sso migration

Mitigating Risks in the Wake of Okta Breaches: A Two-Pronged Approach

12/11/2023
Categories: Thought Leadership

In recent times, Okta breaches have become a hot topic, especially with the expansion of breach impact surfaces and downgrades by major financial institutions. For IT and Information Security leaders, this brings into sharp focus the reliance on Identity as a Service (IDaaS) solutions, Identity Providers (IDPs), and Single Sign-On (SSO) systems. While some advocate for hastily abandoning Okta, this approach is not only impractical but also fraught with challenges.

What options do organizations have to protect themselves?

  1. Migration: Many organizations are considering a complete migration in order to avoid being impacted by another Okta breach. This can be complicated but we provide actionable steps below to help you strategize and prioritize your migration. 
  2. Protection without migration: For organizations that are not ready to migrate away from Okta, there still are ways to fortify your defenses against Okta breaches past and future. Plus, these defenses can be generalized across any IDaaS provider so you can rest assured that security assurances are in place around one the most critical solutions in your security stack. 

It is also important to note that both strategies can be deployed simultaneously – that is, you can protect your Okta environment in the short-term while taking the time you need to plan and de-risk a migration down the line. Regardless of the approach you choose, being proactive with security against an IDaaS provider that has suffered a breach every quarter for the last two years is a good idea. 

Approach one: migration

Firstly, the last five years have seen a surge in third-party application integrations, making the prospect of switching SSO providers a daunting task involving the migration of over 200 SAML applications. Additionally, years of evolution in policy, workflow, and entitlements have led to complex configurations that might not be easily replicated or correctly set up in a new system. Furthermore, switching costs – including new licenses, administrative training, and user education – can be significant and unpredictable. But the rewards of migration, namely a more secure IDaaS solution can pay dividends in the long term. 

How can you migrate frictionlessly?

A measured and effective response lies in methodically deconstructing the architecture of the bundled IDaaS offering. 

By treating components such as directory, identity lifecycle automation, SSO application integration, entitlement management, and authentication policy as separable entities, organizations can devise a strategy for evolution and migration that is less overwhelming.

Components Step-by-Step Assessment Items
Directory
  1. Directory migration can occur in phases, allowing systems to coexist during evaluations and migrations; retire systems as the final step
  2. Carefully inspect new IDaaS/IDP secure administrative access: 
    1. Enforce the principle of least privilege for access controls with role-based access control
    2. Mandate phishing-resistant MFA for admin access
  3. Ensure access security: limit session durations, enforce device trust policies, ensure non-repudiable audit logs, integrated security ecosystem
Identity Lifecycle Automation
  1. Validate and automate input data from HRIS as the source of truth
  2. Establish organizational hierarchy awareness with role-based access controls
  3. Automate strict access review capabilities
  4. Ensure strong binding between user identity and device identity on enrollment and re-enrollment
SSO Application Integration
  1. Inventory all SaaS applications for SSO integration ability
  2. Allocate 30 minutes per integration for new applications
  3. Inventory SaaS applications already integrated with IDP/SSO using a script with API token (assistance from Beyond Identity is available)
  4. Budget 15 minutes per integration being moved from existing IDP/SSO
  5. Validate strict key management procedures
  6. Ensure continuous authentication with shared signal support (CAEP/RISC)
Entitlement Management
  1. Ensure validation of access request
  2. Implementation of assured separation of duties
  3. Automate review of user entitlements
Authentication Policy
  1. Assess credential availability of IDaaS solution to ensure support of passwordless and phishing-resistant factors
  2. Enforce passwordless and phishing-resistant factors
  3. Implement lockout policies for devices not complying with organization security postures
  4. Mandate continuous risk-based authentication
  5. Ensure an immutable record of authentication events

Approach two: protection without migration

With breaches being a primary concern, addressing the threats associated with initial access and lateral movement is crucial. Modern IDaaS solutions like Okta allow for delegate IDP integrations, shifting the focus from password-dependent directories and legacy multi-factor authentication (MFA) to passwordless and inherently phishing-resistant MFA solutions. This approach can significantly reduce the attack surface of an IDaaS system without necessitating a complete overhaul.

Implementing a delegated IDP gives organizations the space to make more deliberate decisions regarding other components of their IDaaS solution. Not all organizations will need to move away from Okta, but for those seeking to further minimize their attack surface, attention should be paid to gaps in security, such as legacy protocol interfaces and SSOs lacking vital key storage protection and bring-your-own-key models.

To understand if you were impacted by previous Okta breaches and protect against future ones, you can leverage the free Okta Defense Kit to assess indicators of compromise in your environment to prioritize remediation. 

Conclusion

To summarize, organizations should start by deconstructing and reassessing the components of their IDaaS solutions. Prioritizing the replacement of existing MFA with a phishing-resistant, passwordless MFA solution via a delegate IDP as a critical first step functioning as insurance against security vulnerabilities of Okta and other IDaaS solutions. 

Subsequent actions should focus on appropriately resizing and replacing other components based on risk sensitivity. Ultimately, organizations can establish a robust authentication foundation, significantly mitigating the risks associated with social engineering and initial access breaches prevalent in Okta and similar IDaaS environments.

While Beyond Identity offers the strongest phishing-resistant, passwordless authentication, organizations interested in ensuring a tolerable level of security and risk mitigation level in their digital infrastructure should consider PKI-based or FIDO2-certified solutions as a necessity. 

Learn more about Beyond Identity and go on the offense with your defense.