Okta doubles down on cyber in wake of high-profile breaches

Okta launches Secure Identity Commitment to shore up its technology in the wake of a damaging breach and elevate best practice around identity

Identity and access management (IAM) provider Okta has announced it is to double its investment in security over the next 12 months and launched a Secure Identity Commitment, a long-term plan comprising four key initiatives – cementing market leadership, advocating for best practice around identity, elevating the identity sector, and hardening its own infrastructure.

Nearly six months after Okta’s products were exploited in a series of cyber attacks – including two dramatic and high-profile compromises of prominent Las Vegas casino operators by a ransomware gang, and attacks on other IT firms that used its products – the organisation is increasingly cognisant that it needs to do more to help its customers adopt best practice around identity, and to prevent its products from being taken advantage of in the future.

“When you look at some of the recent press articles and trends in the industry, it’s evident that threat actors are targeting identity, and targeting providers, a lot more,” Okta’s EMEA chief information security officer, Stephen McDermid, told Computer Weekly. “This commitment is about recognising that we need to be at the forefront of challenging these issues.”

The attacks on Okta’s customers originated when attackers broke into the personal Google account of one of its own employees and stole credentials, which they then used to breach the firm’s support case management systems and access customer data. Among those impacted were 1Password, BeyondTrust and Cloudflare. The scope of this breach was initially thought to be quite limited, but later widened to include every Okta customer that has ever used its helpdesk.

Recognising the magnitude of the issue, Okta’s immediate response was to batten down the hatches and order all hands to the cyber pumps in an operation it dubbed Project Bedrock, which saw the organisation suspend all functional development of its products for 90 days.


“For those 90 days we did nothing but focus on security, and that’s an incredible step to take,” said McDermid. “That has turned into a huge amount of work for the internal security teams, but also gives us the opportunity to turn Okta’s enterprise security into the real strong force that it should be and must be to defend against these attacks.

“Okta being a market leader, we are always going to be under attack, we are always going to be a big target, so it’s important to be prepared for some of these new methods and strategies we’re seeing from threat actors and make sure that our systems are capable of defending against those.”

McDermid said Okta was now in a much better position than it was three months ago. “We’re not taking anything for granted [but] the reality is that Project Bedrock has allowed us to expedite the delivery of some of the security initiatives we had on the way, in tandem with some new ones once we identified the cause of the incident.”

Some of the enhancements that can now be revealed include enforced session time-outs for administrators if they go idle for longer than 15 minutes, and restrictions on how admins can access support cases.
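The article only reports the policy (admin sessions end after more than 15 minutes of inactivity), not how Okta enforces it. The sketch below is an added illustration, not Okta's code, of why such a rule belongs on the server: a session token that was hijacked, as in the support-system breach described above, stops working as soon as the legitimate administrator stops using it, whatever the attacker's client does. The 15-minute idle window is the figure from the article; the 12-hour absolute lifetime, the token and user names, and the timestamps are constructed assumptions.

```python
"""Server-side idle time-out for administrator sessions (added example, not Okta's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IDLE_TIMEOUT = timedelta(minutes=15)      # the figure the article reports for admins
ABSOLUTE_LIFETIME = timedelta(hours=12)   # assumed cap; the article does not state one


@dataclass
class Session:
    token: str
    user: str
    is_admin: bool
    created_at: datetime
    last_seen: datetime
    revoked: bool = False


class SessionStore:
    """In-memory session table with an injectable clock so the scenario is deterministic.

    A real deployment keeps this in a shared store and also logs the client out,
    but the server-side check is the one that matters: a stolen token is refused
    even if the attacker's client never goes idle itself.
    """

    def __init__(self, now: datetime) -> None:
        self._sessions: dict[str, Session] = {}
        self.now = now

    def create(self, token: str, user: str, is_admin: bool) -> Session:
        session = Session(token, user, is_admin, self.now, self.now)
        self._sessions[token] = session
        return session

    def validate(self, token: str) -> tuple[bool, str]:
        """Return (allowed, reason).

        Both expiry checks run before last_seen is refreshed, so a request that
        arrives after the idle window cannot rescue the session, and an expired
        session is marked revoked so it stays dead regardless of clock skew.
        """
        session = self._sessions.get(token)
        if session is None:
            return False, "unknown_token"
        if session.revoked:
            return False, "revoked"
        if self.now - session.created_at > ABSOLUTE_LIFETIME:
            session.revoked = True
            return False, "absolute_lifetime"
        if session.is_admin and self.now - session.last_seen > IDLE_TIMEOUT:
            session.revoked = True
            return False, "idle_timeout"
        session.last_seen = self.now   # activity extends the idle window only
        return True, "ok"


def run_scenario() -> list[str]:
    """Walk constructed admin and non-admin sessions through the clock and
    return the reason string for each check."""
    t0 = datetime(2024, 2, 1, 9, 0, tzinfo=timezone.utc)   # constructed start time
    store = SessionStore(t0)
    store.create("adm-1", "admin@example.test", is_admin=True)
    store.create("usr-1", "user@example.test", is_admin=False)
    results: list[str] = []

    # Admin: active at +10 and +24 min (14 min gap, within window), then a 16 min gap.
    for minutes in (10, 24, 40, 41):
        store.now = t0 + timedelta(minutes=minutes)
        results.append(store.validate("adm-1")[1])

    # Non-admin session idle for 41 min: this sketch applies no idle rule to it.
    results.append(store.validate("usr-1")[1])

    # A second admin session touched every 10 minutes never goes idle,
    # but still hits the absolute lifetime cap.
    store.now = t0
    store.create("adm-2", "admin@example.test", is_admin=True)
    minutes = 0
    while True:
        minutes += 10
        store.now = t0 + timedelta(minutes=minutes)
        ok, reason = store.validate("adm-2")
        if not ok:
            results.append(reason)
            break
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The two limits do different jobs: the idle window bounds how long an unattended or stolen session stays usable, while the absolute lifetime forces re-authentication even for an attacker who keeps a hijacked session "warm" with periodic requests.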

McDermid said this had created a challenge for customers by introducing more friction in how admins use its products, but once the need for these changes was properly communicated, the user base was, by and large, very understanding.

Coupled with this, Okta is continuing to enhance its customer outreach in the service of creating a more transparent relationship with customers. This is an evolution of a policy that the firm’s vice-president of customer trust, Ben King, introduced following a previous incident in 2022, in which Okta was criticised over a lack of communication.

The four pillars of Okta’s Secure Identity Commitment

  1. Providing market-leading identity products and services, baking in security-by-design through a major investment to harden and secure its products, including some of the enhancements and new features made as a result of Project Bedrock.
  2. Championing customer best practice to help users get the best out of their Okta experience.
  3. Elevating the industry to be better protected against attacks that originate through identity, going beyond just Okta, its customers and the third parties in its supply chain. Part of this includes a $50m funding injection through a programme called Okta for Good, which is extending assistance to non-profits working in areas such as social justice and climate change, and investing in security skills.
  4. Hardening its corporate infrastructure to extend the boundary around its people, processes and partners, treating everything with the same threat profile as it would its customer-facing environment.

“Customers want to see us take a more active role in communication – they want greater understanding of the threats we’re seeing and they want partnership,” said McDermid.

“I’ve held a number of calls, hundreds, with customers to walk them through the incident, walk them through the changes we made, walk them through some of the details, help them understand what Okta looks like moving forward, and provide them with that reassurance that we’re taking this seriously and we’re committed to improving our own security as well as supporting them to do that,” said McDermid.

“It’s not been ideal to have had this experience, by any means, but certainly through the discussions we’ve had with customers, they understand what we’re doing, how we’re responding to it… [Some] customers want to spend some time shouting at us, but the majority of customers understand that these things do happen.”

Timeline of TechTarget’s Okta HAR file breach coverage

  • 24 October 2023: Customers of identity specialist Okta have been attacked via a compromise of its systems, and are claiming Okta’s response leaves something to be desired.
  • 25 October 2023: After breaches at BeyondTrust and Cloudflare, 1Password, a third customer of Okta operating in the same space, has revealed that it too was impacted in a breach of the IAM house’s support systems.
  • 26 October 2023: TechTarget Security's Risk and Repeat podcast covers the security breach suffered by identity vendor Okta involving its customer support systems, sparking criticism from customers.
  • 3 November 2023: Okta provided a detailed timeline of the events surrounding the breach against its customer support case management systems and said five customers had sessions hijacked.
  • 6 November 2023: Okta now believes the initial access vector in a series of damaging breaches was one of its own employees who used a corporate device to sign into their personal Google account.
  • 29 November 2023: Okta has widened the scope of the October breach of its systems to include every customer that has used its helpdesk service, after new information came to light.
  • 2 February 2024: Cloudflare initially believed it contained an attempted cyberattack last October by a threat actor using an access token stolen in a breach of Okta's customer support system, but has now disclosed a breach.
