“You should work from home unless it is impossible for you to do so”
A couple of weeks ago, many companies across the country were suddenly faced with the challenge of having to transition their whole workforce to remote working overnight.
This rapid change was bound to present difficulties. Even among organisations that had business continuity plans (BCPs) in place, many still experienced overloaded IT helpdesks, VPN connections going down, unreliable telephony and conferencing tools, and employees unable to access their usual business systems.
That said, our team has been able to navigate this challenging period relatively smoothly. All of our 60+ colleagues were able to start working from home almost immediately. Fortunately, we completed our annual SOC 2 audit last month, so the topic of business continuity was fresh in everyone’s minds!
WFA: Work From Anywhere
When we founded FINBOURNE just over 3 years ago, we had the benefit of being able to design all our internal systems from scratch. The technology choices we made have undoubtedly made the recent restrictions far easier for us to deal with.
Our original objectives for our internal systems were to:
- Have no on-premise servers: 100% cloud hosted, either SaaS or self-hosted in AWS
- Allow team members to use their own devices, whether Windows, macOS, Linux or mobile devices
- Support flexible remote working – an internet connection should be all that’s needed
This did present a number of technical and organisational challenges though:
- How to control access to a wide set of separately hosted web services?
- How to mitigate the risk of self-administered user devices?
- How to work effectively with people in different locations?
Access Control
We had over a dozen separate platforms we needed to access – Office 365, AWS, GitLab, Jira, etc. – and wanted a user experience similar to what you’d find in a traditional on-premise environment: one set of credentials for all applications, integrated authentication, and centralised control. This was a challenging problem to solve at the time. Many identity solutions were aimed at on-premise organisations migrating to the cloud, and depended on an existing on-premise user directory, such as Active Directory or LDAP.
We didn’t want to host our own directory server, so we ended up trialling OneLogin and Okta, as both featured a cloud-based user directory and strong support for federated authentication (SAML, OpenID Connect, etc.). We chose Okta: it had better group management features, and its APIs let us drive our automated role-based access control system rather than administering group membership by hand.
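As an added example (not code from this post or from FINBOURNE), here is the reconciliation logic at the heart of such an in-house role-based access system, covering the org-structure-to-group mapping, the starters and leavers process, and time-boxed break-glass grants listed in the toolbox below. The departments, group names, people and grants are constructed for illustration, and the identity provider is modelled as in-memory data; a real implementation would read employee records from the HR system and apply the resulting plan through the IdP’s user and group APIs.

```python
"""Reconcile HR org structure to identity-provider group membership.

Added example, not FINBOURNE's code. All names below are constructed;
a real run would read HR records (e.g. BambooHR) and apply the plan via
the IdP's API (Okta here) instead of using these in-memory structures.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Employee:
    email: str
    department: str
    active: bool = True  # False once HR records a leaving date


@dataclass
class IdpState:
    """What the identity provider currently holds."""
    active_users: set
    groups: dict  # group name -> set of member emails


@dataclass(frozen=True)
class BreakGlassGrant:
    """Emergency, time-boxed membership approved outside the org chart."""
    email: str
    group: str
    expires_at: datetime


@dataclass
class Plan:
    starters: set = field(default_factory=set)   # accounts to create
    leavers: set = field(default_factory=set)    # accounts to deactivate
    adds: list = field(default_factory=list)     # (email, group) to add
    removes: list = field(default_factory=list)  # (email, group) to remove


# Hypothetical role mapping: every active employee gets the baseline
# groups, plus the groups bound to their department.
BASELINE_GROUPS = {"app-office365", "app-slack"}
DEPARTMENT_GROUPS = {
    "Engineering": {"app-gitlab", "app-aws-dev"},
    "Finance": {"app-dynamics"},
}


def desired_groups(hr, grants, now):
    """Derive the memberships that *should* exist from HR plus live grants."""
    active = {e.email for e in hr if e.active}
    desired = {}
    for e in hr:
        if not e.active:
            continue
        for g in BASELINE_GROUPS | DEPARTMENT_GROUPS.get(e.department, set()):
            desired.setdefault(g, set()).add(e.email)
    for grant in grants:
        # An expired grant simply drops out of the desired state, so the
        # reconciler revokes it; a leaver's grants go with everything else.
        if grant.expires_at > now and grant.email in active:
            desired.setdefault(grant.group, set()).add(grant.email)
    return desired


def plan_changes(hr, idp, grants, now):
    """Diff desired state against the IdP and return the changes to apply.

    Apply order matters: deactivate leavers first (that ends their sessions
    regardless of group state), create starters, then fix group membership.
    """
    active = {e.email for e in hr if e.active}
    desired = desired_groups(hr, grants, now)
    plan = Plan(starters=active - idp.active_users,
                leavers=idp.active_users - active)
    # Walk every group known to either side so stale IdP groups are emptied.
    for group in sorted(set(desired) | set(idp.groups)):
        want = desired.get(group, set())
        have = idp.groups.get(group, set())
        plan.adds += [(email, group) for email in sorted(want - have)]
        plan.removes += [(email, group) for email in sorted(have - want)]
    return plan


def sample_plan():
    """Constructed scenario: one starter, one leaver, one live and one expired grant."""
    now = datetime(2020, 4, 1, 9, 0, tzinfo=timezone.utc)
    hr = [
        Employee("alice@example.com", "Engineering"),
        Employee("bob@example.com", "Finance"),
        Employee("carol@example.com", "Engineering", active=False),  # leaver
        Employee("dave@example.com", "Engineering"),                 # starter
    ]
    idp = IdpState(
        active_users={"alice@example.com", "bob@example.com", "carol@example.com"},
        groups={
            "app-office365": {"alice@example.com", "bob@example.com", "carol@example.com"},
            "app-slack": {"alice@example.com", "bob@example.com"},
            "app-gitlab": {"alice@example.com", "carol@example.com"},
            "app-aws-dev": {"alice@example.com"},
            "app-dynamics": {"bob@example.com"},
            "app-aws-prod": {"alice@example.com"},  # left over from an old grant
        },
    )
    grants = [
        BreakGlassGrant("alice@example.com", "app-aws-prod", now - timedelta(hours=1)),
        BreakGlassGrant("bob@example.com", "app-aws-prod", now + timedelta(hours=2)),
    ]
    return plan_changes(hr, idp, grants, now)


if __name__ == "__main__":
    p = sample_plan()
    print("starters:", sorted(p.starters), "leavers:", sorted(p.leavers))
    print("adds:", p.adds)
    print("removes:", p.removes)
```

The point of deriving leavers from the HR record rather than from group changes is that deactivating the account revokes every application at once, including anything granted out of band; likewise, break-glass access is revoked by its expiry dropping it out of the desired state, not by someone remembering to remove it.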
End-User Device Management
From the beginning we had team members running both Windows and Mac devices. We needed a way to enforce device policies, such as password requirements, disk encryption, regular patching, and anti-virus and firewall provision, so that every device met a minimum security baseline.
To achieve this we used Microsoft Intune. Intune evaluates each enrolled device against a pre-defined set of compliance criteria, and that compliance state lets us restrict access to corporate resources to compliant devices only (in Azure AD this is enforced by Conditional Access policies that check the device’s Intune compliance state). Intune works with agents installed on the device (e.g. Microsoft Defender ATP) to secure each device individually.
Getting everything to work together isn’t a smooth process though, and onboarding brand new devices is particularly complicated. The workflow of registering a user with the operating system, authenticating with Okta, and enrolling the device with Azure AD is very unforgiving if anything isn’t perfectly configured, and when something does go wrong you often get a cryptic error message that is hard to diagnose. This technology is improving, but our process isn’t yet as robust as we’d like.
Efficient Remote Working
As it turned out, by forcing ourselves to have zero on-premise equipment, the ability to work remotely almost came for free. Once we’d solved the single-sign-on problem, it really didn’t matter where we were working, as long as we had internet connectivity. And given that many in our team were already working from home periodically, our working practices were already geared up to support people being out of the office.
For some of our applications we do operate IP allow-lists (whitelists) as an extra layer of protection from malicious actors, and these caused some difficulties, since home connections rarely have a fixed address that can simply be added to the list. But generally speaking, our internal systems work regardless of whether we’re at home, in the office, in an airport, or on-site with a client.
Our Toolbox
Here’s a summary of the tools we currently use:
Authentication and Authorisation
- Employee records: BambooHR
- User directory: Okta
- Single Sign On & Federation: Okta
- Role-based access:
- Org structure mapping to Okta groups (built in-house)
- Starters and Leavers process (built in-house)
- Break-glass access (built in-house)
Device Management and Security Policies
- Azure AD
- Microsoft Intune
- Microsoft Defender ATP
Password Management
Cloud Infrastructure and Hosting
Business Tools
- Office 365
- Conferencing & Video: MS Teams
- Chat: Slack
- Phone: mobile phones & MS Teams
- Wiki: WikiJs (self-hosted)
- Alerting: OpsGenie
- CRM: MS Dynamics
Engineering Pipeline
- Task management and requirements: Jira (SaaS)
- Source control and code reviews: GitLab (self-hosted)
- Build / CI / CD: Concourse (self-hosted)
What have we learned?
Not everyone had a computer at home, meaning some people had to take kit from the office. Our policy had been to purchase small form factor desktops (Intel NUC, HP EliteDesk, etc.), so these were relatively portable, but people still needed a screen and peripherals.
Going forward we plan to issue everyone with laptops. This is an expensive proposition, especially for developer-grade devices, but as the company grows and people require increasing mobility, we feel the trade-off is worthwhile. Furthermore, by using generic USB-C docking stations in our offices, we can reorganise the team quickly as business requirements change.
What day is it again?!
Finally, to help everyone in the team keep some semblance of work/life balance, we started having twice daily team video-calls, at the start and end of the working day. As well as ensuring ‘work life’ doesn’t simply blur into ‘home life’, it has helped keep communication flowing, and most importantly ensures that everyone is kept in the loop, regardless of where they may be working. It also avoids anyone ending up feeling too isolated at home – it’s good to see a few different faces each day!
These calls are one of the positive things we’ve discovered, and I think they will carry on after the Covid-19 restrictions have been lifted.
It’s no doubt a challenging time for everyone, and we’re very fortunate to work in a digital industry where home working is possible. But this experience has forced us to change our working practices, and by making home-working more effective, perhaps it may even benefit us in the long run.