Arrow: International financial services firm unites teams and strengthens trust with integrated secure solution

13 Active Directory

instances connected by Okta

6 hours

to deploy the Okta agents

“Okta is one of the only ways in which we’re able to control access to, and prevent the unauthorised exfiltration of data from, our Workplace platform; the project would not have received sign-off without it being in place.”

Matthew O’Neill,

Group Information Security Manager, Arrow Global

Highlights

2,500 employees

13 Active Directory instances connected by Okta

6 European countries (including the UK) with an Arrow Global presence

6 hours to deploy the Okta agents

Doing the right thing

At Arrow, trust is everything. The financial services organisation, which comprises multiple brands under its ‘One Arrow’ umbrella, is committed to building and maintaining trust, which extends to all areas of the business, whether that means offering flexible repayment schedules to its customers and protecting their sensitive information.

In addition to debt collection, Arrow also offers capital and asset management services. Most recently, the organisation has embarked on an ambitious new initiative that makes security even more essential - a new investment fund that offers opportunities to corporate investors.

“We've got a core responsibility to do the right thing under all sorts of circumstances, and trust is a massive part of that,” says Matthew O’Neill, Arrow’s UK-based Group Information Security Manager. “In order for creditors, customers, investors, and shareholders to put their faith in us, they've got to be able to trust us - first and foremost. Security is heavily tied to that trust, especially with cyberattacks increasing and a lot of crime moving into the cyberworld.”

A complex business

Arrow’s work is heavily regulated. With businesses based all over the UK - as well as operations in Ireland, Portugal, the Netherlands, Italy, and Albania - meeting all of its regulatory obligations is a critical requirement.

“Obviously, there's a lot of scrutiny from regulators, from our shareholders, and from our clients,” says O'Neill. “There are a lot of requirements, in terms of security and privacy regulations. Across Europe, for instance, we all collectively abide by GDPR regulations; however, each company also has to abide by its own company-specific requirements - PCI-DSS, for example - including region-specific requirements as well.”

Amongst a number of other challenges of having such a large Europe-wide user base, multiple identity access and management solutions across a mixture of on-premises and cloud-based environments had made it extremely challenging to maintain consistent communications across the organisation.

In 2018, Arrow decided to launch a group-wide digital communications transformation project that would make it easier for its employees to communicate and collaborate with one another. “Like most other organisations, everybody is ultimately able to communicate over email or via telephone, however this is extremely difficult without one single and consistently synchronised directory; without that, employees aren’t able to find one another,” says O'Neill. “We also wanted to empower our staff to be able to use other communications mediums that they may feel more comfortable with - particularly ones that would help to alleviate any language barriers.”

Centralising communication

As a part of this initiative, Group CEO Lee Rochford gave the Group Corporate Communications Team a challenging and ambitious task: find a way to create a shared communications and collaboration platform that all Arrow employees would have access to - no matter where they live, where they work, what language they speak, and what device(s) they use.

“The (Group Corporate Communications) Team wanted communications to be run centrally, because that would mean our messaging would be consistent,” says O'Neill. “We could achieve that with a communications platform that offers the same experience for all of our companies and all of our users; that's where Workplace from Facebook came in.”

Not only would Workplace allow Arrow to reach all employees with consistent messaging, it would also allow the organisation to target its communication more effectively, by choosing to send communications to specific companies in the group without inconveniencing other employees with irrelevant messages, for example. The product would also offer opportunities to measure the impact of any messaging that is sent out, as well as to gather feedback from employees through features like polls and surveys.

To allow for relatively free communications and collaboration however, Arrow knew it would need strong security controls in place to protect the platform.   

“Initially, the Team asked what we would need (in terms of security) and whether or not we could go live - as is - with the platform’s standard controls,” says O'Neill. “Unfortunately, bearing in mind both our strict contractual and regulatory obligations with regards to security, these controls were not sufficient in this context, and as such I advised the team that - without any additional controls - we would only be able to use the platform for non-sensitive communications. In its existing form, we wouldn’t be able to discuss sensitive information (via the platform) because we wouldn’t be able to guarantee the integrity and confidentiality - to our required standards - of the information that would be residing there.”

