Exclusive: Okta CSO on scaling security alongside business growth

03 May 2019

Identity and access management solutions provider Okta recently marked its ten-year anniversary, announcing revenue of US$115 million last year and an employee count of 1,500.

As the company continues to expand its identity platform, security continues to play a major part in the development of its products and strategy.

Techday spoke to Okta chief security officer Yassir Abousselham about scaling security in tandem with its growth, Okta’s recent acquisitions, and the journey to secure second factors.

In terms of security strategy, what’s changed for Okta since last year?

For us as a company, the challenge is to be able to grow the security capabilities at the same speed as the business.

We are acquiring more customers, and a lot of them are high-profile organisations who constitute better targets for attackers.

At the same time, we are acquiring companies and creating and releasing more features, which translates into more lines of code and more things to make sure we secure.

In the context of all that, the challenge for any security team is to be able to maintain the effectiveness of the security environments while supporting the business.

That means not slowing it down and positioning security as a differentiator as opposed to something that cuts into the velocity of our releases and our products.

How active is the security team in the development of Okta’s products and services?

We are deeply entrenched in every aspect of the business, whether it is our product roadmap, the service, defining the strategy, or being there to define the requirements for a security organisation.

We're involved in branding, in making sure that our marketing campaigns have the right message, to be able to resonate with the security team.

So we're involved in every aspect of our business, and we want to continue doing so as we scale as a company.

Okta is making quite a few acquisitions at the moment – have you found it challenging bringing them to an acceptable level of security hygiene?

If you can get involved in the merger and acquisition cycle early on, then it's not going to be a challenge.

We do two things very well.

Security is involved in the early stages of any acquisition in the sense that we have those conversations, we do our due diligence on the acquisition and we make sure the target’s security is on par with what we expect for a company that's going to join Okta.

The second thing is that we have a process and a framework - we've established a roadmap for how any company acquired integrates within the information security programme at Okta.

Once we complete the acquisition, we do a number of things including deep dives into their security and penetration testing.

If there are any issues or any kind of improvements that we need to make, we make sure that those are completed even before we make the product available to our customers as an Okta product.

We integrate or take over a lot of their security processes.

For example, identity and access management, application security, and compliance.

In fact, for a company such as ScaleFT, which we acquired a few months ago, we're well underway and have made significant progress in getting them compliant, or showing at least compliance with things like SOC2.

We're also working on a number of additional compliance mandates, to be able to position them at the same level as Okta when we have these conversations with our current customers.

Okta is focusing on multifactor authentication (MFA), but attacks like SIM swapping can compromise it. How does this impact the effectiveness of MFA?

With approaches we take to security, there are always going to be vulnerabilities along the way.

If you look back at the introduction of FaceID or TouchID on the iPhone, you have researchers that came up with ways to circumvent that.

These are small things that slow us down, but they do not necessarily speak to the effectiveness of the solution as a whole.

SIM swapping is an issue, but it is one that has a couple of things that make it not necessarily material in the larger scheme of things.

The first is that it is a vulnerability or attack that's executed on a one-on-one basis - it's not something that can be done at scale.

It's very tricky and very hard to execute.

The second thing is that it’s a known issue now.

A lot of the players in the industry are going to improve their controls to make sure that's no longer an issue and that the security of their customers is not going to be impacted.

If a threat actor is able to trick them into considering them as the owner of that phone number, it’s a breakdown of a control on the telecom operator side.

But I have to believe that telcos are taking the necessary steps to close those holes, and this is something that has existed for a while.

The verdict is that this is one very small roadblock, but it does not speak by any stretch to the effectiveness of multifactor authentication as a control to protect access.

Does Okta use phone numbers as one of the key ways to authorise the second factor?

Okta is a platform and we have to give our customers the flexibility to choose any factor that they need.

In some cases, some customers choose not to use a second factor and rely solely on passwords.

You have to be able to allow your customers to make those choices.

As much as it can appear as a given that an organisation will go for two factors from the get-go, it's not always obvious.

For organisations that have been in operation for a while - the more traditional industries, even - it's hard to manage the change between those technologies.

Going from a password to a second factor is not something that's done overnight; it takes a lot of work and it takes a lot of organisational change management to make sure that you get to the endpoint.

To be able to achieve that goal, a lot of organisations have to take that intermediate step of using something that's available to all of their users - and that would be a phone number.

Not every organisation is going to have the ability to make that change to a stronger factor because of a number of different reasons.

In some cases it's pushback: there's a reluctance to change from their users, and many of those users can apply pressure through their executive representative, and so on.

And in some cases, those reasons are economic.

Not every company is going to have the budget to invest in second factors that do cost and represent a significant line item in their IT budget.

So I think a lot of the other organisations, and at least security teams, have this target of getting all of the users to have a second factor that is strong.

But it is a journey.

And sometimes you have to be able to take intermediate steps to get there.
