After four years at Okta, CSO David Bradbury found himself in arguably the most consequential role at the identity and access management provider.
Okta is rolling out a series of security controls that, in retrospect, should have already been part of its products and internal IT operations, according to Bradbury.
“Okta hasn’t been keeping pace with the changing threat environment around us. You can criticize, I think, our reactiveness to security in a lot of ways,” Bradbury said. “The conversation is no longer where does security fit — it’s where does everything else fit.”
The company's mea culpa and reorientation around security became its top priority after a series of reputation-damaging cyberattacks over the past couple of years and a previous plan to improve security that didn't take.
It's a defining moment for the beleaguered company.
Bradbury on Monday previewed more than a dozen security enhancements Okta is announcing later this week, part of a companywide effort catalyzed by a September cyberattack that exposed all of its customer support system clients.
The company shared with Cybersecurity Dive its long-term commitment, spread across four pillars, to improve its internal defenses and the identity-based security of its 18,800 business customers.
Okta pledged to harden its corporate infrastructure, embody secure-by-design principles across its products, champion best practices, and invest $50 million in a fund to address cybersecurity challenges outside the company over the next five years.
Mounting woes
In 2022, Okta was hit by a phishing attack and a breach, and had its GitHub source code stolen. Last year, a string of attacks hit high-profile customer environments over the summer, and a third-party vendor attack exposed health information on nearly 5,000 current and former Okta employees.
Then came the September attack against Okta’s support portal. BeyondTrust, Cloudflare and 1Password all came forward to say they were downstream victims of that attack. And Okta's early estimations concluded that just 1% of its customer support system clients were impacted.
But by the end of November, Okta concluded all of its customer support clients were affected by the attack.
Cybersecurity Dive spoke with the security leaders at Cloudflare and BeyondTrust before Okta determined the full extent of damage caused by the support system attack. While the intrusion and resulting impact on the organizations strained their relationship at the time, trust in Okta was not irrevocably broken.
Okta is “a trusted provider of identity to some of the most critical organizations in the world” — it needs to show it’s taking this seriously by ensuring “there are no more breaches in this fashion,” Cloudflare CSO Grant Bourzikas told Cybersecurity Dive in late October.
The widescale incident was a breaking point for Okta and its status quo, revealing the pitfalls of an unbalanced and ultimately ineffective approach to cybersecurity.
“An aspect of working at a place like Okta is that there is always that personality conflict of are we a security company or are we an identity company? Which comes first?” Bradbury said.
The comprehensive breach of Okta’s support portal put that question to rest. Okta’s executive team determined a change was imperative — leadership paused product development for 90 days starting in early November and elevated security to priority No. 1.
“The internal focus is, we recognize there’s a gap, there’s a disparity between the security of our own system and the things that are around it. We need to raise that bar,” Bradbury said.
“We’re going to have to be one of a handful of companies around the world who don’t have that disparity across systems,” Bradbury said. “Every system is treated with the same threat profile, no matter whether it's the paper clip ordering system or whether it’s the production service.”
When Okta is the point of intrusion for an attack, the responsibility for defense isn’t shared with the customer — the easy response, Bradbury said — it falls on Okta. “My cyber defense team owns this. They own it in everything they do,” Bradbury said.
Shift to secure by default
After Okta initiated its second security action plan in the span of 18 months, Bradbury and his security team identified the paths of attack it or its customers fell prey to and mapped those vectors to features required to prevent future phishing, social engineering or token theft attacks.
“One of the first things we did after this incident was constrain your login session cookie to the network that you’re on,” Bradbury said.
Okta applied IP binding to its products, admin console, and privileged access — a feature that automatically revokes sessions when an IP address change occurs. It is also instituting multifactor authentication requirements for all Okta admin roles and protected actions in the admin console.
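The two controls described above, a session bound to the IP address it was issued to and revoked on any change, plus fresh MFA gating admin "protected actions", as an added illustration written for this article and not Okta's own implementation; the in-memory store, the session lifetime and the MFA freshness window are all assumed values:

```python
import secrets
import time

# Constructed in-memory session store (not Okta's code): each session is
# bound to the client IP it was issued to and is revoked on any mismatch.
SESSIONS = {}            # token -> session record
SESSION_TTL = 8 * 3600   # seconds; assumed value, not an Okta setting
MFA_MAX_AGE = 300        # seconds a step-up MFA stays fresh; assumed value

def create_session(user: str, client_ip: str, is_admin: bool) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "ip": client_ip, "is_admin": is_admin,
                       "mfa_at": None, "created": time.time()}
    return token

def validate_session(token: str, client_ip: str) -> str:
    """Return 'ok', or 'unknown', 'expired', 'revoked' (IP binding violated)."""
    s = SESSIONS.get(token)
    if s is None:
        return "unknown"
    if time.time() - s["created"] > SESSION_TTL:
        SESSIONS.pop(token)
        return "expired"
    if client_ip != s["ip"]:
        # A cookie presented from a different address is treated as stolen:
        # the whole session is killed, not just this one request denied.
        SESSIONS.pop(token)
        return "revoked"
    return "ok"

def protected_action(token: str, client_ip: str, mfa_verified: bool) -> str:
    """Admin-console protected action: bound session, admin role and fresh MFA."""
    status = validate_session(token, client_ip)
    if status != "ok":
        return status
    s = SESSIONS[token]
    if not s["is_admin"]:
        return "forbidden"
    if mfa_verified:
        s["mfa_at"] = time.time()   # record the step-up so it stays fresh briefly
    if s["mfa_at"] is None or time.time() - s["mfa_at"] > MFA_MAX_AGE:
        return "mfa_required"
    return "allowed"
```

Once a token has been revoked by an IP mismatch, later requests from the original address also fail, which is the intended behaviour: the legitimate user re-authenticates rather than the replayed cookie living on.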
As part of these changes, Okta is incorporating secure by design principles into its internal and external tech stacks, but not all of the new features are secure by default — some are optional or otherwise require customers to implement and properly configure settings to strengthen their defenses.
Bradbury acknowledged this approach has created risk for individual customers and Okta as a brand, but as more features are rolled out in early access mode, the company intends to turn the controls deemed most beneficial on by default.
“We don’t think we’ve got the right balance there. The historical preference has always been freedom of choice, in allowing customers to create their own stack their way and use the Okta product as they deem fit,” Bradbury said.
“Our position right now is that we think customers shouldn’t be asking us for advice about how to secure their platform. We should just be turning these features on for them as we go.”
Rebuilding trust from a bruised reputation
Okta’s security revival stretches beyond features and technology changes. This time around, after the previous concerted effort to boost security didn’t go fast enough, the company overhauled its values to make security the only priority, Bradbury said.
“Historically, security has never been a value of Okta,” Bradbury said, adding this change to company values creates a cascading effect across the organization’s culture.
“I feel that this is different this time and we’ve acknowledged that we didn’t quite get the speed right, but we also didn’t get the priority right,” Bradbury said.
Now, with Okta's reputation acutely bruised, more than 400 members of its 1,000-person engineering team are working on security-related activities on a full-time basis, bolstering the efforts of its security team of more than 200 employees.
The company, which has yet to report a quarterly profit since it went public in 2017, will report its fourth quarter fiscal 2024 earnings on Wednesday.
“Okta built up a brand over a decade and then watched that brand be tarnished with some incidents over the past couple of years, and I don’t think we’ve bounced back yet,” Bradbury said. “There’s still a substantial journey for us to go on to rebuild that trust.”
Shaking that reputational damage and regaining the trust of its customers will take more than time or words.
“We need a track record of zero breaches. That’s what builds trust,” Bradbury said. “The score sheet for us needs to be a clean sheet. It needs to be zero for the next few years.”