IAM and Okta
Okta is a premium, platform-agnostic set of services that helps organizations with efficient and modern identity and access management (IAM). One of Okta’s biggest strengths is its ability to work with a variety of platforms and integrate its features and services into these platforms’ own solutions to provide seamless IAM. This strength has made Okta the leader in the IAM field, as it’s valuable in helping us manage our organization’s systems to ensure easy and efficient user account management.
In this chapter, we’ll learn about Okta and its features. This information will serve as the foundation with which to approach this book and pick up the skills we require to integrate Okta with our systems and learn how to use it in the best way possible. In this chapter, we’ll explore the following topics:
- The origins of Okta
- Exploring Okta
- Okta’s basic features
- Okta’s advanced features
- Okta and NIST
Exploring the origins of Okta
Okta was founded by Todd McKinnon (CEO) and Frederic Kerrest (COO), two former Salesforce employees. They saw that the cloud wasn’t just a product for the big leagues and predicted it would be necessary for anyone who wanted to grow their business. They started the business in the middle of the 2008 recession, with Andreessen Horowitz investing as one of the first capital injections for Okta in 2010. In 2017, Okta went public with its IPO and valuation of $1.2 billion.
The name Okta is derived from the unit of measurement for clouds covering the sky at any given moment. On the scale, 0 okta is a clear blue sky and 8 oktas means complete overcast. The wordplay in Okta (in Greek, octa is 8) and the fact that Okta wanted to cover all cloud access by becoming the identity standard, thus creating a complete overcast (8 oktas), is well thought out. As of 2022, Okta has grown its clouds by specifically creating two offerings: the Workforce Identity Cloud (WIC) and the Customer Identity Cloud (CIC). This book will only cover WIC.
Since Okta arrived in the IAM space, it has steadily grown to become the leading vector and has been in the leading segments of market investigation firms (Gartner, Forrester, etc.), bypassing giants such as Oracle, IBM, and Microsoft. Their take on being completely vendor-neutral has allowed them to gain customers, big and small, across all verticals. This particular focus makes sure that Okta can serve all applications, without being tied to or biased toward any relationship or partnership. It gives the customer complete freedom in choice, setup, and tools.
In recent years, Okta has been socially active, taking the 1% pledge; committing to giving back time, product, and equity to the community and supporting non-profit efforts in different ways. As Okta understands what it is like to start up and grow, during its annual conference in 2019, it announced an investment fund of 50 million dollars under the name Okta Ventures to help other start-ups in the identity and security sector ramp up and grow. Currently, over two dozen start-ups have benefitted from this venture seeding.
Understanding IAM and Okta
- Manage the roles of users within an organization
- Manage the privileges that users have to access company resources while using user context
- Configure scenarios to determine whether access is granted or denied
Beyond these actions, IAM can do much more, such as the following:
- Orchestrate the user’s lifecycle during their time within the company
- Constantly determine whether access is allowed according to company policies and rules to gain access to needed resources, content, and data using the best available security features
The time of perimeters is behind us. Organizations can no longer just trust their networks and secure access mainly through their infrastructure. Nowadays, access is needed by every device and every application, at any given moment, with any reason or intent. This shows that security needs are dynamic and their requirements are continuously evolving.
Outdated directories are being replaced by different tools, and they all have to be maintained, secured, and fortified outside of the comfort of the company’s network. This is bringing a lot of extra consolidation and rethinking of the concept of using the cloud and also how to manage it all for the workforce.
This brings us to the start of a new era where new IAM solutions were born in the cloud and existing solutions started a shift toward the cloud. This didn’t mean every organization all of sudden dropped its network and pushed everything and everyone to the cloud. Vendors had to become hybrid, delivering tools to connect the ground to the cloud with integrations. By consolidating the two, the shift slowly started to pick up pace and organizations began to understand the possibilities of using tools such as Okta as their IAM solution of choice.
A complete user and system management setup isn’t just in one product, nor is it dependent upon a single vendor. A complete view of all sections within and outside of the organization is best done by utilizing different tools.
This combination and their deep integrations make it possible to create a fine-knit layer of security and insights on top of everything, flexible enough to allow exceptions, but strong enough to fight off anything considered harmful to the user, content, data, systems, or organization.
