Okta eats own dog food on WFH, tightens supplier access after Lapsus$ breach

Okta contracts are 100% work from home, says senior solutions engineer Craig Hinchliffe

Okta could be said to have had a 'good pandemic': demand for its SaaS identity and access management (IAM) services soared as organisations scrambled to secure working from home (WFH).

The company itself has fully bought into the new ways of working, said senior solutions engineer Craig Hinchliffe: 100% of its staff are on work-from-home contracts, and the company pays for their broadband and phone services.

"The things we thought were bad turned out not to be quite so bad after all, and now we can get some advantages from them," said Hinchliffe, speaking during the Computing Cybersecurity Festival last week.

While WFH can improve employees' work-life balance and bring efficiency benefits to organisations, CISOs instead worry about the security holes that can be created. Hinchliffe said Okta's mission is to "remove the friction" in securing access to applications and SaaS services to reduce the risk of shadow IT.

"So give people the right experience and give the right level of security. Because if it's a crappy user experience, quite frankly people won't want to use it. They'll try and get around it, whether they can or not, they'll just get irritated."

Okta looks to solve common UX issues with single sign-on (SSO): one login to the identity provider covers every connected service, so users are no longer juggling a separate password for each.

It also alleviates joiner-mover-leaver (JML) difficulties by "automating the employee lifecycle", according to Hinchliffe: access is provisioned when someone joins, adjusted when they change role and revoked when they leave.

Once administrators know who the person is, which device they are using and where they are, they can decide what level of access to grant. For example, devices enrolled in an MDM solution can be treated as trusted and their users given a seamless experience without repeated authentication prompts, whereas an untrusted device may require the user to log in each time, or be blocked outright.

"You can give people security and a nice user experience together, without worrying about one or the other. You can bring those things together. And of course if it's an untrusted device you can deny access."

Hinchliffe also addressed the recent incident in which the threat group Lapsus$ compromised third-party support supplier Sitel and claimed to have accessed Okta customer data. Okta had learned a lesson, he insisted: not only would communications be handled better in future, but the company has also tightened its access management approach for suppliers as a result.

"I think it's fair to say what we did is we took an identity-only approach, we didn't take a full zero-trust approach to that. What I mean by that is we didn't think about the devices, and we didn't think about the location."
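The difference between the "identity-only" approach Hinchliffe describes and the device-and-location-aware model outlined earlier in the article is easiest to see side by side. The following is an illustrative example added here by the editor; it is not Okta's code or policy syntax, and the trust signals, the country allow-list and the sample requests are all constructed for the demonstration. The point it shows is that a set of valid supplier credentials presented from an unmanaged machine passes an identity-only check but is stopped once device and location are part of the decision.

```python
"""Context-aware access decisions: identity-only versus full-context policy.

Illustrative example written for this article; not Okta's code or policy
language. Signals, allow-list and sample requests are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"               # seamless: no extra prompt, persistent session
    PROMPT_EACH_TIME = "prompt"   # untrusted device: authenticate on every access
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    password_ok: bool      # primary factor verified by the identity provider
    mfa_ok: bool           # second factor verified for this login
    device_managed: bool   # enrolled in MDM, so posture can be attested
    country: str           # geolocated from the client IP (ISO 3166-1 alpha-2)
    is_supplier: bool      # third-party support staff rather than an employee


# Hypothetical allow-list of countries the accounts are expected to operate from.
ALLOWED_COUNTRIES = frozenset({"GB", "US"})


def identity_only_policy(req: AccessRequest) -> Decision:
    """Identity-only approach: a correct credential set is the whole decision."""
    if req.password_ok and req.mfa_ok:
        return Decision.ALLOW
    return Decision.DENY


def zero_trust_policy(req: AccessRequest) -> Decision:
    """Identity plus device plus location, evaluated on every request."""
    # Identity is still the first gate: no valid factors, no access.
    if not (req.password_ok and req.mfa_ok):
        return Decision.DENY
    # Location: a login from somewhere the account never operates is denied.
    if req.country not in ALLOWED_COUNTRIES:
        return Decision.DENY
    # Suppliers only get in from a device the organisation manages.
    if req.is_supplier and not req.device_managed:
        return Decision.DENY
    # Managed device: trusted, so the user gets the seamless experience.
    if req.device_managed:
        return Decision.ALLOW
    # Employee on an unmanaged device: allowed, but must log in every time.
    return Decision.PROMPT_EACH_TIME


def compare(req: AccessRequest) -> tuple:
    """Return (identity-only decision, zero-trust decision) for one request."""
    return identity_only_policy(req), zero_trust_policy(req)


# Constructed sample requests (hypothetical users and signals).
EMPLOYEE_MANAGED = AccessRequest("alice", True, True, True, "GB", False)
EMPLOYEE_BYOD = AccessRequest("alice", True, True, False, "GB", False)
# Valid supplier credentials from an unmanaged machine: the case an
# identity-only policy waves through and a context-aware one stops.
SUPPLIER_UNMANAGED = AccessRequest("support-eng", True, True, False, "GB", True)
SUPPLIER_OFFSHORE = AccessRequest("support-eng", True, True, True, "BR", True)
BAD_PASSWORD = AccessRequest("alice", False, False, True, "GB", False)

if __name__ == "__main__":
    samples = [
        ("employee, managed device", EMPLOYEE_MANAGED),
        ("employee, own device", EMPLOYEE_BYOD),
        ("supplier, unmanaged device", SUPPLIER_UNMANAGED),
        ("supplier, unexpected country", SUPPLIER_OFFSHORE),
        ("wrong password", BAD_PASSWORD),
    ]
    for label, request in samples:
        ident, zt = compare(request)
        print(f"{label:30} identity-only={ident.value:7} zero-trust={zt.value}")
```

Running the block prints one line per constructed request; the two policies agree on the managed-device employee and on the bad password, and diverge on every case where the credentials are fine but the device or location is not.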