SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image

Okta's redrawing its cybersecurity boundaries, says CSO

Fri, 18th Oct 2024

Identity management vendor Okta is shifting its focus to strengthen its security posture amid increasingly sophisticated cyberattacks. David Bradbury, the company's Chief Security Officer, explained in an interview that this evolution is part of Okta's long-term "secure identity commitment." He emphasised that the company's new approach goes beyond quick fixes following incidents, aiming instead for continuous improvement and stronger infrastructure.

"Identity is security," Bradbury said. "We are a security company, so we need to ensure that security is baked into everything we do, from our products to our corporate infrastructure."

Bradbury acknowledged that an important lesson came from last year's incident, which exposed vulnerabilities in areas previously deemed peripheral. "We realised that the infrastructure supporting our growth and the systems outside the core product have become equally critical," he explained. "Previously, if I had a dollar to spend, it would go into the product. Now, we see that's not enough. We need to ensure that the same level of security applies across every system and touchpoint."

This strategic shift has led Okta to redraw its security boundaries. In the past, the company focused primarily on protecting its core product, but now it includes infrastructure like its customer support system within its critical defences. "We've erased those boundaries," Bradbury said. "Every system that touches customers or has any link to production needs to meet the highest security standards."

A significant part of Okta's strategy addresses the challenge of "shadow IT," where employees use unauthorised tools without the security team's knowledge. Bradbury admitted that such challenges persist for every company, but Okta has developed layers of defence to minimise risks. "There are no perfect security controls," he said. "But we've built a stronger perimeter to deal with serious threats, whether they come from nation-state actors or criminal gangs."

Bradbury emphasised the need for Okta to act as both a service provider and a security advisor for its customers. "Our customers expect us not just to listen but to lead," he said. "That's a big shift for us. We've always been customer-led, but now we're blending that with our security expertise to build safer products."

One major challenge Okta faces is phishing, an attack method that remains alarmingly effective. Bradbury described how phishing tools are becoming more sophisticated, blending AI-enhanced messaging with personalisation. "These kits have evolved just like enterprise software," he noted. "The grammar is perfect, and they feel authentic. Sadly, phishing works—most of our customers still use authenticators vulnerable to phishing, despite our phishing-resistant alternatives."

Bradbury pointed to adopting their "Fastpass" technology as one way Okta is combating phishing. "Fastpass offers a more user-friendly, phishing-resistant solution. We've found that once customers adopt it, they become raving fans," he said. "The challenge is getting more people to switch—over 90% of authentications on our platform are still vulnerable."

Okta is also focused on post-authentication attacks, a growing trend where attackers steal session tokens after a user has logged in. "It's becoming more common to see attackers wait until someone is authenticated and then steal their session," Bradbury explained. "These tokens shouldn't be so easy to misuse."

The company aims to push the adoption of solutions like the Distributed Proof of Possession (DPoP) protocol, which binds authentication tokens to specific devices. "It's frustrating because the industry knows how to solve this issue, but adoption has been slow," Bradbury said. "This gap leaves a window for attackers to exploit."

A crucial part of Okta's evolving strategy is collaborating with other security companies. Bradbury cited partnerships with CrowdStrike and Palo Alto Networks as examples. "Because we're a neutral identity provider, these companies are happy to work with us. The deeper our integrations, the stronger the security signals we can leverage," he said.

Okta has embraced the OpenID Foundation's "Shared Signals" framework, which allows companies to share security insights in real time. This enables faster responses to suspicious behaviour across platforms. "If something unusual happens on Slack, for example, that information can trigger additional security checks during a login attempt on Okta," Bradbury explained. "It's about making sure our customers are protected with insights from across the ecosystem."

As businesses face increasing pressure to invest in AI, Okta is also grappling with how to secure these new technologies. "Security budgets are always under pressure," Bradbury acknowledged. "Now, with AI projects taking priority, it's even more challenging to secure the necessary resources. Yet AI introduces new risks—non-human agents still need identities and access controls."

He noted that the company is working to support customers with emerging threats related to AI agents. "AI is evolving quickly, and so are the security implications. We need to ensure that security remains part of the conversation, especially when companies are integrating AI into their systems," he added.

Bradbury concluded by reflecting on the challenges of balancing customer experience with security. "It's not about giving customers everything they ask for anymore—it's about doing what's right for their security," he said. "As identity and security experts, we need to lead the way."

The shift in Okta's approach highlights the complex landscape of modern cybersecurity, where companies must anticipate threats, guide customers, and continuously improve. "We see things others don't, and it's our responsibility to act on that knowledge," Bradbury said.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X