Identity and access management (IAM) provider Okta has announced it is to double its investment in security over the next 12 months and launched a Secure Identity Commitment, a long-term plan comprising four key initiatives – cementing market leadership, advocating for best practice around identity, elevating the identity sector, and hardening its own infrastructure.
Nearly six months after Okta’s products were exploited in a series of cyber attacks – including two dramatic and high-profile compromises of prominent Las Vegas casino operators by a ransomware gang and other attacks on other IT firms that used its products – the organisation is increasingly cognisant that it needs to do more to help its customers adopt best practice around identity, and to prevent its products from being taken advantage of in the future.
“When you look at some of the recent press articles and trends in the industry, it’s evident that threat actors are targeting identity, and targeting providers, a lot more,” Okta’s EMEA chief inforamation security officer, Stephen McDermid, told Computer Weekly. “This commitment is about recognising that we need to be at the forefront of challenging these issues.”
The attacks on Okta’s customers originated when attackers broke into one of its own employees’ personal Google account and stole credentials, which they then used to breach the firm’s support case management systems and access customer data. Among those impacted were 1Password, BeyondTrust and Cloudflare. The scope of this breach was initially thought to be quite limited, but later widened to include every Okta customer that has ever used its helpdesk.
Recognising the magnitude of the issue, Okta’s immediate response was to batten down the hatches and order all hands to the cyber pumps in an operation it dubbed Project Bedrock, which saw the organisation suspend all functional development of its products for 90 days.
“Okta being a market leader, we are always going to be under attack, so it’s important to be prepared for some of these new methods and strategies we’re seeing from threat actors” Stephen McDermid, Okta
“For those 90 days we did nothing but focus on security, and that’s an incredible step to take,” said McDermid. “That has turned into a huge amount of work for the internal security teams, but also gives us the opportunity to turn Okta’s enterprise security into the real strong force that it should be and must be to defend against these attacks.
“Okta being a market leader, we are always going to be under attack, we are always going to be a big target, so it’s important to be prepared for some of these new methods and strategies we’re seeing from threat actors and make sure that our systems are capable of defending against those.”
McDermid said Okta was now in a much better position than it was three months ago. “We’re not taking anything for granted [but] the reality is that Project Bedrock has allowed us to expedite the delivery of some of the security initiatives we had on the way, in tandem with some new ones once we identified the cause of the incident.”
Some of the enhancements that can now be revealed include enforced session time-outs for administrators if they go idle for longer than 15 minutes, and restrictions on how admins can access support cases.
McDermid said this had created a challenge for customers by introducing more friction in how admins use its products, but once the need for these changes has been properly communicated to them, the user base has, by and large, been very understanding.
Coupled with this, Okta is continuing to enhance its customer outreach in the service of creating a more transparent relationship with customers. This is an evolution of a policy that the firm’s vice-president of customer trust, Ben King, introduced following a previous incident in 2022, in which Okta was criticised over a lack of communication.
“Customers want to see us take a more active role in communication – they want greater understanding of the threats we’re seeing and they want partnership,” said McDermid.
“I’ve held a number of calls, hundreds, with customers to walk them through the incident, walk them through the changes we made, walk them through some of the details, help them understand what Okta looks like moving forward, and provide them with that reassurance that we’re taking this seriously and we’re committed to improving our own security as well as supporting them to do that,” said McDermid.
“It’s not been ideal to have had this experience, by any means, but certainly through the discussions we’ve had with customers, they understand what we’re doing, how we’re responding to it…. [Some] customers want to spend some time shouting at us, but the majority of customers understand that these things do happen.”
