An Identity Company's Own Enterprise Journey to ZTA, Passwordless & Phishing Resistance

Combined Session
Friday, June 07, 2024 11:10—11:30
Location: B 07-08

This is an implementation and enterprise change management story about how we moved Okta from a baseline of traditional MFA gating access to apps and resources to a far more dynamic and secure access policy posture built on ZTA principles, passwordless, and eventually phishing resistance. It is about cross-departmental partnership, iterative improvement, and performance benchmarking to deliver a data-driven transformation of our security posture in a short, yet realistic, time frame.

This session will show WHY and HOW we managed both the technical and cultural enterprise changes needed to make this a success, and provide attendees within all industries with ideas and examples they can take back to undertake iterative security improvement in their own organizations.

We will start by introducing Okta on Okta. OoO are the identity practitioners within Okta, and just like other EIC attendees, we have to deliver solutions to business identity challenges. Though we may wear “team colors,” we talk shop with the credibility that comes from having to actually implement, own, and iterate it - without the marketing mission to distract us.

We will highlight the status quo and the drivers for this change. We will then move on to the foundational work needed to overhaul our security signals and the access policies based on those signals, including how we kept the enterprise from experiencing change and security fatigue, and how passwordless started as a quality-of-life feature but, as the program evolved, came to emphasize phishing resistance as the real value. As the program went on, we layered security feature after feature at sign-on time, including user behavior analysis, managed and BYOD device profiling and security signals, CrowdStrike signals, and more, until we organically arrived at a place where we authenticate every user and every device, and constantly review and adjust our policies based on new security threats.
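To make the "layering" concrete, here is a small policy evaluator that applies the kinds of signals named above in order: passwordless baseline, user behavior risk, managed-device and EDR posture, BYOD restrictions, app sensitivity, and a final switch that turns on phishing resistance for every sign-on. This is an added illustration written for this page; it is not Okta's product, policy engine or the speakers' own code. The signal names, thresholds, the two authenticator types counted as phishing-resistant, and the sample sign-on contexts are all assumptions constructed for the example.

```python
"""Hypothetical layered sign-on policy evaluator (added example, not Okta code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # re-authenticate with a phishing-resistant factor
    DENY = "deny"


# Authenticator types this example treats as phishing-resistant (assumption).
PHISHING_RESISTANT = frozenset({"fido2", "smartcard"})


@dataclass(frozen=True)
class SignOnContext:
    user: str
    authenticator: str            # "password", "otp", "push", "fido2", "smartcard"
    device_managed: bool          # managed fleet device vs. BYOD
    edr_healthy: Optional[bool]   # EDR posture signal; None = no signal received
    behavior_risk: str            # "low" | "medium" | "high" from behavior analysis
    app_sensitivity: str          # "low" | "high"


def evaluate(ctx: SignOnContext, require_pr_everywhere: bool = False) -> tuple[Decision, str]:
    """Apply the layers in order; the first failing layer decides the outcome."""
    pr = ctx.authenticator in PHISHING_RESISTANT

    # Layer 0: passwordless baseline. A bare password never satisfies the policy.
    if ctx.authenticator == "password":
        return Decision.STEP_UP, "password-only sign-on not accepted"

    # Layer 1: user behavior analysis.
    if ctx.behavior_risk == "high":
        return Decision.DENY, "high-risk user behavior"
    if ctx.behavior_risk == "medium" and not pr:
        return Decision.STEP_UP, "medium-risk behavior requires phishing-resistant factor"

    # Layer 2: device profiling plus EDR posture signal.
    if ctx.device_managed:
        # A managed device with no EDR signal is treated as a failed check, not as unknown.
        if ctx.edr_healthy is None:
            return Decision.DENY, "managed device reported no EDR signal"
        if not ctx.edr_healthy:
            return Decision.DENY, "EDR reports unhealthy managed device"
    else:
        # BYOD: only low-sensitivity apps, and only with a phishing-resistant factor.
        if ctx.app_sensitivity == "high":
            return Decision.DENY, "unmanaged device cannot reach high-sensitivity app"
        if not pr:
            return Decision.STEP_UP, "BYOD access requires phishing-resistant factor"

    # Layer 3: app sensitivity, and the end state where PR is required for everything.
    if (ctx.app_sensitivity == "high" or require_pr_everywhere) and not pr:
        return Decision.STEP_UP, "phishing-resistant factor required"

    return Decision.ALLOW, "all signals satisfied"


def pr_adoption_rate(contexts: list[SignOnContext]) -> float:
    """Share of sign-ons that used a phishing-resistant authenticator (a tracking metric)."""
    if not contexts:
        return 0.0
    return sum(c.authenticator in PHISHING_RESISTANT for c in contexts) / len(contexts)


# Constructed sample sign-on events covering each layer (not real data).
SAMPLE = [
    SignOnContext("alice", "fido2",    True,  True,  "low",  "high"),  # clean managed device, PR factor
    SignOnContext("bob",   "push",     True,  True,  "low",  "low"),   # managed, non-PR factor
    SignOnContext("carol", "push",     False, None,  "low",  "low"),   # BYOD without PR factor
    SignOnContext("dave",  "fido2",    True,  False, "low",  "low"),   # EDR says device is unhealthy
    SignOnContext("erin",  "otp",      True,  True,  "high", "low"),   # risky behavior
    SignOnContext("frank", "password", True,  True,  "low",  "low"),   # password only
]


def run_sample(require_pr_everywhere: bool = False) -> dict[str, str]:
    """Evaluate every sample event and return user -> decision."""
    return {c.user: evaluate(c, require_pr_everywhere)[0].value for c in SAMPLE}


if __name__ == "__main__":
    for phase, flag in (("phase 1: PR for sensitive apps", False), ("end state: PR everywhere", True)):
        print(phase)
        for c in SAMPLE:
            decision, reason = evaluate(c, flag)
            print(f"  {c.user:6} {decision.value:8} {reason}")
    print(f"PR adoption in sample: {pr_adoption_rate(SAMPLE):.0%}")
```

Running it shows the program's progression: with `require_pr_everywhere=False`, bob's push-based sign-on to a low-sensitivity app is allowed; flipping the switch turns that same event into a step-up, which is the kind of change you want to measure (via something like `pr_adoption_rate`) before enforcing it fleet-wide.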

We will share the metrics we used to track our objectives, including the authentication metrics that told us we were making an impact. We will also share the business value in terms of UX, security hygiene, and worker hours saved, and emphasize that this is how we kept executive attention on the program so it would not peter out. We will end by highlighting that our phishing-resistant journey is not "complete" until every stage of the user's identity lifecycle is secured with phishing-resistant credentials, including onboarding, desktop sign-on, and credential recovery.

This is an implementation and enterprise change management story. It is set within Okta and executed by Okta employees, but it is not about the product; it is about the doers getting this done. It is a universally applicable story on passwordless as the first step toward the real goal of phishing resistance, and on the iterative process toward ZTA using diverse identity and security tooling signals.

Lana Grechko
Sr. Principal Technical Program Manager
Lana Grechko is a Senior Principal Program Manager and Portfolio Lead at Okta. In this capacity, she’s focusing on ensuring Okta products and systems meet Federal Security Standards such as...