In the wake of several well-publicized security incidents, the identity and access management provider Okta has begun a company-wide transformation similar to the one Microsoft undertook more than 20 years ago, aiming to build an internal security-minded culture and put security considerations first and foremost.

Like Microsoft in the early 2000s, Okta recently endured a wave of embarrassing incidents that raised questions about the company's security practices.

In early 2022, a security breach exposed Okta's source code, with the hackers declaring publicly that they were trying to leverage Okta for supply-chain attacks upon its customers.

In September 2023, MGM Entertainment's systems were shut down by ransomware attackers who hijacked the company's Okta platform. The MGM hack wasn't Okta's fault, and the company had in fact recently warned its clients about such attacks. But it's not something any company would want to be associated with.

In October 2023, the company disclosed that its own systems had been penetrated by an attacker who used Okta as a springboard to launch attacks on five Okta clients — the kind of supply-chain attack the 2022 source-code thieves had attempted. The initial access vector was found to be an employee's personal Google account.

'Security must come first'

In the wake of these incidents, Okta CEO and co-founder Todd McKinnon issued a statement akin to Bill Gates' famous "Trustworthy Computing" memo — and, like Gates, proposed a path forward.

"While we've seen a lot of success, we recognize that none of it matters if our customers and community can't rely on our security," McKinnon wrote in a blog post at the end of February 2024. "It has become clear that we have to think about the relationship between identity and security differently than we have in the past — security must come first."

In his post, McKinnon announced the company's Secure Identity Commitment, which has four stated goals: hardening Okta's own security infrastructure, strengthening its clients' security best practices, embracing new technologies and delivering new products.

"Because Okta is the entry point to an organization's most important data and infrastructure, we are a big target with a massive attack surface," McKinnon wrote. "The stakes are high, and we need to answer the call."

Okta's efforts are more than just window dressing. In early November 2023, the company put new product development on hold for three months to focus on hardening its security posture. In May 2024, the company hired Jen Waugh, an experienced Australian cybersecurity executive, to be Okta's new Senior Director of Security Culture.

"Although security was always part of Okta's identity, the evolution of cyber threats — both against companies like us and against our customers — has caused us to look at ourselves through a slightly different lens," Waugh wrote in a blog post Monday. "Creating a culture of security — such that security becomes implicit within an organization's DNA and second nature to its team — isn't a small or easy feat, and it doesn't just happen. Change is required, and often that change brings an element of organized disruption."

Toughening inside and out

Several important initiatives have already been implemented, some of which Okta Chief Security Officer David Bradbury spelled out in a blog post.

First, as part of strengthening its own clients' best practices, Okta has enabled optional IP binding for administrators of its Workforce Identity Cloud platform, a process that ties session cookies to a specific range of Internet Protocol addresses or an autonomous system number.

This defeats session-cookie hijacking, which is when an attacker steals the authentication token used by a legitimate user's browser after logging in to hijack the user's account. (The October 2023 attackers used this method among others.) IP binding makes sure a session cookie can't be used outside a particular IP-address range.

Okta isn't mandating IP binding but giving its clients the option to leave it on or turn it off, which Bradbury said was the proper approach in a recent interview.

"Our position right now is that we think customers shouldn't be asking us for advice about how to secure their platform," Bradbury said. "We should just be turning these features on for them as we go."

Similarly, Okta is enabling clients to "whitelist" network zones for application-program interfaces, which will block attackers who steal API authentication tokens from re-using them elsewhere.

Other steps, some of which are on by default, include:

- Enabling zero standing privileges for administrators of Okta platforms, which means that the admins receive authorization for certain tasks only for the amount of time necessary to perform those tasks
- Conducting an internal security assessment
- Conducting a third-party assessment of Okta's SaaS platforms
- Centralizing and standardizing vulnerability management, risk management and incident reporting
- Assessing security hygiene of open-source-software libraries
- Beefing up dark-web monitoring capabilities for Okta-related content
- Enhancing its laptop and mobile-device protections, and
- Introducing a new threat-intelligence platform.
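As an added example (not Okta's code or the article's), here is a minimal session store that enforces the two controls described above: a cookie bound to an IP range at login and rejected, then revoked, when replayed from outside it, plus the 12-hour administrative session timeout. The class, the 12-hour constant, the user names and the documentation-range addresses are all constructed for illustration; binding to an autonomous system number would additionally need an IP-to-ASN lookup and is left out.

```python
import ipaddress
import secrets
from datetime import datetime, timedelta, timezone

# Hypothetical policy constant, chosen to match the 12-hour admin timeout described above.
ADMIN_SESSION_MAX_AGE = timedelta(hours=12)

class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> session record (in-memory for the example)

    def create(self, user, allowed_cidrs, is_admin=False, now=None):
        # Bind the token to the networks it may be presented from (login source or admin-set range).
        nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user, "nets": nets, "is_admin": is_admin,
            "issued_at": now or datetime.now(timezone.utc),
        }
        return token

    def validate(self, token, client_ip, now=None):
        # Returns (accepted, reason) for a request presenting this cookie.
        now = now or datetime.now(timezone.utc)
        sess = self._sessions.get(token)
        if sess is None:
            return False, "unknown_token"
        if sess["is_admin"] and now - sess["issued_at"] > ADMIN_SESSION_MAX_AGE:
            del self._sessions[token]
            return False, "admin_session_expired"
        if not any(ipaddress.ip_address(client_ip) in net for net in sess["nets"]):
            # Cookie replayed from outside the bound range: the hijack pattern IP binding
            # exists to stop. Revoke so the real holder must re-authenticate; log for detection.
            del self._sessions[token]
            return False, "ip_binding_violation"
        return True, "ok"

def demo():
    """Constructed scenario: admin cookie issued inside 203.0.113.0/24, then replayed elsewhere."""
    store = SessionStore()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    tok = store.create("admin@example.test", ["203.0.113.0/24"], is_admin=True, now=t0)
    same_net = store.validate(tok, "203.0.113.7", now=t0 + timedelta(minutes=5))
    replayed = store.validate(tok, "198.51.100.9", now=t0 + timedelta(minutes=6))
    after_revoke = store.validate(tok, "203.0.113.7", now=t0 + timedelta(minutes=7))
    tok2 = store.create("admin@example.test", ["203.0.113.0/24"], is_admin=True, now=t0)
    expired = store.validate(tok2, "203.0.113.7", now=t0 + timedelta(hours=13))
    return same_net, replayed, after_revoke, expired
```

Note that the legitimate request after the replay also fails: revoking on a binding violation trades a forced re-login for the user against an attacker keeping a stolen cookie alive.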