
How Okta builds a culture of security

Following several high-profile security incidents in the media, identity and access management provider Okta has initiated a company-wide transformation similar to that undertaken by Microsoft over 20 years ago. The goal is to build a security-conscious corporate culture and put security at the forefront.

Like Microsoft in the early 2000s, Okta recently experienced a wave of embarrassing incidents that raised questions about the company’s security practices.

In early 2022, Okta’s source code was exposed in a security breach and the hackers publicly stated that they were attempting to use Okta to launch supply chain attacks on the company’s customers.

In September 2023, MGM Entertainment’s systems were crippled by ransomware attackers who had hijacked the company’s Okta platform. The MGM hack was not Okta’s fault, and the company had actually recently warned its customers about such attacks. But it’s not something any company wants to be associated with.

In October 2023, the company announced that its own systems had been infiltrated by an attacker who used Okta as a springboard to launch attacks on five Okta customers—the type of supply chain attack that the 2022 source code thieves had attempted. The first access vector was an employee’s personal Google account.

“Security must come first”

Following these incidents, Todd McKinnon, CEO and co-founder of Okta, released a statement reminiscent of Bill Gates’ famous “Trustworthy Computing” memo – and, like Gates, suggested a way forward:

“While we have achieved many successes, we recognize that none of it matters if our customers and community cannot rely on our security,” McKinnon wrote in a blog post in late February 2024. “It has become clear that we need to think about the relationship between identity and security differently than we have in the past – security must come first.”

In his post, McKinnon announced the company’s Secure Identity Commitment, which includes four stated goals: strengthening Okta’s security infrastructure, reinforcing security best practices for its customers, adopting new technologies, and delivering new products.

“Because Okta is the access point to an organization’s most critical data and infrastructure, we are a big target with a huge attack surface,” McKinnon wrote. “The stakes are high and we must answer the call.”

Okta’s efforts are more than just a facade. In early November 2023, the company put new product development on hold for three months to focus on strengthening its security posture. In May 2024, the company hired Jen Waugh, an experienced Australian cybersecurity executive, as Okta’s new Senior Director of Security Culture.

“While security has always been part of Okta’s identity, the evolution of cyber threats — both against companies like us and our customers — has caused us to look at ourselves through a slightly different lens,” Waugh wrote in a blog post to be published this week. “Creating a culture of security — so that security is embedded in an organization’s DNA and becomes second nature to its team — is no small or simple feat, and it doesn’t just happen. Change is required, and often that change brings with it an element of organized disruption.”

Hardening inside and out

Several important initiatives have already been implemented, some of which David Bradbury, Chief Security Officer at Okta, explained in a blog post.

First, as part of reinforcing security best practices for its customers, Okta has introduced optional IP binding for administrators of its Workforce Identity Cloud platform: session cookies are tied to a specific range of Internet Protocol addresses or to an autonomous system number (ASN).

This counters session cookie hijacking, in which an attacker steals the session token a legitimate user’s browser presents after login and replays it to take over the account. (The October 2023 attackers used this method, among others.) With IP binding, a session cookie presented from outside the bound IP range or ASN is rejected.

Okta doesn’t mandate IP binding, but gives its customers the option to leave it enabled or disable it, which Bradbury described as the right approach in a recent interview.

“Our position right now is that we don’t think customers should be asking us for advice on how to secure their platform,” Bradbury said. “We should just gradually enable these features for them.”

Okta also lets its customers whitelist network zones for application programming interface (API) access, which prevents attackers who steal API authentication tokens from reusing them from elsewhere.

Additional steps, some of which are enabled by default, include:

  • No standing privileges for Okta platform administrators, meaning that administrators are granted the rights for a given task only for as long as that task requires
  • 12-hour session timeouts for administrative sessions
  • Mandatory multi-factor authentication (MFA) for certain administrative tasks, and
  • Blocking of requests to Okta endpoints from anonymization services such as VPNs or proxy services.

Within Okta itself, the internal security infrastructure is strengthened by:

  • Distribution of phishing-resistant MFA (YubiKeys) to all employees
  • Implementation of an internal security assessment
  • Implementation of a third-party evaluation of Okta’s SaaS platforms
  • Centralization and standardization of vulnerability management, risk management and incident reporting
  • Evaluation of the security hygiene of open source software libraries
  • Expanded dark web monitoring for Okta-related content
  • Improved protection for laptops and mobile devices, and
  • Introduction of a new threat intelligence platform.

People have the power

However, Waugh emphasizes that the transformation of a security culture cannot be achieved through technical means alone.

“A strong security culture must be more than just defined policies and procedures,” she writes. “It requires every employee at Okta to take an active role in embracing, implementing and promoting effective security.”

To that end, she defines three pillars on which she will build the security culture. The first, “Security Why,” explains Waugh, “focuses on putting security in the context of each team member’s individual role and responsibility.”

“If you look at the business world more broadly, many large-scale initiatives often fail because leaders think that top-down leadership is all it takes to change things,” she writes. “An initiative has a much better chance of success when there are advocates across the organization and communication flows in all directions.”

The second pillar, “Security People,” aims to make every employee feel responsible for the company’s security through security training and cross-team working groups. Particular attention is paid to developers and programmers, with members of the security teams involved in their training.

The third pillar is what Waugh calls the “Security Pulse”: a set of metrics compared against known indicators of progress, to ensure that Okta is moving measurably toward its goal of having, as Bradbury put it in his interview, “a clean slate… zero (security breaches) for the next couple of years.”

“Building a security culture is not an overnight project, nor is it a task that is set up once and then forgotten,” Waugh writes. “Rather, it is a long-term, ongoing process that requires collective change and concerted effort.”
