Okta IT 2018

IT Operations in a Cloud-Based Company



Okta provides cloud-based solutions for managing identity information and securing access to critical business systems by an organization's employees, suppliers, partners and customers. Over four million individuals use Okta on a daily basis to access more than 20,000 on-premise applications and cloud services.

Okta IT

Okta’s business operations are supported by a team of 50 IT professionals whose responsibilities are both very similar to and very different from those of their counterparts at larger, older companies. Business operations are enabled by an extensive suite of SaaS applications. We have no on-premise applications to support and no data centers to maintain. Our applications team focuses on integrating data across multiple SaaS tools and introducing new capabilities to support the rapid expansion of Okta’s business operations. Our engineering team ensures that Okta employees can access the systems and services they need via a wide variety of endpoint devices. Finally, our data warehousing team provides critical information about the adoption of our commercial services and the efficiency of our sales and marketing efforts.

Okta IT @ Work (and Play!)


A company born and built in the cloud

IT’s Customers

Okta’s workforce is young, tech-savvy, globally dispersed and Always On!


[Figure: map of office locations, including San Francisco and Washington, DC; legend: Corporate Headquarters, Development Center, Regional Offices]

Business operations are supported by over 150 core SaaS applications, some of which are illustrated here.

[Figure: Workforce Demographics by age group (25 and younger, 26 to 35, 36 to 45, 46 and older) and by Job Function]




Application Entitlement

Individual Okta employees are entitled to a personalized suite of applications based upon their employment status, functional assignments and working locations. Common collaboration tools such as Office365, Box and Zoom are provided to all employees and are referred to as Birthright applications. Specialized apps that are uniquely associated with an employee’s job responsibilities are considered to be Functional applications. Finally, cloud-based services that support operations within specific geographic regions are referred to as Location applications.

[Figure: Birthright Apps, Functional Apps and USA Apps assigned to Marketing, Finance and Engineering employees]

This diagram illustrates both the commonality and diversity of apps assigned to Marketing, Finance and Engineering employees in the United States. Note that this diagram is only a partial portrayal of the apps used by employees in these functions.

Functional and Location entitlement privileges are defined by an employee’s cost center and work location, respectively. These privileges are activated on an employee’s first day on the job, using Okta’s Lifecycle Management service. The success of this process is measured by the number of application access requests submitted to the IT Service Desk by new employees during their first 60 days on the job. On average, new employees typically submit only one request for such additional privileges.

To protect our corporate data and manage our software licenses prudently, access privileges to any application are suspended if they go unused for 90 consecutive days. They are terminated altogether on an individual’s last day of employment.

Enhanced access privileges allow selected users to view sensitive information, configure aspects of an individual application, and administer the access privileges of others. Enhanced access is enabled by establishing multiple user groups for individual applications.

Single Sign-On Access

Many companies employ credentials stored in Microsoft Active Directory (AD) as an authentication mechanism. We exclusively use Okta’s Universal Directory as our identity credential store and consequently make no use of Microsoft AD in authenticating employee identities.

Multiple authentication methods are employed to expose cloud-based applications to Okta's Single Sign-On (SSO) service, as illustrated in the table to the right.

SSO Authentication Method

• SAML (Security Assertion Markup Language): An internationally recognized standard for exchanging authentication information between security domains, specifically between Okta and individual applications.

• SWA (Secure Web Authentication): An Okta-developed protocol that associates encrypted user credentials with user-specific private keys. When a user clicks an application icon, Okta securely posts the user credential to the application login page via SSL.

• A URL link to an existing application or a portion of an application, for example a frequently used wiki.


Application Usage Patterns

Okta logs can also be used to obtain more granular insight into the ways in which individual applications are being consumed by Okta’s employees. The data shown below is based upon the same 90 day averaging period (March to May 2018) used in the diagram on the opposite page. This diagram illustrates the frequency of usage by employees who accessed a specific application at least once during that period.

Employees who logged into an individual app 6 or fewer times during that 90 day period are considered to be Casual users. Those who logged in 7-24 times are treated as Regular users. And those who accessed an individual application 25 or more times are considered to be Frequent users.

There are several very obvious differences in the usage of individual applications. Salesforce and NetSuite have large communities of Frequent users, while Concur, Slack and JIRA/Confluence have significant communities of Casual users. Information of this nature helps IT identify applications that are currently underutilized and focus future training efforts accordingly. It also provides a basis for restructuring subscription costs around specific levels of usage.

Application License


Okta logs can be used to track the actual utilization of individual SaaS services. The diagram to the right illustrates the utilization of allocated SaaS licenses by Okta employees over a 90 day period extending from March through May 2018. It’s readily apparent that licenses for NetSuite and Workday have been fully utilized, whereas a quarter or more of the allocated licenses for Marketo, Coupa and Tableau have not been used.

Unused licenses represent an obvious cost savings opportunity. Subscription costs for the unused licenses displayed to the right represent 7% of the total cost of the allocated license pool. This underscores the importance of reclaiming unused licenses and allocating them to new employees as a means of reducing unnecessary expenditures and minimizing the growth of subscription fees.


[Figure: License Utilization (March - May 2018)]

[Figure: proportions of Casual Users, Regular Users and Frequent Users for each application]

Application Access Administration

The access privileges of individual employees are managed in a hierarchical fashion through the following administrative roles:

• Manages the creation and deletion of user groups. Groups typically consist of employees working within common teams, functions or departments

• Can view, add, activate, deactivate and remove users from individual groups

• Can view groups and users and assign employee access privileges to individual applications

We currently employ all three levels of this hierarchy. All Okta employees have been placed in a single Okta organization. They've been assigned to roughly 150 groups. Access to 25 applications containing our most sensitive business information is controlled by Application Administrators.

Note that there are two additional administrative roles not shown here. The Super Administrator role is basically the ‘administrator of administrators’ and is responsible for designating individuals holding the responsibilities referenced above. In addition, there’s a Help Desk Administrator role that provides operational support for clearing user sessions, unlocking accounts, resetting passwords and resetting MFA configurations.

The processes established by the Organization, Group and Application Administrators are documented within the Okta application. This documentation can be used to satisfy auditors that consistent business rules have been followed in granting access privileges. This documentation also provides concrete evidence that an appropriate segregation of duties has been maintained between individuals requesting and granting system access.

Contractor Management

Every IT organization struggles to provide temporary contractors with the access privileges they need to perform their assignments. Provisioning delays inevitably occur for a variety of reasons. Contractors may begin their assignments any day of the week, arriving onsite or requesting remote access with little warning or prior notice. They rarely go through any type of standardized onboarding process. Hiring managers frequently give very little forethought to the applications their contractors will need. Consequently, it’s not uncommon for an IT Service Desk to receive multiple one-off requests for access to individual applications as a contractor’s roles and responsibilities are clarified.

At Okta, contractor access privileges are managed through a combination of interlocking workflows orchestrated by the Okta Lifecycle Management tool and ServiceNow. Hiring managers initiate a request for a contractor’s privileges by selecting specific applications and services from a standard checklist. Some of these requests can be implemented directly by an Okta Applications Administrator based upon preestablished business rules. For example, all contractors at Okta receive access to Microsoft O365 and Zoom whereas only those contractors working within the Engineering function would automatically receive Jira access. Access to more sensitive business systems, such as SOX systems, requires explicit authorization by Business Approvers.

As the diagram below indicates, ServiceNow orchestrates the business approval workflow. Business approvals are documented within ServiceNow and can be audited whenever necessary. The Okta Lifecycle Management tool orchestrates the implementation of access privileges once the Business Approver has formally authorized access.









[Figure: contractor access request workflow; labels include the Request, Productivity Application, Business Application and Notified of Denial]

Contractors frequently return to work after completing an engagement, either to continue work on a recent project or embark on a wholly new assignment. To avoid future provisioning delays, we suspend each contractor’s access privileges for 60 days at the conclusion of their assignments. This makes it easy to reinstate their privileges in the event they return to work at Okta during that 60 day period.



The Path to


Multifactor authentication (MFA) is required to access all Okta business systems. Employee-designated passwords serve as the primary authentication factor during the login procedure. Okta Verify Push — a one-time notification sent to the employee’s smartphone requiring a touch acknowledgement — is the most commonly used second factor, but physical tokens and biometric credentials are in use as well. This is consistent with practices in other companies. 45% of Okta’s commercial customers also employ four or more factor choices.

Passwordless login procedures can be achieved by selecting a factor other than a password as the primary authentication factor. In the future, an employee might find it more convenient to use a biometric credential or a physical token as a primary factor, followed by Okta Verify Push as a second factor, avoiding the use of passwords altogether.

It's important to balance the freedom of choice users are given in selecting their preferred factors with the ease of factor administration and auditing by the IT group. Experience has shown that it’s always easier to expand the variety of factor choices following the initial implementation of an MFA policy. It’s much more difficult to eliminate factor choices after such a program has been launched.

Passwords are a part of everyday life in the 21st century. We’re all conditioned to employ passwords in our professional and personal lives. Although many individuals would prefer to abandon the use of passwords altogether, they still serve as a useful security safeguard and are unlikely to disappear anytime soon.

Okta manages millions of passwords for its commercial customers. On average, our customers require passwords to be 8 characters or longer and contain at least one upper case letter, lowercase letter and number. Passwords containing user names are frequently prohibited. Users are typically locked out of their accounts after 10 login attempts and recovery tokens commonly have lifetimes of 1 hour.

Okta’s IT and security organizations subscribe to many of the same practices. We enforce minimum length and character type standards. Password reset frequency depends upon the role of individual employees. Employees who routinely access sensitive or proprietary information are required to reset their passwords more frequently. In addition we blacklist the use of common passwords that are known to have been hijacked in the past.

Login credentials for company laptops have been synchronized with Okta login credentials so users have a single authentication experience upon opening their laptops.






[Figure: authentication factors; labels include Email, One Time Push, Verify Push and Stronger Assurance Credentials]

Contextual Authentication

[Figure: the four contextual parameters: Network Context, Device Context, Location Context and Business Context]

Authentication policies are becoming increasingly sophisticated. In the past, a single set of authentication credentials could be used anywhere, anytime, from any device to access a company’s business systems or websites. Experience has shown that this type of one-size-fits-all policy is not sufficient to protect proprietary or personally identifiable information.

Contextual information is increasingly being used to establish risk-based authentication procedures. Okta policies are built around the four contextual parameters illustrated above. We employ Okta Threat Insight to blacklist specific IP addresses and determine if access is being requested from a new IP address for the first time. We query the device being employed by a user to determine if it has been used to access Okta in the past; if its operating system is being actively managed by JAMF or some other tool; and if it possesses specific security safeguards. Finally, we note the user’s geographic location and the business criticality of the system they are trying to access.

Okta’s Multifactor Authentication service is used to define the nature and frequency of multifactor authentication procedures required to access specific systems under different contextual circumstances. Access to sensitive systems is denied altogether to devices that fail our trust criteria. Step-up authentication (i.e. a repetitive authentication challenge) can be triggered by any of the parameters referenced above. We routinely require step-up authentication to engineering systems that directly support Okta's commercial services.

Contextual authentication policies are complemented by continuous authentication practices. Timeout periods for user session length and usage lapses vary. They are longer for employees working from Okta office locations and shorter for employees working remotely. In addition, timeout periods are shorter for employees who routinely access sensitive customer support and engineering systems.
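The decision logic described in this section can be sketched as a small policy function. This is an added example, not Okta's policy engine or configuration: the signal names, the rule order, the fail-closed handling of unknown signals and the timeout values are all assumptions made for illustration.

```python
"""Added example: a risk-based access decision over the four context types.
Signal names, rule order and timeout values are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    # Network context
    ip_blocklisted: Optional[bool]
    ip_seen_before: Optional[bool]
    # Device context
    device_seen_before: Optional[bool]
    device_managed: Optional[bool]       # OS managed by a device management tool
    device_safeguards: Optional[bool]    # required security safeguards present
    # Location context
    in_office: Optional[bool]
    # Business context
    sensitive_system: bool


def _ok(signal):
    """A signal counts as good only when it is known to be True (fail closed)."""
    return signal is True


def decide(ctx):
    """Return (decision, reasons, session_minutes); deny rules run before step-up rules."""
    reasons = []
    # Hard denials are evaluated first so that no step-up path can bypass them.
    if ctx.ip_blocklisted is not False:
        reasons.append("source IP blocklisted or reputation unknown")
    device_trusted = _ok(ctx.device_managed) and _ok(ctx.device_safeguards)
    if ctx.sensitive_system and not device_trusted:
        reasons.append("device fails trust criteria for a sensitive system")
    if reasons:
        return "DENY", reasons, 0

    # Any single context parameter can trigger a repeated challenge.
    if not _ok(ctx.ip_seen_before):
        reasons.append("first request from this IP")
    if not _ok(ctx.device_seen_before):
        reasons.append("device not seen before")
    if not device_trusted:
        reasons.append("device unmanaged or missing safeguards")
    if not _ok(ctx.in_office):
        reasons.append("request from outside an office location")
    if ctx.sensitive_system:
        reasons.append("sensitive system")

    # Assumed timeouts: longer in the office, shorter remotely,
    # shorter again for sensitive systems.
    minutes = 480 if _ok(ctx.in_office) else 120
    if ctx.sensitive_system:
        minutes //= 4
    return ("STEP_UP" if reasons else "ALLOW"), reasons, minutes


if __name__ == "__main__":
    # Constructed requests: office laptop, remote new IP, unknown device state.
    samples = {
        "office laptop": Context(False, True, True, True, True, True, False),
        "remote, new IP": Context(False, False, True, True, True, False, False),
        "sensitive, device state unknown": Context(False, True, True, None, True, True, True),
    }
    for name, ctx in samples.items():
        print(name, "->", decide(ctx))
```

Returning the list of reasons alongside the decision gives the audit trail a reviewer needs to see why a given request was challenged or refused.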

Endpoint Security

IT equips all employees with a laptop of their choice. 85% use Mac machines, the remaining 15% use PCs. Okta maintains a BYOD smartphone policy that lets employees select their own mobile devices. They are reimbursed for monthly phone expenses within a predetermined dollar limit. The vast majority of employees use Apple iPhones.

Jamf and Saltstack are used to manage the operating systems of our Mac and PC laptops, respectively. All hard drives are encrypted. Our laptop asset inventory is updated on a continuous basis and maintained in ServiceNow. Machine passwords and Okta passwords are synchronized so users can easily log in with a single password. Carbon Black and Sophos are installed on all laptops and are used to detect malicious processes or files.

Okta Device Trust is used to secure employee access to Okta business systems via any type of device. Employees download a permanent certificate on each device. This certificate is queried every time they open their Okta homepage in lieu of establishing a more traditional VPN connection.

Okta maintains the security certifications shown to the right. Our endpoint management procedures adhere to benchmarks established by the Center for Internet Security (CIS), an internationally recognized standard-setting body that provides guidance on the secure management of infrastructure assets. CIS benchmarks are routinely employed as industry-wide standards by security auditors. Our endpoint management practices are currently CIS 1.0 compliant and they directly support Okta’s enterprise-wide security certifications.


Arming our Threat Hunters

Measuring Customer Success


Okta logs can be used to monitor the full range of attack scenarios and suspicious events listed to the right.

Okta’s information security team makes extensive use of Okta logs to detect malicious attempts to access our internal business systems. Alerts are routinely triggered by the following:

• User location has changed unreasonably over a short period of time (e.g. San Francisco to Sydney in 3 hours!)

• Repetitive (brute force) access attempts employing one or more unknown passwords

• Password spray attempts in which a few common passwords are used in conjunction with a wide variety of user IDs

• User ID enumeration attempts employing various combinations of user IDs and passwords

• Authentication surges that exceed established rate limits

Other events may provide early warning signals of potential intrusions, such as:

• Deactivation of MFA policies for individual users or limited user groups

• Addition of low privileged users to highly privileged or sensitive groups

• Creation of new Okta

• Okta admin access from outside standard corporate IP domains

• Network zone

While none of these events constitute a proven threat in and of themselves, they can provide pathways for unauthorized access to our internal systems.
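Three of the alert conditions listed above (unreasonable location change, brute force and password spray) can be expressed as rules over login events. This is an added example, not Okta's detection logic: the event fields, thresholds and sample events are constructed for illustration and do not follow the Okta System Log schema.

```python
"""Added example: three of the alert rules above, run over constructed login events.
Event fields and thresholds are assumptions, not Okta's System Log schema."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 1000                   # assumed: faster than an airliner is "unreasonable"
MIN_KM = 100                     # assumed: ignore small jumps caused by GeoIP error
WINDOW = timedelta(minutes=10)   # assumed sliding window for failure bursts
SPRAY_MIN_USERS = 4              # distinct user IDs failing from one source
BRUTE_MIN_FAILS = 5              # failures against one user ID

# Constructed sample events: (time, user, source IP, lat, lon, outcome)
ROWS = [
    ("2018-05-01T08:00:00", "alice", "198.51.100.7", 37.77, -122.42, "SUCCESS"),  # San Francisco
    ("2018-05-01T11:00:00", "alice", "203.0.113.9", -33.87, 151.21, "SUCCESS"),   # Sydney, 3 h later
    ("2018-05-01T09:00:00", "bob", "198.51.100.7", 37.77, -122.42, "SUCCESS"),
    ("2018-05-02T09:30:00", "bob", "198.51.100.8", 38.91, -77.04, "SUCCESS"),     # DC, next day
    ("2018-05-01T12:00:00", "carol", "192.0.2.50", 52.52, 13.40, "FAILURE"),
    ("2018-05-01T12:01:00", "dave", "192.0.2.50", 52.52, 13.40, "FAILURE"),
    ("2018-05-01T12:02:00", "erin", "192.0.2.50", 52.52, 13.40, "FAILURE"),
    ("2018-05-01T12:03:00", "frank", "192.0.2.50", 52.52, 13.40, "FAILURE"),
] + [
    (f"2018-05-01T13:00:{s:02d}", "gina", "192.0.2.70", 48.86, 2.35, "FAILURE")
    for s in range(0, 50, 10)    # five failures for one user in under a minute
]


def load(rows):
    keys = ("time", "user", "ip", "lat", "lon", "outcome")
    events = [dict(zip(keys, r)) for r in rows]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def impossible_travel(events):
    """Flag consecutive successful logins whose implied speed exceeds MAX_KMH."""
    last, alerts = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["outcome"] != "SUCCESS":
            continue
        prev, last[e["user"]] = last.get(e["user"]), e
        if prev is None:
            continue
        km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
        # Clamp to one second so simultaneous logins do not divide by zero.
        hours = max((e["time"] - prev["time"]).total_seconds() / 3600, 1 / 3600)
        if km >= MIN_KM and km / hours > MAX_KMH:
            alerts.append({"user": e["user"], "km": round(km), "kmh": round(km / hours)})
    return alerts


def _bursts(events, group_key, measure, minimum):
    """Group failures by group_key and flag groups where measure(window) reaches minimum."""
    groups = defaultdict(list)
    for e in events:
        if e["outcome"] == "FAILURE":
            groups[e[group_key]].append(e)
    flagged = {}
    for key, fails in groups.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > WINDOW:
                start += 1
            seen = measure(fails[start:end + 1])
            if len(seen) >= minimum:
                flagged[key] = sorted(seen)
                break
    return flagged


def password_spray(events):
    """One source, many user IDs: count distinct users failing per source IP."""
    return _bursts(events, "ip", lambda w: {f["user"] for f in w}, SPRAY_MIN_USERS)


def brute_force(events):
    """One user ID, many attempts: count failures per user from any source."""
    return _bursts(events, "user", lambda w: [f["time"].isoformat() for f in w], BRUTE_MIN_FAILS)


if __name__ == "__main__":
    evts = load(ROWS)
    print("impossible travel:", impossible_travel(evts))
    print("password spray:", password_spray(evts))
    print("brute force:", brute_force(evts))
```

Grouping failures by source for spray and by user for brute force is what keeps the two alerts distinct: the spray source never reaches the per-user failure threshold, and the brute-force source never touches more than one user ID.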

Okta manages the identities of more than 140 million unique users. 4-5 million users employ Okta Single Sign-On (SSO) on a daily basis. Each unique daily user typically logs into Okta SSO eight or more times during their workday. All login events are recorded and stored in a data warehouse maintained by the IT group. These records are used to monitor the adoption of Okta services to ensure that our customers are realizing the full value of their Okta investments.

[Figure: Single Sign On User Adoption over time for Customer A and Customer B]

This graph portrays SSO adoption as a percentage of total enrolled users by two different Okta customers. Customer A achieved roughly 70% adoption within the first two months of SSO implementation, followed by a gradual transition to full adoption during the subsequent four months. Customer B achieved roughly 15% adoption during the first two months of their implementation, and then grew to roughly 80% adoption over the subsequent nine months.

Slow adoption patterns such as those exhibited by Customer B are red flags that trigger proactive outreach by Okta’s Customer Success Managers (CSMs). Slow adoption may be intentional or circumstantial. The CSMs work with our customers to ensure that the customer isn’t experiencing adoption issues related to the configuration of Okta services or a failure to provide appropriate user training.



Preparing for Lightning to Strike

Best Practices in SaaS Management

Salesforce.com is a foundational platform within Okta, supporting the majority of our sales, marketing and customer success activities. Our dedicated Salesforce instance was established shortly after the founding of the company in 2009. This instance has evolved considerably since then. A variety of fields and objects have been added to enable new business capabilities. These enhancements have been implemented by members of the IT team with the assistance of many different contractors and consultants.

Salesforce launched the next generation of its platform — called Lightning — in 2015. This version is superior to the Classic version currently in use at Okta in terms of its functionality, usability and speed. Lightning customers have experienced significant improvements in the productivity of their customer-facing teams. They’ve obtained deeper insights into the behaviors and preferences of their customers as well. We’re planning to move to Lightning in 2019.

Our existing Salesforce instance has accumulated significant technical debt over the past 9 years. We currently maintain 2500+ custom fields, 83 managed application packages, 90 custom objects and over 40,000 reports. This complexity directly impacts the usability of the platform. Account and Contact pages sometimes take over 30 seconds to load. Users may have to scroll through several hundred fields, up to 11 embedded frames, and more than 20 related lists to find what they’re looking for.

Project Medusa is an internal initiative, launched in 2018, to clean up our existing Salesforce instance in preparation for the transition to Lightning. Our specific goals are to reduce custom fields by 20%, managed packages by 15%, custom objects by 30% and reports by 50%. We plan to reduce page load times to 10 seconds or less, reduce the number of fields employed in commonly used page layouts to 100 or less, and reduce the number of related lists to 10 or less per page.

In addition to the cleanup efforts being conducted as part of Project Medusa, we’re establishing new standards and governance practices to limit the growth of technical debt in the future. These steps include:

Mapping and documenting all API

Multiple applications and websites exercise Salesforce APIs to transfer data into or out of our instance. We are cataloging all API connections and documenting the nature of the data being transferred. We are hoping to reduce duplicative connections and eliminate references to APIs that are not being actively used.

Establishing consistent data definitions for key business terms

We are documenting the name, data type, description and host object of all fields and establishing consistent naming conventions for interrelated fields that appear in multiple objects.

Standardizing architectural, coding and testing practices

Standard construction practices for custom object development will enable greater reuse of such objects in the future and make it easier to maintain customized enhancements implemented by temporary contractors and consultants.

Ensuring that material changes to all of the above are formally reviewed and approved

We’ve established an IT Change Approval Board which meets weekly to review all material modifications to our instance.

Finally, we intend to implement new tools to proactively monitor system health by continuously measuring database response times and page loading times.


Okta Workplace

Okta’s corporate motto is ‘Always On’. It’s intended to be a reference to the reliability of Okta’s commercial services. However, it’s also an apt description of Okta’s workforce. Okta employees operate in many different time zones and routinely perform work activities outside the confines of the normal 8 AM to 5 PM workday.

To support the needs of our workforce, our digital workplace needs to be accessible, reliable and responsive. Network connectivity needs to be device-agnostic and virtually available from a wide variety of work locations, including but not limited to Okta’s offices.

Like many other companies, we’ve attempted to simplify the IT infrastructure required for employees to perform their jobs. We’ve intentionally tried to create an end user experience that mimics the reliability and ease of use of a Starbucks, Marriott Hotel or United Airlines Club. Specific features of our workplace infrastructure are listed to the right:

• Company owned and managed laptops — 85% of our employees use Mac machines, 15% use Windows PCs

• Wifi everywhere — fewer than 10% of the employees working in Okta offices employ physical cable connection

• No on-premise file servers or shared drives — Box is our cloud-based file sharing service

• No complex directory trees to manage file servers, printers or network devices

• No VPN connections required to access business

• Unified Communications in the Cloud — Ring Central provides cloud-based UCaaS services, eliminating the need to manage PBX or SIP trunking technologies

• BYOD mobile device policy — employees choose the mobile devices they prefer and are reimbursed for phone expenses

• Concierge IT Service Desks — employees who would rather talk to an IT team member instead of submitting an online trouble ticket can use our walk-up support desks during normal business hours

Talent wins games, teamwork wins

— Michael Jordan, 14-time NBA All Star, 6-time NBA champion

Collaboration tools take on special significance in a workplace that is becoming more physically dispersed, data driven and real time responsive.

• 350,000 inbound emails per day

• 75,000 Slack messages per day

• 105,000 Box uploads per month

• 4,000 ServiceNow incidents per month

• 2,800,000 Zoom minutes per month

[Table: Collaboration Tool by function (Engineering Management, Information Sharing, File Sharing, Document Co-Authoring, Project Management, Video Calls/Conferencing, Audio Calls/Conferencing, IT Support); tools named include Google Drive, MS O365 and Ring Central]




Next Steps

Mindy Lieberman, VP, Business Systems

Ming Wu, VP, Data & Analytics

Chris Flynn, VP, Employee Enablement

Anya Darrow, VP, Program Management

Two key projects are currently underway to ensure that Okta customers obtain the maximum benefit from the use of our services. The first is Federated Search. Okta provides its customers with a wide variety of product-related information, including such things as product descriptions, implementation white papers, product release notes, user community blogs, Oktane video presentations, etc. This information is available through a variety of channels and is not catalogued in a consistent fashion. Consequently, it can be difficult for customers to locate the information they need when they need it. A new Federated Search capability will go live in 2019 to directly address this problem.

Our second customer success initiative is focused on customer training, specifically the training of Okta administrators. Our Cornerstone OnDemand system is being extended to manage progressive training pathways for individuals seeking different levels of administrative authority. We are also streamlining the ability for customers to purchase blocks of training hours and then simply use them as needed, instead of procuring courses on a one-off basis.

The current focus of the Data & Analytics team is upon ensuring the scalability of our data warehouse, improving data quality and expanding self-service data access by Okta colleagues and customers. Our data warehouse currently receives over 250 Million events per day from Okta’s commercial platform. We are migrating our warehouse to the cloud-based data storage and analytics platform provided by Snowflake Computing. In parallel with this transition we are making a concerted effort to identify and retire legacy data from Okta production tenants that are no longer in use.

As part of the Salesforce Project Medusa effort referenced elsewhere, we are also performing a major overhaul of the data dictionary we employ to characterize business terminology employed within the warehouse. Standardization of terminology is an essential step in broadening the self-service channels available to our customers. We also intend to make greater use of Tableau Live in the coming year to provide customers with more real time information.

Okta acquired ScaleFT earlier this year. ScaleFT is a cloud-based service that enforces Zero Trust principles in authorizing access to a wide variety of infrastructure devices. We will initially use it to manage Linux laptops employed within our engineering teams and deploy it more broadly over the coming year.

Automated provisioning procedures are being refined to enable finer-grained provisioning of end user access privileges within large, complex applications such as Salesforce, Workday and NetSuite. In addition, we are automating contractor conversion procedures within Workday to ensure that contractors preserve their existing access privileges when they convert from contractor status to full time employees.

Finally, we are implementing identity proofing procedures to periodically verify the identities of consultants and contractors accessing our business systems. Contractors sometimes share their access credentials for the sake of expediency. Identity proofing will help us guard against this practice.

Okta has constructed a number of customer-facing websites in the past to provide up-to-date information on product features, host Okta user communities, enable registration for Okta events and facilitate the training of Okta administrators. These websites were constructed on a serial basis to meet very specific needs. During the coming year we plan to unify the management of customer identities across these web properties while maintaining distinctive login experiences that are appropriate for each site. Many of our customers face similar challenges in managing the identities of customers who are procuring products or services from multiple divisions or business units.

We performed a comprehensive review of all systems containing Personally Identifiable Information (PII) earlier this year to prepare for compliance with GDPR regulations. We are planning to introduce step-up authentication procedures on a selective basis for consultants and contractors who access some of these systems.


Okta at a Glance

Single Sign-On Universal Directory Lifecycle Management Adaptive Multi-Factor Authentication API Access Management Developer Toolkits

Comprehensive SSO solution for

authenticating access to on-premise

and cloud-based applications

• Pre-built integration to 5,500+ applications

and services

• Supports application level integration based

on SAML,SWA, WS-Fed, OpenID Connect

and OAuth standards

• Supports infrastructure level integration

via RADIUSand industry-leading firewall

(Palo Alto Networks,Cisco) and application

distribution controller(F5, Citrix) technologies

• Can be deployed on any user device

• Includes Okta Verify multi-factor authentication

• Highly intuitive and customizable

user experience

• Flexible policy engine based

on user and device context

• No requirement for dedicated servers

or changesto existing firewalls

• Enables real time security reporting

and comprehensive auditing of SOX

systems access

• Detection of anomalous authentication

requests or unusual user behavior can

be improved via pre-built integrations with

Splunk, ArcSight and QRadar SIEM (security

event and incident management) systems

An umbrella virtual directory that can be used

to federate identity information from any

pre-existing identity store

• Single source of truth for the identities

of employees, suppliers, partners

and customers

• Convenient place to manage the transient

identities of job applicants, seasonal or part-time

employees, contractors and consultants

• Pre-built two-way attribute synchronization

with Microsoft Active Directory (AD) and LDAP

• Supports attribute import in CSV format

or via Okta API

• Enables customized transformation of identity

attributes from pre-existing identity stores

• Unlimited extension of identity attributes

to support the needs of different end user


• Prevents creation of duplicate identities

upon import

• Enables self-service management of end

user passwords in AD and LDAP, reducing

password reset and account lockout calls

to the Help Desk

• Serves as an agnostic source of identity

information allowing you to exploit the

richness of attributes collected in the

past while reducing dependence upon

application-specific or service-specific

attribute data

Workflow-based tool for managing end user

access privileges cradle-to-grave

• Supports the creation of user groups with

individual membership rules and access


• 150+ pre-built provisioning integrations

mastered from Microsoft AD, LDAP, HRIS,

ERP or CRM directories

• Supports role-based provisioning from

multiple HRIS systems, including Workday,

SuccessFactors and UltiPro

• Supports customized access request

workflows to ensure consistency with

company-specific approval policies

• Enables detection of rogue or orphan

accounts that can result from employee

departures, merger & acquisition

activities, or changes in roles.

• Can be used to suspend access privileges

at the conclusion of a consulting or contractor

engagement; such privileges can be readily

restored if individual consultants or contractors

return to perform additional work

• Can be used to document compliance

with IT general controls governing access

to critical business systems and audit the

usage of SOX in-scope systems

An essential component of any endpoint

security strategy, adaptive MFA enforces

strong authentication policies across multiple

services, devices and user access scenarios

• Authentication rules are based upon

a combination of user and device attributes

that define the context in which a specific

user is attempting to access a specific

system or service

• Employs a comprehensive set of authentication

factors — ranging from security

questions to SMS one-time passwords (OTP)

to OTP push applications to biometrics — to

balance degree of protection with ease of use

• Can be configured to support a combination

of company-required and user-selected

factor options

• Pre-built integrations with a variety of third-party

factor providers allow users to keep

using familiar factors

• Unique opportunity to manage strong

authentication, provisioning and API

authorization policies in a consistent

manner when deployed in conjunction

with Okta SSO, UD, LCM and API

Access modules

Identity-based service that can be employed

by end users, application clients and devices

to access software systems via APIs

• Fully supports the OAuth 2.0 authorization


• Employs an identity-based policy engine

to manage authorization privileges for

employees, suppliers, partners and

customers at a granular level

• Provides a more consistent, scalable and

secure means of managing API access rules

than constructing customized authorization

logic for individual applications

• Eliminates the need to rotate hardcoded

API passwords

• Eliminates security risks posed by static

API keys

• Compatible with any API gateway, including

those offered by Okta partners MuleSoft

and Apigee (Google)

• Enables centralized auditing of API

access rules

• Accelerates the development of new applications

by letting developers focus on

business functionality instead of building

service-specific authorization procedures

• Ideal for organizations seeking to create

new revenue streams or more efficient

internal processes by refactoring legacy

applications into microservices that can

be accessed via APIs

A collection of SDK tools and RESTful

APIs that developers can use to embed Okta

authentication and authorization capabilities

in custom-built applications and services

• Allows developers to leverage persistent

Okta-verified integrations with hundreds

of cloud-based services

• Contains out-of-the-box workflow widgets

for email verification, password reset and


• OAuth 2.0 support enables social

authentication via Facebook, Google

or any third-party OIDC provider

• Can be used to develop highly customized

branding and login experiences for customer

portals or business services

• Preserves the ability to build upon existing

identity directories and to continue the use

of current SMS providers

• Provides the ability to manage, monitor

and audit authentication and authorization

activities in real time on a consistent basis

across a broad spectrum of application


• Available in 10+ programming languages and

frameworks, including JavaScript, Node.js,

.NET, Java, PHP, Vue.js, React and Swift

• Can significantly reduce custom code

development for new services, accelerating

time-to-market of new capabilities


For more information

please visit


for an overview of Okta product capabilities


for a description of application vendors that have

integrated Okta’s capabilities into their service offerings


for commentary on industry trends by Okta product

managers and engineers


for videos of all presentations at Okta’s 2018 user group



for white papers regarding the implementation and use

of Okta products


for a description of the most popular applications being

used by Okta customers