An IAM system can be seen as a collection of different elements and tools to deliver this. It can be considered that the following functionalities are part of, but not limited to, an organization’s toolkit:
- A password vault to store and maintain access to applications and systems. This can be advanced by using protocols that allow single sign-on (SSO).
- Provisioning integrations to create and manage user identities within directories, applications, databases, and infrastructures.
- Security enforcement applications to secure access to applications, as well as securing the data of these systems and others.
- Unified reporting systems allow fine-grained insight into the array of tools to create oversight and provide better knowledge of what is happening within and outside of the corporate network.
By staying true to their form, they are capable of excelling in being an agnostic system. By allowing any application vendor to create integrations with Okta and delivering applications broadly on request from customers, Okta has been able to grow its reach to over 7,000 pre-built and maintained integrations in the public catalog Okta Integration Network (OIN). While creating these integrations, Okta also invested heavily in delivering more and more functionality to ground-to-cloud visibility and launched their Okta Access Gateway product. On top of these out-of-the-box integrations, Okta has added their no/low-code Workflows engine, allowing any identity-driven event to use Okta’s abilities internally and even on applications not in their integrations library.
Looking further than users, the world consists of more and more IoT applications, and the need for machine-to-machine management is becoming a much larger element within organizations’ business models. By offering API access management and Advanced Server Access (ASA), Okta creates more functionality to fill the needs of every aspect of the IAM situation within any organization.
Let’s now take a look at the things that set Okta apart in the IAM space.
As organizations shift away from on-premises applications by making sure the workforce can decide how and when they access the data they need, Okta makes it possible to incorporate forward-thinking concepts, such as zero trust. Zero trust is the framework where no physical or non-physical entities within or outside of the corporate perimeter are trusted at any given moment in time. This allows for insight and control to manage users, identities, infrastructure, and devices accessing business resources and data. Threat detection and remediation are a part of the cycle that makes sure that this concept is enforced.
The zero trust principle of least-privileged access can be incorporated into the organization’s security policies. It allows users and machines to only get enough access for that given moment and that task. This can be hard to manage on a case-by-case scenario (for example, allowing and denying access to individual corporate content and files), but by understanding the concept, it can be used as a rule of thumb to only give out need-to-access privileges. A couple of examples are as follows:
- A support agent needs administrator rights in a system but might not need full super admin rights. Role-based access can be applied here.
- A machine reading data from a database needs read-only access, not write access. This would reduce the risk of an attacker being able to change or delete data.
Acquiring an IAM tool is not enough by default to make sure your organization lives up to a zero trust approach, but it is a starting point for many organizations. When it comes to IAM and zero trust, Okta divides the journey into four stages of maturity.
Stage zero – fragmented identity
An organization in this stage typically has an Active Directory (AD) or some other on-premises structures as a user directory. Cloud applications might be used, but there is no integration into the directory. Passwords are not consolidated, but rather separate logins are everywhere. Security is done on a case-by-case basis, or rather, app by app. In stage zero, most services and devices will reside within the corporate infrastructure, as seen in Figure 1.1:
Figure 1.1 – All applications and access are managed with networks and directories
Usually, more traditional organizations fall into this category. Their history is based more upon older infrastructure, and the move toward the cloud is slowly happening. Companies with on-premises servers, fierce reliance on firewalls, and VPN access are often found in this stage.
Stage one – unified IAM
Once you open the gates, there is no coming back to a perimeter-based security practice. It’s important to make sure certain access is managed for employees, partners, and contractors. Delivering unified SSO relieves the user of the responsibility to create, maintain, and manage strong passwords per application, portal, and infrastructure. By adding multifactor authentication (MFA), the organization is capable of creating more policies that incorporate different activities to confirm the user’s identity while accessing corporate content.
Examples of this are as follows:
- Using an application such as Google Authenticator or Okta’s own application, Okta Verify, to receive a one-time code
- Using SMS to receive a one-time code
- Biometrics such as a fingerprint reader or a YubiKey
In stage one, you will see a shift. Users will access corporate data outside of the network. Slowly, SaaS will make its way into the organization. Even so, old structures will still stay in place to maintain legacy and non-cloud access as follows:
Figure 1.2 – An outline of what stage one might look like
You will find organizations of every trade in this stage. Moving to the cloud is part of their strategy. They will most likely start to embrace Software-as-a-Service (SaaS) options over their own capabilities. This is where perimeters start to fade and the call for more flexible security and management is needed.
