Fully remote in less than one week
Published: April 30, 2020
When COVID-19 hit, entire workforces had to suddenly abandon their office infrastructure and work from home. For many companies, this has been a giant logistical nightmare which has driven their corporate virtual private network (VPN) and network appliances into meltdown and significantly impacted their ability to deliver.
Yet at Thoughtworks, it was more or less business as usual. Within a week, we’d closed every office, and transitioned every single employee to delivering value for our clients and our business, in their homes.
But things weren’t always like this. In 2015 a colleague, Mark Richter (Identity Tech Lead), was taking the IT leadership team through our access control systems. His architecture diagram illustrated an infrastructure which had evolved over 20 years into a complex spaghetti which was expensive to maintain and needed constant monitoring. Users had to jump through multiple hoops in order to accomplish simple tasks. Frustration was high, as was failure demand.
If we were in that same situation today, then COVID-19 would have hit us, and our clients, hard. Really hard. We have had to aggressively pay down technical debt and dramatically simplify our IT estate at every single level. But we didn’t get there overnight or with one magic bullet. In the last month, our efforts have more than paid off.
User-Centered Outcome
Our CIO David Whalley responded with a simple question: “Why should working in our office be any different from working in a cafe? Why is it easier to access online banking than our internal tools?”
Notice what Dave didn’t say? He didn’t say “reduce the costs of our networks” or “eliminate the need for infrastructure engineers” or “reduce our bandwidth costs” or “pay down technical debt”. He didn’t view success through cost considerations; instead, success was focussed on “the positive impact.. [on]... clients, end-users and employees”.
We had to think “customer first” and recognise that when serving our clients, Thoughtworkers are always on the move and are required to work securely in many different places.
And so “collaboration across boundaries” became a strategic goal for IT. Technology delivered clear customer value in making collaboration as frictionless as possible and our measure of success moved the needle on that value.
COVID-19 has simply expanded that original goal to the scope of the entire company!
Cloud First
Being ‘in the cloud’ used to be a hot topic; we’d talk about it a lot. By the end of 2016 we had shut down the majority of our own data centres, so now it's just the way things are done.
Operating our own infrastructure was challenging. Keeping servers stable and available 24/7 was expensive and we were forced to employ complex network setups to keep applications secure. Where we had Commercial off-the-shelf (COTS) products, software updates were often bi-annual. Due to the significant effort in upgrading, we’d struggle to keep pace with new releases. None of this added up to a good user experience.
Switching to SaaS providers moves the overheads and downsides of managing and securing infrastructure to the vendor. This also allows SaaS applications to be more agile and responsive to user needs, deploying new features frequently and using analytics to drive significant improvements to user experience.
Custom software went to the cloud, and we apply the same philosophy to our delivery and infrastructure tooling. We use GitHub for source code and CircleCI for Continuous Delivery, and where we are using open source tools like Kafka, we work with vendors like Confluent.
This has provided two benefits in moving to remote working: we haven’t had the overhead of operating, maintaining and securing data centres in this crisis, and users of the systems simply use the public internet.
Identity at the Heart of the User Lifecycle
Employees were overburdened with having to manage multiple logins to multiple services all with their own password policies. Users had to jump through hoops to gain access, resetting forgotten passwords etc. Some people were deterred from using the services altogether. We needed a way to remove these barriers whilst maintaining security for our clients, and our business.
We pursued a single sign-on policy and migrated the management of all our identity and authentication services away from complex on-premises solutions to identity as a service (Okta). Individuals had one single login with state-of-the-art multi-factor authentication. With every service using the same sign-on, the effort required to operate this technology was dramatically reduced.
From a security perspective, Okta can provide a far higher level of security and protection than any self-managed solution we would run. Every service employees use has the same high level of identity management, so moving everyone to work from home didn’t expose us to significantly increased security risks.
Combined with our internal Platform Strategy, we have a fully event-driven, near real-time, automated hire-to-retire integration. This includes the ability for new joiners to set up their accounts and start onboarding activities before their first day. This is highly helpful when new employees can’t get into the office and have to do their induction remotely.
Lightweight Device Management
Our clients need to trust our consultants with their IP both inside and outside the office. Lightweight device management (using SimpleMDM) gives our clients the security guarantees they need in a way which isn’t overbearing, restrictive and invasive like other heavy tools.
Thanks to our platform, our laptop deployment service is fully automated and zero touch. Devices are delivered directly from supplier to end user, and when switched on they register with our asset management system and automatically set themselves up. This guarantees device security and completely removes the need to visit an office.
Perimeterless
Thoughtworks put Perimeterless Enterprise on the Tech Radar back in 2013. Internally we’d been closely following and attempting to emulate Google’s BeyondCorp for many years.
By “building zero trust networks… [which shift] access controls from the network perimeter to individual users and devices, BeyondCorp allows employees, contractors, and other users to work more securely from virtually any location without the need for a traditional VPN.”
Our robust identity strategy, coupled with Cloud First and device management (we use the device as an additional authentication factor), enabled us to exploit Perimeterless and emulate BeyondCorp. This means working from home requires no connection to centralized infrastructure.
Simple Offices
We have 42 offices across 14 countries accommodating a mix of purposes from delivery centres, work space for operations teams, events facilities for both internal and external groups to use and much more.
Rather than creating complex set-ups to support many different arrangements, the teams aggressively simplified to enable this flexibility - adopting a Zero Trust model where we treat the internal office network with the same caution as the external network.
Our offices don’t have racks of servers to keep them running as everything is in the cloud. We just need basic access points, network switches and firewalls. If someone needs a server, it goes on the cloud, not in an office.
So when we shut our offices down the impacts were greatly reduced.
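The Perimeterless and Simple Offices sections describe access decided by user identity and device state, with the office network given no more trust than the internet. The sketch below is an added illustration of that contrast, not Thoughtworks' code or any vendor's API; the network range, device inventory, field names and sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

OFFICE_NET = ip_network("10.20.0.0/16")  # constructed office LAN range

@dataclass(frozen=True)
class Device:
    owner: str
    managed: bool    # enrolled in device management
    compliant: bool  # posture checks currently passing

@dataclass(frozen=True)
class Request:
    user: str
    sso_session_valid: bool
    mfa_passed: bool
    device_id: Optional[str]
    source_ip: str

# Constructed inventory standing in for an asset management system.
INVENTORY = {
    "LT-001": Device(owner="asha", managed=True, compliant=True),
    "LT-002": Device(owner="ben", managed=True, compliant=False),
}

def perimeter_decision(req: Request) -> Tuple[bool, str]:
    """Legacy model: being on the office network stands in for trust."""
    if ip_address(req.source_ip) in OFFICE_NET:
        return True, "inside office network"
    return False, "outside perimeter"

def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Judge user and device on every request; source_ip is never read."""
    if not (req.sso_session_valid and req.mfa_passed):
        return False, "user not strongly authenticated"
    device = INVENTORY.get(req.device_id or "")
    if device is None or not device.managed:
        return False, "unknown or unmanaged device"
    if device.owner != req.user:
        return False, "device not assigned to this user"
    if not device.compliant:
        return False, "device out of compliance"
    return True, "user and device verified"

# Constructed requests: the same checks apply at home and in the office.
HOME = Request("asha", True, True, "LT-001", "203.0.113.7")
OFFICE_UNMANAGED = Request("asha", True, True, None, "10.20.5.9")
OFFICE_NONCOMPLIANT = Request("ben", True, True, "LT-002", "10.20.5.10")

if __name__ == "__main__":
    for name, req in [("home", HOME), ("office/unmanaged", OFFICE_UNMANAGED),
                      ("office/noncompliant", OFFICE_NONCOMPLIANT)]:
        print(name, perimeter_decision(req), zero_trust_decision(req))
```

The perimeter model admits the unmanaged and non-compliant office devices and turns away the verified home user; the zero trust model reverses all three outcomes.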
Remote collaboration and productivity tools
We collaborate a lot in Thoughtworks. Whilst the majority of Thoughtworkers are on client projects, they are collaborating across and between sites and regions. Over the most recent six months (pre COVID-19), we have added more than four and a half million new files, and sent more than eight hundred and seventy-five thousand chat messages and more than sixty-eight million emails.
Thoughtworks was one of Google G Suite’s earliest customers (we migrated in 2008) and their tooling fully embraces remote collaboration. This takes a huge infrastructural strain away from us. All files, emails and other content are securely stored on Google’s highly scalable cloud infrastructure. So there was no need for complex VPNs to enable staff to get hold of their documents.
We’ve also made extensive use of video conferencing and have been leveraging Zoom for several years (we've gone from eight million to twenty-four million person minutes a month since COVID). Martin Fowler has recently published “how to do effective video calls” to help during this pandemic.
Maintaining client delivery
Our clients have their own needs and toolsets which they require our consultants to use. For some this has meant connecting to their infrastructure via VPNs.
Here once more, our approach has been beneficial as we move to a fully remote scenario. Because we don’t require a VPN to connect to our internal services, we haven’t had to face the challenges of keeping Thoughtworkers simultaneously connected to both client and internal networks. Keeping our own needs simple has allowed us to focus on our clients' needs first.
Where we would have been spending effort on adapting our infrastructure to a remote workforce, we’ve spent it supporting the delivery of value to our clients and accelerating learning. We’ve been curating our catalogue of playbooks and other resources, and sharing our experiences of running online discoveries, workshops and inceptions, to make them available to our consultants and clients. Our China-based colleagues (who began delivering for their clients remotely much earlier than the rest of us) provided us with a head start by sharing their learnings with the rest of the organisation.
Acknowledgements
Kelsey van Haaster who contributed a lot of the content, Philip Ibarolla as our historian, and Emma Ridgway for context. Andy Yates, Tess Zelechowski, Swapnil Deshpande and Ana Rodrigo for feedback. And a massive thank you to all the teams and individuals who have put in the real smarts and work to make this happen.
“Business value is not (just) about money… Business value is about getting to know who will, in the end, benefit from what we are creating”
Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.