Capita decommissions its 200 active directories using Okta

Outsourcing specialist Capita is increasingly using Okta technology as its employee identity platform, helping the firm decommission some of its 200 active directories, securely off-board employees and even save money on unnecessary Salesforce licences.

Scott Carey Jul 05th 2018

Capita turned to Okta back in August 2017 as a way to deliver single sign-on for new IT applications and services through a secure portal, allowing its 70,000 employees to request access to applications without having to wait for IT to respond.

Best known for business process outsourcing with key UK clients like John Lewis, the BBC and Transport for London, Capita has been an acquisition-hungry company for the best part of a decade now, buying more than 20 companies in the past four years, according to Crunchbase.

This has led to some legacy IT issues, including a sprawl of more than 200 active directories across the business.

"We don't want any more," Rob Sansom, the global technology advisor at Capita, quipped during the Okta Forum event in London last week. "In fact part of our vision was to reduce our dependency on on-premise active directories (AD). That wasn't going to be an overnight activity but remains one of our key aims."

Getting to that point started with an enterprise-wide deployment of Office 365 three years ago. This was "authenticating from a single active directory with an on-premise [Active Directory Federation Services] infrastructure."

"So those islands of identity authentication presented real challenges for us in the area of identity governance and falling back on manual processes," he said.

Capita had even considered a broad on-premise consolidation of those active directories, but rejected the project because it would be too expensive, time-consuming and complex, with no guarantee that it would benefit the business at the end.

"So we had a single Okta tenant, it is integrated to our single on-premise AD that had been driving Office 365 and is now being established as a single point of identity for a growing range of applications," he said. "It is the start point for any new applications."

Benefits 

Getting to a single source of truth for employee identity comes with a whole range of benefits, including more secure off-boarding of employees, improved end-user happiness and better visibility into SaaS usage within the company.

Expanding on these, Sansom said: "We are already seeing improving governance with leavers. We know with confidence that when a user leaves, their mobile device is automatically retired. We don't have to go to another system and remember to deactivate their device. That in turn is reducing the administrative burden for our service desk teams and allowing them to focus on more rewarding and valuable work." 

Capita runs on a perimeter-based security model. "[But] that is far less relevant today with so many mobile workers," Sansom said. "We changed that by embracing multi-factor authentication to replace an on-premise system, primarily through the Okta Verify app. We are building on device trust with mobile so users are free to access, in particular, Office 365 through Okta trusted devices, and we are extending that to desktop with Windows device trust."

It also helps Okta employees self-serve password resets, and gives business owners the ability to authenticate access to applications, saving IT teams time and effort. 

"They have been crying out for better access to systems and services," Sansom said. "Many users have certainly in excess of a dozen IDs and passwords, some more. That in itself leads to less robust practices for password management for users. We have all seen a spreadsheet on the laptop with everybody's passwords on it."

Employees are now familiar with using a single login for Okta to get access to applications. "What they're not used to is the fact that when they click that button the workflow doesn't go to a technical team but a business team that own that application and they approve that for access within minutes instead of days, or even longer in the past," Sansom said. 

Using Okta for better licence management 

Using Okta as a portal for SaaS applications has also given Capita new visibility into how these services are being used across the business.

"With acquiring so many businesses it is difficult to have a holistic view of all of the SaaS applications being consumed," he said. "We know for example that we have a high number of duplicate tenants of particular services, Salesforce being a particular example."

This meant effective licence management was virtually impossible. "We had no real picture of who was using a service," he added. "Now we can evidence that and have more opportunities for efficient and effective management of software licences."

By using Okta, the IT team can start to see how the applications it has integrated are being used. "That allows us to identify opportunities for consolidation of those tenants and also save money on licences," Sansom said. 

What next?

Over the next 12 months the aim for Capita is to increase that application integration and shift towards an environment where business owners, instead of IT, can grant access to those applications.

"We still have a huge amount to do, there are a huge number of applications out there that need integration and for me that is key to delivering more value to the business," Sansom said.