Outside expertise

Arrow decided to partner with Generation Digital, a remote working and digital workplace consultancy company with a mission “to transform how work gets done by helping leaders and their teams adopt digital culture, platforms, and ways of working.”

“Generation Digital helped us to manage the rollout of the Workplace platform,” says O'Neill. “Our account manager kept the project on track, and we’d typically consult with them on each stage of the rollout. They would organise the POCs, and lead negotiations with the external parties, allowing for us to utilise our time to achieve the ambitious implementation schedule that was set out by Lee (Rochford - the Group’s CEO).”

When Arrow needed a Workplace-friendly security solution, Generation Digital made a number of recommendations; one of which included Okta.

“I was already familiar with Okta,” says O'Neill. “I'd attended many Okta conferences, master classes, and expos. My initial gap analysis - in terms of what security controls would be required - had highlighted the need not only for a DLP solution, but also for an IDAM solution that would bring together all of our directories into one, whilst simultaneously providing the complex array of conditional access controls that would be required. For this, we had a discussion with Okta, who provided an overview of their platform. A further analysis of both the platform’s functionality and the security controls that it would provide gave me sufficient comfort to recommend it to the Team.”

Arrow was impressed by the results of O'Neill’s analysis: not only would Okta satisfy its Workplace-specific IDAM requirements, but it could also be used to solve other use cases in the future - providing IDAM functionality for other cloud-based applications, for example.

“What was really impressive about Okta was the two-way sync - to and from Active Directory,” says O'Neill. “It was so easy to do. Essentially, we just needed to install the directory agent and then, as long as the firewall rules were in place and the requisite service account existed, that agent would then sync the data permanently across to Okta, which resides in the cloud. Once that data is populated within the Okta platform, not only could we then sync it to Workplace, but we could also amend any incorrect directory entries, for example, and push these amendments back into the local Active Directory instance(s). That particular functionality, plus the extremely granular conditional access controls, is what sets Okta platform apart from its competitors’ in my opinion.”

This two-way synchronisation feature would potentially help the organisation create consistency across all of its company’s Active Directory instances, regardless of location. “All of our directories could have the same feel, the same information, the same consistent format - without us having to do this from within each AD instance” says O'Neill. “Instead, it could be done centrally, via the single Okta platform.”

The organisation was also impressed by the strength of Okta’s security features.

“Okta is a brilliant platform with regards to security,” says O'Neill. “In addition to leading its technical implementation as well as the creation of its security wraparound, I was also one of the last people to sign off on the Group’s Workplace platform, so I actually had to demo it as part of this process. Specialising in Cyber Threat Management, it’s my job to see threats and vulnerability where others don’t, so I spent the better part of two days trying to break and find ways around the security controls that I'd just built into the Okta platform. Essentially, I needed to identify and remediate any and all attack vectors against the Okta implementation that either an internal or external threat actor could. In the end, Okta’s security features were integral to the comfort of knowing that the Workplace platform was secure enough to sign off on.”

Graham Mackay, CEO at Generation Digital added, “More than ever, clients like Arrow Global need world-class, secure remote working solutions that can only be built by integrating ‘best of breed’ software apps. It was a privilege to partner with Okta, Workplace and Netskope to help support Arrow in building this solution.”

A successful and speedy deployment

Workplace presented a unique challenge: it can integrate only with one Identity Provider, something that is extremely difficult to do when both the environment and security requirement is as complex as Arrow’s.

At Generation Digital’s suggestion, Arrow purchased Okta Cloud Connect, a product that uses the Okta agent to protect a single application (in this case, Workplace) via a single Active Directory integration. With Okta Cloud Connect, Arrow’s Workplace implementation benefits from three Okta products: Universal DirectorySingle Sign-On, and Lifecycle Management.

Arrow first rolled out Workplace, region by region, beginning with the UK and Ireland. The Okta deployment was simple - the team simply needed to install the Okta agent and ensure the correct firewall rules were in place before they got started. 

“Okta gives some great guidance on its support site,” says O'Neill. “We installed the agent, which started syncing to Okta, and as soon as we started syncing, we set up the security rules that were configured in accordance with our specific requirements. Once the data was in the platform, and the rules were configured and tested, we were pretty much done deploying Okta to the UK. Although the security configuration took a number of days to actually finalise, bearing in mind our low appetite for risk, the actual deployment of each Okta agent took around 30 minutes.”

