit, NRC is limited by a stringent budget, and so technology projects can be difficult to justify. NetHope, however, gave NRC access to tech companies that are already predisposed to supporting the work of the organisation.

“We're not just talking discounts, but also solutions that are specific to the areas and environments we work in,” says Galli. “The companies that help us succeed are the ones that tailor their products to our environments and our needs.”

The collaborative opportunities offered by the Centre for the Digital Nonprofit help, too. “We use the tools that the centre puts out there to assess our status versus our peers, and also compare standards,” says Galli. “When our leadership sees what others are doing, it resonates in a different manner, as opposed to us just saying ‘we need this, we need that.’”

After joining NetHope, NRC gained useful tools and collaborative support for modernising its IT infrastructure.

“NetHope has really been a force multiplier for our technology journey,” says Galli. “We’ve met peers who have the same challenges as us. We’ve benefitted from our exchanges with these colleagues, and we’ve built on each others' learnings and failures.”

Identity overhaul

To help field workers and office-based employees work more effectively, NRC needed an identity solution that could reduce friction and secure access to both cloud and on-prem solutions.

“We need to be sure that our users are who they say they are, so we can grant access to the systems and information they need to fulfill their roles,” says Grandt. “Everything revolves around identity.”

Ultimately, the organisation chose Okta, another NetHope member, for a number of reasons. NRC liked Okta’s lightweight, secure platform. Because it was able to access the benefits of Okta for Good, a programme that provides non-profit organisations with deeply discounted products and training, Okta’s solutions were also cost-effective.

Okta also introduced NRC to Cloudworks, an advisory company specialising in cloud-enabled business and technology solutions. This valuable connection, and Okta’s willingness to invest a significant amount of effort into ensuring NRC would be successful, were also significant factors in NRCs decision to purchase Okta.

“We were able to run the proof-of-concept on a large scale that would support a hybrid environment, with only a little effort from us,” says Grandt. “With the limited resources we have available to run IT, that was key.”

The proof-of-concept was successful, and NRC selected Okta for Single Sign-On (SSO), Universal Directory, Lifecycle Management, and Multi-Factor Authentication (MFA). It also started a migration to Office 365 and adopted a number of other SaaS apps, including Workplace by Facebook, Zendesk, and Kaya.

Within just a couple of months, NRC successfully rolled out its new environment to 1,200 field workers.

No more roadblocks

Once this new infrastructure was put in place, field workers were able to easily access all of their core apps easily, without compromising security. They simply had to sign on to the Okta SSO dashboard to access cloud apps like Workplace by Facebook as well as on-prem tools such as Unit4 Agresso and Citrix. With Multi-Factor Authentication in place, they also avoided the hassle of dealing with a VPN, saving NRC in $324k in related IT costs annually.

“When we had a VPN, we spent around 2,000 hours maintaining the environment. We don't need to do that anymore,” says Grandt. “There's no VPN software that fails on the clients, so our staff members have one less hurdle to overcome when they opt to connect to our systems. I think that's a great benefit.”

Okta’s zero-downtime architecture has also significantly improved the stability of NRCs IT infrastructure. NRC has been able to completely eliminate identity-related system outages since deploying Okta, saving the organisation over $135K and 8,940 hours per year in lost employee productivity. That’s a significant amount of time that could be redirected to more strategic projects.

Workers were also delighted by the fact that they only had to remember one password. “I think that's our saviour,” says Grandt. “With all of this, we’ve been able to give them a fair password policy.”

With SSO in place, employees no longer have to wait for IT to reset their passwords. Instead, they simply reset their own passwords and carry on with their workday. Meanwhile, NRC’s lean IT team reduced the time it spends handling password resets by 2,235 hours per year. Overall, this reduction in password resets now saves $87k in IT costs and $34k in employee productivity annually.

For Galli, improving access management was mission critical. “When our staff is working on a crisis, having seamless and secure access to our applications is fundamental for communications, for quick decision-making and, ultimately, for doing the work we do every day.”

By automating provisioning with Lifecycle Management, the organisation has saved the IT costs of over $230K (5,960 hours) per year related to manual onboarding and offboarding. It’s a huge benefit for field workers, who no longer have to wait for access when they join the organisation. And when they leave, access is automatically revoked, which significantly reduces the likelihood of a security breach.

