ASX-listed mid-cap oil & gas company Beach Energy put Zero Trust on its future roadmap after completing a large-scale identity and access management (IAM) project last year.
The company had 180 employees and an IT team of four when it bought Lattice Energy from Origin for $1.5 billion in 2017.
The purchase and subsequent integration of the two companies led to a digital transformation, which in turn saw the company uplift its security posture and the way it managed identity.
The identity project was a finalist in the 2021 iTnews Benchmark Awards.
“When I came on board, I was the fourth person at Beach to get allocated a laptop,” information security manager Aaron Finnis said.
“Beach Energy came from this very small footprint of 180 employees, and then attached themselves to Lattice and inherited a few hundred employees on top, and then just grew from there: lots of projects, more assets to run, a footprint in New Zealand, Victoria, WA as well as SA, and 30 remote sites all up.
“From there, that next year was insane in terms of growth.”
The newly-enlarged Beach Energy consolidated the networks of the two companies to a Fortinet SD-WAN and moved to a single SAP enterprise resource planning (ERP) system hosted in AWS.
But remote workers accessed corporate systems via Citrix virtual desktop.
“That was just not going to work for the size of the organisation and the footprint as well of where Beach was heading,” Finnis said.
Beach also inherited a “partial office 365 implementation” from Lattice and decided to expand the cloud productivity suite across all staff; the company’s own staff previously used a mix of on-premises and cloud-based Microsoft productivity tools.
For identity, Beach Energy used Active Directory (AD). The onboarding and deprovisioning of people from being able to access the company’s systems was entirely manual.
After he joined Beach, Finnis spent some time initially observing and profiling how users were managed.
“Beach essentially had an Active Directory but no identity system at all,” he said.
“Beach is very much about being a lean machine - keeping our margins slim on the cost front. We're always looking for [new ways of doing things].
“So for instance, we had a person doing onboarding and offboarding of users, and giving them access rights, and they were just in Active Directory all day creating accounts.
“When you've got the kind of growth Beach had, you're [provisioning] 30-40 accounts a week. That's a lot of work and a lot of overhead.”
Identity was made a foundational piece of Beach Energy’s digital transformation plans, and that led the company to evaluate and ultimately deploy an Okta workforce identity platform in early-to-mid 2020.
Being headquartered in Adelaide, the company narrowly avoided lockdowns that had already started in other states, and was able to deploy Okta with the IT team still in the office.
All users are registered in Beach’s software-as-a-service human resources platform, SAP’s SuccessFactors, which is connected to Okta for provisioning and deprovisioning of corporate system access.
“We've essentially flipped an on-premise, Active Directory-centric identity management process and platform to Okta, driving everything with that Successfactors integration,” Finnis said.
“When a new person commences, immediately they're onboarded in Okta and they're given a base level of access so there's no longer that kind of manual assignment - or as much, there's still a little bit there that we're working through.
“We’re then able to push that user down into Active Directory and out to other systems like Office 365, give them an email address, and then write some information back.
“So that happens very much in a sequence now, rather than multiple people involved and potential mistakes [creeping in].”
Users are served up an Okta-powered “application portal” that is personalised to their requirements,
Finnis noted that onboarding and off-boarding of workers from access to Beach systems is now automated.
“The nature of our business means lots of projects spin up, with lots of activity, then people offboard and go onto the next thing, and they might come back again, so there's a lot of transient workforce,” he said.
“Having that end-to-end automation, particularly for offboarding as well, gives us the peace of mind that access is revoked at the right time and that our licensing costs are controlled as well.”
That is a major change to the prior situation Beach found itself in; according to a written case study, when Beach first examined its Active Directory environment, it “discovered that 14 percent of users were no longer working at Beach. And then, on every subsequent review, we found a percentage of active users who should have been offboarded.”
The project has also put Beach Energy on a path to achieving a Zero Trust approach to security.
“I guess part of our roadmap has been to move towards a Zero Trust security strategy. I think everyone says that,” Finnis said.
“I kind of call it continuous trust, because what we're looking for is an ecosystem of tools that are continually assessing identity, device and network.
“Being able to constantly re-evaluate users logging in - is it the right location, is it a weird device, has something changed, and then on the endpoint as well, being able to say, is this device still healthy, is there something weird running on it, and correlating that together.
“Definitely the future for us to continue to invest in tools that help us achieve that outcome.”
He added that the continuous trust approach “really positioned [Beach] well for the pandemic, and allowed us to work remotely without being too worried about it, given the tooling that we've put in place and the approach we've taken.”
Stay tuned to iTnews for the final installment in this series on Thursday September 2. Find other iTnews Insights articles here.