Unique work with unique requirements
While they have to operate in wider areas than the private sector, councils often have to deal with more restrictions. Thanet, for example, has a hybridised IT system, in which it is in control of some of the platforms it uses while also sharing core services, such as a Human Resources platform and Information and Communication Technology (ICT) systems, with two neighbouring councils.
This means that Thanet District Council’s technological requirements are unique, requiring bespoke solutions and workarounds. Joe and his team had previously made good headway implementing cloud-based services like Google Workspace and Citrix, which helped workers to become more efficient. But with 90 applications in use and the need to integrate with shared HR and ICT platforms, simply accessing these applications was becoming harder and harder for workers.
Users had to maintain a multitude of passwords and often had to deal with outdated, needlessly restrictive identity management. One application asked users to generate alphanumeric, mixed case passwords of 14 characters, and then remember the position of individual characters. In order to log in, users would be asked to input, for example, the 5th, 7th and 12th characters of their password. The friction actually led to bad security practices, just so that people could access the tools they needed. Password resets were a huge burden, with 90 apps and therefore 90 complex passwords to reset across 400 users. Each reset took on average 15 minutes of IT time, taking up as much as 4,500 hours a year or roughly £100k of cost. “It was a nightmare. People were either constantly resetting their passwords or writing them down in ‘password books’,” says Joe.
The situation was made even more acute when the pandemic forced Thanet District Council staff to work remotely. While the move to SaaS applications actually made the transition much easier for the council, the environment was not all it could be. Council workers were logging in via RSA-based physical tokens and still having problems finding the right password and username. Each council worker was doing two Multi-Factor Authentication (MFA) prompts a day with their hard token, taking roughly one minute to do each time. This added up, taking up as much as 3,333 hours of workforce time a year across the council. These also needed to be resynched every month and had minimum orders of 100, making them a huge administrative and cost burden for the IT team.“I just felt there had to be a better way of doing things,” says Joe. “We had this big drive to move to the cloud but we were being slowed down on the identity and access side of things.”
Okta's Adaptive MFA removed roughly two thirds of those prompts due to contextual access management, and of the remaining third, these took a few seconds to do with a push notification. Thanet Council was able to reduce the MFA burden to their employees from 3,333 hours by 3,220 hours a year that was worth roughly £90,000 of resource time.
Overcoming roadblocks with identity and access management
Joe and his team evaluated some of the leading providers of identity and access management platforms, but only Okta had the complete package for Thanet District Council.
“Okta felt like the right choice for us from day one,” says Joe. “It comes with tonnes of app integrations right out of the box and it looked and felt rock solid in terms of security. We also love the ethos that Okta has of continually releasing feature upgrades and improvements.”
As a test of Okta’s ease of use, Joe set up a trial environment to see how it would run without any help from the wider IT department. “I just wanted to see what I could do on my own,” he explains. “If it needs a whole lot of training to do basic things like add users or add applications, then it’s never going to work for us. As it was, I managed to get a lot of it up and running before we’d even bought the solution!”
Initially, Joe and his team planned to take advantage of Okta’s huge range of pre-built integrations, but quickly realised that they could also quickly and easily build their own for those apps Okta hadn’t already added to its market leading Integration Network. That way, they could adapt Okta around the unique requirements of each application. “It was all very quick for us. We didn’t take more than 20 minutes setting up the integrations for each custom app,” says Joe. “Some we did in seconds.”
One unique aspect of Thanet District Council’s IT system is that it has different standards to adhere to depending on whether it fully owns the platform or is sharing it with other councils. For example, due to the wider ICT protocols, some applications can only be accessed via Citrix virtual desktops or Google Workspace.
To accommodate these restrictions without hampering the user experience, Joe and his team deployed an innovative way of combining Okta’s Universal Directory and Lifecycle Management (LCM) with the existing directories. This way, they could gain a complete and up-to-date picture of the identity and access landscape as well as automating key processes like provisioning and de-provisioning employees without disrupting their partners in other councils.
Thanet Council has integrated three apps with LCM, they were all part of Okta's pre-built Okta Integration Network. These pre-built connectors saved the council roughly one to three months of resource cost per app of integration time. Automating Lifecycle Management for just these three core apps has saved 120 hours a year of IT effort across joiners, movers and leavers. Thanet Council has the ambition to bring more apps onto Okta and further reduce their manual provisioning costs.
And, it’s not just the existing employees who have benefitted from Okta. Previously, new hires had to request access for each individual application they needed and it would be about two weeks before they were fully up and running. This represented a huge amount of time an employee might be waiting for an app. Waiting two weeks to attain full productivity represented 4,800 hours of unproductive time across the council. With automatic provisioning on Okta, they are set up with the tools they need as soon as they start. “If the applications they want are on Okta, then we don’t touch it,” says Joe. “It’s all there for them. At most, we spend a couple of minutes just making sure they’ve got what they need.”
Okta’s Single Sign-On solution has been key for Thanet District Council workers who can now access 70 applications with a single username and password, reducing friction. Meanwhile using Okta’s Adaptive Multi-factor Authentication (MFA) means that connections stay secure whatever devices are being used, helping the council to move closer to adopting a zero trust model of security.
Saving time and improving security with Okta
Prior to going live with Okta, the Digital Transformation team sent out a series of internal emails and newsletters informing council workers of the new identity platform. Realising that overstretched staff had very little time to read detailed IT instructions, Joe demonstrated the simplicity of Okta’s platform with a series of simple before and after GIFs. The response was dramatic.
“When we went live, joining the platform was voluntary. We were shocked when nearly half the workforce signed up in the first week,” he says.
Less than a year later, around 90% of Thanet’s 400 employees have chosen to sign up with Okta.
“There’s usually a compromise,” says Joe. “When you make things more useable, you tend to lower the security. But with Single Sign-On and Adaptive MFA, we’ve managed to find that balance. Our security practices are so much better than they were before.”
Adapting to and overcoming new challenges with new solutions
The impact all of this has had on workers has been profound. As well as maintaining standards, moving to Okta has helped them expand on the work they do to help the people of Thanet. “I think it’s made them more comfortable with the full range of technological tools we have,” explains Joe. “We love getting feedback from customers but in the past we sent them PDFs or Word documents to print out and return. Now, because everything’s so easy to access, we’re more likely to send them Google Forms, which they can just fill out on their phones. Despite working remotely, in some ways we’re more accessible than before.”
As more of the UK becomes vaccinated and lockdown restrictions ease, the Digital Transformation team surveyed Thanet’s employees to gauge their feelings on returning to the office versus maintaining some degree of remote working. Only 25 of the 350 workers surveyed wanted to return to the office full-time.
“What we’ve discovered is that with Okta we’ve been able to build a new hybrid way of working. You can work just as effectively from home as you can in the office. It’s the same technology, the same setup, wherever you are,” says Joe.
While the move to Okta was successful, the work hasn’t stopped for Joe and the Digital Transformation team as they look for ways to integrate applications even more closely with Okta and expand the HR platform to automate as much as possible. “The goal is to make everything digital end-to-end,” says Joe. “Councils aren’t known for their agility, especially when it comes to technology, but I’ve been lucky. My team is small but very good. We’ve got a clear vision of where we want to get to and how to get there.”
