Solving IAM Security Risks

Zero data is the idea that organizations can store much less data than they used to - sometimes zero data- because of the advent of just-in-time identity streaming technologies like verifiable credentials. Verifiable credentials, combined with ubiquitous fine-grained access control can provide significant benefits to organizations using zero trust principals to secure their applications and internal workloads.

This talk will discuss how just-in-time data that is easily verifiable can streamline workflows while reducing the burden of data management and increasing security. 

This is an implementation and enterprise change management story about how we moved Okta from a baseline of traditional MFA gating app/resources access to a far more dynamic & secure app/resource access policy position using ZTA principles, passwordless, & eventually, phishing resistance. It’s about cross-departmental partnership, iterative improvement, and performance benchmarking to deliver a data-driven transformation in our security posture in a short, yet realistic, time frame.

This session will show WHY and HOW we managed both the technical and cultural enterprise changes needed to make this a success, and provide attendees within all industries with ideas and examples they can take back to undertake iterative security improvement in their own organizations.

We will start by introducing Okta on Okta. OoO are the identity practitioners within Okta, and just like other EIC attendees, we have to deliver solutions to business identity challenges. Though we may wear “team colors,” we talk shop with the credibility that comes from having to actually implement, own, and iterate it - without the marketing mission to distract us.

We will highlight the status quo and the drivers for this change. We will then move on to the foundational work needed to overhaul our security signals and access policies based on said signals, including how we kept the enterprise from experiencing change & security fatigue, how passwordless was a QoL feature to start, but evolved as the program did to emphasize phishing resistance as the real value. As the program went on, we began layering security feature after feature at sign-on time, including user behavior analysis, managed and BYOD device profiling and security signals, CrowdStrike signals, and more until organically we got to a place were we authenticate every user, every device, and constantly review and adjust our policies based on new security threats.

We will share the metrics on how we tracked our objectives, including auth metrics we tracked to know we were making an impact. We will share the business value impact as well in terms of UX, security hygiene, and worker hours saved - and emphasize this is how we kept exec attention on this program so it wouldn’t peter out. We will end by highlighting that our phishing-resistant journey is not “complete” until all aspects of the user’s identity lifecycle are secured with PR credentials, including onboarding, desktop sign-on, and credential recovery.

This is an implementation & ent. change management story. It IS set w/in Okta & executed by Okta employees, but this is not about the product- it is about the doers getting this done. This is a universally applicable story on passwordless as the first step toward the real goal of phishing resistance, and the iterative process toward ZTA using diverse identity & security tooling signals.