How the British Red Cross secures access to its apps

Case study: The British Red Cross has streamlined access to vital applications by using software from OneLogin.

For a number of years the British Red Cross has used software from OneLogin to manage users' access to its vital systems. ZDNet spoke to the head of service delivery at the British Red Cross, Phil Paul, to find out more.   

ZDNet: What is the role of OneLogin for the British Red Cross?

Paul: We were brought in to provide the ability to create a platform to access our core systems and that had to be behind three-factor authentication. The first factor was passwords, the next was based on combining that with the right app or through questions and, remotely, we also use RSA SecurID tokens for our colleagues who work in our 300-plus shops.

The object was to say, "here's our product set across our colleague base and we need to have a three-factor secure ID system in order to be accessible". And that is what the migration was once we had done the set-up.

When did you get it set up?

We went live in January 2016 but in 2015, prior to the go-live, there was the engagement of four or five months to build the instance, and test the capability and how the system is used.

So, you found OneLogin to be a good service to use?

I think it's been built over the years it's been in play, but I think we missed a huge trick in terms of the impact on all our users. I went from having 4,000 "customers", as it were, to dragging another 17,000 volunteers towards me. There was some work involved in helping our volunteers to understand the importance of this as they were used to working very much in isolation behind OneLogin. 

Also, the way we had all worked – our staff and our volunteers – was very much a dated concept. We sent a trifold [wallet] with a 12-page document to read in order to learn how to get into OneLogin. Since then we have worked with OneLogin to do a series of webinars and videos. And also, we have worked with the marketing department and OneLogin to see how we can best work as a team.

Now that we've got stability, we've got this platform that we can now really drive along and working behind OneLogin has given us that mobility and agility within the business to provide what the organisation is asking us for.

We can now provide the use of mobile phones, tablets and other mechanisms that can be readily available to our service users. Gone are the days of just sitting there at your desk with a laptop. It's enabled us to be more agile.

How is it all working in practice?

Because of single sign-in, we can now access our core systems from a range of devices. Internally, OneLogin just sits within our systems but it goes through Citrix, so it can access anywhere where we've got data from our core systems. So it sits within our finance system, our HR systems, our internal intranet and where those assets are consumed.

And that's where they will go in and access the Red Cross, either through the browser that they are used to or through OneLogin.com. Whichever is used, OneLogin provides their two-factor login capability, and then they are presented with the application that they can then access.

Presumably that will be based on simplicity and the ability to cover a wide spectrum of users?

Absolutely, and that is why we have been able to drive adoption of OneLogin. And that has helped with the products that we've been able to place behind OneLogin, such as Microsoft Dynamics that we use for our BRM [Benefits Relationship Management] database, which is a core service in our Crisis Response and our Refugee Support.

We've also got our Ambulance Service and one that we have provided through OneLogin only recently, our Independent Living Service, which is a core service and provides Assisted Discharge for those in hospital that need to be discharged and taken home from A&E.

Now, when we roll out a new product it's not so much about how you use it with OneLogin but, in fact, about how your product has actually been placed behind OneLogin. It provides compliance and it allows us to have that single platform that provides that collection of services that can be used across our entire organisation.

Security must be an important factor?

Absolutely. But we are actually in a better place because we had done the NHS compliance requirements three years ago and working with OneLogin and using their product allowed us to fulfil a number of the NHS requirements. So, it actually had a very organic, GP-led, GDPR requirement to the data access, and a requirement and data retention that fits within the product level, not within OneLogin.

Do you have plans for extending capability and adding new features going forward?

We certainly do. One that I think I mentioned is extending the product to laptops and mobile devices, so that you can have that desktop experience no matter where you are and providing a two-factor challenge within the radius of a server. Also, we have actually just added our area management system, which is fused behind OneLogin.

It's actually a huge challenge to include all volunteers who range from about 32,000 people, depending on the count for the day, or adding requirements for new users and uses.

We have to look at all that in terms of our license model and work with OneLogin to see how that works. And recently, as part of our BYOD set-up for our WiFi, we have basically used OneLogin to provide the setup. So, we are looking at more use cases.

We are driving more behind our system and making it more accessible. With that we've got a more determined marketing and training campaign to ensure that we have more presence, more usage, and fewer calls to my service desks.
