Australian Football League scores security overhaul with Okta

Rob Pickering, Chief Technology Officer, Australian Football League. Image courtesy of AFL.

Like most industries, the sporting world had to readjust its operations following the COVID-19 lockdowns. Since live sporting events were prohibited, and later restricted, organisations such as the Australian Football League (AFL) suffered quite a blow.

The AFL, for instance, had to change its venue for the 2020 Grand Final and accommodate fans at a reduced capacity due to safety concerns.

However, the pandemic was also an opportune time for the AFL to strengthen its IT infrastructure, both in response to growing cyberthreats and in anticipation of the return of football fans once restrictions were lifted.

During a virtual roundtable, Rob Pickering, AFL’s CTO, and Todd McKinnon, CEO of Okta, broke down the details of their organisations’ partnership, and what enterprises can do amid the evolving cyberthreat landscape.

According to Pickering, one of the major changes the AFL has implemented during the pandemic was to move all of its applications behind Okta, which is especially helpful for the league’s employees.

New hires, for example, will be able to access everything in a single portal, eliminating the need to go back and forth between processes.

“This is really important because those people help deliver the sport. If they can’t do their job, then they can’t deliver the sport. While the players play, there are a whole lot of things that go around that, so if we can’t support the employees and the league, it’s going to be very hard to play the games itself,” Pickering explained.

Crucial minutes

The AFL’s decision to upgrade its IT systems was a calculated move as fans soon flocked back to stadiums to watch their favourite teams play.

From a reduced audience of only 29,707 during the 2020 Grand Final, the number of spectators rose to 61,118 in the following year’s penultimate match. For the 2022 Grand Final between the Geelong Cats and Sydney Swans, gate attendance was at 100,024.

Therefore, it was paramount to make employees’ access to the AFL’s systems easier and more secure, so that they, in turn, could serve their customers more efficiently.

As soon as an employee resigns, the AFL can now quickly remove that person’s access from one place, instead of in 25 different places.

“That’s a game changer for us, for a person to get up to speed in their job, but also have security automation. When they leave, we close the door earlier on that as well,” AFL’s Pickering said.

As an added layer of security, the AFL uses multi-factor authentication (MFA) in front of every application, which greatly reduces the risk that a stolen password alone is enough to gain access.

“Clearly, you want to make sure that you don’t lose credentials. With a mixture of education of our workforce around what phishing looks like, and continuous feedback as to where that needs to evolve, and having MFA in front of every application we operate, credential stuffing is less of a concern than other vectors for us at the moment,” the league’s CTO shared.

Todd McKinnon, Chief Executive Officer, Okta. Image courtesy of Okta.

Indeed, identity is one major area of security that enterprises should focus on in order to tackle lurking cyberthreats, noted Okta’s Todd McKinnon.

“Phishing is a big problem in the industry, and it’s a specific way to compromise identity. In almost every breach of significant importance, there is a compromise of an account at some point in that breach. This is why a robust system to protect the identities — of not only applications, but cloud servers and cloud databases and infrastructure — is very important. If you can do that, then you can protect against most of the breaches that happen,” he said.

Aside from MFA, Okta is also assisting the league with privileged access management to ensure that the AFL has enough visibility across its systems.

“We want to know what our privileged access users and administrators are doing. So, privileged access management sits there and supports the use cases of insider threats that are otherwise sitting in our current environment. We feel much better about at least knowing what we have to protect, and having identities that allow us to do that,” Pickering said.

Goal within reach

Building on what the AFL has achieved so far in giving fans a seamless experience, from ticket purchase to memberships, the league is eyeing further improvements and is currently working with Okta towards those goals.

“We’ve spent quite a bit of time on building up the AFL identity, which is going to be what we use to interact with AFL systems. If you’re a fan, at the moment we’ve got several different ways to log in and a number of usernames and passwords to remember, like if you’re participating in events in football, tipping, or if you buy tickets. The goal over time is to move that to a single AFL identity, so when you log in, you have just one login for everything you do with the AFL,” Pickering revealed.

Looking ahead, Okta CEO Todd McKinnon believes that MFA is still burdensome for end users, and is aiming for a more user-friendly but equally secure method of validating identity.

“As an industry, Okta included, we have to do a better job making it even harder to phish and steal the identities, but also make it easy for users to log in,” McKinnon remarked. “We want to make it one single step for the user that’s also robust and hard to compromise, so their devices, their security teams, their IT teams, know about every device, every application, every server, every privileged account, everything in the entire environment — and they can use everything on the computer or the phone, whether it’s face ID technology, touch ID technology, or other security tools that deem the device secure.”

Meanwhile, Pickering highlighted the urgency of improving organisations’ security posture.

“Cybersecurity teams, and businesses in general, have to be perfect with their cybersecurity 24/7, 365. An attacker only has to be right on one day, with one person, system, or application — unless you’ve got a layered set of controls, that means attackers go to the next step, and then get cut off,” Pickering said.

The league CTO acknowledged that there is no such thing as “perfect” security, especially not perfect security all the time.

“But when you have people whose entire job is to wake up in the morning and try and work out how to compromise your systems, you’ve got to do all of your normal jobs plus try and protect your entire IT landscape, and it’s dangerous,” the CTO concluded.