How Okta is building a security culture

Security-conscious culture

In the wake of several well-publicized security incidents, the identity and access management provider Okta has begun a company-wide transformation similar to the one Microsoft undertook more than 20 years ago, aiming to build an internal security-minded culture and put security considerations first and foremost.

Like Microsoft in the early 2000s, Okta recently endured a wave of embarrassing incidents that raised questions about the company's security practices.

In early 2022, a security breach exposed Okta's source code, with the hackers declaring publicly that they were trying to leverage Okta for supply-chain attacks upon its customers.

In September 2023, MGM Entertainment's systems were shut down by ransomware attackers who hijacked the company's Okta platform. The MGM hack wasn't Okta's fault, and the company had in fact recently warned its clients about such attacks. But it's not something any company would want to be associated with.

In October 2023, the company disclosed that its own systems had been penetrated by an attacker who used Okta as a springboard to launch attacks on five Okta clients — the kind of supply-chain attack the 2022 source-code thieves had attempted. The initial access vector was found to be an employee's personal Google account.

'Security must come first'

In the wake of these incidents, Okta CEO and co-founder Todd McKinnon issued a statement akin to Bill Gates' famous "Trustworthy Computing" memo — and, like Gates, proposed a path forward:

"While we've seen a lot of success, we recognize that none of it matters if our customers and community can't rely on our security," McKinnon wrote in a blog post at the end of February 2024. "It has become clear that we have to think about the relationship between identity and security differently than we have in the past — security must come first."

In his post, McKinnon announced the company's Secure Identity Commitment, which has four stated goals: hardening Okta's own security infrastructure, strengthening its clients' security best practices, embracing new technologies and delivering new products.

"Because Okta is the entry point to an organization's most important data and infrastructure, we are a big target with a massive attack surface," McKinnon wrote. "The stakes are high, and we need to answer the call."

Okta's efforts are more than just window dressing. In early November 2023, the company put new product development on hold for three months to focus on hardening its security posture. In May 2024, the company hired Jen Waugh, an experienced Australian cybersecurity executive, to be Okta's new Senior Director of Security Culture.

"Although security was always part of Okta's identity, the evolution of cyber threats — both against companies like us and against our customers — has caused us to look at ourselves through a slightly different lens," Waugh wrote in a blog post Monday. "Creating a culture of security — such that security becomes implicit within an organization's DNA and second nature to its team — isn't a small or easy feat, and it doesn't just happen. Change is required, and often that change brings an element of organized disruption."

Toughening inside and out

Several important initiatives have already been implemented, some of which Okta Chief Security Officer David Bradbury spelled out in a blog post.

First, as part of strengthening its own clients' best practices, Okta has enabled optional IP binding for administrators of its Workforce Identity Cloud platform, a process that ties session cookies to a specific range of Internet Protocol addresses or an autonomous system number.

This defeats session-cookie hijacking, in which an attacker steals the authentication token a legitimate user's browser receives after login and replays it to take over the user's account. (The October 2023 attackers used this method among others.) IP binding ensures a session cookie can't be used outside a particular IP-address range.

Okta isn't mandating IP binding but giving its clients the option to leave it on or turn it off, which Bradbury said was the proper approach in a recent interview.

"Our position right now is that we think customers shouldn't be asking us for advice about how to secure their platform," Bradbury said. "We should just be turning these features on for them as we go."

Similarly, Okta is enabling clients to "whitelist" network zones for application-program interfaces, which will block attackers who steal API authentication tokens from re-using them elsewhere.

Other steps, some of which are on by default, include:

  • Enabling zero standing privileges for administrators of Okta platforms, which means that the admins receive authorization for certain tasks only for the amount of time necessary to perform those tasks
  • Enabling 12-hour timeouts for administrative sessions
  • Enabling mandatory multi-factor authentication (MFA) for certain administrative tasks, and
  • Enabling blocks of anonymizing services like VPNs or proxy services to Okta endpoints.
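The session binding described above and the 12-hour administrative timeout from the list, as an added Python illustration that is not Okta's code: the prefix-to-ASN table, the addresses and the /24 range width are constructed assumptions, and an unknown ASN falls back to range binding rather than leaving the cookie unbound.

```python
"""Added illustration, not Okta's code: an admin session store that binds
each session cookie to the client's IP range (CIDR) or autonomous system
(ASN) and enforces a 12-hour absolute session lifetime."""
import ipaddress
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed prefix -> ASN table; a real deployment would query an ASN database.
ASN_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): 64501,
    ipaddress.ip_network("198.51.100.0/24"): 64502,
}
ADMIN_SESSION_LIFETIME = 12 * 3600  # seconds; the 12-hour admin timeout


def asn_for(ip: str) -> Optional[int]:
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in ASN_TABLE.items() if addr in net), None)


class SessionStore:
    """bind_mode is 'cidr' (bind to the client's /prefix_len range) or 'asn'."""

    def __init__(self, bind_mode: str = "cidr", prefix_len: int = 24,
                 clock: Callable[[], float] = time.time) -> None:
        self.bind_mode, self.prefix_len, self.clock = bind_mode, prefix_len, clock
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str, client_ip: str) -> str:
        net = ipaddress.ip_network((client_ip, self.prefix_len), strict=False)
        asn = asn_for(client_ip) if self.bind_mode == "asn" else None
        # Edge case: an unknown ASN must not leave the cookie unbound; fall back to CIDR.
        bound = {"asn": asn} if asn is not None else {"cidr": net}
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "created": self.clock(), **bound}
        return token

    def validate(self, token: str, client_ip: str) -> Tuple[bool, str]:
        """A replayed cookie fails here unless presented from the bound range/ASN."""
        sess = self._sessions.get(token)
        if sess is None:
            return False, "unknown token"
        if self.clock() - sess["created"] > ADMIN_SESSION_LIFETIME:
            del self._sessions[token]
            return False, "expired"
        if "cidr" in sess and ipaddress.ip_address(client_ip) not in sess["cidr"]:
            return False, "ip outside bound range"
        if "asn" in sess and asn_for(client_ip) != sess["asn"]:
            return False, "asn mismatch"
        return True, "ok"
```

The injectable clock exists only so the expiry path can be exercised deterministically; production code would use the default.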

Within Okta itself, the internal security infrastructure is being hardened by:

  • Distributing phishing-resistant MFA Yubikeys to all employees
  • Conducting an internal security assessment
  • Conducting a third-party assessment of Okta's SaaS platforms
  • Centralizing and standardizing vulnerability management, risk management and incident reporting
  • Assessing security hygiene of open-source-software libraries
  • Beefing up dark-web monitoring capabilities for Okta-related content
  • Enhancing its laptop and mobile-device protections, and
  • Introducing a new threat-intelligence platform.

People have the power

However, Waugh emphasizes that transforming a security culture can't be done through technical means alone.

"A strong security culture must be more than just defined policies and procedures," she writes. "It requires every employee at Okta to take an active role in accepting, practicing, and promoting effective security."

To that end, she defines three pillars she intends to build the security culture upon. The first, "Security Why," Waugh explains, "focuses on contextualizing security to each and every team member’s individual role and responsibilities."

"Looking at the wider business world, a lot of large-scale initiatives often fail because those behind them think that top-down leadership is all that it takes to change things," she writes. "An initiative is much more likely to succeed when there are champions throughout the organization and when communication flows in every direction."

The second pillar, "Security People," aims to make every employee feel responsible for the company's security through security education and cross-team working groups. Special emphasis will be given to developers and coders, who will have members of the security-education teams embedded with them.

The third pillar is what Waugh calls "Security Pulse," metrics that can be compared to known progress indicators to make sure that Okta is making substantial gains in its quest to have, as Bradbury put it in his interview, "a clean sheet ... zero [breaches] for the next few years."

"Building a culture of security isn't an overnight project, and it's not a set-it-and-forget-it task," Waugh writes. "Rather, it's a long-term, ongoing process that requires collective change and concerted effort."

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
