Okta 2018 Investor Day

Oct 9, 2018 at 1:30 PM PDT

Customer testimonials

Catherine Buan, Vice President Customer Relations

  • Next big secular growth story

Todd McKinnon Co-Founder & CEO

The CEO starts the conference off by breaking down the two main uses for Okta

Work Force Identity: Used for Secure Access in the work place

  • See slide page 23 of slide presentation for history of Workplace Identity: https://seekingalpha.com/article/4210941-okta-okta-investor-…

  • Okta has a lot more opportunity left by becoming a universal platform

  • Over 5000 customers on identity cloud and there’s lots of things that can be done by connecting customers across an identity platform. Collaboration with partners or vendors becomes easier.

(Note: The more customers that Okta gains for its Work Force Identity product, the more useful things that Okta can do by connecting different companies’ users by identity. This would be a strong network effect that would be growing with each user of the Okta platform)

  • Companies that use Work Force Identity: Cardinal Health, Newscorp, Nasdaq, Warner Media, Nordstrom, Lyft, Slack, Discovery, Levis

  • It’s turning into a Hybrid Cloud world

  • See slide page 27 of slide presentation for Workforce Identity Market Opportunity: https://seekingalpha.com/article/4210941-okta-okta-investor-…

Customer Identity: Used by companies so their customers can logon

  • Companies that use Customers Identity: JetBlue, MLB (Major League Baseball), Adobe, FICO, Albertsons, MGM Resorts, Dignity Health, Con Edison, Experian

  • Second biggest trend after the cloud is every organization is trying to become a technology company themselves. This has been called the “Amazon effect” or “Digital Transformation”

  • Software is eating the world

  • See slide page 24 of slide presentation for history of Customers Identity: https://seekingalpha.com/article/4210941-okta-okta-investor-…

  • Yesterday: companies built custom built identity apps with limited tools

  • Today: all of the tools for building identity for apps have changed.

The CEO Todd McKinnon mentioned something interesting about the concept of micro-services.

Micro-services provide single-function services for application developers. An explanation of Micro-services: https://www.youtube.com/watch?v=CKL3fV5UR8w

Examples of Micro-services would be Stripe (built strictly as a payment function) or Twilio (built strictly as a communication function). If an App developer uses Stripe and Twilio then they do not need to build payment and communication functions into their app from scratch. They simply use Twilio and Stripe for those specific functions.

Okta would be an example of an Identity Micro-service.

To give people an idea of the size of the Okta opportunity, the CEO Todd McKinnon mentioned that not every app needs a payment function and not every app needs a communication function but every app will need an identification function.

(Note: That’s a nonchalant way of saying that Okta’s opportunity would be far larger than Twilio or Stripe)

Future: In the future Okta wants to be the identity platform standard

Cloud has Changed Everything

  • 8x Rate Growth in cloud vs non-cloud spending

  • $500B spent on hardware software and services by 2020

  • 75% of organizations will have deployed a multicloud or hybrid cloud model for IT by 2020

  • The Cloud is the biggest secular trend of Todd McKinnon’s career and will have a profound impact on Okta’s business

Security

  • Risk comes from all the current secular changes, especially security risks which is where Okta comes in.

  • Over 80% of data breaches have come from companies opening up and providing more capabilities and more access to end users

  • See slide page 25 of slide presentation for history of Security

Yesterday’s Security was “Network is the Perimeter” defined by Firewall, VPN

Today’s Security is “People become the Perimeter” defined by Identity driven security

Tomorrow’s Security is “People are the only Perimeter” defined by zero trust and customer privacy

  • Zero Trust means “Don’t trust the Network” but make decisions based upon the person, the device and what they are trying to access.

(Note: A brief history of Zero trust security https://www.okta.com/security-blog/2018/08/a-brief-history-o… )

Vision of Okta

End Of first segment of the investor day

People can listen to the whole presentation here: https://investor.okta.com/events/event-details/okta-investor…

I might do further notes later but it will depend on how much people want to read notes like this. There would be no written transcript on the internet that I can find where I can conveniently cut and paste excerpts of what gets said.

I am actually listening to the conference and noting what I think would be most important and that takes time…lots of time and interferes with the pleasure of watching lots of great football games. Wow, LSU beat Georgia!!! Penn State lost to Michigan State!!! Notre Dame just barely beat Pitt!!!

I am probably not going to pour more time into creating these notes unless people want to read more about Okta.

Also, these notes would be sort of out of order to the way the presentation was made. The CEO Todd McKinnon jumped back and forth between discussing the Workplace Identity Cloud and the Customer Identity Cloud and I decided to organize everything under those headers, instead of jumping back and forth in the order of the presentation.

Starrob

67 Likes

<<<Zero Trust means “Don’t trust the Network” but make decisions based upon the person, the device and what they are trying to access.>>>

That is exactly what Zscaler is focused on as well. The internet is the network and everything is a node. A data center is a large node, an iPad a small node, and with 5G the number of nodes proliferates to no end. Just posted an article that I called very bullish towards TTD with 5G on NPI. Does not discuss TTD but what 5G proliferation means to mobile communications. Hint: it changes everything and particularly the delivery of advertising in mobile when you have unlimited bandwidth and minimal latency.

That will all need to be secured by user on the net. Perhaps Okta will not be involved with the majority of IoT nodes as that will be machine to machine communication, but 5G will proliferate IoT devices that not only speak machine to machine but to persons.

Tinker

1 Like

Thanks Starrob, that was a very well-organized and useful summary of the Okta Presentation. I, for one, really appreciated it.
Saul

4 Likes

Thanks Starrob, great summary. I haven’t looked at Okta, but this is a good place to start. I’m just never sure what Okta has that the (lots of) other competitors don’t.

We utilised Auth0 (eg: https://ponyfoo.com/articles/okta-auth0-and-the-goblet-of-id…, https://hackernoon.com/authentication-as-a-service-an-honest…) which was a pain in the ass to re-integrate with the existing (badly designed) application.

I’m not quite sure where the competitive advantage for Okta actually is, or if the market is big enough for all the players. It certainly doesn’t seem to be a winner-take-most market. Amazon (AWS) compete with Cognito, and I assume the other cloud providers do as well.

Maybe it’s a case of follow-the-money?

cheers
Greg

The security market is not that difficult to follow. If you want traditional fire walls and appliances Palo Alto is your company. They are still growing in high 20s, low 30%, something like 40k customers or something (you guys can correct me on that) and billions in deferred revenue.

In the SWG (Secure Web Gateway) market, which is the fastest growing and the most disruptive segment of security there are only three players that matter, and one niche player that is “visionary” and would like to matter (meaning it will probably be bought out) these are: Zs, Cisco, Symantec, and iBoss. All the other players have sales forces, existing customers to sell into and viable products, but they do not really compete well, nor will they ever really compete well in this market against the top 3.

Of these top 3 Symantec is losing its shirt. If you look at the history of Gartner, where Symantec now is, is where BlueCoat was before Symantec bought them. The problem with BlueCoat is that although the technology works great, it is expensive and relies on multiple lines of appliances. That is old school trying to address the new school problem.

If you follow the money you will see that Symantec’s business crashed to the point that the largest shareholder revolted and is calling for a new board of directors and strategy. As you dig deeper into the problem, the problem is almost all based upon the BlueCoat product, which is their SWG product. Their end point security products are performing at least adequately. I made this comment months ago but was challenged that I was reading too much into it. Since then an industry insider came to the same conclusion. Symantec’s BlueCoat business is falling apart. So Symantec is not likely to be a large player moving forward given its reliance on expensive appliances and the like unless they completely revamp their business, face their innovator’s dilemma, and acquire another company or two or three.

If you read Okta’s listing of the fastest growing companies that they see in their numbers of people using their product to log on to a product, a funny and very telling thing is found if you know what you are looking for. The #1 fastest growing product is Zoom, #2 is Cisco’s Umbrella product (which is their SWG product), #3 is Slack, and #4 (in a virtual statistical tie with Cisco) is Zscaler (all Zscaler is SWG). No other security companies or products in the top 10.

Zscaler is the only cloud only, internet only product and it is completely disruptive. Cisco is doing a great job with its expansion into the security business and leveraging their sales channels and installed base. These two are the only players you need to concern yourself with in the SWG market that is expected to grow into the billions and Zscaler will probably be the largest beneficiary of this market.

An overlooked aspect as well of Zscaler is that Zscaler is the sole security system integrated into 365. You will see a bunch of firms announcing their switch to 365 also going with Zscaler. They often go hand in hand.

*****Data Center HCI market.

There are only two players you need to follow: Nutanix and VMWare. Nutanix has 35% marketshare, VMWare 34%, Dell (that owns VMWare actually sells more servers with Nutanix on it than VMWare by about 2 to 1). All the other players, led by Cisco at 6.5% and HPE at 5%, are also-rans. It is a duopoly. Either invest in Nutanix or VMWare. Sure NTAP and EMC (also owned by DELL) have HCI announcements but they are not the same thing as what Nutanix and VMWare are doing.

******Identity market

Follow the money. This is a market where the networking effect plays a big role. If you are a 365 shop, as so many are, Microsoft security is usually the first option you will look at. And many do. But not all, and when they don’t stick with Microsoft they go with OKTA.

If you look at growth rate OKTA is winning this market and the more they win the more they keep winning. There is not really anyone else to be concerned about. Just follow Okta’s numbers from Q to Q.

When you look into the details of these markets, and all the headlines, claims, clutter, etc., investing in these security markets is no more difficult than this.

There are high barriers to entry, the economics are wonderful from a cash flow basis, and a company like Zscaler has multiple years head start on anyone else who may want to enter their market, and Cisco is doing very well in this market (unlike many others it tries to enter) and will also be difficult to move out. We shall have to see where Symantec goes. But it is not a market where someone out of the blue is going to suddenly become material.

Hope this helps. Too much information is as much a problem as too little information. The key is understanding the gist of the information that counts.

Tinker

45 Likes

By pushing a Zero Trust model, Okta is actually pointing out that they’re just one piece of a potential solution. As they point out in their own blog post: https://www.okta.com/resources/whitepaper/zero-trust-with-ok… , Forrester’s Zero Trust white paper (http://www.virtualstarmedia.com/downloads/Forrester_zero_tru… ) has three main parts:

• Ensure all resources are accessed securely regardless of location
• Adopt a least privilege strategy and strictly enforce access control
• Inspect and log all traffic

There is nothing in Okta that I’m aware of that inspects all traffic. They’re an Identity Management company. If there’s a virus on your machine, once you’re logged into that machine, the virus could potentially do bad things with your identity.

This is where ZScaler comes in. It literally looks at all traffic before it gets to its destination, in both directions and even if SSL is used.

Okta actually acknowledges its solution set isn’t complete. From the above link: The Okta policy framework is a condition and actions engine that acts as the first line of defense in keeping your organization secure, and based on the conditions you have defined, the policy engine will respond with actions such as allow, deny, prompt for MFA and more. Our upcoming behavioral detection policies enhance the Okta policy framework to track unusual activity such as anomalous location, anomalous IP, and anomalous devices. (emphasis added)

In short, Okta’s solution will involve using AI to determine what might not be actual authorized requests. But, as far as I can tell, that’s not in place today.

That said, it would seem that integrating Okta into an existing environment is easier than integrating ZScaler, and currently doesn’t require that you trust a third party with all your traffic, both internal and external.

3 Likes

An overlooked aspect as well of Zscaler is that Zscaler is the sole security system integrated into 365.

This is not true. For instance, MS integrates their own Windows Defender ATP. ZScaler is but one alternative. Another is BlueCoat, as documented by MS here: https://blogs.technet.microsoft.com/onthewire/2017/05/03/off…

Note that I believe ZScaler technology continues to advance, and whereas it used to be that you had to use Proxied Access for ZScaler with 365, one can now use Direct Routing with ZScaler. Someone should check me on that, though. The advantage here is the performance of Direct Routing over Proxied Access.

On another front, iBoss pitches themselves as a better ZScaler. See their whitepaper here: https://www.iboss.com/sites/default/files/downloads/whitepap… . Mostly it reads like Beta vs VHS to me, so I don’t expect some technical aspects for iBoss to really matter as long as ZScaler doesn’t screw it up for existing customers. If you must know, ZScaler puts everyone on the same cloud infrastructure that they (ZScaler) runs, whereas iBoss sets up more dedicated servers.

4 Likes

I did mention iBoss in my report as a niche player wanna be that will probably be acquired.

Microsoft security is not a replacement for what Zscaler does and Zscaler is integrated to the point that more than half the links to Azure are on extreme speed fiber to enhance performance. If you already have Blue Coat in your data center that is great for 365 but very few, if any, will adopt BlueCoat as a new security paradigm for themselves just because they also want to switch to 365 and pure cloud that 365 provides. This is one reason why, as I discussed in my post, that BlueCoat/Symantec is doing so awfully during the last 2 qs. Research it yourself.

In the end Okta, like Twilio, is an API that forms part of the software stack. Zscaler is the security platform that combines the security stack. Okta is easy to implement into your systems and therefore switching costs are also lower. Zscaler is not a just switch on the light switch product, it does take integration that can take months of work. However, still about half the time to switch to another legacy product.

One advantage of Zscaler is what if you acquire multiple companies and try to integrate all their disparate security systems? Zscaler resolves this problem by making integration with new acquisitions much easier. Switch everyone over to Zscaler and have them up and running in half or less the time it takes to integrate security systems.

Either way there are much higher switching costs for Zscaler than for Okta. Okta benefits from ease of adoption and that the more persons on Okta the more Okta can do for you. Although this may not end up as valuable as one might think in the enterprise (it may prove very valuable in the consumer space). Another company clearly could create a similar product. But why would an enterprise switch to a nobody player who does the same thing to save a few thousand dollars when one security breach can be worth tens of millions? Simply they will not. Perhaps they may switch to Microsoft from OKTA or Google from Okta but they are not going to switch to some new player. If Okta loses their market advantage you will see it in their quarterly numbers. At present not even a concern.

Tinker

15 Likes

Tinker, I am constantly amazed how you, as an attorney, and presumably a non-techie like me, can have such a great grasp on these tech issues. Thanks for your discussion.
Saul

20 Likes

Hi Smorg,

There is nothing in Okta that I’m aware that inspects all traffic. They’re an Identity Management company. If there’s a virus on your machine, once you’re logged into that machine, the virus could potentially do bad things with your identity.

I am trying to see how this would be possible. First, all of the apps or programs have to be accessed through Okta in the cloud. They also employ dual factor authorization.

11. Data Encryption.
a) Encryption of Transmitted Data: Okta uses Internet-industry-standard secure encryption methods designed to encrypt communications between its server(s) and the customer browser(s), and between its servers and customer’s server(s).
b) Encryption of At-Rest Data: Okta uses Internet-industry standard secure encryption methods designed to protect stored Customer Data at rest. Such information is stored on server(s) that are not accessible from the Internet.
c) Encryption of Backups: All offsite backups are encrypted. Okta uses disk storage that is encrypted at rest.

14. Malware Control. Okta employs then-current industry-standard measures to test the Service to detect and remediate viruses, Trojan horses, worms, logic bombs, or other harmful code or programs designed to negatively impact the operation or performance of the Service.

And Finally

19. Intrusion Detection. Okta monitors the Service generally for unauthorized intrusions using traffic and activity-based monitoring systems. Okta may analyze data collected by users’ web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to help customers detect fraudulent authentications, and to ensure that the Service functions properly.

https://www.okta.com/sites/default/files/OKTA-Security-Priva…

Since Okta sits between the customer and the data I just do not see how an infected device would be a problem. But who knows, the hackers always seem to find a way around it.

Andy

1 Like

Starrob,

Your write-up of OKTA Investor Day is great so far. Thank you! I’ll be interested in what, if anything, you do with the revenue projections and margin targets.

For my calculations I used 30% annual revenue growth with target free cash flow margins of 20%-25%. Under these assumptions, five years from now OKTA’s revenue will be about $1.2 billion with free cash flow of $240 million to $300 million. I haven’t posted these numbers before because I’m unsure how useful they are. See:(https://seekingalpha.com/news/3396374-okta-minus-4_6-percent…)

BTW, your annotated write-up of OKTA’s 2Q earnings conference call is outstanding. You taking the time to define the technical terms was extremely helpful. It must have been very time consuming. Recommended reading:
(https://discussion.fool.com/4056/okta-inc-okta-ceo-todd-mckinnon…)

Again, thank you for all you do on these boards!

Ross

5 Likes

Here is an interesting article about a competitor of OKTA.

http://fortune.com/2017/06/02/onelogin-password-security-bre…

Andy

Product Strategy

Todd McKinnon Co-Founder & CEO

  • Okta’s platform has been constructed with the following considerations:

How can the product be built for maximum reach and maximum scale? How can Okta get connected to everything? How can Okta get embedded in everything? How can it be made into the most flexible, customizable system?

See Page 35 on Okta (OKTA) Investor Presentation - Slideshow https://seekingalpha.com/article/4210941-okta-okta-investor-…

  • Okta has created one integrated platform for all use cases

  • Okta is a multi-tenant cloud service.

(Note: A multi-tenant cloud is a cloud computing architecture that allows customers to share computing resources in a public or private cloud. Each tenant’s data is isolated and remains invisible to other tenants. https://searchcloudcomputing.techtarget.com/definition/multi…)

  • Okta future proofs solutions for customers

  • Identity is starting to take more and more of the overall security market

  • The two families of products that Okta has listed are:

  1. Workplace Identity Products

Single Sign On - https://www.okta.com/products/single-sign-on/
Universal Directory - https://www.okta.com/products/universal-directory/
Lifecycle Management - https://www.okta.com/products/lifecycle-management/
Adaptive MFA - https://www.okta.com/products/adaptive-multi-factor-authenti…
API Access Management - https://www.okta.com/products/api-access-management/

  2. Customer Identity Products

Developer - https://developer.okta.com/
One App
Enterprise

See Page 36 on Okta (OKTA) Investor Presentation - Slideshow https://seekingalpha.com/article/4210941-okta-okta-investor-…

  • Only product in the industry that is fully multi-tenant and fully cloud based. All other solutions are either completely on-premise or largely on-premise or have key pieces that only work on premise and were not built for cloud world

Built from the beginning as a cloud service. One of the features of being built from the beginning as a cloud service means that Okta products don’t have to be taken down out of service while service is being updated. Every week Okta releases new features with zero down time.

Over 40,000 Unit tests or automated QA (Quality Assurance) to make sure that as updates get released, the quality stays high.

Globally redundant, fault tolerant and highly reliable products

Open line of transparency with customers whenever things do go wrong to build trust

Hard to replicate and takes multiple years to build the type of Infrastructure as a Service (IaaS) architecture like Okta has.

See Page 37 on Okta (OKTA) Investor Presentation - Slideshow https://seekingalpha.com/article/4210941-okta-okta-investor-…

  • Taking Okta Platform to the Next Level

Okta wants to take things to the next level by Integration, Embedding, & Connection

Integrate - Okta integration network. Okta was the first vendor to use a pre-integrated approach to integrating applications. Over 5500+ Application integrations.

(Note: Information on the Okta integration network: https://www.okta.com/okta-integration-network/)

Okta wants to broaden and extend lead in depth (how deeply Okta is integrated with other applications) and breadth (number of applications in network) of Application integrations.

Depth of integration example: Integration between Okta, Splunk and Servicenow. If Splunk detects a security issue it can send an automated feed into Okta which would then make Okta step up the authentication and require a higher level of authentication while then also using Servicenow to send a ticket to have a security team remediate the issue. That example is far beyond a simple Single Sign On (SSO) integration.

(Note: Single Sign On (SSO): Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. SSO is a common procedure in enterprises, where a client accesses multiple resources connected to a local area network (LAN). https://www.techopedia.com/definition/4106/single-sign-on-ss… )

An Ecosystem Network effect is helping Okta extend its lead in the space.

See Page 40, 41, 42, 43, 48 on Okta (OKTA) Investor Presentation - Slideshow https://seekingalpha.com/article/4210941-okta-okta-investor-…

  • Zero Trust

Application integrations are a key piece in the movement toward Zero Trust architecture.

Zero Trust (Identity is the Perimeter): https://www.okta.com/security-blog/2018/08/a-brief-history-o…

See Page 44, 45, 46, 47 on Okta (OKTA) Investor Presentation - Slideshow https://seekingalpha.com/article/4210941-okta-okta-investor-…

Embed

  • To gain both reach & scale it’s necessary to both integrate into everything possible and be embeddable in everything.

  • App developers do not need to re-invent the wheel for many sign on/security functions. They can use Okta.

  • The things that make Okta embeddable come down to three things:

  1. Developer Tooling - Supports All developer platforms/languages

  2. More granular APIs - meaning Identity platform can’t be exposed in such big chunks that to use one chunk you don’t get a bunch of things you don’t need. API chunks have to be the right size…not too much, not too little but just what developers need without unforeseen consequences because the granularity is wrong.

  3. Extensibility - (Note: Extensibility is a software engineering and systems design principle where the implementation takes future growth into consideration. https://en.wikipedia.org/wiki/Extensibility )

See Page 49, 50, 51, 52, 53 on Okta (OKTA) Investor Presentation - Slideshow https://seekingalpha.com/article/4210941-okta-okta-investor-…

  • Developers Should Not Be In the security business

It’s one thing to get the functionality right but another thing to make things secure

  • Types of Assurance Credentials from weakest to strongest that Okta supports:
  1. Security Question

  2. Passwords

  3. SMS & Voice

  4. Software OTP (one-time password)

  5. OTP (one-time password) Push

  6. Physical Tokens

  7. Biometrics based (Apple Touch, Windows Hello)

See Page 54, 55 on Okta (OKTA) Investor Presentation - Slideshow https://seekingalpha.com/article/4210941-okta-okta-investor-…

  • Every Application Needs an Identity (Gives an idea of the size of the opportunity)

1,000s of ISV/SaaS apps

(Note: ISV stands for independent software vendor https://www.techopedia.com/definition/140/independent-softwa…)

100,000s of custom apps

1,000,000s of Mobile apps

100,000,000s of secure websites

See Page 56 on Okta (OKTA) Investor Presentation - Slideshow https://seekingalpha.com/article/4210941-okta-okta-investor-…

Connect

  • Connect different companies and users in identity cloud which includes small companies, Partner Collaborations, Multi-divisional enterprises, Hub & Spoke Organizations, Channel Enablement, and Direct To Customers all on one cloud

  • Sign In with Okta: Sign in with Okta makes it easy for users to securely log into apps and websites using their Okta credentials. Developers can add the Sign in with Okta button to their app in just a few lines of code, saving weeks of development time while meeting enterprise authentication requirements.

https://www.okta.com/programs/sign-in-with-okta/

  • Okta wants to be the platform to connect everything by making the connection infrastructure more seamless and secure

See Page 57, 58, 59, 60, 61, 62 on Okta (OKTA) Investor Presentation - Slideshow https://seekingalpha.com/article/4210941-okta-okta-investor-…

https://investor.okta.com/events/event-details/okta-investor…

My comments: When I first heard of this company, I was really not interested but the more I learn about the company the more my interest rises. When I first heard of this company, I thought…well anyone can make a sign on application easily but I now think it’s really not so easy to build in all of the features that Okta has from the ground up in the cloud.

I think Okta has established a lead on most competitors and their position grows stronger and more unassailable each day. Okta has a nice flywheel effect of more customers brings more App developers wanting to integrate with Okta which in turn brings more end customers. The Network effect be strong with this one Obi Wan.

After this portion of the conference, there was a Q&A of Major League Baseball. I am not going to do the notes on the customer testimonials/Q&A.

If I get enough time, I will do the next segment which is the Okta “Go To Market Strategy” by Charles Race, President, Worldwide Field Operations.

Starrob

27 Likes
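The step-up flow described in the notes above (a detection feed raising the required authentication level and opening a ticket), combined with the weakest-to-strongest factor list, as an added Python sketch that is not part of the original posts and is not Okta's policy engine or API. The tier baselines, the one-rank-per-anomaly rule and every class and function name are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Set


class Factor(IntEnum):
    """Ranking copied from the notes' list, weakest (1) to strongest (7)."""
    SECURITY_QUESTION = 1
    PASSWORD = 2
    SMS_VOICE = 3
    SOFTWARE_OTP = 4
    OTP_PUSH = 5
    PHYSICAL_TOKEN = 6
    BIOMETRIC = 7


# Assumption: minimum factor strength per resource tier (hypothetical values).
BASELINE = {
    "low": Factor.PASSWORD,
    "medium": Factor.SMS_VOICE,
    "high": Factor.SOFTWARE_OTP,
}


@dataclass
class AccessRequest:
    user: str
    resource_tier: str                 # "low" | "medium" | "high"
    presented: Set[Factor]             # factors already satisfied in this session
    enrolled: Set[Factor]              # factors the user could be prompted for
    known_device: bool = True
    anomalous_ip: bool = False
    anomalous_location: bool = False
    siem_alert: bool = False           # external detection feed flagged this user


@dataclass
class Decision:
    action: str                        # "allow" | "prompt_mfa" | "deny"
    required: Factor
    prompt_with: Optional[Factor] = None
    open_ticket: bool = False
    reasons: List[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Decide on the person, the device and the resource, never on network location."""
    # Fail closed: an unlisted tier is treated like the most sensitive one.
    required = BASELINE.get(req.resource_tier, Factor.SOFTWARE_OTP)
    reasons: List[str] = []

    # Each contextual anomaly raises the bar by one rank, capped at the top.
    signals = (
        (not req.known_device, "unknown device"),
        (req.anomalous_ip, "anomalous IP"),
        (req.anomalous_location, "anomalous location"),
    )
    for fired, label in signals:
        if fired:
            required = Factor(min(required + 1, Factor.BIOMETRIC))
            reasons.append(label)

    # An alert from the detection feed sets a floor and always opens a ticket,
    # mirroring the "step up and notify the security team" flow in the notes.
    if req.siem_alert:
        required = max(required, Factor.PHYSICAL_TOKEN)
        reasons.append("SIEM alert")

    strongest = max(req.presented, default=None)
    if strongest is not None and strongest >= required:
        return Decision("allow", required, None, req.siem_alert, reasons)

    # Step up with the weakest enrolled factor that still meets the bar.
    usable = sorted(f for f in req.enrolled if f >= required)
    if usable:
        return Decision("prompt_mfa", required, usable[0], req.siem_alert, reasons)

    # Nothing the user holds is strong enough: deny rather than downgrade.
    return Decision("deny", required, None, req.siem_alert, reasons)


def demo() -> List[Decision]:
    """Three constructed requests: routine, new device, and SIEM-flagged user."""
    pw, sms, otp, push = (Factor.PASSWORD, Factor.SMS_VOICE,
                          Factor.SOFTWARE_OTP, Factor.OTP_PUSH)
    return [
        evaluate(AccessRequest("alice", "low", {pw}, {pw})),
        evaluate(AccessRequest("bob", "high", {pw}, {pw, sms, push},
                               known_device=False)),
        evaluate(AccessRequest("carol", "medium", {pw, otp}, {pw, otp},
                               siem_alert=True)),
    ]


if __name__ == "__main__":
    for d in demo():
        print(d.action, d.required.name, d.prompt_with, d.open_ticket, d.reasons)
```
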

Since Okta sits between the customer and the data…

How do you mean? They’re not like ZScaler, they’re just Identity Management.

The link you provided does not describe how Okta integrates with customers. It describes Okta’s own internal security policies.

2 Likes

Hi Smorg,

The link you provided does not describe how Okta integrates with customers. It describes Okta’s own internal security policies.

I would agree that most of it was about Okta’s internal security policies but I think 11 and 19 that I italicized in my post pointed out how they are set between the customer and their apps. OKTA is a pure cloud based project that will also comply with on site security apparatus. Here is some more information.

All Passwords are stored with OKTA. Your company Admin can not even see the password.

Okta must be available for any other app to be accessed and therefore there’s no good time to be down. As a result we are built for high availability – no planned downtime, no maintenance windows - and we guarantee 99.9% uptime. You can verify our reliability metrics and learn more about the availability of our service at trust.okta.com.

Yes, your information is secure. Okta protects your information with extensive security measures and controls that are audited by third parties. Among other measures, Okta offers flexible, multifactor authentication. With MFA, you’ll authenticate yourself with both your regular password and a second factor of your choice. For example, you may authenticate with a pin number that you receive via text message, a six-digit soft token, a security question, or by simply accepting a push notification on your phone through the Okta Verify app.

Yes, Okta protects your information with rigorous security measures and controls. These controls are audited and attested to in our SOC2 report, and all passwords are 256-bit AES encrypted. For more information see: https://www.okta.com/security

Just as we use strong encryption to secure your data at Okta, we use strong (256-bit AES) encryption for your username and password credentials as well. This information is stored and maintained by Okta.

This is how I see Okta working. Do you see it differently?

https://www.google.com/search?q=okta+and+their+customer&…

Andy

2 Likes

Andy,

I am not sure what your point is. If your point is that Okta does what Zscaler does then your point is not correct. Okta does not protect against viruses, malware, and other software attacks. Okta has a specific product layer of security and that is identity, to make sure the person logging on is the person who they say they are, and to make sure that person only accesses that which that person is allowed to access.

Okta has no role, except as it might apply to identifying persons, in regard to viruses or malware or other software attacks.

And yes, Okta is in-between the user and the application because it is a cloud app and there is no other way that the cloud app can work in that regard. But it is only there in regard to the identifying layer of the app. Once you’re identified and it is determined you are allowed access to what you are trying to gain access to, Okta has done its work. It is up to other software to do whatever else other software does for any other security.

Tinker

7 Likes

Hi Tinker,

If your point is that Okta does what Zscaler does then your point is not correct.
That isn’t my point. I do not think that OKTA is as sophisticated as Zscaler but I do think it does monitor devices connecting to its network. I also think it might be able to detect malware. In my previous post it stated on Item 19

Okta may analyze data collected by users’ web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to help customers detect fraudulent authentications, and to ensure that the Service functions properly.

So I am not sure if I am correct Tinker so I have an email into IR to see what they state.

Andy

1 Like

This how I see Okta working. Do you see it differently?

Yes, I think you’re not understanding what Okta is and does. Okta has your users’ usernames and passwords, and what you’re linking to tells us how they protect them.

Okta provides (https://developer.okta.com/product/):
• Authentication
• Authorization
• User Management, including Policies

It does not look at your users’ or application data.

1 Like

Hi Smorg,

You and Tinker were correct. Here is my email.

I am a private investor in OKTA and have a question. If my phone or computer had a virus and I used MFA to access OKTA would that virus be able to infect any of my apps? How would OKTA interact with an infected device that was trying to access my private network through OKTA?

and here is Okta’s response

Thanks for reaching out. Okta MFA is independent from the device, so that device getting infected wouldn’t necessarily affect Okta. Typically, malicious software is designed to include a keylogger to capture your user credentials or will steal a session cookie. Okta MFA is a great way to protect data from these threats since additional authentication is needed in order to access the data. Additionally, if this was a bad IP address trying to access your data, Okta may be able to detect that this activity is suspicious and shut down that IP address across the entire Okta network.

So OKTA is only an identity management service without any real ability to detect malicious activity. This makes me think that they most likely will be bought out sometime in the future.

Andy

5 Likes

So OKTA is only an identity management service without any real ability to detect malicious activity. This makes me think that they most likely will be bought out sometime in the future.

Thanks for running that down with IR, Andy. I’ve always thought Okta, which I’ve never owned, sounded more like a feature than a product. Seems like a great and valuable feature, but that’s about it.

I guess someone could buy them. What I’m more concerned about is that someone (or multiple someones) will incorporate a similar solution into their more valuable and increasingly ubiquitous product (say Zscaler) and render Okta somewhat obsolete.

Bear

4 Likes