Okta, the identity and access management vendor, hosted their Oktane conference this week. Here’s why it was interesting:
Identity and access management is a central part of end user computing, and is becoming more important as we move to more cloud apps and mobile devices. Right now Okta is one of the pre-eminent identity vendors. They’re well known, growing, and consistently highly ranked in analyst reports. Okta also does mobile device management (launched in late 2014) and it’s tightly coupled to their identity platform.
Oktane 2016 brought a full slate of new announcements, expanding the depth and breadth of Okta’s identity products, and strengthening their relationship with Google Apps.
Also interesting to note, Oktane happened to be at the exact same time as VMworld, and the keynote even featured Diane Greene (formerly of VMware, now of Google’s cloud business).
Now let’s look at the context and announcements.
Everybody is already sold on the general security and convenience benefits of identity federation and single sign on—so here are a few other things to think about:
The number of cloud apps that support SAML authentication has grown considerably—Okta says their catalogue has over 700 SAML apps, up from around 100 three years ago. (In total Okta supports over 5000 apps.)
Integrations for automated provisioning are spreading, too—Okta says they support it for over 75 apps. There are a few different ways to integrate provisioning between identity services and cloud apps, including APIs, proprietary integrations, through SAML, or with the emerging SCIM standard. Automated provisioning makes it easier for IT departments to onboard new SaaS products, and helps make HR-driven app provisioning possible.
New types of authentication factors (both primary and secondary) are always coming along, but what’s interesting is what’s going on behind authentication processes. Contextual (a.k.a. conditional) authentication systems can look at variables such as the device, network, location, and app, and can even look for anomalous user behavior, when deciding whether to allow or deny access, when to ask for a second factor, or when to ask for re-authentication. The result is that more intrusive authentication practices can be reserved for when they’re really needed, giving users a better experience. Overall, smarter contextual authentication and access is a really hot topic right now, so expect to hear more about it.
(For more background on Okta, you can also see my article from the last Oktane conference, which was about 10 months ago.)
Remember, besides business-to-employee identity, the Okta platform is also used for business-to-business and business-to-consumer identity. The scenarios Okta supports are getting wider:
- This week they announced identity and access management for APIs—this is often application-to-application, instead of user-to-application.
- They’re also adding support for VPNs, gateways, and RADIUS—so Okta is getting more involved with managing access to on-premises resources, as well.
Existing products are getting deeper and more flexible:
- Okta’s Provisioning product line is now being recast as Lifecycle Management, in light of several new updates, including new policies, better auditing and reporting, and more extensibility options.
- There are new variables for contextual access management, including device trust (i.e. whether or not a device is managed), IP reputation, and what protocol a user is using to access an app (for example, accessing email via OWA versus EAS).
On the mobile side, they showed off a new, more streamlined process to help guide users through enrolling their devices into MDM—this allows Okta to push a certificate to the device, which means that the device will be considered to be trusted for the purposes of contextual access policies. This also gives more options for mobile app authentication.
There are a few other mobile-related bits to keep in mind:
- Okta now supports SSO in around 150 mobile apps.
- They’ve done a lot to make Android for Work device management easier—under Android for Work, a Google account is required for each user. With Okta’s provisioning integrations, identity platform, and EMM platform all working together, these accounts can all be created and managed automatically.
- We also learned that support for the Apple Device Enrollment Program is on the way later this year or early next year.
Lastly, there was the Google Apps partnership announcement—Okta and Google Apps have worked together in the past, but this announcement makes them a “preferred partner.”
I already outlined several reasons why I think Okta and the Oktane announcements are interesting. Clearly, identity and access management—especially when linked with EMM—should be on everybody’s radar.