Okta

Andy (buynholdisdead) kindly allowed me to cross-post an excerpt from his excellent post on the MF Stock Advisor Okta board (again, if you are not a Stock Advisor subscriber, you should be, as one great recommendation will pay for 20 or 30 years of subscriptions). The following are Andy’s words:

…I was curious where the passwords were stored with OKTA. All passwords are stored with OKTA. Your company Admin can not even see the password.

Okta must be available for any other app to be accessed and therefore there’s no good time to be down. As a result we are built for high availability – no planned downtime, no maintenance windows - and we guarantee 99.9% uptime…

Yes, your information is secure. Okta protects your information with extensive security measures and controls that are audited by third parties. Among other measures, Okta offers flexible, MultiFactor Authentication. With MFA, you’ll authenticate yourself with both your regular password and a second factor of your choice. For example, you may authenticate with a pin number that you receive via text message, a six-digit soft token, a security question, or by simply accepting a push notification on your phone through the Okta Verify app.

Yes, Okta protects your information with rigorous security measures and controls. These controls are audited and attested to in our SOC2 report, and all passwords are 256-bit AES encrypted. For more information see: https://www.okta.com/security. Just as we use strong encryption to secure your data at Okta, we use strong (256-bit AES) encryption for your username and password credentials as well. This information is stored and maintained by Okta.

Before Okta IPO’d many companies tried to buy them out, but Okta did not want to go that route. They wanted to IPO … Okta works with any of the cloud companies and I could see one of them trying to buy Okta out, but I do think Okta would fight against it for the following reason:

The customers of Okta have to be able to trust the company. If that trust is broken, then so is the company. Okta controls the keys to the kingdom and once they get into the kingdom, that is their moat. They build relations with all of the companies they work with at a much deeper level in my opinion. This isn’t like any Software as a Service company. How many companies are going to be able to convince someone else to give up their passwords?…

Okta is gaining customers at 8% to 10% per quarter sequentially… Every customer they gain will only keep paying them a subscription and even buying more product from them.
Andy

Here is the site that Andy pulled the information from:
https://www.okta.com/faq/

[Saul here] Just thinking about what Andy pointed out, it points out how incredibly unlikely it would be for any company to change away from Okta once they sign on. Once you entrust a company with all the keys to everything in your company, you are not going to suddenly decide that you’ll try another company. It’s a question of trust! And if Google or Facebook or Microsoft or some other BIG company came up with a similar solution, do you think another company is going to leave Okta and trust one of those giants with all their passwords? No way! Okta has them forever!

Just my opinion!

Saul

36 Likes

Not my area of expertise - but the fact that Okta stores all of its passwords for its clients gives me some pause as it now has one glaring, obvious, single point of failure: cyber security.

When it comes to cyber security I tend to believe it’s not a matter of if, but when, a company will be attacked.

For some companies the ramifications are much less than others.

Okta may be audited by a third party - but I’d prefer they were constantly undergoing red team attacks to hack their own systems. Hopefully it’s what they meant.

Posting for others who know more to share more and shed light into why my intuitive fear is misplaced.

Long on Okta, hesitant about taking a larger position

15 Likes

Hi JAF, It’s just a non-techie guess, but I’d think that a company whose main business is something else entirely, and has a small security department of two or three guys, is much more likely to get hacked than a company whose whole business is security and is totally focussed on it. But that’s just my guess.
Saul

4 Likes

Forgive me if I’m misunderstanding what Okta does or missing something. Still trying to learn more about them. What makes it hard for me to get on board with Okta is that both my wife and I work in health care and have worked at multiple places which require single sign on and other access management. Maybe a dozen places including insurance companies, retail pharmacy and stores (that ran pharmacies), hospitals, and University systems. I’ve never seen Okta in use – and it’s not because there’s some other single competitor. I’ve asked some who still work at our former locations and not much has changed since we left.

I get that Okta has other products as well but they seem to promote SSO and multi factor authentication most. There seem to be so many options, whether in-house systems built on top of Active Directory or those of other companies.

Maybe Okta is just way better, more modern, etc. But if they can sign up new customers that currently have different solutions then clearly the switching costs aren’t insurmountable. Would another company providing for example continuous biometric authentication be able to replace Okta with an even better security option?

Even though a company is providing all their passwords and access to Okta, it’s not irreplaceable data. Passwords and access can be changed. Unless Okta is going to hold their access hostage, I don’t see why a company wouldn’t switch to a better and/or cheaper alternative.

11 Likes

Very interesting discussions on Okta. Since I’m a technology SVP at a big bank with tangential responsibility for security, this should be something in my bailiwick. I haven’t heard of it up to now, but then we’re not always on the latest tech, so that doesn’t say anything. I have been seeing a lot of ads for it recently. Just a couple of comments on the discussion.

I’d think that a company whose main business is something else entirely, and has a small security department of two or three guys, is much more likely to get hacked than a company whose whole business is security and is totally focussed on it. But that’s just my guess.

This actually cuts both ways. Hackers trying to break security for commercial purposes are also likely to train much more resources on a company like Okta.

Also it is almost impossible to make things perfectly secure. Even if the technology is good, there is always social hacking and the human element. If Okta really does contain the passwords of companies that work with it, any breach of security could have a huge (even company-ending) impact. Not only will clients leave, they will also sue. Now, I’m not sure that is their technology model, and I have some doubts as it would be a huge Achilles heel, but this is just something to delve into more deeply.

[Saul here] Just thinking about what Andy pointed out, it points out how incredibly unlikely it would be for any company to change away from Okta once they sign on. Once you entrust a company with all the keys to everything in your company, you are not going to suddenly decide that you’ll try another company. It’s a question of trust! And if Google or Facebook or Microsoft or some other BIG company came up with a similar solution, do you think another company is going to leave Okta and trust one of those giants with all their passwords. No way! Okta has them forever!

Switching away in this case doesn’t seem as hard as you are saying here. In general with most authentication systems, you can force any user to reset their password - in fact you usually use this to force password resets on a periodic basis. If any enterprise company wanted to move away from Okta, they would probably force all their users to reset their passwords on their main authentication systems. It would be annoying to employees, but not horribly so, and they would be using automated systems that make it easy to do for the admins.

Just to be clear - I’m in no way saying Okta isn’t a good buy - I just need to do my own homework to understand them better - which won’t be for a week or so - but I just wanted to add my experience to tweak some of the understandings here.

17 Likes

Switching away in this case doesn’t seem as hard as you are saying here.

Perhaps I’m being misunderstood. I’m not claiming that it would be DIFFICULT to switch. I’m claiming that it would be UNLIKELY that they would switch, because of the trust element. If a company trusts Okta with all their passwords, that even their own IT people can’t see, it means they researched Okta extensively, they sat down with them and got to know them, that they trust Okta explicitly with all that, and that Okta is like family in a sense. That’s why they are unlikely to switch. Not because they COULDN’T just change all their passwords and move to another company, but because they most probably WON’T.

Saul

9 Likes

Sorry Saul, I disagree for a bunch of reasons.

First, in my 30 years of IT experience (and particularly my frequent interaction with the IT security folks) I never saw any s/w package that was forever. No applications, no middleware, no network s/w, no security s/w, no nothing. I don’t think OKTA is any different in that regard. I’m not suggesting that customers will leave in droves if someone comes out with a shiny new mousetrap, but they’re not immune from customer abandonment. It’s not all that different from investing if you think about it. You sold Veronis because you thought Okta was a better investment. Security officers and executive management look at it pretty much the same way. If the middle term opportunity (forget long term in IT, there is no long term in IT) to switching is advantageous from both a financial and a security perspective, customers will transition to a new solution.

Next, let’s look at security from a higher level. What are we trying to accomplish with security? The goal of IT security is not to inhibit all access. In fact, the ideal security would make access (to apps, programs, databases, networks and other IT assets) completely transparent to authorised users while making those same assets completely opaque to unauthorised users. Transparent means there is no interference with access. Opaque means the asset does not even appear to exist for someone unauthorised. UID and password coupled with MFA is a pain in the ass. Google email (and I’m sure most widely used, publicly available s/w) supports MFA today. I use Google email but have not enabled MFA because it’s an inhibition to access. In fact, to be totally honest I’ve allowed my favorite browser (Chrome, another Google product) to remember my access keys to almost all my web enabled applications. Only a few (like my bank account) require entry of my password on every access attempt. I think I’m fairly typical in this. What I’m getting at is that UID and password is a tired security measure. It’s cumbersome for users and it’s not altogether that secure. Do you have a file saved on your computer with your UID and passwords for a number of applications? A lot of folks do. Maybe it’s encrypted and requires a password for access, but really, how secure is that in the face of the sophisticated security hacks out there? What I’m driving at is that UID/password security is due to be retired in favor of biometric security. Most people already use fingerprint security on their phones. What’s Okta’s advantage over MFA biometric security, say fingerprint, iris scan and body temperature (just to prove that person is alive)?

And I won’t even delve into “social engineering” (if you’re unfamiliar with the term, it simply means convincing someone to divulge their access credentials). This is essentially how the Russians broke into the DNC’s email server. There’s no s/w measure that will protect against social engineering (although MFA inhibits it).

I’m long Okta, but not to a very large percentage and with significant caution. I don’t view this as a high confidence investment.

19 Likes

…but the fact that Okta stores all of its passwords for its clients gives me some pause as it now has one glaring, obvious, single point of failure: cyber security.

This is my main concern with OKTA. My original analysis of Okta did not return much information on what information is stored. Looking at an old knowledge base article shows that at least Okta is taking the right steps to ensure the data is secure:

https://support.okta.com/help/Documentation/Knowledge_Articl…
Published: Jan 10, 2015 - Updated: Nov 18, 2016
Please note: this page is no longer being updated and may not show current information.
. . .
Okta uses strong encryption to secure sensitive customer data. For example, we encrypt the unique customer SAML keys that are created to perform authentication on our customer users’ behalf. We also store and encrypt credentials that users submit for downstream SWA applications (apps), configured within their SSO environment.
. . .
The passwords and keys for each customer org are encrypted using AES and a 256-bit, randomly generated symmetric key.

This key-store, containing the customer symmetric encryption keys, is then encrypted with a Master Key that is held only in memory and only accessible to the Okta app.

At startup, the app is provided a master passphrase allowing it to access, decrypt, and store the Master Key in memory.

A technical operations administrator inputs the master passphrase. Only eight administrators know this master passphrase.
. . .
This process, using application level encryption, protects sensitive data, even in the event of partial compromise. As a result, attackers lack the ability to decrypt the data if armed with 2 out of 3 of the following: Master Key, Key Store, and/or the user’s app context.

Exploits are a risk for most tech companies. I believe that most companies would be better off using a service like Okta as opposed to rolling their own. Personally, I would never use an authentication device/company where that company’s main focus was not authentication (but something like search and ads).

My original analysis of OKTA
Elevator Pitch: Identity as a service.

- Okta is a cloud-based Sign-on and Single Sign-on (SSO) for enterprise systems.
- SSO has become a requirement for any medium to large business.
- Software company (pro). Not selling authentication devices (plus).
- Supports: OAuth, Active Directory, VPN, LDAP, OpenID, Social-Login.
- Prices:
  SSO: $24 / year / user.
  Provisioning + Universal Directory: $1,500 / year.
  Lifecycle Management: $48 / year / user.
  Adaptive MFA: $36 / year / user.
- Developer API:
  Free: up to 7K active users, 10 custom apps.
  https://developer.okta.com/pricing/
  Okta is making money on both sides of the fence!
- Good usage reporting and monitoring.
- Good brute-force detection.
- Customer lock-in. Once implemented in a company this will be hard to change. (pro)
- Since this is a cloud service, enterprises could be brought down with a simple DOS attack. (con)
- This seems like a hacker’s dream! Cloud storage for multiple companies’ usernames and passwords. A single hack or bad actor could kill this company overnight [imo]. (con)

ktcfool - long OKTA 2%

2 Likes
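The key hierarchy in the knowledge base excerpt quoted above (per-org 256-bit key, key store wrapped by a Master Key, Master Key rebuilt from an operator passphrase at startup, credentials tied to a user's app context), modelled as an added example that is not Okta's code. It assumes PBKDF2 for the passphrase step and, to stay on the standard library, an HMAC-SHA256 counter-mode keystream with an HMAC tag as a stand-in for AES-256; all names and sample values are constructed.

```python
import hashlib
import hmac
import json
import os
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for an AES-256 keystream (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Any wrong key fails the tag check."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key, wrong context, or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def derive_master_key(passphrase: str, salt: bytes) -> bytes:
    """Startup step: the operator passphrase yields the Master Key, which lives only in memory."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)

def new_org_key() -> bytes:
    """Per-customer-org, randomly generated 256-bit symmetric key."""
    return secrets.token_bytes(32)

def wrap_key_store(master_key: bytes, org_keys: dict) -> bytes:
    """The key store (org -> org key) is itself encrypted under the Master Key."""
    return seal(master_key, json.dumps({o: k.hex() for o, k in org_keys.items()}).encode())

def unwrap_key_store(master_key: bytes, blob: bytes) -> dict:
    return {o: bytes.fromhex(k) for o, k in json.loads(unseal(master_key, blob)).items()}

def app_key(org_key: bytes, app_context: str) -> bytes:
    """Bind a stored credential to the user's app context, the third element in the KB text."""
    return hmac.new(org_key, b"ctx:" + app_context.encode(), hashlib.sha256).digest()

def store_credential(org_key: bytes, app_context: str, secret: bytes) -> bytes:
    return seal(app_key(org_key, app_context), secret)

def fetch_credential(org_key: bytes, app_context: str, blob: bytes) -> bytes:
    return unseal(app_key(org_key, app_context), blob)

def _fails(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True

def demo() -> dict:
    """Run the hierarchy end to end on constructed values; report which partial views decrypt."""
    salt = os.urandom(16)
    master = derive_master_key("operator-passphrase-constructed", salt)
    key_store_blob = wrap_key_store(master, {"acme-org": new_org_key()})  # what sits at rest
    org_key = unwrap_key_store(master, key_store_blob)["acme-org"]        # in memory only
    ctx, secret = "user:alice/app:payroll-swa", b"constructed-downstream-password"
    cred = store_credential(org_key, ctx, secret)
    tampered = cred[:-1] + bytes([cred[-1] ^ 0x01])
    return {
        "all_three": fetch_credential(org_key, ctx, cred) == secret,
        "key_store_without_master": _fails(
            lambda: unwrap_key_store(derive_master_key("guessed", salt), key_store_blob)),
        "org_key_wrong_context": _fails(
            lambda: fetch_credential(org_key, "user:mallory/app:payroll-swa", cred)),
        "tampered_ciphertext": _fails(lambda: fetch_credential(org_key, ctx, tampered)),
    }
```

Only the combination of Master Key, key store and the right app context recovers a credential; holding the encrypted key store and a wrong passphrase, or the org key with the wrong context, fails the tag check rather than yielding garbage.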

fwiw, I don’t believe any Company can’t be hacked eventually. Having said that I have owned OKTA for several months now with just a small opening position.

Perhaps I’m being misunderstood. I’m not claiming that it would be DIFFICULT to switch. I’m claiming that it would be UNLIKELY that they would switch, because of the trust element.

I think the key word here is TRUST. Trust takes a long time to build, and can be destroyed in an instant.

A successful hack of Okta (with just one client) could destroy everyone’s trust. They would lose a significant percent of their clients overnight and would have a long lonely road to rebuild. Okta knows this and will have the best possible controls to prevent this from happening.

But still, it is not possible to guarantee you will never get hacked, and a company like Okta will be one of the biggest targets in the world for hackers with huge resources - even state actors. For most companies, this would be some reputational damage and a one-time loss, and then they would go on. But for Okta it could be company-ending.

I’m not going to estimate the chance of this happening (though I will try to do a half-assed guess of my evaluation of the risk before I make an investment decision). But I would say this is an additional risk that Okta has over other companies. After I do my research I may still invest in it - all investment has risk. But I just want to be aware of it.

4 Likes

Similar to what some others have stated, my biggest concern with investing in a security company is how damaging a hack would be (because I believe any/all companies can/will be hacked eventually).

I think it would be similar to what happened to Chipotle. Their whole business was based on “food with integrity” and then they had multiple food safety incidents that completely blew that model up (and took the stock price down with it). BTW, Chipotle has popped 25% today on just a decent report, but hopes of good changes coming with new management now in place. I’m finally out of my last shares in that one with today’s pop.

Not saying it will happen with Okta, just that I’m not going to take that risk on this one.

1 Like

IF (big if) Okta is using a salted AES-256 key like the documentation says, it would take …

Fifty supercomputers that could check a billion billion (10^18) AES keys per second would, in theory, require about 3×10^51 years to exhaust the 256-bit key space. https://en.wikipedia.org/wiki/Brute-force_attack

… to crack each user’s data.

Please don’t get me wrong, there are risks! Imo, social engineering (mentioned by brittlerock) and code defects are the biggest risk. Just putting password/SAML-keys security into perspective.

ktcfool

… but in a couple more years a set of NVIDIA CUDA cores will probably be able to crack the data in a few minutes. :)

3 Likes

Fifty supercomputers that could check a billion billion (10^18) AES keys per second would, in theory, require about 3×10^51 years to exhaust the 256-bit key space. https://en.wikipedia.org/wiki/Brute-force_attack

… to crack each user’s data.

Not my area of expertise (hmmm…do I have an area of expertise?), but I wouldn’t be worried about that aspect of their security, more likely something similar to the recent incident where a careless employee of some company (forget which it was) unintentionally causes the breach by leaving a laptop in a car and it gets stolen (or something to that effect that hasn’t happened yet, so safeguards aren’t in place).

http://www.experian.com/blogs/data-breach/2016/06/01/employe…

What keeps your cyber security team up at night, and does it weigh equally on the minds of managers? Do they lose sleep worrying about malicious attacks from outside your organization? Or do they fear a careless employee will leave a laptop in an unlocked car or use an unsecured personal mobile device to access proprietary company information?

Employee-related security risks are the top concern for security professionals, our new study, Managing Insider Risk Through Training & Culture, found. The Ponemon Institute polled more than 600 information security professionals at companies that have a data protection and privacy training program. The study found that while 55 percent of those surveyed have already had a malicious or negligent employee cause a security incident, few are taking adequate steps to improve security from within.

Fifty supercomputers that could check a billion billion (10^18) AES keys per second would, in theory, require about 3×10^51 years to exhaust the 256-bit key space. https://en.wikipedia.org/wiki/Brute-force_attack

Tech companies cite those types of numbers, but real hacks almost never occur from brute force attacks like that.

As an example, 2 decades ago I was working at a high security high tech firm in the midwest, and had set up a very secure environment (for the time). We had a security audit which included a contest for hackers to break into our system.

They couldn’t break through our tech defences. However, 2 execs had used a password that used some variant of “the Kansas City Chiefs” with numbers and special chars added. They were able to break into these weak password accounts in a few hours. Once a real hacker gets in through a high level account like that, they can keep going and going, bit by bit breaking into other parts of the network.

Weak passwords, social engineering, dumpster surfing - this is how most security breaches start.

7 Likes

I’m claiming that it would be UNLIKELY that they would switch, because of the trust element.

And, of course, this implies that, if the trust is violated, a switch is likely.

Okta protects your information with extensive security measures and controls that are audited by third parties. Among other measures, Okta offers flexible, MultiFactor Authentication. With MFA, you’ll authenticate yourself with both your regular password and a second factor of your choice.

Hype. Target (et al) had these assurances as well. This isn’t differentiation. This is basic security.

🆁🅶🅱

Please don’t get me wrong, there are risk!

One of the conspicuous ones being quantum computers …

FYI - Okta was hacked late last year by a phishing scam. Seems this triple security system is not all it is cut out to be. Like so many things, sounds better in words than in actual real world performance:

https://www.fastcompany.com/40469670/vevo-hack-breach

The solution is to add a new step and that is two part login using one’s cellular phone or other device.

This did not take down Okta’s share price. This has not caused a loss of trust in Okta. Probably it has not because everyone expects some security breaches. They also expect that Okta will learn from this and fix it.

The switching costs for Okta are not insurmountable. Its basic features are commodity. What is not commodity is their higher level security capabilities. Certainly you can still switch, but it requires all your software, cloud and all, to be hooked back into all software, and all the rules based features re-programmed and implemented.

Things as detailed as security differing while in Moscow vs. in Toledo, watching for unusual use of particular software such as if suddenly a program is being used 8 hours a day, 5 days a week, when it previously was used 2 hours a week by this user, and things like terminating access to software for temps or consultants or people getting promotions, demotions, or simply switching projects.

In fact this latter aspect does have a tangled web of rules that would be a nightmare to reintegrate, and the larger the company the more difficult.

As for competition, it pays to watch actual real world results. The market is every material business in the world that uses multiple software and enough employees to make it impractical to individually or with simple software to keep track of it all.

That is a market, in terms of numbers that is nearly equal to SHOP’s total market.

If Amazon has built an internal system, and they want to then sell it, there is one possibility. However, try customer service with such a product. Microsoft would provide service, but a far more Microsoft, Azure centered product.

Tinker

10 Likes

No, Target did not have this level of security.

Target had FireEye installed (when they still sold s/w). They actually observed that their system had been compromised, but the CIO had quit and the CEO had been lackadaisical about hiring a replacement (remind me again, what does the CIO do?). There was no one in charge. No reporting lines to take action. They simply watched it happen until it was too late to take action.

2 Likes

Okta already supports MFA. It is not a failure to provide it, it is failure on behalf of their customer(s) to implement it. As I noted above, MFA is a pain in the butt. Few people will tolerate taking the extra step. Most companies don’t want to put their employees through the hassle. Therefore it is seldom implemented.

watching for unusual use of particular software
The ability to detect an intrusion by monitoring for anomalous use and activity is not new. FireEye was one of the first to offer this capability. It is probably more effective than looking for signatures (such as the names of viruses). I forget which company off hand provides this functionality, but it has been discussed on this board (Veronis?). The problem is, when it is detected, your system is already infected.

things like terminating access to software for temps or consultants or people getting promotions, demotions, or simply switching projects
Sounds simple enough, but scale that up to a company with 100,000 employees or more, most of whom log onto something on a daily basis. Do you disable an employee’s security if they go on a 4 week vacation? How do you actually keep track of which project an IT guy in the job I had (enterprise architect) who worked on multiple projects on a regular basis? Or DBAs assigned to several applications, etc., etc. This is to assert, but difficult to implement in a large company. And, we had literally hundreds of applications (if you count all the purpose built engineering apps it was thousands). Many of those apps had no security features whatsoever, but were stored and executed on networked servers. A good hacker only needs to get through the door, any door.

Computing security is a nightmare. I’ve worked in the arena first hand. There is no such thing as a secure system, some are just harder to penetrate than others. Where I worked there were daily assaults on our systems, some of them highly sophisticated (aerospace/defense contractor, lots of IP, secret and black projects). One of the worst breaches we had (that was acknowledged) was when an IT guy working for HR downloaded tons of records to his PC and had it stolen out of the backseat of his car.

3 Likes