This is my follow-up to last week's post, where I travelled to #Oktane19 down on the West Coast of the US in San Francisco and explored what's next for Okta in the coming year.
What a week and what an experience in San Francisco for their yearly #Oktane conference, which was jam-packed with events over 3 days. A special thanks to @Deloitte for sending me over with the wider identity team from Melbourne and Sydney, and to @Okta.
Here's my take on #Oktane19, the key points I took away from the conference and the key trends for our cyber industry.
I was lucky enough to be part of the team @Deloitte that was awarded two awards on the first night, winning both the Okta APAC Partner of the Year award and GSI (Global Systems Integrator) Partner of the Year, which is a massive achievement for the whole team.
This year, @Okta's CEO Todd McKinnon announced a tonne of updates during the company's opening keynote, which were distilled into 5 key takeaways for the coming year. With over 4,000 people in the audience, the core theme behind this year's Oktane conference was that Trust is the new frontier in technology and without it, technology won't reach its full potential.
"Trust is the new frontier, Identity is key to security and key to the user experience. It’s the connection between people and technology. Trust is about how people feel and identity is key to trust. It’s all connected and the foundation is user trust," said Todd McKinnon, the CEO of Okta, in the opening keynote.
5 Key Takeaways
1) Inline Webhooks
Okta Web Hooks is a new capability that lets developers integrate their third-party solutions more deeply with the Okta Identity Cloud platform. The functionality is designed for the distributed microservice architectures currently in use across the industry. Examples given were e-commerce platforms, marketing automation platforms and CRM (Customer Relationship Management) systems.
Under the hood, this is an outbound call from Okta to a piece of custom code, triggered at specific points in the Okta identity process flows. It provides a degree of flexibility that Okta did not originally offer, allowing even more integration points and use cases to be catered for.
There are some great use cases that could be added to organisations' existing identity services, such as checking the legitimacy of an email address signing up to an e-commerce or enterprise platform before the user is created, to identify potentially fraudulent activity, or providing specific alerting and notification of identity-related events to the business.
- During the execution of an Okta process flow, at the extension point between points A and B, Okta sends a request to the external service.
- The external service performs some processing.
- The external service sends a response back to Okta.
- Okta receives the response, acts on any commands it includes, and resumes the process flow that originally triggered the inline hook.
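The four-step exchange above, seen from the external service's side and applied to the sign-up email check mentioned earlier. This is an added example, not code from this post or from Okta; the shared secret, the blocked-domain list and the simplified request and command field names are assumptions modelled on a registration hook.

```python
import hmac
import json

# Constructed values for this sketch, not taken from the post.
HOOK_SECRET = "constructed-shared-secret"
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example"}


def allow():
    # No commands: the calling flow resumes unchanged.
    return {"commands": []}


def deny(reason):
    # Assumed command shape: tell the calling flow to reject the registration.
    return {
        "commands": [{"type": "com.okta.action.update",
                      "value": {"registration": "DENY"}}],
        "error": {"errorSummary": reason},
    }


def handle_registration_hook(headers, body):
    """Return (http_status, response_dict) for one inline hook request."""
    # The endpoint is reachable from outside, so authenticate the caller
    # first, using a constant-time comparison of the shared secret.
    presented = headers.get("Authorization", "")
    if not hmac.compare_digest(presented.encode(), HOOK_SECRET.encode()):
        return 401, {}
    # Processing step: extract the sign-up email and check its domain.
    try:
        email = json.loads(body)["data"]["userProfile"]["email"]
        domain = email.rsplit("@", 1)[1].lower()
    except (ValueError, KeyError, IndexError, TypeError, AttributeError):
        # This sketch fails closed on input it cannot parse.
        return 200, deny("Malformed registration request")
    if domain in DISPOSABLE_DOMAINS:
        return 200, deny("Email domain not accepted")
    return 200, allow()
```

Rejecting unauthenticated callers before parsing the body keeps the hook endpoint from being used by anyone other than the identity platform that was given the secret.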
I would be interested to see if this idea of In-Line Hooks originally came from Joel's blog post or commit 2 years ago and was pitched as an internal development project.
No doubt there will be some great technical use cases to follow as the platform looks to expand its integrations network from 60,000 to more than 600,000 Integrations as a core strategic move.
2) Advanced Server Access
The Zero Trust framework, as people like to call it, sounds a lot more interesting than it actually probably is. The core idea around Zero Trust is that access to corporate resources should be restricted until the user has proven their identity and access permissions. Okta is trying to make this a reality with their recent acquisition of ScaleFT.
The premise of the solution is that organisations today struggle to keep track of who holds the keys to servers running mission-critical workloads and storing valuable data, and are woefully limited when it comes to provisioning and de-provisioning powerful administrative accounts. The problem is compounded as organisations move towards, and rely heavily on, multi-cloud infrastructure such as AWS (Amazon Web Services), GCP (Google Cloud Platform) and Microsoft Azure. That leaves the business with limited visibility across its infrastructure and no centrally controlled way of securing its hybrid environment, which is traditionally very costly and time consuming.
The whole concept of this product is to provide Okta-driven identity security when accessing public and private cloud resources. This replaces static keys traditionally used to access these resources with Okta’s centralised identity security and administration, including a dynamic credentialing mechanism that allows contextual authentication of every login under one roof.
Identity has been a hot topic for a number of years with the advent of cloud technologies and with many businesses moving to a hybrid infrastructure approach to doing business. I think the time is now to shift this thinking towards PAM (Privileged Access Management), which Okta is clearly starting to do too.
3) Risk-Based Authentication
Okta's Risk-based authentication adds machine learning to the authentication process. It builds an understanding of user behaviour to detect anomalies that may suggest an attempted exploit, along with a holistic picture of a user's actions, so that adaptive authentication can validate the user's identity with additional verification steps or other required actions.
Essentially the system works by building a profile on you and your authentication habits by analysing where you are authenticating from, what device you are on and whether you are on or off the network. Okta will then calculate a risk score based on these contextual elements and decide whether to allow you access, prompt you for another authentication factor or deny your access request altogether - pretty basic stuff but super functional from a fraud and malicious threat actor perspective.
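The profile-then-score idea described above, as an added example that is not Okta's model or code from this post: it scores a login by how rarely each of the three signals has been seen for that user. The weights, thresholds, field names and decision labels are assumptions chosen for illustration.

```python
from collections import Counter

# Assumed weights and thresholds; the post does not describe Okta's model.
WEIGHTS = {"country": 0.4, "device": 0.4, "on_network": 0.2}
STEP_UP_AT, DENY_AT = 0.3, 0.7


def build_profile(history):
    """Count how often each value of each signal appeared in past logins."""
    profile = {signal: Counter() for signal in WEIGHTS}
    for event in history:
        for signal in WEIGHTS:
            profile[signal][event[signal]] += 1
    return profile, len(history)


def risk_score(profile, total, event):
    """Weighted rarity of the event's signals: 0 = always seen, 1 = never seen."""
    if total == 0:
        return None  # no habits learned yet, so no meaningful score
    score = 0.0
    for signal, weight in WEIGHTS.items():
        seen = profile[signal][event[signal]]
        score += weight * (1 - seen / total)
    return round(score, 3)


def decide(history, event):
    """Map the score to allow, extra factor, or deny."""
    profile, total = build_profile(history)
    score = risk_score(profile, total, event)
    if score is None:
        return "STEP_UP"  # cold start: ask for another factor, do not guess
    if score >= DENY_AT:
        return "DENY"
    if score >= STEP_UP_AT:
        return "STEP_UP"
    return "ALLOW"
```

A user with no history gets a step-up rather than a silent allow, which is the case a simple rarity score handles worst.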
4) Okta Identity Engine
The Okta Identity Engine is a new set of customisable building blocks that enable developers to adapt pre-defined authentication, authorisation and registration flows to meet their specific needs, shaping a user’s identity experience depending on the context. This is a great move by Okta as customers look to have an even faster and more seamless UX and UI journey and experience to perform specific functions.
What that essentially means is that as identity architects, we can create more seamless experiences for both Customer and Workforce use cases and start to further bridge the gap between user design and experience and those security requirements organisations need.
A great example provided by Okta is a scenario where a fan is buying a ticket to a game for the first time.
- The fan goes to a ticketing website and decides to register in exchange for a first-time user discount. To register, the user is prompted to enter their name and email address.
- Subsequently, an Event Hook pushes the user into the company’s email marketing system (e.g., Marketo or Salesforce). The user is now activated and can freely browse the website.
- Sometime later, the user decides to make a purchase, at which time another set of flows can occur because a more sensitive experience is being accessed.
- Starting with the click to purchase, the user is emailed a magic link to validate their email and register it as an authentication factor. Because the user has indicated higher engagement, the system can prompt for additional information (known as progressive profiling), asking for geographic and other contextual information.
- Once completed, the flow can authorise the user to use other company products, such as a payment app.
This provides a passwordless user: we can create a user on the fly based on contextual information such as device, geo-location and email. The user is not asked to set up a password, so as not to inhibit their browsing experience on an organisation's website, until they make a credible transaction that requires further security measures, such as buying the ticket above. In this case we can simply prompt the user to set a password prior to purchasing the ticket through progressive profiling, reducing the potential for a customer to abandon buying a service or product on our website.
5) Okta Ventures
Okta Ventures is Okta's investment fund, providing $50 million to startups that are focused on technologies such as Artificial Intelligence and Blockchain to address challenges in Identity, Security, and Privacy.
One of the first businesses they chose to invest in was Trusted Key, a fascinating enterprise-wide solution that has been built to prevent identity fraud, improve security and enhance the consumer experience with password-less authentication and transaction authorisation.
Oktane19 Guest Speakers & Sponsors
Throughout the time we were there, there were a number of guest speakers we heard from, telling us their own stories and ideas for the future:
A large number of partners showed up for the event and were situated around the massive conference floor for conversations - some super interesting ideas and innovation coming into the mix!
Here is the Closing Keynote from Oktane19
Overall an absolutely fantastic experience and a lot of insight gained on what's to come in the Identity & Cyber Security space.