SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Exclusive interview: Okta CSO on skill shortages, passwordless authentication, and UX
Tue, 12th Jun 2018

The tension between security and user experience is one IT practitioners have had to grapple with as businesses become more vulnerable to breaches.

As an organisation, identity and access management solutions provider Okta believes the key to this dilemma lies in embedding security in identity management to create a seamless user experience.

TechDay sat down with Okta chief security officer Yassir Abousselham at Oktane18 in Las Vegas to discuss passwordless authentication, company culture, and how Okta ensures its offerings remain secure.

Where does security fit in Okta's vision?

Cybersecurity is an integral part of Okta as a company and definitely one of the major components of our products.

The reason for that is that the whole product suite is built on the premise that we're getting access to business applications for all of our customers' business users.

Any time one of the business users wants to use an application that allows them to do their job, they have to go through Okta.

Our vision and our philosophy is that people are the new perimeter.

It used to be that all the applications and older systems were guarded by a perimeter firewall; now, because we are externalising a lot of those systems, we have to tag the security controls to user identity.

So anywhere on the cloud where users are accessing data or functionality, we want to tag that security to those identities.

That security is composed of things like single sign-on (SSO) and multifactor authentication (MFA). We want to converge on a single account per user and invest in monitoring security for that account, as opposed to monitoring multiple accounts per user.

These are the basics, and then the next level of details is when you start looking at things like the adoption of our security products in general.

How do you increase adoption of security products?

The equation has been historically that when you increase security, you impact user experience (UX) in a negative way.

What we're trying to do is to innovate in a way where both of those elements go hand-in-hand.

We want you to be secure, but we also want to provide you with good UX, because we think that's what increases adoption. That's how we can make customers secure: if you increase adoption of a security product, then the logical consequence is that you're becoming more secure as a company.

When you think about how we used to do MFA a decade ago, it used to be a small hardware device. You used to have to track six digits, and those digits would change after 20 seconds, and sometimes they would change before you keyed all of them in. That used to be a somewhat frustrating experience.

Now what we're trying to do is push a signal to the user's mobile device, and they can already use this strong authentication to get into the business applications. As you have seen, the new breed of products we're releasing is passwordless authentication.

Instead of getting input from the user to properly authenticate them, we want to instead consume contextual signals to maintain an acceptable level of assurance that this user is whoever they say they are.

Those contextual signals could be their location, their IP address, whether they have used the device before. There are a number of things we are consuming, and some things we're doing through integrations with other partners like VMware to make sure that when the user authenticates, they also provide the right credentials to be able to authenticate.

Passwordless authentication has been hyped a lot - from a security standpoint, why is this form of MFA more secure than traditional authentication methods?

The reason it's more secure is that it's attached typically to a piece of hardware.

Hardware is hard to replicate, as opposed to passwords.

Passwords you can copy.

It's very cheap, it's very recoverable, it's something that you can copy to share over the phone or you can compromise.

Hardware is a lot more challenging to compromise because you have your phone, and you are the only one who has that phone, so for someone to be able to clone the device and get that signal to authenticate as you, it's a very challenging endeavour.

It's a highly complex exercise.

It doesn't mean that this is impossible, but the interesting thing is that it's not something that can be done at scale, as opposed to passwords, and that's what makes it more secure.

If someone has access to the piece of hardware you use as a second factor, it is a risk that can be properly mitigated, and the way you do it is by gaining a certain level of assurance that the device itself is secure, and this is where we start talking about device trust.

So let's say we only allow you to use passwordless authentication from a managed mobile device.

This means that your IT has a piece of software that ensures that the device belongs to you and that it meets certain criteria in terms of security: for example, it has a PIN set and it runs the latest version of the OS. There are a number of things you can check before allowing access to your environment.

So by being able to gain that device trust and with the right policy, it makes it a lot more complicated for someone to both have access to your device and also get into your device.

The last thing I would mention is that for mobile devices specifically, we live in an era where we interact with our phones on a continuous basis.

It is safe to assume that a user will quickly notice when they no longer have access to their device and they will report it or do something about it.

So in the aggregate, this makes it an acceptable authentication method for certain conditions.

The other angle to this is that as a security team, you need to do a risk assessment.

You need to decide which systems or data you are willing to allow passwordless authentication to, and under what conditions.

That's how you mitigate the risk.
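As an added illustration of the two ideas above (the device-trust gate, and the per-system risk assessment that sets the conditions for passwordless access), the following Python is my own example and not Okta's code or policy engine. The signal names, score weights, thresholds, allowed countries, blocked IP range and sample devices are all constructed assumptions; a real deployment would take device posture from its device-management software and network reputation from its own feeds.

```python
from dataclasses import dataclass

# Constructed reference values (hypothetical; a real deployment would take
# these from device-management, EDR and threat-intel feeds).
LATEST_OS = "16.5"
ALLOWED_COUNTRIES = {"NZ", "AU", "US"}
BLOCKED_IP_PREFIXES = ("203.0.113.",)  # TEST-NET-3 range, constructed
# Highest contextual risk score still allowed without an extra factor,
# per resource sensitivity (the outcome of the risk assessment).
STEP_UP_THRESHOLD = {"low": 4, "medium": 2, "high": 0}
DENY_THRESHOLD = 4  # above this score, deny regardless of sensitivity


@dataclass
class Device:
    managed: bool          # enrolled in IT's device-management software
    pin_set: bool          # screen lock configured
    os_version: str        # e.g. "16.5"
    seen_before: bool      # this device has authenticated for this user before
    reported_lost: bool = False  # user noticed the device was gone and reported it


@dataclass
class Context:
    ip: str
    country: str
    device: Device


def _version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def device_trusted(d: Device) -> bool:
    """Device-trust gate: passwordless is only offered from a managed,
    locked, up-to-date device that has not been reported lost."""
    return (d.managed and d.pin_set and not d.reported_lost
            and _version(d.os_version) >= _version(LATEST_OS))


def risk_score(ctx: Context) -> int:
    """Contextual signals add risk; a higher score means less assurance."""
    score = 0
    if not ctx.device.seen_before:
        score += 2
    if ctx.country not in ALLOWED_COUNTRIES:
        score += 2
    if ctx.ip.startswith(BLOCKED_IP_PREFIXES):
        score += 4
    return score


def decide(ctx: Context, sensitivity: str) -> str:
    """Return 'allow', 'step_up' (ask for an additional factor) or 'deny'.

    `sensitivity` ('low' | 'medium' | 'high') is how much assurance the
    target system or data set requires, as decided in the risk assessment.
    """
    if not device_trusted(ctx.device):
        return "deny"  # untrusted device: no passwordless sign-in at all
    score = risk_score(ctx)
    if score > DENY_THRESHOLD:
        return "deny"
    if score > STEP_UP_THRESHOLD[sensitivity]:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    # Constructed sample sign-in attempts.
    good = Device(managed=True, pin_set=True, os_version="16.5", seen_before=True)
    new = Device(managed=True, pin_set=True, os_version="16.5", seen_before=False)
    stale = Device(managed=True, pin_set=True, os_version="15.9", seen_before=True)
    for label, ctx, sens in [
        ("known device, HR system", Context("198.51.100.7", "NZ", good), "high"),
        ("new device, HR system", Context("198.51.100.7", "NZ", new), "high"),
        ("new device, wiki", Context("198.51.100.7", "NZ", new), "medium"),
        ("stale OS, wiki", Context("198.51.100.7", "NZ", stale), "low"),
        ("blocked IP, wiki", Context("203.0.113.9", "NZ", new), "low"),
    ]:
        print(f"{label:26} -> {decide(ctx, sens)}")
```

The two-stage shape matters: device trust is a hard gate evaluated before any contextual scoring, so a compromised or unmanaged phone is never offered the passwordless path, while the contextual score only chooses between a silent allow and a step-up for devices that already passed the gate.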

What measures does Okta take to make sure its identity offerings are continuously tested for security?

We run a comprehensive security programme with a fully staffed team that is focused on a number of areas like application security and infrastructure security. We look at the entirety of our environment, and we have efforts that are dedicated to mitigating the risk and prioritising our efforts to deal with the highest risk and mitigate it. That's how we keep Okta secure.

The next thing is that we promote a security culture within the company.

We have town hall meetings, we have training, we have posters, a number of things to make sure that everyone within Okta, including employees and even partners in some cases, maintains security as one of their goals as they go about their daily lives.

The next thing is we're not only investing internally in security, but we are partnering with both our customers and independent parties to make sure our security is up to par.

The way that takes place is first, we hire independent consulting firms to do pentest (penetration test) security assessments on our infrastructure on a regular basis.

That's independent of our team that already does these types of pentests.

The second thing is that we have auditors that look at our controls on a continuous basis. That's how we're able to meet standards such as ISO 27001; we have SOC 2, and we're compliant with FedRAMP, which is one of the higher standards in terms of requirements if you want to do business with the government.

And each one of these compliance mandates requires us to bring someone external to look at our security.

The next thing is that we allow our customers to pentest the Okta infrastructure, which is not something that you're going to find with a lot of players in the industry.

As a customer, you're able to use your internal team or contract to a vendor to do a pentest of the Okta environment and if you find something, we'll collaborate with you and fix it as quickly as possible.

And the last thing I'm going to mention is we have a bug bounty programme that's public.

We've had the programme for 2 years.

We now have north of 1100 researchers actively accessing Okta, we have had a few submissions, and we go through, triage and fix those findings as quickly as we can.

How are you dealing with the issue of skill shortages in cybersecurity?

I think if you want to hire best of breed, it's a challenge to find those people.

It is a very small community because we're based in Silicon Valley and each of the tech firms based in Silicon Valley is looking for the exact same profiles, so it ends up being just the same small community of engineers moving around the companies.

Once you're able to hire one of those engineers, then you need to provide the proper environments for them to thrive.

Part of it is having very challenging problems - the fact that we are at the forefront of the threat attacks and threat landscape makes it a reality.

The next thing is, we had to become more flexible when it comes to location.

We learned over the years to maintain a highly effective team while having some folks work in multiple locations.

Some of them work out of offices and some of them are remote.

The most important thing is when you find a rock star, you have to be able to make those compromises to hire them and you need to make it such that they're successful at their jobs.

I think you need to provide for an environment where their values align with the corporate values of your corporation.

One of our values is execution - being nimble and executing on findings.

As security engineers, when they identify something that needs to be improved, you have to make sure it's improved because the second worst thing after not finding a security issue is finding a security issue and then not having it fixed.

If the entire engineering team does not believe in that, and if you don't have the processes that are formalised, in place and functioning to enable that, then it's not going to happen.

That's the kryptonite when it comes to security engineers because what you'll see is a very quick degradation in morale, and people will start leaving.

It's not something that should only be present in the security team.

The second value is our philanthropy efforts.

I've had an engineer - someone that I onboarded a few months ago - ask specifically during the interview about all the efforts that we do as a company to contribute to charity, and he actually wanted to drill into the details.

And to him, that was very important - and in fact, he is now the point of contact within my team for all the corporate social responsibility Okta for Good efforts that we do.

To him, it gives him an additional level of satisfaction in doing a good job.

So he's not just focused on the technical aspect, but he also knows that while he's doing his job, he's able to contribute to the community and so on.