Since the first deployment back in early 2019, Arrow’s Workplace Implementation Team - led by O'Neill, with support from Andrew Mallin (Technical Project Manager and Infrastructure Architect) as well as the local IT teams - the company has successfully deployed its Workplace platform across the Group. “For the Okta implementation, we synced each of the company’s Active Directories up to Okta, whether on-premise or in the cloud - through Azure AD, for example. Then, because the directory information was synced to Okta, we were able to sync that information to Workplace and activate our users. That's how users are able to log on, and that's how we're able to control the flow of security into the platform. Without Okta, the platform simply isn't secure enough to satisfy our strict and demanding security requirements.”

Security boost

When Arrow began implementing its Workforce security strategy, it focused on two main concerns. The first concern was the unauthorised exfiltration and infiltration of data; the organisation wanted to be able to control the information that flowed out to employees, as well as to protect the platform from unauthorized users.

“The second concern related to data policing,” says O'Neill. “For example, we wanted to ensure that there were no payment card details on there. We also wanted to allow specific users to upload certain types of file formats to the platform, while controlling other users’ ability to download them. We want those files to remain on the platform.”

Arrow took a multi-faceted approach to tackling these concerns. Some aspects of the strategy were policy-based - for example, O'Neill developed Workforce-specific acceptable usage and security policies, establishing expectations and guidelines upfront. Other security components were technical - built right into the environment, in what O'Neill refers to as its security ‘wraparound’.

Okta Multi-Factor Authentication (MFA) plays a significant role in managing access to the platform. Arrow’s Okta administrators are required to enter a second factor in order to use their administrator privileges, while some users are restricted by other policies, like the one that prohibits them from logging in when they’re off-network.

“If you’re a high-risk user with access to a lot of sensitive information, we require a lot more in terms of authentication when you request access,” says O'Neill. “If you’re a low-risk user however, you’ll be lower down on the policy list. The tailoring of Okta’s security controls is really only limited to a combination of your ability and desire to configure them. Security has a direct impact on usability - typically, the more security controls you put in place, the more this impacts on both usability and (in turn) productivity. I was pleased to find however, that Okta could actually be tailored in a way that didn’t really impact on my ability to restrict access to the platform; that was particularly impressive.”

Initially, to protect remote workers, Arrow implemented a key-based system. “We wanted our users to be able to log in to the platform when residing outside of the corporate WAN - when offline using their GSM connections, for example - but only as long as they were using a corporate device,” says O'Neill. “We already secure these devices using Mobile Device Management controls, and so were able to use management keys - ingrained directly into the configuration of Okta - to ensure that users could only access Workplace via an MDM-distributed version of the Okta Mobile app; this effectively restricted access to corporate-only devices. Later - due to the COVID-19 pandemic - we wanted to open-up Workplace to personal devices, and so Okta’s conditional access controls were key to ensuring this could be done in a safe and secure manner - in line with the company’s information security and acceptable usage policies.”

In what formed part of his 5-layer strength-in-depth security wraparound of Workplace, O'Neill also opted to deploy the Netskope CASB to protect the platform’s content and data. Netskope is already built into Workplace via an API integration, so if unapproved content ends up on the platform, it is able to be removed within minutes. O'Neill also arranged to have Netskope’s Endpoint Agent installed onto corporate devices; this screens for approval before it will allow the user to upload data to, or download it from, within Workforce. Netskope’s Reverse Proxy, which allows employees to use personal devices securely, completed this security wraparound.

“Netskope essentially controls the risk of things like data loss and profanity,” says O'Neill. “And Okta is there to control access. Imagine the platform with 5 bands around it: the Workplace-specific AUP is band 1 - our overarching administrative control; Okta is band 2 - the first of five technical controls; and finally the three Netskope layers - Endpoint Agent > Reverse Proxy > API integration - complete our multi-faceted approach to security. An unauthorized user would have to essentially break through each of those bands to gain access; I designed the platform’s security implementation specifically with security redundancy in mind. Generation Digital commented that ours was the most comprehensively secure implementation of Workplace they'd seen - the ‘gold standard’, they noted. Bearing in mind the number of implementations that they will have seen and been involved with, this was a huge compliment, and one that we were particularly proud of.”

