Okta Increases its Cybersecurity Commitment
By Diego Valverde | Journalist & Industry Analyst - Thu, 02/29/2024 - 14:03
Following a cybersecurity intrusion in November 2023, Okta, the Identity and Access Management (IAM) provider, has announced an increased investment in cybersecurity, a restructuring of its customer support, and the launch of its Secure Identity Commitment, as part of its long-term strategic plan aimed at strengthening the company’s security posture.
Okta’s products and clientele suffered a series of cyberattacks, stemming from the malicious intrusion from one of its employee’s Google accounts. This resulted in the theft of 18,000 client credentials and nearly one billion monthly Customer and Workforce Identity Clouds user credentials. These stolen credentials were used to compromise support case management systems and access customer data, affecting companies such as 1Password, BeyondTrust and Cloudflare.
"When we look at some of the recent press articles and trends in the industry, it is clear that the perpetrators of these attacks are prioritizing identity theft and vendor database access," said Okta Director of Information Security in Europe, Middle East and Africa (EMEA), Stephen McDermid. "This commitment is about recognizing that we must be at the forefront of addressing these issues."
In response to this threat, Okta implemented "Project Bedrock," an operation that brought functional development to a halt for 90 days to focus exclusively on strengthening its security posture.
"This project meant an enormous amount of work for internal security teams, as well as a considerable increase in our cybersecurity investments, but it has also provided us with the opportunity to turn Okta's enterprise security into the true strong force it should and must be to defend against these attacks," stated McDermid.
In this context, enhancements introduced during Project Bedrock were unveiled, including mandatory session timeouts for inactive administrators and data access restrictions for administrators. In addition, Okta aims to improve its customer outreach through a "more transparent" relationship, a policy introduced by Ben King, the company's Vice President of Trust, following a previous incident in 2022 where Okta faced criticism from users for its perceived lack of open communication.
In acknowledgment of the imperative to prepare for new methodologies and emerging strategies employed by threat actors, the company has instituted a Secure Identity Commitment — a comprehensive, long-term strategy aimed at spearheading the industry's efforts against identity attacks. The commitment is comprised of the following focus areas:
- Provide secure identity products and services
- Promote customer best practices to be better protected
- Elevating the industry to be better protected against attacks that originate through identity. (Part of this includes a $50m funding injection through a programme called Okta for Good, which is extending assistance to non-profits working in areas such as social justice and climate change, and investing in security skills)
- Strengthen corporate infrastructure
"It has become clear that we need to think about the relationship between identity and security differently than in the past: security must come first," said Todd McKinnon, CEO, Okta.








