Over the last few years, we have seen the identity provider Okta rise in popularity with many of our customers.
This article discusses the following:
- How Identity providers make companies more secure
- Why Okta has taken market share away from Active Directory
- How Okta’s reaction to a breach is an excellent example of operational security planning
In this article, we’ll be breaking down some key points called out in our Enterprise Mobility Roundup Podcast episode on Okta.
If you would like more detail than this article provides, give that podcast a listen.
Why Identity Providers are Important to Security
What is an IDP?
An Identity Provider (IdP) is a service that stores and manages users’ identity information. IDPs are an effective way to authenticate end users into workplace applications and systems. IdPs allow organizations to grant or remove user permissions without having to make changes within an individual application (or their data).
Some popular IDPs in the enterprise market include:
Azure Active Directory – Azure AD is based on Microsoft’s on-premise directory service Active Directory (AD). Microsoft initially released AD in the early 90s to help companies manage users’ identities on computer networks that leveraged Windows desktops.
Microsoft has taken many successful products over the last 30 years and migrated them to its cloud platform Azure. Azure AD is an excellent example of this strategy. Due to the prevalence of companies that leverage Microsoft’s Office 365 tools, it is easy for companies to purchase or add Azure AD licenses.
Okta – Okta is a cloud-based identity provider founded in 2009 that focuses on Identity as a Service (IDaaS). Since 2014, Okta has risen to become a significant player among Fortune 500 companies. Companies are migrating to web-based cloud platforms, and Okta’s position on identity federation fuels its popularity.
Ping Identity – Ping Identity, founded in 2002, is an older company than Okta. But Ping also embraces a cloud-forward approach to helping companies manage identities and federations in the cloud. Ping claims usage in over 50% of Fortune 100 companies.
OneLogin – Founded the same year as Okta, OneLogin has not seen the same market traction as Okta. To grow its cloud IDaaS market share, One Identity/Quest acquired OneLogin.
How do IDPs help Control Access?
An IDP is the central source of authentication for a user. The first time a user comes across a restricted resource, the IDP prompts them to enter their credentials. With the correct credentials, the IDP tells the system to provide access to that resource.
This centralized management of users and passwords reduces the effort required by individual applications to provide security. Additionally, it makes your organization more secure since fewer applications deal with usernames and passwords. When an employee leaves, removing permissions is easy since the user only needs to be removed from one system (the IDP).
System access typically requires a username and password for authentication. However, many IDPs build support for multi-factor authentication (tokens, biometrics, text prompts, secret questions). Additionally, some IDPs have come to support password-less authentication. This system uses a token plus a PIN (or another factor) to reduce the number of passwords users must remember.
How do IDPs Grant Permissions?
IDPs allow companies to customize access to resources, services, and applications through what is known as Role Based Access Control. An organization places users into roles, and each has access to specific applications and resources (such as databases or networks). This hierarchy makes it simple for applications to delegate access management to a centralized system.
When a user logs into an IDP, the IDP will look up the user’s roles and will provide these roles to other systems. This centralized management of rights reduces the complexity of granting permissions, especially when users may change responsibilities or roles within a company.
What is Identity Federation?
Identity federation is the trust relationship between one system (a service provider, or SP) and another (an identity provider, or IdP) through which the IdP tells the SP what permissions and rights it may grant a user. Trust between the two systems must be established before users request access.
Identity federation is at work on the many websites that ask users whether they want to use their personal Google or Facebook account to access the site. Those sites do not get access to your user credentials or account information; they get a response from Google or Facebook confirming that you are an authorized user. As an end user, this benefits you because it reduces the number of sites for which you need to create accounts.
This exchange of information between the two systems happens in the form of a token. The IdP issues a token that asserts the user’s rights, and that token grants the user access to the service provider system. The SP does not hold any user data and never has access to the user’s login credentials. Because the token, not the credentials, crosses the boundary between the two systems, user data stays protected during the exchange.
What is OAuth?
The exchange of tokens follows an open-standard authorization protocol, OAuth. With OAuth, applications can secure designated access without sharing password data. OAuth also ensures that user data doesn’t remain on shared devices.
What is OIDC (OpenID Connect)?
OIDC is an open authentication protocol layer that works on top of OAuth 2.0. OIDC allows users to use Single Sign-On to “access relying party sites using OpenID Providers (OPs), such as an email provider or social network, to authenticate their identities.”
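The role lookup described under “How do IDPs Grant Permissions?” and the token exchange described under identity federation and OIDC come together at the relying party: it must validate the ID token before trusting the roles inside it. The following is an added example, not code from this article or from Okta, showing what that validation looks like in Python using only the standard library. It assumes a toy IdP that signs tokens with HS256 and a shared secret; real OIDC providers such as Okta sign ID tokens with RS256, and the relying party verifies them against the provider’s published public keys (JWKS) rather than a shared key. The issuer URL, audience (client id) and role-to-application table are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not real Okta settings).
DEMO_KEY = b"constructed-demo-key-not-for-production"  # HS256 shared secret
ISSUER = "https://idp.example.com"                     # placeholder issuer URL
AUDIENCE = "launcher-client-id"                        # placeholder client_id of the SP

# RBAC table: which applications each role may open. In practice the IdP
# delivers the user's roles as a claim and the SP keeps a table like this.
ROLE_APPS = {
    "warehouse": {"inventory", "chat"},
    "manager": {"inventory", "chat", "reports"},
}


class TokenError(ValueError):
    """Raised when an ID token fails any validation step."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """What the (toy) IdP does after authenticating the user: mint a signed JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_id_token(token: str, key: bytes = DEMO_KEY, issuer: str = ISSUER,
                    audience: str = AUDIENCE, now=None) -> dict:
    """What the service provider must do before trusting any claim in the token."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to check the signature,
    # never the token itself (rejects "none" and algorithm-confusion tokens).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Only now read the claims, and check who issued it and for whom.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    if now < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    return claims


def authorize(claims: dict, app: str, role_apps: dict = ROLE_APPS) -> bool:
    """RBAC decision: allow if any role carried in the token covers the app."""
    return any(app in role_apps.get(role, set()) for role in claims.get("roles", []))


if __name__ == "__main__":
    # Constructed session: a warehouse worker's token valid from t=1000 to t=1900.
    token = issue_id_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42",
                            "roles": ["warehouse"], "iat": 1000, "nbf": 1000, "exp": 1900})
    claims = verify_id_token(token, now=1500)
    print("chat:", authorize(claims, "chat"), "reports:", authorize(claims, "reports"))
```

The order of checks matters: the signature is verified before any claim is read, so a token whose payload was edited (for example to add the "manager" role) is rejected before the role lookup ever runs, and the algorithm is fixed by the verifier rather than taken from the token header.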
The Rise of Okta's Popularity
As an Identity Provider, Okta has become a market leader with OpenID Connect (the OIDC standard). Okta’s popularity stems from being one of the first solutions to push a cloud-based Identity as a Service offering. Other identity providers, such as AD and Ping, started as legacy on-premises Identity Providers that required customers to install software onto servers in their own infrastructure.
Okta also features great developer and API documentation. For developers like ours at BlueFletch, Okta makes it easy to generate a sandbox environment. Okta also hosts significant learning events and an annual conference focused on educating its customers and partner ecosystem.
Another reason why Okta has become increasingly popular is its user synchronization features. Okta provides an efficient way to migrate user accounts from other directory services.
To migrate users into Okta, you can synchronize user information from your existing Active Directory (AD) or federate authorization.
From an existing AD, you can synchronize user data directly into Okta. Synchronization is an easy way to transfer users and doesn’t require moving more than an email. Once migration is complete, a user can authenticate through Okta.
BlueFletch's Experience With Okta
Overview of the Enterprise Toolset
BlueFletch provides a toolset for shared Workforce Android devices that allows shift-based employees to log in to a device and securely access all of their applications without ever having to re-type in their password.
The core of the BlueFletch toolset is our Launcher. The BlueFletch Launcher can tie into any of the IDPs mentioned above to authenticate users and provide secure Single Sign-on (SSO) on shared devices.
The BlueFletch Launcher is a highly configurable home screen replacement (Android Launcher) that provides lockdown, login, SSO, IDP integration, secure notifications, badging support, widget support, intent triggering, motion lock, data clearing, GDPR compliance, and FIDO2 support.
In addition to SSO on these shared devices, the BlueFletch Enterprise toolset also provides several other tools that help securely manage shared Android devices. These features include:
- Support Agent – An agent that collects device data, including system health, application information, custom log pickup, user login information, and app usage information. We also have the option to enable complete remote control for certain manufacturers.
- Playbook tools – A tool to use a lightweight device management app (MDM light) or to sit on top of existing MDMs such as SOTI, Intune, or Work Space One.
- Device Finder – A tool to view device check-in/out information. See devices on a map. Ping and locate lost devices. It also includes battery beacon support for newer Zebra/Honeywell devices.
- Secure Browser – A secure Chromium-based browser that supports SSO tokens, password management, FIDO2, data cache clearing, and multi-tab viewing/switching.
- Secure Chat – A communication app that supports local text chat (with media), asynchronous PTT, and 1:1 voice/video calling. We built it to fill the gap between Microsoft Teams (too heavy for shared workforce devices) and VoIP calling apps (not required for many manufacturing, warehouse, and retail workers).
How we Leverage Okta
Many of the IdPs we work with come with their own challenges when operating in a shared enterprise environment. Of the solutions we work with, we have found Okta to be one of the cleanest from an implementation standpoint.
We tie Okta into our login flow for handling authentication and providing the BlueFletch Launcher with OIDC tokens that we use for SSO of all applications we secure.
The applications within our authenticated session request Okta OIDC tokens for accessing backend resources, generating an application authentication flow. We containerize this session so the entire session wipes from the device when a user logs out, times out, or shuts down.
The BlueFletch Launcher clears tokens and user-identifiable data when a user logs out. In addition, we can easily make a call to Okta’s APIs to secure the end user’s session for their shift. This prevents stolen devices from becoming a key to breaching a company’s network, since gaining access to the user’s authorized applications is impossible once the session has expired.
2022 Data Breach
Bad guys are out there
In January 2022, one of Okta’s 3rd party support vendors, Sitel, was a victim of a data breach that exposed Okta support data.
Sitel is a third-party support group that assists with support desk calls. At the time of this incident, a Sitel support engineer unknowingly used a compromised desktop while servicing customers. A threat actor gained remote access to the employee’s workstation and attempted to acquire sensitive information.
The hacker saw a minimal amount of company data, and the breach only lasted about 25 minutes. Okta said a maximum of 366 customers were at risk during this time. Upon further review, they found the threat minimal and released a statement explaining the investigation’s findings.
Based on our observations, Okta did an excellent job of monitoring for, identifying, isolating, and root-causing the breach.
With this incident in the past, we can learn from the mistakes made and appreciate Okta’s aggressive handling of the situation.
The following are some of the key takeaways and lessons you should learn from the breach:
- No company is 100% secure – It’s unfair to label Okta as an unsecured platform, as the incident was due to a breach in a third-party system. Additionally, adapting to the internet environment is challenging. As bad actors find new ways to infiltrate secure systems, new threats appear daily. These attacks serve as learning opportunities to reconstruct existing security protocols.
- There’s no Silver Bullet – We cannot expect one piece of software, like Okta, to protect from all outside threats. One particular software or hardware is not going to solve all security problems. Identity security is the job of an entire system or strategy.
- Prepare for breaches – Detailed plans and healthy security structures are the best ways to prepare for a breach. It is not a matter of if but when a breach will occur, and a backup plan is an essential security element.
- Protect your systems – Don’t use shared accounts; create defense-in-depth strategies and have a process for root cause and impact analysis.
- Take advantage of federated accounts and authorization – Minimize syncing data by using federated accounts and authorization strategies. Also, consider adopting zero trust principles, because they limit the threat’s spread even if one user is compromised.
Okta is an efficient and easy-to-use Identity Provider that offers a valuable way to consolidate user accounts and federate authentication. Securing permissions and managing user authentication are vital components of a healthy security setup. And since migrating to Okta is so simple, making the switch may be worthwhile.
However, there are a plethora of IdPs to choose from, and they’re not all a single, silver bullet solution for a secure enterprise. Consider the other factors mentioned to assemble your ideal security solution.
If you wish to hear more about BlueFletch solutions, don’t hesitate to get in touch with us at firstname.lastname@example.org.