Increased consistency and visibility

With all of these security measures in place, Arrow is also benefiting from increased visibility, including an ability to detect and prevent users who are logging in from unapproved regions, or via multiple locations simultaneously.

“Without Okta, we wouldn't have had any idea who was logging onto, and using the platform,” says O'Neill. “We’d have serious security concerns. Thankfully, security was put in place from the start - and not just retroactively fitted - so we're in a very good position. We wouldn't have had the confidence to launch the platform had it not been for Okta. Neither myself nor our Group CISO (Gareth Neal) would have signed off on our Workplace platform without it.”

Simple access, seamless presentation

Okta Single Sign-On (SSO) plays a significant role in creating a frictionless user experience that makes it easy to keep employees productive. Now, they just need to click on their website link and they’re routed through to a dashboard that provides them with everything they need, all in one place - even when they’re working from home.

“The value of a seamless user access experience is huge,” says O'Neill. “Our users barely even know that Okta is there. If we need to, we can even amend our users’ information in the background - on the fly - or add additional security features… and they won’t even notice the change.”

Okta has also increased productivity, with one of the major benefits of Okta being its ability to export group-wide directory information. Previously, Arrow would have needed to amend users manually - directory by directory - but now it’s able to use API scripts through Postman to automate these tasks within the single Okta instance. These changes can then be pushed back to the respective AD instance(s). The organisation can also do everything from changing directory information to adding new details to user accounts - quickly and easily.

Learning how to use Okta was simple. “I had never worked with Okta before, but the platform is so easy to use,” says O'Neill. “I went from being a novice to being pretty comfortable with using the platform in no time at all. Now, I’m the Group’s subject matter expert on Okta.”

Looking forward to the long-term 

Throughout the entire implementation process, Arrow focused on developing long-term relationships with like-minded partners. Together, all of the companies involved - Arrow Global, Okta, Workplace, Generation Digital, and Netskope - have invested a lot of time and effort into working collaboratively towards Arrow’s larger goal of building a more connected ‘One Arrow’ workforce.

“Okta’s support has been really good,” says O'Neill. “I’ve spoken to its support agents via both the digital support platform and via telephone. They've always been happy to offer us professional services when we needed something that went beyond the initial support that we got. Michael Alexander, our Okta Account Executive, has been extremely supportive as well; he understood the time constraints of the project and helped us to get everything over the line very quickly.”

Arrow is incredibly pleased with Generation Digital, as well. “They worked really hard to help us keep the project on track,” says O'Neill. “GenD had already been through the process many times before, and so they were able to make suggestions that we might not have otherwise considered. Also, being able to task them with things on our behalf - negotiations with vendors, for example - freed up the internal Workplace Implementation Team to be able to actually implement the platform across our Group”. 

With the COVID-19 pandemic forcing many employees to work from home, the Workforce initiative is also paying off in ways that Arrow could never have predicted. In a recent press release, Arrow’s chief executive officer Lee Rochford says, “I’m delighted that Workplace has been rolled out across all of the Arrow Global Group, making us truly One Arrow. The platform has helped to transform the way colleagues communicate and engage across the business, which has been vital during these unprecedented times.”

About Arrow Global Group PLC

Arrow identifies, acquires and manages secured and unsecured loan and real estate portfolios from and on behalf of financial institutions, such as banks, institutional fund investors and specialist lenders. Arrow is a regulated business in all its European markets, managing over GBP 50.0 billion of assets across five geographies with over 2,500 employees.

About Generation Digital

Generation Digital is a remote working and digital workplace consultancy on a mission to transform how work gets done by helping leaders and their teams adopt digital culture, platforms, and ways of working. Working in partnership with world-leading technology companies like Facebook, Netskope, and Okta, we build work and remote working collaboration solutions for leading brands including Arrow Global, Colgate, ED&F Man, Heathrow, HSBC, Metropolitan Police, Royal Mail, TOG, Tui Group and United Utilities. For more information, visit www.gend.co.

Continue your Identity journey

Get hands on with the free trial today, or get in touch with our team to discuss your unique needs.