The Gym Group: strengthens its security to optimise its operations and satisfy all of its stakeholders

Spurred on by the knowledge that physical exercise reduces your risk of early death by up to 30%, the fitness industry is booming, turning over around €3.5bn in the UK in 2021. Spotting a gap in the market for fitness clubs that allow people to exercise safely, flexibly, and economically, The Gym Group launched in 2008. Offering the latest equipment, personal trainers and a host of classes, it now has more than 200 locations across the country, a testament to the success of its 24/7, no contract, low-cost business model. 

Jasper McIntosh, Chief Information Officer at The Gym Group, says the strength of the group’s technology infrastructure is what enables the company’s fast growth. “From day one, every single customer who has joined The Gym Group has done so through an online sales mechanism, whether that’s via our website or app. Our members enter the gym using a QR code or a PIN pad, and our app helps to augment the in-gym experience.”

And, just as The Gym Group ensures that its members feel safe when they use their gyms at whatever time of day or night they visit, it’s focused on keeping their online data secure as well. “We have a rigorous and consistent approach to security and data protection,” says Jasper. “As essentially an online subscription business, we hold a lot of personal data on a large number of people.” 

The Gym Group wanted to concentrate on what it does best, which is helping its 800,000-strong membership keep fit. So when it came to protecting its members and business interests, it looked to work with a technology company whose focus is on customer and workforce identity and access management. So it chose to work with Okta and Auth0.

The identity challenge

“We run the best business possible by understanding who our members are and how our gyms are used. That means giving the right staff the right access to the right data. To do that we have to create an environment that's safe from a data and an operational perspective. But we have hundreds of members of staff, some of whom are not tech savvy and many of whom move from gym to gym. That creates an identity challenge,” says Jasper. “We needed to create an identity layer that enables our staff to do their jobs to the best of their abilities and enables us to leverage the valuable assets we have in terms of data and systems in a way that is not interruptive and is really secure.”

To add to this complexity, The Gym Group became a public company in 2015 and overhauled its technology in every area of the business. It now runs multiple enterprise softwares, including Microsoft Office 365 and the Workday, as well as internal solutions for health and safety, gym services, member management, and marketing.

Prior to Okta a new joiner, or a common occurrence such as an employee location move, would have resulted in a 3-5 day wait for this to be actioned with risk of errors occuring. This was due to the manual process of entering users into directories by a 3rd party after a user was created or updated in their HR solution Workday. Okta has automated this so that an employee exists within user directories on day 1, so no time elapses with employees waiting for access as states are instantly reflected within IT with no need for 3rd parties. 

Since deploying Okta, The Gym Group has grown from 500 to 600 employees and Okta has 100% automated the creation of these new users within directories by sourcing from HR, saving 25 hours a year of IT time spent manually entering data. 

After a new user was created in directories, they needed access to their standard or birthright apps such as Office 365, Workday, Box, FreshService, PowerBI and Egencia. Previously this was done manually taking 15 minutes per app, but with Okta this is automated. Without Okta, this year The Gym Group would have spent 450 hours provisioning new users only into birthright apps at a manual IT cost of £17K a year. With Okta day 1, provisioning to 6 birthright apps is done 100% automatically and this cost & time is saved.

By automating the access management of all these platforms, The Gym Group could quickly and easily on-board and off-board employees, allowing only authorised staff access to each platform. “As the group grew and the gym estate spread across the UK, it has also become common for managers to move around from region to region. This means that the access managers require for information on different sites can quickly change,” adds Jasper. The Gym Group now has more than 10 core applications integrated with Okta’s Workforce Identity Cloud platform, including Workday, Salesforce and Office 365. Staff use the system’s Single Sign-On (SSO) solution to quickly and securely log in to all their apps.

Adapted Multi-Factor Authentication is a game-changer

The Gym Group also added Okta’s Adaptive Multi-Factor Authentication (MFA) solution at the beginning of 2022 and it instantly made life easier for its geographically dispersed workforce, many of whom often switch between sites. 

“Adaptive MFA is a big win for us, because it allows us to integrate all of our different applications, which we weren't able to do before, and it’s a real time saver. Using Adaptive MFA with Workday, we can quickly patch people into different sites and add and remove them from groups and platforms and change their reporting lines,” says Jasper. 

And to verify sign-in to its various systems, The Gym Group uses Okta Verify, which allows people to securely access their apps via a two-step verification process using push notifications, a temporary 6-digit code, or biometrics. “Okta Verify is a fantastic tool for MFA,” says Jasper. “You can configure it in the way that suits you and your users and profiles. It's a powerful tool that enables us to create the best possible security envelope without impacting employee experience, which is really valuable. They just receive the SMS on their phone or watch, or use the Okta Verify app.”

Prior to Okta, The Gym Group only had 1 of its core apps enabled for MFA. If they had continued with this approach, each core app when accessed each day would have generated an MFA challenge for its users. As Okta has consolidated 10 app authentications a day down to 1 with Okta, it has avoided 9 MFA prompts by just doing it once, creating a 90% reduction in potential MFA challenges worth 16,875 hours of time this year or £513K of general staff hourly productivity.  

The Gym Group has also recently upgraded its Customer Identity and Access Management with the Customer Identity Cloud solution. “We seamlessly migrated over 800,000 gym members over from our proprietary system to Customer Identity Cloud, giving them a Single Sign-On for all our consumer-facing apps. We haven’t made full use of everything it offers yet, but we will be doing so over the next few months,” says Jasper. 

Okta and Auth0 aid governance reporting 

The Gym Group is now a listed company, so it has to ensure it meets compliance obligations. The company has found this easier now it is using a variety of Customer Identity Cloud solutions. Jasper says: “Thanks to Okta and Customer Identity Cloud, we now have a much more granular understanding of what’s happening across the business and it’s so much easier for us to audit our security to meet our compliance and regulatory obligations.” 

In the future, The Gym Group is considering becoming ISO 27001 accredited and as Okta’s solutions already comply with this security standard, Jasper is confident that it will speed up this process. “Being able to demonstrate that we use the Okta identity platform for our information security management satisfies all of our stakeholders and helps us to pass regulatory specifications,” he says. “It ticks so many boxes for us, I sleep better knowing that we have a top quality, Identity and Access Management platform in place.”