Stage two – contextual access
Context-based access plays a large part when you want to expand your zero trust initiative. Understanding your users, their devices, location, systems, and even time and date can be of importance to accelerate your dynamic zero trust parameters. By incorporating all these components, you now allow your security team to widen their view of a user’s posture and activities and set fine-grained policies and rules that are applicable to that user.
Having such deep control and the capability to interact on such a low level with users fits perfectly with the concept of zero trust. Of course, automation is the magic sauce. Using all these different elements in your security risk assessment is the first step, setting policies on top of that is step two, but automating it all and having the systems grow stronger is what adds even more value. This is step three.
Within this stage, usually, you will observe that corporate APIs and systems have, or leverage, APIs that need to be protected as well. Allowing API management ensures that even your systems are only allowed access based on the least-privilege framework.
Figure 1.3 – An outline of what stage two might look like
Organizations might have a complete roadmap for themselves set out with regard to their zero trust initiative. Cloud-driven, cloud-native, and cloud-born organizations will quickly adopt it, and there are many of them in this stage. Traditional organizations that have made it to this stage have come a long way; they truly were able to reinvent themselves.
Stage three – adaptive workforce
When system automation increases, risk-based analysis can be added. This is when we are capable of creating a fully flexible and adaptive workforce. The incorporation of more security systems becomes a large addition to the whole security practice. Usually, external values from third-party applications such as mobile device management (MDM), cloud access security broker (CASB), security information and event management (SIEM), and other connected systems will deliver even more user and machine context that can be used within policies.
Unknown vectors are detected, and policies start to act upon these discoveries. Adding alternative access controls when it’s needed or required allows for more security. While security might go up, the users’ access can now be more controlled with the help of seamless access methods. Passwordless and dynamic authentication policies become a more common situation in which users are prompted to show who they are based on the risk they present to the systems that are controlling the access:
Figure 1.4 – An outline of what stage three might look like
Organizations that fall into this category will be front-runners in this initiative. They not only understand it, but they have also implemented it and made it their mantra. High-tech organizations with global workforces and dynamic management will fit this picture perfectly.
- Start by researching the concept
- Assess your own organization
- See what solutions you can keep and what needs to change and mitigate the gaps in your solutions
- Get your users on board
Now that we’ve learned about the steps to take with your organization to move toward a zero trust approach, let’s look at the basic features in Okta that we can use to start our journey.
Discovering the basic features of Okta
- Universal Directory (UD)
- Adaptive Multifactor Authentication (AMFA)
- Lifecycle Management (LCM)
It’s not always obvious in the administrator portal where one product starts and another one ends. This will be clarified in this book. The products will all be explained with practical examples in the coming chapters, but here is an initial overview.
UD can be considered the foundation of any Okta setup. UD is the directory of your users, groups, and devices. Users can be sourced by Okta, other directories, an HR system, or even any source that contains user data. For organizations with multiple directories, such as AD, LDAP, G Suite, and an HR system, Okta can offer a complete 360-degree view of the users and their attributes consolidated into one system. Users can be sorted into groups created in Okta and imported from a directory or an application. With Okta’s attribute sourcing feature, the attributes of any user can be sourced by different sources.
SSO lets us connect applications and lets our users access them through Okta. End users will only have to log in to Okta once and can thereafter access any application they have assigned to them. This is done with integrations based on SAML, WS-Federation, or OpenID Connect or with a simple Secure Web Authentication (SWA), where Okta stores credentials and passes them along to the application in a secure way. In the OIN, more than 7,000 integrations are available, and more are added every day. If the required application isn’t available in the OIN, customers can create their own integrations. This will be described in depth in Chapter 3, Using Single Sign-On for a Great End User Experience.
Multifactor authentication and adaptive multifactor authentication
Included in Okta’s SSO product are basic MFA features. You can easily set up policies to let your users utilize different kinds of authenticators after entering their password. Using the basic IP settings, you can set up network zones that protect your users and block bad actors from the outside.
