While I didn’t originally plan to attend Okta Oktane 2019 alongside Jack, I’m glad I did. I learned some interesting things during the keynote and breakout sessions from the past two days in San Francisco.
Interesting Okta product announcements
Jack covered the main announcements Okta made during the Tuesday morning keynote, but a couple of additional announcements came up during Oktane that are worth noting: ThreatInsight (originally shown off at Oktane 2018) is nearing production, and they have a no-code workflow platform called Automations.
The latter intrigued me because, ideally, it could make things easier for the less code-fluent. It uses a visual design approach (think of an IFTTT UI, essentially) to help create and implement policies. One example they showed during the keynote was the creation of a workflow that uses risk-based authentication to approve or deny user access and then sends a message via Slack to an admin about unusual login attempts, so the admin can remediate as necessary.
Related to Automations are Okta Hooks, which have a similar intent but are designed for admins who are comfortable with some coding and require more custom workflow automations than what is currently available through Automations. Okta says that there are about 6,000 integrations already available via the Okta Integration Network, but predicted that it could scale up to more than 60,000 once customers start using it.
Automations and Hooks support admin-focused use cases like lifecycle management and security. During the keynote, they explained that it’s possible to create custom code around marketing tech integrations, custom authorization, identity proofing, fraud detection, and analytics.
Automations is in Early Access already and Hooks drops later in April. Some use cases for Automations are in EA now (for example, suspending users based on user activity in Okta), while others will be added later in the year (such as deactivating and reactivating users based on custom attributes).
Of course, zero trust came up a lot
Okta’s philosophy, as seen in a couple sessions, is, “When people are the perimeter, identity becomes the foundation of a zero trust strategy.”
Clearly, “zero trust” is the term everyone seems to have latched onto—it helps that it’s not attached to any one specific vendor like other terms are. It’s good to see the industry jumping into working on conditional access. In Okta’s Digital Enterprise Report, 34% (a plurality) of respondents had developed a zero trust strategy and were actively implementing it; meanwhile, another 26% were currently looking at how to develop a strategy for their business. During a roundtable with Okta co-founders Frederic Kerrest and Todd McKinnon, Todd noted that he was actually surprised that so many people know about zero trust—or claim to, anyway.
A session led by Palo Alto Networks focused on how companies should look at developing their zero trust strategy through four areas:
- Focus on business outcomes (Is your data sensitive or not, and what’s the cost if it leaks?)
- Design from the inside out (Find the surfaces you want to protect the most)
- Determine who/what needs access (Consider using the principle of least privilege)
- Inspect and log all traffic (Device, network posture, etc.)
Another challenging aspect companies must consider for their IAM and security strategy involves the extended enterprise. More and more organizations have contract employees or partner organizations that may need access to the company network and data, but how do you handle that? (This is something Jack and I remain interested in and why I looked into device attestation.) Naturally, Okta is positioning many of their products towards these use cases, as their focus is broader than just direct employees.
Moving on to another focus of the show: authentication. It was nice to see contextual access show up in the form of their newly announced Risk-Based Authentication feature (available later this year). It uses machine learning and evaluates your company’s authentication data to help you develop risk profiles (high, medium, and low) and authentication strategies. For example, if a user wants access to more regulated data, maybe they must use U2F; a medium risk profile only requires a push notification; and low could potentially be a passwordless login.
Passwordless actually came up several times both in the opening keynote and in multiple breakout sessions. The Okta Identity Engine, an upgrade of Okta Identity Cloud coming later this year, is one option for customers looking into passwordless login. The idea is that the platform will be flexible enough to let customers build apps that use other authentication methods, taking into account context like security risks and the application.
The move toward zero trust also pushes us closer to passwordless login, offering users things like a magic link or push notification to log in. I’m all on board ditching passwords ASAP, so keep that positive momentum coming.
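To make the risk-tiered idea concrete, here is a small policy check I wrote as an added example; it is not Okta's code, product, or API. It models the keynote scenario of a login being scored into a high, medium, or low risk tier from resource sensitivity plus context signals, requiring U2F, push, or a passwordless magic link accordingly, and flagging unusual attempts for an admin (the Slack delivery itself is out of scope, so the alert is just returned as text). The tier names, the scoring rules, the `LoginContext` fields, and the assurance ordering are all hypothetical assumptions for illustration.

```python
"""Risk-tiered authentication policy check (hypothetical, added example)."""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    # Ordered so that a stronger authenticator satisfies a weaker requirement.
    PASSWORDLESS_LINK = 1   # magic link sent to a verified address
    PUSH = 2                # push notification to an enrolled device
    U2F = 3                 # hardware-backed FIDO/U2F authenticator


# Assurance each completed authenticator provides (assumed mapping).
AUTHENTICATOR_ASSURANCE = {
    "magic_link": Assurance.PASSWORDLESS_LINK,
    "push": Assurance.PUSH,
    "u2f": Assurance.U2F,
}

# Minimum assurance demanded per risk tier (mirrors the keynote example).
REQUIRED_BY_RISK = {
    "low": Assurance.PASSWORDLESS_LINK,
    "medium": Assurance.PUSH,
    "high": Assurance.U2F,
}

# Base risk contributed by what the user is trying to reach (assumed).
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "regulated": 2}


@dataclass
class LoginContext:
    user: str
    resource_sensitivity: str   # "public", "internal" or "regulated"
    known_device: bool          # device seen before for this user
    known_location: bool        # network/geo seen before for this user
    authenticator: str          # method the user actually completed


@dataclass
class Decision:
    allowed: bool
    risk: str
    required: str
    provided: str
    notify_admin: bool


def score_risk(ctx: LoginContext) -> str:
    """Combine resource sensitivity with context signals into a tier."""
    level = SENSITIVITY_WEIGHT[ctx.resource_sensitivity]
    if not ctx.known_device:
        level += 1
    if not ctx.known_location:
        level += 1
    if level >= 2:
        return "high"
    if level == 1:
        return "medium"
    return "low"


def evaluate(ctx: LoginContext) -> Decision:
    """Allow the login only if the authenticator meets the tier's minimum."""
    risk = score_risk(ctx)
    required = REQUIRED_BY_RISK[risk]
    provided = AUTHENTICATOR_ASSURANCE[ctx.authenticator]
    allowed = provided >= required
    # "Unusual" here means a denial, or a login from both an unknown device
    # and an unknown location, even if it succeeded.
    unusual = (not allowed) or (not ctx.known_device and not ctx.known_location)
    return Decision(allowed, risk, required.name, provided.name, unusual)


def admin_alert(ctx: LoginContext, decision: Decision) -> str:
    """Text an automation could post to an admin channel (delivery not shown)."""
    outcome = "allowed" if decision.allowed else "denied"
    return (
        f"[{decision.risk.upper()} risk] login for {ctx.user} {outcome}: "
        f"required {decision.required}, got {decision.provided}; "
        f"known_device={ctx.known_device}, known_location={ctx.known_location}"
    )


if __name__ == "__main__":
    # Constructed sample: a push login to internal data from a new location.
    ctx = LoginContext("alice", "internal", True, False, "push")
    d = evaluate(ctx)
    print(d)
    if d.notify_admin:
        print(admin_alert(ctx, d))
```

The `IntEnum` ordering is the important design choice: a policy that asks for "at least push" should accept U2F, so comparisons are on assurance level rather than on the authenticator's name.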
One April conference down!
It was nice to attend a medium-sized conference, which made it easier to attend all the interesting sessions—not always possible at others. I got to learn more about Okta and their product offerings, which was a blind spot for me until now.