Okta CEO: “We’ve been at cyber war for some time”

Don't forget 2FA

Okta co-founder and CEO Todd McKinnon was in Amsterdam last week to speak with customers and partners. In an interview with Techzine, he points out the role his company now plays in the tech world. “Every vendor wants to be the central hub of an IT environment.”

Picture a hack, and your mind may reach to an exploited software vulnerability. However, recent cyber incidents at the Snowflake accounts of Ticketmaster, Santander and Advance Auto Parts show that hackers can often simply log in without having to break in. The cause: a failure to implement two-factor authentication (2FA), a misconfiguration for which the IT vendor is not to blame.

Bearing responsibility

Okta cannot afford to have that mindset. As an identity specialist, the company bears responsibility for authentication across all kinds of IT services, regardless of whether those are in the cloud or on-prem. McKinnon, at the helm of the company since its founding in 2009, recalls an incident in which a customer accidentally deleted crucial Okta configurations. The incident, which occurred many years ago when Okta was a lot smaller, led to some internal debate. “Someone on the team at the time said ‘they shouldn’t have done that.’ And I refuted that, because that’s the wrong way of looking at it. The product shouldn’t have allowed them to do something like that. It’s never the customer’s fault.”

It turned out to be an important lesson for Okta. There’s now a long-standing internal framework that prescribes “speed bumps” for sensitive actions. “You see roughly the same thing happening in security. It shouldn’t be possible to turn on something that allows an attacker to move between domains.”

Still, this requires a cultural shift in organizations. McKinnon admits that it’s never just about the technology if you want to protect your business. “Technology is necessary, but not sufficient.” For example, transparency is needed among vendors and within organizations to minimize the damage around a compromise. If there’s an unpatched vulnerability floating around somewhere in the supply chain, it affects everyone. The only thing Okta can do about that is to lead by example and be transparent itself.

Internal pillars

McKinnon states that customers also want to learn from what Okta itself is doing internally about its own security. The company describes itself as critical infrastructure, something it genuinely is nowadays, given identity is at the core of most security strategies.

He points to Okta’s long-term commitment against identity-based attacks, known as the Okta Secure Identity Commitment, which rests on four pillars. First, “hardening” its own IT infrastructure, using the same cyber-threat profiles internally as it does with customers. Second, Okta has to be a particularly secure product, as attackers can assume its presence within an organization’s cloud infrastructure. In this light, McKinnon sees his company as the new Azure Active Directory (now Entra ID). Third, the Okta commitment revolves around clearly communicating best practices to customers. Finally, Okta insists on industry standardization, including sharing data from different software. We’ll come back to that later.

Constant drumbeat

Okta blocks two billion attacks a month. How consistent is that avalanche of cyber attacks? Does it increase at certain times? After all, we are living in an election year in Europe, Britain, France and the United States, among others. Is Okta noticing any increased activity, perhaps from Russia? Not really, McKinnon concludes. “There is, of course, an increase in misinformation right before elections. But we shouldn’t confuse that with an upward wave of cybercrime. That’s a constant drumbeat. We’ve been fighting a cyber war for quite some time.”

That takes place mostly in cloud environments. Okta has been there to experience the rise of the cloud nearly from its inception, but McKinnon also saw its initial run-up during his time at Salesforce (2003-2009). McKinnon had an early sense that not just apps, but collaboration, communication, infrastructure and more would all take place in the cloud. He notes that the cloud is now what people think of when you say “IT.” That’s where the innovation takes place, business value gets created, AI applications get developed, et cetera. Okta, as a SaaS vendor, fits well with that paradigm. And because all the value is mostly in the cloud, according to McKinnon, many customers end up choosing Okta because they need it for their security. That’s not without reason: “Eight out of ten data breaches involve stolen credentials.”

McKinnon works closely with a number of large clients. One of these is Japanese conglomerate NTT, with Okta being “the brain of their security infrastructure.” One of Okta’s main roles, then, is to bring other software together. Heterogeneity in general is important, because a layered defense with multiple vendors can prevent one exploit from being enough to do damage.

Who is the linchpin?

The step from identity to general IT security is a small one. However, Okta is obviously one application, one layer of the entire stack. It works extensively with other parties such as Zscaler, CrowdStrike and Trellix. Through the so-called Shared Signals Pipeline, Okta exchanges data between applications so that, for example, CrowdStrike’s threat intelligence can issue an alert that leads to a suspicious account getting blocked in Okta.

Even though there’s genuine enthusiasm among IT vendors to exchange data, some parties would rather control everything in the stack. With every vendor claiming to have its own single pane of glass, each one would be the go-to hub of the IT infrastructure, an impossibility at face value. McKinnon thinks there’s room for multiple control points, but argues that any company that receives a signal must also give one back. Software from Palo Alto Networks and Zscaler should equally be a “smart node” with data from Okta.

Joint coordination is a good thing, but it has to be manageable. We note that there are now more than 3,600 security parties. Doesn’t this multiplicity go against the message of unification that IT security currently prides itself on? McKinnon sees it differently. “If we get the middleware right, or the integration layer right, then innovation helps us protect us from constantly evolving attackers and attacks.”