Page 31 - FCW, May 2021
Innovation Spotlight
authenticate the device and make the session secure, which is why it’s great they can authenticate through the Okta Identity Cloud by using the Touch ID or facial recognition apps they use on their smartphones.”
Security researchers have found that 34 percent of people use the same login credential across multiple application accounts. Recent Okta research reported that while we’re still in the early days of passwordless adoption, at least 10 percent of organizations across all regions and industries have taken steps to move in the passwordless direction. North America leads the charge, with 18 percent of organizations reporting planned passwordless projects in the next 12 to 18 months.
“The onus for doing authentication has always been on the end user,” says Frazier. “We have to change that by eliminating the password. While zero-day attacks get a lot of play in the media, the vast majority of the security incidents are from phishing attempts, credential theft, account takeover and bad password management. We need to put more of a focus on these identity management issues.”
“We have to authenticate identities quickly so users are not punished and there’s as little friction as possible.”
Sean Frazier, federal chief security officer at Okta
The shift to Zero Trust
Technologies like the Okta Identity Cloud have become central to organizations moving to a Zero Trust model because they lay the groundwork for secure access. Okta research found significant growth in Zero Trust over the past year: nearly three times as many organizations now have defined Zero Trust initiatives or plans to deploy Zero Trust. The number went from 16 percent in 2019 to 60 percent today, showing that Zero Trust has become more than a buzzword.
According to Okta research, Zero Trust is now recognized as an important security framework. Developed by Forrester analyst John Kindervag in 2009, it moves away from the idea of a trusted internal network versus an untrusted external network.
Kindervag and his colleagues at Forrester argue that security teams should consider all network traffic untrusted. They say security pros should revamp the network perimeter and inspect all network traffic in real time. The three principles of Zero Trust are: all resources must be accessed in a secure manner, regardless of location; access control must be set up on a “need-to-know” basis and be strictly enforced; and organizations must inspect and log all traffic to verify that users are behaving properly.
“The idea of Zero Trust is that security teams don’t trust anybody and consistently verify so we can deliver a consistent end user experience,” Frazier said. “In many ways, Zero Trust is more of a lifestyle choice, a way of doing business versus any one specific product an enterprise can buy.”
Frazier adds that he thinks DOD and many other federal agencies will embrace Zero Trust. He points to the National Security Agency’s move in late February to issue guidance for all of its customers on how the NSA plans to adopt a Zero Trust model. And there’s a great deal of interest across the federal government in Zero Trust, which Okta highlights in this whitepaper.
Ready for DOD’s IL4
All of these modernization efforts, including integrations with cloud-based apps and support for WebAuthn and specifications such as SAML, OpenID and OAuth2, put the Okta Identity Cloud in a strong position to receive authorization to run missions at the Defense Department’s Impact Level 4 (IL4).
The various impact levels run from 1 to 6, with 6 being classified and secret data and information. IL4 is based on NIST SP 800-171, which protects controlled unclassified information in nonfederal systems and organizations.
The impact levels are developed and designated by the Defense Information Systems Agency (DISA), which also develops and maintains the Defense Department’s Cloud Computing Security Requirements Guide (SRG). The SRG defines the baseline security requirements used by DOD to assess the security posture of a cloud service provider (CSP), supporting any decision to grant a DOD Provisional Authorization (PA) that lets a CSP host DOD missions.
“It’s really not up for discussion,” says Frazier. “If we want to be a part of an IL4 deployment, we have to have that authorization.”
Okta expects DISA to grant the PA for the Okta Identity Cloud sometime later this spring.
https://www.okta.com/resources/reports/state-of-zero-trust-security-in-global-organizations/