SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Exclusive: Okta CSO on scaling security alongside business growth
Fri, 3rd May 2019
FYI, this story is more than a year old

Identity and access management solutions provider Okta recently marked its ten-year anniversary, announcing revenue of US$115million last year and an employee count of 1,500.

As the company continues to expand its identity platform, security continues to play a major part in the development of its products and strategy.

TechDay spoke to Okta chief security officer Yassir Abousselham about scaling security in tandem with its growth, Okta's recent acquisitions, and the journey to secure second factors.

In terms of security strategy, what's changed for Okta since last year?

For us as a company, the challenge is to be able to grow the security capabilities at the same speed as the business.

We are acquiring more customers, and a lot of them are high-profile organisations who constitute better targets for attackers.

At the same time, we are acquiring companies and creating and releasing more features, which translates into more lines of codes and more things to make sure we secure.

In the context of all that, the challenge for any security team is to be able to maintain the effectiveness of the security environments while supporting the business.

That means not slowing it down and positioning security as a differentiator as opposed to something that cuts into the velocity of our releases and our products.

How active is the security team in the development of Okta's products and services?

We are deeply entrenched in every aspect of the business, whether it is our product roadmap, the service, defining the strategy, and being there to define the requirements for a security organisation.

We're involved in branding, in making sure that our marketing campaigns have the right message, to be able to resonate with the security team.

So we're involved in every aspect of our business, and we want to continue doing so as we scale as a company.

Okta is making quite a few acquisitions at the moment – have you found it challenging bringing them to an acceptable level of security hygiene?

If you can get involved in the merger and acquisition cycle early on, then it's not going to be a challenge.

We do two things very well.

Security is involved in the early stages of any acquisition in the sense that we have those conversations, we do our due diligence on the acquisition and we make sure the target's security is on par with what we expect for a company that's going to join Okta.

The second thing is that we have a process and a framework - we've established a roadmap for how any company acquired integrates within the information security programme at Okta.

Once we complete the acquisition, we do a number of things including deep dives into their security and penetration testing.

If there are any issues or any kind of improvements that we need to make, we make sure that those are completed even before we make the product available to our customers as an Okta product.

We integrate or take over a lot of their security processes.

For example, identity and access management, application security, and compliance.

In fact, for a company such as ScaleFT, which we acquired a few months ago, we're well underway and have made significant progress in getting them compliant, or showing at least compliance with things like SOC2.

We're also working on a number of additional compliance mandates, to be able to position them at the same level as Okta when we have these conversations with our current customers.

Okta is focusing on multifactor authentication (MFA), but attacks like SIM swapping can compromise it. How does this impact the effectiveness of MFA?

With approaches we take to security, there's always going to be vulnerabilities along the way.

You look back at the introduction of FaceID or TouchID on the iPhone, you have researchers that came up with ways to circumvent that.

These are small things that slow us down, but they do not necessarily speak to the effectiveness of the solution as a whole.

SIM swapping is an issue, but it is one that has a couple of things that make it not necessarily material in the larger scheme of things.

The first is that it is a vulnerability or attack that's executed on a one-on-one basis - it's not something that can be done at scale.

It's very tricky and very hard to execute.

The second thing is that it's a known issue now.

A lot of the players in the industry are going to improve their controls to make sure that's no longer an issue and that the security of their customers is not going to be impacted.

If a threat actor is able to trick them into considering them as the owner of that phone number, it's a breakdown of a control on the telecom operator side.

But I have to believe that telcos are taking the necessary steps to close those holes, and this is something that has existed for a while.

The verdict is that this is one very small roadblock, but it does not speak by any stretch to the effectiveness of multifactor authentication as a control to protect access.

Does Okta use phone numbers as one of the key ways to authorise the second factor?

Okta is a platform and we have to give our customers the flexibility to choose any factor that they need.

In some cases, some customers choose not to use a second factor and rely solely on password.

You have to be able to allow your customers to make those choices.

As much as it can appear as a given that an organisation will go for two factors from the get-go, it's not always obvious.

For organisations that have been in operation for a while - the more traditional industries, even - it's hard to manage the change between those technologies.

Going from password to a second factor is not something that's done overnight, it takes a lot of work and it takes a lot of organisational change management to make sure that you get to the endpoint.

To be able to achieve that goal, a lot of organisations have to take that intermediate step of using something that's available to all of their users - and that would be a phone number.

Not every organisation is going to have the ability to make that change to a stronger factor because of a number of different reasons.

In some cases, it's pushed back, there's a reluctance to change from their users, many of those users can apply pressure through the executive representative and so on.

And in some cases, those reasons are economic.

Not every company is going to have the budget to invest in second factors that do cost and represents a significant line item in their IT budget.

So I think a lot of the other organisations, and at least security teams, have this target of getting all of the users to have a second factor that is strong.

But it is a journey.

And sometimes you have to be able to take intermediate steps to get there.