Mitigating Risks in the Wake of Okta Breaches: A Two-Pronged Approach
Okta breaches have become a recurring topic, especially as the scope of each breach's impact has widened and major financial institutions have issued downgrades. For IT and information security leaders, this puts a sharp focus on the reliance on Identity as a Service (IDaaS) solutions, Identity Providers (IDPs), and Single Sign-On (SSO) systems. While some advocate hastily abandoning Okta, that approach is not only impractical but also fraught with challenges.
What options do organizations have to protect themselves?
- Migration: Many organizations are considering a complete migration to avoid being affected by another Okta breach. This can be complicated, but we provide actionable steps below to help you strategize and prioritize your migration.
- Protection without migration: For organizations that are not ready to migrate away from Okta, there are still ways to fortify your defenses against Okta breaches, past and future. These defenses also generalize to any IDaaS provider, so you can be confident that security controls are in place around one of the most critical solutions in your security stack.
It is also important to note that both strategies can be deployed simultaneously – that is, you can protect your Okta environment in the short term while taking the time you need to plan and de-risk a migration down the line. Regardless of the approach you choose, being proactive about security with an IDaaS provider that has suffered a breach every quarter for the last two years is a good idea.
Approach one: migration
Migration is difficult for three reasons. First, the last five years have seen a surge in third-party application integrations, making a switch of SSO providers a daunting task that can involve migrating over 200 SAML applications. Second, years of evolution in policy, workflow, and entitlements have led to complex configurations that may not be easily replicated or correctly set up in a new system. Third, switching costs – including new licenses, administrative training, and user education – can be significant and unpredictable. But the reward of migration, namely a more secure IDaaS solution, can pay dividends in the long term.
How can you migrate frictionlessly?
A measured and effective response lies in methodically deconstructing the architecture of the bundled IDaaS offering.
By treating components such as directory, identity lifecycle automation, SSO application integration, entitlement management, and authentication policy as separable entities, organizations can devise a strategy for evolution and migration that is less overwhelming.
Step-by-step assessment items:
- Identity lifecycle automation
- SSO application integration
Approach two: protection without migration
With breaches a primary concern, addressing the threats associated with initial access and lateral movement is crucial. Modern IDaaS solutions like Okta allow delegated IDP integrations, which shift authentication away from password-dependent directories and legacy multi-factor authentication (MFA) toward passwordless, inherently phishing-resistant MFA. This approach can significantly reduce the attack surface of an IDaaS system without requiring a complete overhaul.
Implementing a delegated IDP gives organizations the space to make more deliberate decisions about the other components of their IDaaS solution. Not every organization will need to move away from Okta, but those seeking to further minimize their attack surface should pay attention to security gaps such as legacy protocol interfaces and SSO deployments that lack protected key storage or a bring-your-own-key model.
To understand whether you were affected by previous Okta breaches and to protect against future ones, you can use the free Okta Defense Kit to assess indicators of compromise in your environment and prioritize remediation.
To summarize, organizations should start by deconstructing and reassessing the components of their IDaaS solutions. Replacing existing MFA with a phishing-resistant, passwordless MFA solution via a delegated IDP should be the critical first step; it functions as insurance against security vulnerabilities in Okta and other IDaaS solutions.
Subsequent actions should focus on appropriately right-sizing and replacing other components based on risk sensitivity. Ultimately, organizations can establish a robust authentication foundation that significantly mitigates the risks of social engineering and initial-access breaches prevalent in Okta and similar IDaaS environments.
While Beyond Identity offers the strongest phishing-resistant, passwordless authentication, organizations that want a tolerable level of security and risk mitigation in their digital infrastructure should treat PKI-based or FIDO2-certified solutions as a necessity.
Learn more about Beyond Identity and go on the offense with your defense.