Okta Administration Up and Running - Second Edition

By: HenkJan de Vries, Lovisa Stenbäcken Stjernlöf

Overview of this book

Identity and access management (IAM) is a set of policies and technologies used to ensure an organization’s security by carefully assigning roles and access to users and devices. This book will get you up and running with Okta, an IAM service that can help you manage both employees and customers. The book begins by helping you understand how Okta can be used as an IAM platform, before teaching you about Universal Directory and how to integrate with other directories and apps, as well as how to set up groups and policies for Joiner, Mover, and Leaver flows. This updated edition helps you explore agentless desktop single sign-on (SSO) and multifactor authentication (MFA) solutions, and shows you how to use Okta to meet NIST requirements. The chapters also walk you through Okta Workflows, its low-/no-code automation functionality, and the custom API possibilities used to improve lifecycle management. Finally, you’ll delve into API access auditing and management, where you’ll discover how to leverage Advanced Server Access (ASA) for your cloud servers. By the end of this book, you’ll have learned how to implement Okta to enhance your organization's security and be able to use the book as a reference guide for the Okta certification exam.
Table of Contents (14 chapters)

Part 1: Getting Started with Okta

Part 2: Extending Okta

Exploring Okta

A complete user and system management setup does not live in one product, nor does it depend on a single vendor. A complete view of everything inside and outside the organization is best achieved by combining different tools.

This combination, and the deep integrations between the tools, makes it possible to create a fine-knit layer of security and insight on top of everything: flexible enough to allow exceptions, but strong enough to fight off anything considered harmful to the user, content, data, systems, or organization.

An IAM system can be seen as a collection of different elements and tools to deliver this. It can be considered that the following functionalities are part of, but not limited to, an organization’s toolkit:

  • A password vault to store and maintain access to applications and systems. This can be advanced by using protocols that allow single sign-on (SSO).
  • Provisioning integrations to create and manage user identities within directories, applications, databases, and infrastructures.
  • Security enforcement applications to secure access to applications, as well as securing the data of these systems and others.
  • Unified reporting systems that give fine-grained insight across the array of tools, providing oversight and a better picture of what is happening inside and outside the corporate network.

Okta is capable of delivering all of these functionalities, to some degree, for organizations large and small across any business vertical and within cost-effective boundaries.

By staying true to that form, Okta excels at being an agnostic system. By letting any application vendor build integrations with Okta, and by building integrations broadly on request from customers, Okta has grown its public catalog, the Okta Integration Network (OIN), to over 7,000 pre-built and maintained integrations. Alongside these integrations, Okta invested heavily in ground-to-cloud visibility and launched its Okta Access Gateway product to bring on-premises web applications under the same SSO and policy control. On top of the out-of-the-box integrations, Okta added its no/low-code Workflows engine, which lets any identity-driven event trigger Okta’s own capabilities, and even act on applications outside the integration library.

Looking beyond users, the world contains more and more IoT applications, and machine-to-machine management is becoming a much larger element of organizations’ business models. By offering API Access Management and Advanced Server Access (ASA), Okta extends its functionality to cover these non-human identities as well, filling the needs of every aspect of IAM within an organization.

Let’s now take a look at the things that set Okta apart in the IAM space.

Zero trust

As organizations shift away from on-premises applications and let the workforce decide how and when they access the data they need, Okta makes it possible to incorporate forward-thinking concepts such as zero trust. Zero trust is the framework in which no entity, physical or virtual, inside or outside the corporate perimeter, is trusted implicitly at any moment in time; every access request is verified. This gives the insight and control needed to manage the users, identities, infrastructure, and devices accessing business resources and data. Threat detection and remediation are part of the cycle that keeps this concept enforced.

The zero trust principle of least-privileged access can be incorporated into the organization’s security policies. It allows users and machines to only get enough access for that given moment and that task. This can be hard to manage on a case-by-case scenario (for example, allowing and denying access to individual corporate content and files), but by understanding the concept, it can be used as a rule of thumb to only give out need-to-access privileges. A couple of examples are as follows:

  • A support agent needs administrator rights in a system but might not need full super admin rights. Role-based access can be applied here.
  • A machine reading data from a database needs read-only access, not write access. This would reduce the risk of an attacker being able to change or delete data.

Acquiring an IAM tool is not enough by default to make sure your organization lives up to a zero trust approach, but it is a starting point for many organizations. When it comes to IAM and zero trust, Okta divides the journey into four stages of maturity.

Stage zero – fragmented identity

An organization in this stage typically has an Active Directory (AD) or some other on-premises structures as a user directory. Cloud applications might be used, but there is no integration into the directory. Passwords are not consolidated, but rather separate logins are everywhere. Security is done on a case-by-case basis, or rather, app by app. In stage zero, most services and devices will reside within the corporate infrastructure, as seen in Figure 1.1:

Figure 1.1 – All applications and access are managed with networks and directories

Once users leave the corporate firewall behind, or find their way around it, the need for more control over who can access what, and when, where, and how, pushes the organization to the next stage.

Usually, more traditional organizations fall into this category. Their history is rooted in older infrastructure, and the move toward the cloud is happening slowly. Companies with on-premises servers, heavy reliance on firewalls, and VPN access are often found in this stage.

Stage one – unified IAM

Once you open the gates, there is no coming back to a perimeter-based security practice. It’s important to make sure access is managed for employees, partners, and contractors alike. Delivering unified SSO relieves the user of the responsibility to create, maintain, and manage a strong password per application, portal, and piece of infrastructure. By adding multifactor authentication (MFA), the organization can create policies that require additional steps to confirm the user’s identity while accessing corporate content.

Examples of this are as follows:

  • Using an authenticator application such as Google Authenticator or Okta’s own Okta Verify to generate a one-time code (Okta Verify can also approve a push notification instead)
  • Using SMS to receive a one-time code
  • A biometric such as a fingerprint reader, or a hardware security key such as a YubiKey

These factors are not equally strong. SMS codes can be intercepted through SIM swapping or relayed by a phishing page in real time, which is why NIST SP 800-63B classifies out-of-band authentication over the public telephone network as restricted. FIDO2/WebAuthn authenticators such as a YubiKey bind the credential to the site’s origin and are phishing-resistant, so they should be preferred for high-value access.

In stage one, you will see a shift. Users will access corporate data outside of the network. Slowly, SaaS will make its way into the organization. Even so, old structures will still stay in place to maintain legacy and non-cloud access as follows:

Figure 1.2 – An outline of what stage one might look like

You will find organizations of every trade in this stage. Moving to the cloud is part of their strategy. They will most likely start to embrace Software-as-a-Service (SaaS) options over their own capabilities. This is where perimeters start to fade and the call for more flexible security and management is needed.

Stage two – contextual access

Context-based access plays a large part when you want to expand your zero trust initiative. Knowing your users, their devices, their location, the systems they use, and even the time and date lets you make zero trust decisions dynamically rather than once at login. By incorporating all these signals, your security team gets a wider view of a user’s posture and activities and can set fine-grained policies and rules that apply to that user in that context.

Having such deep control and the ability to interact with users at such a granular level fits perfectly with the concept of zero trust. Of course, automation is the magic sauce. Using all these elements in your security risk assessment is the first step, and setting policies on top of that is step two; automating it all so that the systems grow stronger on their own is what adds the most value, and that is step three.

Within this stage, you will usually find that corporate systems expose, or consume, APIs that need to be protected as well. API access management ensures that even system-to-system calls are granted only the access the least-privilege framework allows, typically by issuing each caller a token whose scopes bound what it may do.
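The token-scope check that API access management implies, both for the read-only machine identity in the least-privilege example earlier and for the protected APIs of stage two, as an added example that is not the book’s or Okta’s code. Okta’s authorization server signs access tokens with RS256 and publishes its keys as a JWKS, so a real resource server would verify against those; to stay self-contained and offline this block uses a stand-in HS256 issuer with a constructed shared secret, and the issuer URL, audience and scope names are assumptions. The validation order (pinned algorithm, signature, issuer, audience, expiry, then scope) is the part that carries over unchanged.

```python
"""Resource-server side of API access management: every caller, human or
machine, presents an access token whose scopes bound what it may do.
Added example, not the book's code. Okta signs access tokens with RS256
(keys published via JWKS); to stay self-contained this uses a stand-in
HS256 issuer with a constructed secret. Issuer, audience and scope
names are assumptions."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://example.okta.com/oauth2/default"  # assumed authorization server URL
AUDIENCE = "api://inventory"                         # assumed audience of the custom server
SECRET = b"constructed-demo-secret-not-for-production"

# Least privilege per HTTP method: a reader never receives inventory.write.
REQUIRED_SCOPE = {"GET": "inventory.read", "POST": "inventory.write", "DELETE": "inventory.write"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, scopes: list, now: int, ttl: int = 3600) -> str:
    """Stand-in for the authorization server: issue a signed JWT carrying the
    caller's scopes in the 'scp' claim, the claim name Okta uses."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "iat": now, "exp": now + ttl, "scp": scopes}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int) -> dict:
    """Resource-server checks, in order: structure, algorithm pinned (never
    taken from the token to choose the verifier), signature, issuer,
    audience, expiry. Any failure is a PermissionError."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            raise PermissionError("unexpected alg")
        expected = hmac.new(SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise PermissionError("bad signature")
        claims = json.loads(_b64url_decode(c))
    except ValueError as exc:                # malformed base64url, JSON, or segment count
        raise PermissionError("malformed token") from exc
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise PermissionError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise PermissionError("token expired")
    return claims


def authorize(token: str, method: str, now: int) -> str:
    """Return the caller's subject if the token is valid and carries the scope
    the method needs; raise PermissionError otherwise."""
    claims = verify_token(token, now)
    needed = REQUIRED_SCOPE.get(method)
    if needed is None:
        raise PermissionError(f"method {method} not allowed")
    if needed not in claims.get("scp", []):
        raise PermissionError(f"missing scope {needed}")
    return claims["sub"]


if __name__ == "__main__":
    now = int(time.time())
    reader = mint_token("svc-reporting", ["inventory.read"], now)   # read-only machine identity
    print("GET as svc-reporting:", authorize(reader, "GET", now))
    for method in ("DELETE", "POST"):
        try:
            authorize(reader, method, now)
        except PermissionError as exc:
            print(f"{method} as svc-reporting denied: {exc}")
```

The point of pinning the algorithm before looking at the signature is that the token must never be allowed to choose how it is verified; with a real Okta server the same check pins RS256 and the key is selected by the `kid` header from the published JWKS.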

Figure 1.3 – An outline of what stage two might look like

Organizations might have a complete roadmap for themselves set out with regard to their zero trust initiative. Cloud-driven, cloud-native, and cloud-born organizations will quickly adopt it, and there are many of them in this stage. Traditional organizations that have made it to this stage have come a long way; they truly were able to reinvent themselves.

Stage three – adaptive workforce

When system automation increases, risk-based analysis can be added. This is when we can create a fully flexible and adaptive workforce. Integrating more security systems becomes a large part of the whole security practice: usually, external signals from third-party products such as mobile device management (MDM), cloud access security brokers (CASBs), security information and event management (SIEM), and other connected systems deliver even more user and machine context that can be used within policies.

Previously unknown attack vectors are detected, and policies start to act on those discoveries. Adding alternative access controls where they are needed or required raises security. While security goes up, user access can also become smoother thanks to seamless access methods: passwordless and dynamic authentication policies become common, and users are prompted to prove who they are in proportion to the risk they present to the systems controlling access:

Figure 1.4 – An outline of what stage three might look like
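One way to express the contextual policies of stage two and the risk-based, adaptive policies of stage three in code, as an added example that is neither the book’s nor Okta’s: the signal names (managed device, network zone, country, hour, risk score, factors already verified), the group and application names, the thresholds and the allowed-country list are all assumptions standing in for what an MDM, a SIEM and the directory would supply. The rules are ordered, hard denies come first, and there is no implicit allow, so a context the rules do not positively accept falls through to a step-up rather than to access.

```python
"""Contextual, risk-based access decision of the kind stages two and three
describe. Signals about the user, device, network, time and external risk
(the sort of context an MDM or SIEM feeds in) are evaluated by ordered
rules; the outcome is allow, step-up (mfa) or deny.
Added example, not the book's or Okta's code: the signal names, group
names, thresholds and country list are assumptions."""
from dataclasses import dataclass, field

HIGH_VALUE_APPS = {"hr-payroll", "aws-console"}                   # assumed
APP_GROUP = {"hr-payroll": "hr", "aws-console": "cloud-admins"}   # assumed app -> required group
ALLOWED_COUNTRIES = {"SE", "NL", "US"}                            # assumed
PHISHING_RESISTANT = {"webauthn", "okta_fastpass"}                # assumed factor names
SECOND_FACTORS = PHISHING_RESISTANT | {"totp", "push"}            # assumed factor names


@dataclass
class AccessContext:
    user: str
    groups: set
    app: str
    device_managed: bool     # MDM reports the device enrolled and compliant
    network: str             # "corp", "vpn" or "public"
    country: str
    hour_utc: int
    risk_score: int          # 0-100, e.g. from a SIEM or risk engine
    factors: set = field(default_factory=set)   # factors already verified this session


def evaluate(ctx: AccessContext) -> tuple:
    """Return (decision, reason). First matching rule wins; nothing below
    grants access unless a rule positively accepts the context."""
    # Hard denies first: context that no extra authentication should override.
    if ctx.risk_score >= 80:
        return "deny", "risk score at or above hard limit"
    required_group = APP_GROUP.get(ctx.app)
    if required_group and required_group not in ctx.groups:
        return "deny", f"least privilege: not a member of {required_group}"
    if ctx.country not in ALLOWED_COUNTRIES:
        return "deny", f"sign-in from {ctx.country} not permitted"
    if ctx.app in HIGH_VALUE_APPS and not ctx.device_managed:
        return "deny", "high-value app requires a managed device"

    # Decide the assurance level the remaining context calls for.
    off_hours = not 7 <= ctx.hour_utc < 19
    high_assurance = (ctx.app in HIGH_VALUE_APPS or ctx.risk_score >= 40
                      or ctx.network == "public" or off_hours)

    if high_assurance:
        if ctx.factors & PHISHING_RESISTANT:
            return "allow", "phishing-resistant factor satisfied high-assurance policy"
        return "mfa", "step up with a phishing-resistant factor"

    # Low assurance: a managed device on a trusted network is the device-trust
    # signal that allows a passwordless session; anything else needs a second factor.
    if ctx.device_managed and ctx.network in ("corp", "vpn"):
        return "allow", "managed device on trusted network"
    if ctx.factors & SECOND_FACTORS:
        return "allow", "second factor verified"
    return "mfa", "second factor required"


if __name__ == "__main__":
    # Constructed sample contexts, not real sign-in data.
    samples = [
        AccessContext("alice", {"hr"}, "hr-payroll", True, "corp", "SE", 10, 5, {"webauthn"}),
        AccessContext("alice", {"hr"}, "hr-payroll", True, "corp", "SE", 10, 5, {"totp"}),
        AccessContext("bob", {"eng"}, "hr-payroll", True, "corp", "NL", 10, 5, {"webauthn"}),
        AccessContext("carol", {"eng"}, "wiki", True, "corp", "NL", 10, 10),
        AccessContext("carol", {"eng"}, "wiki", True, "public", "NL", 10, 10, {"totp"}),
        AccessContext("dave", {"eng"}, "wiki", False, "public", "XX", 3, 90, {"webauthn"}),
    ]
    for ctx in samples:
        decision, reason = evaluate(ctx)
        print(f"{ctx.user:6} {ctx.app:11} -> {decision:5} ({reason})")
```

Two design choices matter here more than the particular thresholds: the deny rules run before any assurance logic so that a strong authenticator cannot talk the policy out of a group or geography restriction, and the step-up for high-assurance contexts asks specifically for a phishing-resistant factor, because a TOTP code that has already been verified on a public network is exactly the factor a real-time phishing relay can satisfy.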

Organizations that fall into this category will be front-runners in this initiative. They not only understand it, but they have also implemented it and made it their mantra. High-tech organizations with global workforces and dynamic management will fit this picture perfectly.

So, how would you start your own organization’s journey towards zero trust?

  • Start by researching the concept
  • Assess your own organization
  • Decide which of your solutions you can keep, which need to change, and how to close the gaps
  • Get your users on board

Now that we’ve learned about the steps to take with your organization to move toward a zero trust approach, let’s look at the basic features in Okta that we can use to start our journey.