“Now, we can provision applications almost at a click, as opposed to what we used to do, which was a headache,” says Galli. “With this change, the speed of provisioning, the speed of deployment has changed. We’re able to roll out new applications much faster.”

Checks and balances

During the Okta deployment, NRC began laying the groundwork for a Zero Trust security strategy. “We're now operating in an environment where it's not about securing an office or our data centre,” says Galli. “The security is actually on the information. Therefore, it’s increasingly important to know who is accessing what, and when.”

MFA was an important component of this process. While connectivity will continue to be a challenge, NRC was able to offer employees a choice of factors to use, depending on the situation. Office workers often use Okta Verify, while field workers tend to rely heavily on SMS.

“We can apply different factors to different contexts,” says Grandt. “If we don't have cellular networks or our staff don't have phones, various sets of MFA factors allow us to work around those challenges.” This granular security approach allows NRC to apply heavier security in more vulnerable scenarios, while minimising the legwork required by users working in safer areas or accessing apps without sensitive data.

It also became much easier for NRC to monitor access. “If we suspect that there's foul play happening, we can then check the Okta logs to get a quick overview, to see if there are any hints,” says Grandt. “If we do see something, we can quickly move on and look at different logs in other applications. That's very helpful.”

NRC’s employees appreciate this increased visibility as well. “It's difficult to impersonate them and their roles,” says Grandt. “We protect their integrity and lower the risk of being wrongly accused. We’re not only protecting our own data and access, but also our staff members.”

Galli is looking forward to watching NRC’s Zero Trust strategy evolve. “As NRC continues its migration from the hybrid state into cloud, Zero Trust is how we’ll control access to cloud data in a secure, controllable manner,” he says.

Facing forward

Although NRC has now achieved its goal of building a new hybrid infrastructure around a strong identity solution, the organisation hasn’t stopped there. In 2018, NRC released a new strategy that includes a digital transformation that will address NRC’s remaining infrastructure and connectivity issues, while working towards a cloud-only environment.

“Partnering with technology companies like Okta, working through forums like NetHope, really helps us drive our digital transformation forward,” says Galli. “At speed, at scale. And collectively, we can impact the needs of the people we're trying to serve better and faster. We believe this partnership is the way to go and we are committed to it.”

Recently, NRC took another step forward in its new cloud-only strategy by eliminating Citrix, and moving SharePoint and its ERP system to the cloud.

“Active Directory won’t be a part of the picture anymore. We would very much like to make the human resource management (HRM) system much more influential as an identity master,” says Grandt. “We’d also like to set up a partner portal for our third-parties and consultants so they can self-onboard their contractors without NRC IT necessarily doing all the approvals and setup.”

Once the organisation sunsets Active Directory, plus ADFS, DirSync and SP Gateways, NRC expects to save an additional $171K per year.

Going granular with VMware

As NRC continues its transformation, the organisation continues to work closely with Okta. “It's very valuable to have a partner like Okta,” he says. “Anyone will sell you stuff, but not everyone will be your friend. I think that is true for NRC and Okta—we are beyond business; we are working as friends and partners to try to understand and solve common problems.”

In fact, Okta and NRC have already started on their next project. With the help of Okta for Good, NRC is in the initial phases of integrating Okta with VMware Workspace ONE. “It will let us combine what we know about user identity in Okta with what we know about the device from the VMware space,” says Grandt. “With that, we can granulate the level of access and what you can do with your access. That is what we would like to achieve.”

By adding granular device security to its overall strategy, NRC is taking another big step on the path to a mature Zero Trust framework and in turn, increase the organisation’s security and compliance posture. It will also improve the end user experience by introducing new possibilities, passwordless access and secure enrolment on unmanaged devices.

Although Grandt and Galli are always looking ahead, they’ve also taken the time to consider how far they’ve come in just three years.

“We’ve taken a huge leap forward in our operations by implementing Okta,” says Grandt. “With just a few of our own resources applied over time, we’ve moved on from our on-prem-only infrastructure, deployed Okta identity, and added many, many cloud apps. It’s been a tremendous change, and I think we are well-poised to leverage whatever the cloud can bring in the future.”

About Norwegian Refugee Council

The Norwegian Refugee Council (NRC) is an independent humanitarian organisation helping people who have been forced to flee. With operations in over 30 countries, NRC protects displaced people and supports them as they build a new future. The organisation specialises in six areas: food security; education; shelter; legal assistance; camp management; and water, sanitation and hygiene.