Exclusive interview: Okta CSO on skill shortages, passwordless authentication, and UX

By Kai Ping Lew
Tue 12 Jun 2018

The tension between security and user experience is one IT practitioners have had to grapple with as businesses become more vulnerable to breaches.

As an organisation, identity and access management solutions provider Okta believes the key to this dilemma lies in embedding security in identity management to create a seamless user experience.

Techday sat down with Okta chief security officer Yassir Abousselham at Oktane18 in Las Vegas to discuss passwordless authentication, company culture, and how Okta ensures its offerings remain secure.

Where does security fit in Okta’s vision?

Cybersecurity is an integral part of Okta as a company and definitely one of the major components of our products.

The reason for that is that the whole product suite is built on the premise that we’re getting access to business applications for all of our customers’ business users.

Any time one of the business users wants to use an application that allows them to do their job, they have to go through Okta.

Our vision and our philosophy is that people are the new perimeter.

It used to be that all the applications and older systems were guarded by a perimeter firewall; now, because we are externalising a lot of those systems, we have to tag the security controls to user identity.

So anywhere on the cloud where users are accessing data or functionality, we want to tag that security to those identities.

That security is composed of things like single sign-on (SSO) and multifactor authentication (MFA); we want to converge on a single account per user and invest in monitoring security for that account as opposed to monitoring multiple accounts per user.

These are the basics, and then the next level of detail is when you start looking at things like the adoption of our security products in general.

How do you increase adoption of security products?

The equation has been historically that when you increase security, you impact user experience (UX) in a negative way.

What we’re trying to do is to innovate in a way where both of those elements go hand-in-hand.

We want you to be secure, but we also want to provide you with good UX because we think that’s what increases adoption, that’s how we can make customers secure, because if you increase adoption of a security product, then the logical consequence is that you’re becoming more secure as a company.  

When you think about how we used to do MFA a decade ago, it used to be a small hardware device, you used to have to track six digits, and those digits would change after 20 seconds, and sometimes they would change before you key all of them in, and that used to be a somewhat frustrating experience.

Now what we’re trying to do is push a signal to the user's mobile device, and they can already use this strong authentication to get into the business applications; as you have seen, the new breed of products we’re releasing is passwordless authentication.

Instead of getting input from the user to properly authenticate them, we want to instead consume contextual signals to maintain an acceptable level of assurance that this user is whoever they say they are. 

Those contextual signals could be their location, IP address, whether they have used the device before, there’s a number of things we are consuming, and some things we’re doing through integrations with other partners like VMware to make sure that when the user authenticates, they also provide the right credentials to be able to authenticate.

Passwordless authentication has been hyped a lot - from a security standpoint, why is this form of MFA more secure than traditional authentication methods?

The reason it’s more secure is that it’s attached typically to a piece of hardware.

Hardware is hard to replicate, as opposed to passwords.

Passwords you can copy.

It’s very cheap, it’s very recoverable, it’s something that you can copy to share over the phone or you can compromise.

Hardware is a lot more challenging to compromise because you have your phone, and you are the only one who has that phone, so for someone to be able to clone the device and get that signal to authenticate as you, it’s a very challenging endeavour. 

It's a highly complex exercise.

It doesn’t mean that this is impossible, but the interesting thing is that it’s not something that can be done at scale, as opposed to passwords, and that’s what makes it more secure. 

If someone has access to the piece of hardware you use as a second factor, it is a risk that can be properly mitigated, and the way you do it is by gaining a certain level of assurance that the device itself is secure, and this is where we start talking about device trust. 

So let’s say we only allow you to use passwordless authentication from a managed mobile device. 

This means that your IT has a piece of software that ensures that the device belongs to you and that it meets certain criteria in terms of security, for example, it has a PIN set, it runs the latest version of the OS; there’s a number of things you can check before allowing access to your environment.

So by being able to gain that device trust and with the right policy, it makes it a lot more complicated for someone to both have access to your device and also get into your device.

The last thing I would mention is that for mobile devices specifically, we live in an era where we interact with our phones on a continuous basis.

It is safe to assume that a user will quickly notice when they no longer have access to their device and they will report it or do something about it.  

So in the aggregate, this makes it an acceptable authentication method for certain conditions.  

The other angle to this is that as a security team, you need to do a risk assessment. 

You need to decide which systems or data you are willing to allow passwordless authentication to, and under what conditions.

That’s how you mitigate the risk. 
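The device-trust conditions and contextual signals described in this answer, combined with a per-system risk assessment, as an added Python example (not Okta's code; the tiers, thresholds, networks and OS version are constructed assumptions):

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values for this example; the tiers and thresholds are assumptions,
# not Okta's policy model.
LATEST_OS = (11, 4)                                   # assumed current OS release
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]     # corporate egress (TEST-NET-3)
HOME_COUNTRIES = {"NZ", "US"}

# Outcome of the risk assessment per system: how much contextual risk is tolerated
# before passwordless is withdrawn (step-up to password + MFA) or access is denied.
RESOURCE_POLICY = {
    "wiki":       {"device_trust": False, "passwordless_max": 2,  "step_up_max": 3},
    "payroll":    {"device_trust": True,  "passwordless_max": 0,  "step_up_max": 2},
    "prod-admin": {"device_trust": True,  "passwordless_max": -1, "step_up_max": 0},  # never passwordless
}

@dataclass
class DevicePosture:
    managed: bool        # enrolled with the organisation's device management
    pin_set: bool        # screen-lock PIN configured
    os_version: str      # e.g. "11.4"
    seen_before: bool    # this device has authenticated this user previously

@dataclass
class Context:
    source_ip: str
    country: str
    device: DevicePosture

def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))

def device_trusted(d: DevicePosture) -> bool:
    """Device trust: managed, PIN set, running the latest OS."""
    return d.managed and d.pin_set and version_tuple(d.os_version) >= LATEST_OS

def risk_score(ctx: Context) -> int:
    """Count contextual signals that lower assurance the user is who they claim."""
    score = 0
    if not any(ip_address(ctx.source_ip) in net for net in TRUSTED_NETWORKS):
        score += 1                                    # unfamiliar network
    if ctx.country not in HOME_COUNTRIES:
        score += 1                                    # unexpected location
    if not ctx.device.seen_before:
        score += 1                                    # never seen this device
    return score

def decide(resource: str, ctx: Context) -> str:
    """Return PASSWORDLESS, STEP_UP (password + second factor) or DENY."""
    pol = RESOURCE_POLICY[resource]
    risk = risk_score(ctx)
    if risk > pol["step_up_max"]:
        return "DENY"
    if pol["device_trust"] and not device_trusted(ctx.device):
        return "STEP_UP"      # passwordless only from a trusted managed device
    if risk <= pol["passwordless_max"]:
        return "PASSWORDLESS"
    return "STEP_UP"

if __name__ == "__main__":
    office = Context("203.0.113.5", "NZ", DevicePosture(True, True, "11.4", True))
    byod = Context("198.51.100.7", "NZ", DevicePosture(False, True, "11.4", True))
    print(decide("payroll", office), decide("payroll", byod), decide("wiki", byod))
```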

What measures does Okta take to make sure its identity offerings are continuously tested for security?

We run a comprehensive security programme with a fully staffed team that is focused on a number of areas like application security and infrastructure security; we look at the entirety of our environment, and we have efforts that are dedicated to mitigating the risk and prioritising our efforts to deal with the highest risk and mitigate it, and that’s how we keep Okta secure.

The next thing is that we promote a security culture within the company. 

We have town hall meetings, we have training, we have posters, a number of things to make sure that everyone within Okta, including employees and even partners in some cases, maintains security as one of their goals as they go about their daily lives.

The next thing is we’re not only investing internally in security, but we are partnering with both our customers and independent parties to make sure our security is up to par.  

The way that takes place is first, we hire independent consulting firms to do pentest (penetration test) security assessments on our infrastructure on a regular basis. 

That’s independent of our team that already does these types of pentests.

The second thing is that we have auditors that look at our controls on a continuous basis; that’s how we’re able to meet standards such as ISO 27001, we have SOC 2, and we’re compliant with FedRAMP, which is one of the higher standards in terms of requirements if you want to do business with the government.

And each one of these compliance mandates requires us to bring someone external to look at our security. 

The next thing is that we allow our customers to pentest the Okta infrastructure, which is not something that you’re going to find in a lot of players in the industry. 

As a customer, you’re able to use your internal team or contract to a vendor to do a pentest of the Okta environment and if you find something, we’ll collaborate with you and fix it as quickly as possible. 

And the last thing I’m going to mention is we have a bug bounty programme that's public.

We’ve had the programme for 2 years.

We now have north of 1100 researchers actively accessing Okta, we have had a few submissions, and we go through, triage and fix those findings as quickly as we can. 

How are you dealing with the issue of skill shortages in cybersecurity?

I think if you want to hire best of breed, it’s a challenge to find those people.

It is a very small community because we’re based in Silicon Valley and each of the tech firms based in Silicon Valley is looking for the exact same profiles, so it ends up being just the same small community of engineers moving around the companies.  

Once you’re able to hire one of those engineers, then you need to provide the proper environments for them to thrive. 

Part of it is having very challenging problems - the fact that we are on the forefront of the threat attacks and threat landscape makes it a reality. 

The next thing is, we had to become more flexible when it comes to location. 

We learned over the years to maintain a highly effective team while having some folks work in multiple locations. 

Some of them work out of offices and some of them are remote. 

The most important thing is when you find a rock star, you have to be able to make those compromises to hire them and you need to make it such that they’re successful at their jobs. 

I think you need to provide for an environment where their values align with the corporate values of your corporation.

One of our values is execution - being nimble and executing on findings.

As security engineers, when they identify something that needs to be improved, you have to make sure it’s improved because the second worst thing after not finding a security issue is finding a security issue and then not having it fixed.

If the entire engineering team does not believe in that, and if you don’t have the processes that are formalised, in place and functioning to enable that, then it’s not going to happen. 

That’s the kryptonite when it comes to security engineers because what you’ll see is a very quick degradation in morale, and people will start leaving. 

It’s not something that should only be present in the security team. 

The second value is our philanthropy efforts.  

I’ve had an engineer - someone that I onboarded a few months ago - ask specifically during the interview about all the efforts that we do as a company to contribute to charity, and he actually wanted to drill into the details.

And to him, that was very important - and in fact, he is now the point of contact within my team for all the corporate social responsibility OktaforGood efforts that we do.

To him, it gives him an additional level of satisfaction in doing a good job. 

So he’s not just focused on the technical aspect, but he also knows that while he’s doing his job, he’s able to contribute to the community and so on.   
