
Top-level reevaluation of security by Okta, following a damaged reputation

Identity management company's errors and security promises to customers, as outlined by Chief Security Officer David Bradbury to Cybersecurity Dive.


In the wake of a series of high-profile cyberattacks, Okta, a leading provider of identity and access management solutions, has announced several significant security improvements. The latest round of enhancements comes after a September 2022 cyberattack that exposed customers of Okta's customer support system, although Okta's detailed public disclosures remain limited.

Okta's immediate response involved identifying and directly contacting all potentially impacted customers. It is essential to note that the breach affected only the legacy Sykes support systems, not the Okta service itself, Auth0, or the HIPAA and FedRAMP customer environments.

One of the key measures taken or recommended following the breach is the strengthening of authentication security. Security experts, along with Okta, now advocate the mandatory use of strong multi-factor authentication (MFA), particularly hardware-based MFA ("hard keys"), because these factors offer better resistance to phishing than other MFA forms.

Okta has also emphasized the importance of rigorous, transparent stakeholder communication during incident response. In line with established best practice, the company maintains multi-channel communication throughout an incident, issuing regular updates on scope, containment efforts, and remediation milestones to reduce customer churn and maintain trust.

While there is no detailed public list from Okta enumerating all technical enhancements post-breach, industry practices suggest Okta likely enhanced monitoring, access controls, and identity threat detection capabilities. The breach underscored risks inherent in third-party support system access, leading to increased emphasis on tightened third-party controls and identity-focused security, consistent with evolving security trends like Identity Threat Detection and Response (ITDR).

Okta's priority is to improve its security, and to that end the company is instituting multi-factor authentication requirements for all Okta admin roles and for protected actions in the admin console. Not all new features are secure by default; some require customers to enable them and configure the settings correctly.
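The two recommendations above (hardware-based, phishing-resistant MFA in the earlier paragraph, and MFA on every admin role and protected action, with the caveat that some settings are not on by default) translate directly into an audit a customer can run against their own tenant inventory. The script below is an added example, not Okta's code or API: the account records, the factor type names, the org-setting keys (`admin_mfa_required`, `protected_actions_mfa`) and the severity scheme are all constructed assumptions, modelled on the article's recommendations rather than on any real export format.

```python
"""Audit a constructed admin-account inventory against an MFA policy.

Added example, not Okta's code or API. Factor names, role names, setting keys
and the sample data below are assumptions modelled on the article's advice:
MFA on every admin role, hardware / phishing-resistant factors preferred over
OTP, SMS and push, and org-level settings that must be switched on explicitly.
"""
from collections import Counter
from dataclasses import dataclass

# Factor types that bind the authentication to the site origin and therefore
# resist credential phishing; everything else is treated as weaker (assumption).
PHISHING_RESISTANT = {"webauthn", "fido2", "hardware_key"}
WEAK_FACTORS = {"sms", "voice", "email", "totp", "push"}


@dataclass
class AdminAccount:
    login: str
    roles: list          # admin role names (hypothetical, e.g. "ORG_ADMIN")
    factors: list        # enrolled factor type names


@dataclass
class Finding:
    subject: str         # account login or "<org>" for tenant-level findings
    severity: str        # "high", "medium" or "low"
    message: str


def audit_admin(acct, require_phishing_resistant=True):
    """Return findings for one admin account (empty list means compliant)."""
    findings = []
    if not acct.factors:
        # An admin with no second factor at all is the worst case.
        findings.append(Finding(acct.login, "high", "no MFA enrolled on admin role"))
        return findings
    strong = [f for f in acct.factors if f in PHISHING_RESISTANT]
    weak = sorted(set(acct.factors) & WEAK_FACTORS)
    if not strong:
        # OTP / SMS / push alone can be relayed by a phishing page.
        sev = "high" if require_phishing_resistant else "medium"
        findings.append(Finding(acct.login, sev,
                                "only phishable factors enrolled: " + ", ".join(weak)))
    elif weak:
        # Hardware key present, but a weaker fallback remains usable.
        findings.append(Finding(acct.login, "low",
                                "weak fallback factors alongside hardware key: " + ", ".join(weak)))
    return findings


def audit_org(accounts, settings):
    """Audit tenant-level settings first, then every admin account."""
    findings = []
    # "Not secure by default": the org-level requirements must be checked
    # explicitly rather than assumed from per-user enrolment.
    if not settings.get("admin_mfa_required", False):
        findings.append(Finding("<org>", "high",
                                "admin console MFA requirement is not enabled"))
    if not settings.get("protected_actions_mfa", False):
        findings.append(Finding("<org>", "high",
                                "MFA for protected admin actions is not enabled"))
    for acct in accounts:
        if acct.roles:  # only accounts holding an admin role are in scope
            findings.extend(audit_admin(acct))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'low': 1}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample inventory (not real accounts or a real tenant).
SAMPLE_ACCOUNTS = [
    AdminAccount("super.admin@example.test", ["SUPER_ADMIN"], ["hardware_key"]),
    AdminAccount("ops.admin@example.test", ["ORG_ADMIN"], ["totp", "sms"]),
    AdminAccount("help.desk@example.test", ["HELP_DESK_ADMIN"], []),
    AdminAccount("app.admin@example.test", ["APP_ADMIN"], ["webauthn", "push"]),
]
SAMPLE_SETTINGS = {"admin_mfa_required": False, "protected_actions_mfa": True}

if __name__ == "__main__":
    for f in audit_org(SAMPLE_ACCOUNTS, SAMPLE_SETTINGS):
        print(f"[{f.severity:6}] {f.subject}: {f.message}")
    print(summarize(audit_org(SAMPLE_ACCOUNTS, SAMPLE_SETTINGS)))
```

On the constructed inventory the audit reports three high findings (the org-level admin MFA flag left off, one admin relying on TOTP and SMS only, one admin with no factor at all) and one low finding for the admin who holds a WebAuthn credential but still has push enabled as a fallback. The tenant-level checks come first on purpose: per-user enrolment says nothing about whether the console actually enforces a factor, which is the gap the "not secure by default" caveat points at.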

Okta is also implementing a series of security controls to improve its products and internal IT operations. The company has overhauled its values to make security the only priority, and more than 400 of Okta's 1,000-person engineering team are working on security-related activities on a full-time basis.

Okta is incorporating secure by design principles into its internal and external tech stacks. The company aims to turn controls deemed most beneficial on by default as more features are rolled out. Okta has pledged to harden its corporate infrastructure, embody secure-by-design principles, champion best practices, and invest $50 million in a fund to address cybersecurity challenges outside the company.

Looking ahead, Okta will report its fourth quarter fiscal 2024 earnings on Wednesday. David Bradbury, the CSO at Okta, has stated that Okta needs a track record of zero breaches to rebuild trust. The company is determined to turn its focus on security into a competitive advantage, setting a new standard for identity and access management solutions.


  1. In response to a cybersecurity breach, and as part of its sharpened focus on cybersecurity, Okta has urged customers to implement strong multi-factor authentication, particularly hardware-based MFA, to bolster protection against phishing attacks.
  2. To address the risks associated with third-party support system access, Okta has vowed to strengthen its identity-focused security measures, aligning with emerging security trends like Identity Threat Detection and Response (ITDR).
  3. In an effort to set a new standard for identity and access management solutions, Okta has allocated $50 million to address cybersecurity challenges outside the company, boosting its emphasis on security as a competitive advantage.