Many third-party MFA solutions can be integrated with Okta, allowing you to leverage existing and perhaps currently deployed solutions into your Okta MFA policies.
If the basic features of MFA aren’t enough for you, Okta’s Adaptive MFA (AMFA) product brings even more advanced options. With AMFA, you can set and use the context in your MFA policies. The context can be location awareness, device fingerprinting and posture, or impossible velocity. Okta’s device trust options allow you to integrate with your third-party MDM systems to generate even more context around your users and devices.
So far, the Okta products we’ve looked at have focused a lot on end user experience and security. LCM is all about automation, easing up the friction between HR and IT. With LCM, organizations are better set up for audits. For instance, with your Okta instance set up—with groups, rules, integrations, and system logs—and access given, it’s easy to show when a user had access to what. With the group rules feature, automation takes over access given, removing the risk of manual errors. This will streamline work for the HR and IT departments, allowing them to do the work by creating the user only once in the organization’s systems. The creation, management, and deletion of users and accounts has never been this easy. Automatic account creation also minimizes mistakes caused by human error. A predetermined setup allows the organization to invest time upfront to create and set up the provisioning, and after that, it will automatically run based on the user’s identity and profile.
With Okta’s LCM functionality, you can also automate access control in certain applications. This allows you, with minimal interaction, to manage users with the correct role, license, entitlement, and group access.
Advanced features of Okta
Okta Advanced Server Access
Okta ASA lets us extend our zero trust practices toward server accounts. Okta can manage access to both user or service accounts to Linux or Windows servers across different cloud vendors, such as GCP, AWS, and Azure, or on-premises servers. In Okta, your admins get a great overview of who has access to what and can see individual logins in log reports. ASA works with a lightweight agent and is installed in your infrastructure landscape.
With Workflows, you can automate many business processes using a simple if this, then that methodology with no-code configurations. Okta provides a library of connections to many popular cloud applications, and Workflows can also integrate with custom APIs. Some examples of where Workflows can be used include the following:
- On and off-boarding enhancements
- Resolving conflicts when new users are created
- Sharing reports on a monthly basis
Okta Access Gateway
Okta Access Gateway (OAG) makes it possible to implement modern cloud-based access management to on-premises legacy applications. With this product, you can gather all your identity needs in one place, making them easier to manage. It’s easy to integrate, with templates and native on-premises integrations. By replacing your current web access management (WAM) system, you can bring your applications to your users in a modern and non-restrictive way. Additionally, you can also secure those apps even more with extra MFA functionality.
API Access Gateway
Leveraging Okta’s API Access Gateway allows the developer of your tools, systems, and platforms to be securely managed by Okta, while they can focus on their primary tasks. The processes of adding security and allowing scopes to grant access to your own systems are managed by Okta. The shift of responsibility goes from the developer to the security and operations team. Focusing on management with out-of-box integrations and authorization servers is core to Okta’s API Access Management.
Okta and NIST
While you might be working on your zero trust initiative, many organizations will also refer to the cybersecurity framework from the National Institute of Standards and Technology (NIST). As with all guidelines and frameworks, there is no miracle product to implement for compliance. Okta doesn’t cover all aspects that are included in the framework but can indeed help organizations manage the elements relating to IAM and access control.
What the framework is basically saying is that organizations need full visibility and control to be secure. As we have seen from the introduction to Okta’s features, by implementing the core features, you get a full 360-degree view of all users, their roles, and their accesses. By implementing AMFA, you can fulfill the requirement of context-based MFA with factors that suit each type of user for each situation.
To find a complete list of the NIST controls that Okta can help with, visit https://www.okta.com/sites/default/files/pdf/Meeting-the-Latest-NIST-Guidelines-Okta-Final.pdf.
In this chapter, we learned basic details about IAM and how Okta works as a great solution to any IAM needs. We’ve learned about the scenarios in which Okta emerges as an IAM solution. Finally, we learned about the features of Okta and how they work with various platforms to give us dynamic control over user accounts within our organizations. All of this information forms the basis of our understanding for the rest of the book, where we will take a deeper look at Okta and how to make use of all its features.
In the next chapter, we will learn how to work with UD by setting it up and configuring it. We will learn how to add or import users and explore the most important features and policies to help us use UD efficiently.