The Security Stack

Before looking at the position of OKTA in the Security stack, I have been wondering how the COVID related compression of the adoption curve for Digital Transformation is effecting OKTA. Todd McKinnon recently presented for Goldman Sachs. The transcript is behind a paywall at Seekimg Alpha.

Here’s just a little of what he said…

Todd McKinnon-
In terms of the time to migration and so forth, I think the biggest thing is people are seeing that identity can help lead that migration [in a sense] because it’s really a lot about getting the services accessible from anywhere and identity can help get that service accessible from anywhere.
It’s not just like you can take the cloud apps and a modern identity stack like Okta, and turn remote employees on immediately, you have to build our API’s into your mobile app or your website. So, we’re seeing the benefits of that, I think, play out over a longer period of time and will continue in the next year and beyond.

I had owned OKTA before and I always kinda wondered where OKTA fit among other Security Companies. I still have questions; but, I believe Bill Losch, the CFO at OKTA, recently answered this at the Needham Conference, somewhat.

Question from the interviewer: If you see something that is out of line with behavior, land analytics that you’re doing, you can then feed that into other systems, for instance, a CrowdStrike system, as a data point, or alternatively CrowdStrike can feed back to you that they’re seeing something that’s looks out of line, and those things can then be used to put a containment around a particular device or a particular user, or a particular data traffic flow. That’s the type of deep integration you’re talking about, is that a good example?
Bill Losch-
Yes, that is a good example. I think that makes sense. And you think about it that is an example that we do with numerous other technology partners. And I think that again security specifically, but certainly in other areas, we believe that there isn’t going to be one singular solution to security, but having us bring these best-of-breed solutions together and having the identity platform, which to your point, the solution has to be identity centric to make it as secure as it can be. That’s the real value we add.

It’s mostly just a repeat of known information. I just felt like I often do when re-reading something Saul has written. It’s like I read it for the first time. If anyone else here could suggest a read for my further understanding the position OKTA holds in the Security Stack I’d really appreciate it.

My take away from reading the transcripts of both of these recent conferences: Zero Trust is Identity-centric. This led me to re-start a position in OKTA and it’s now 6% of my portfolio.




I wish they would talk using simple straight forward sentences.
Something like -
Yes, that is a good example. I think that makes sense. We do that with numerous other technology partners. There isn’t going to be one singular solution to security, but having us bring these best-of-breed solutions together would be the way. Identify platform will make it as secure as it can be. That is the real value we add.


Good question security has alot of domains and a lot of jargon. In an effort to help with the security stack concept:

Identity & Access Management Security - Controls identities and provisioning of users to systems and applications (Okta, Ping, Microsoft AD, many others)

EndPoint/Device Security - Protects devices and threats against them (Crowdstrike, VMWare/CarbonBlack, Microsoft, Mcafee, Symantc, and everyone else and their brother. Top 3 are listed in no particular order).

Data Security or Data Loss Prevention - Protect sensitive data sets through various mechanisms (ForcePoint, Microsoft, Mcafee, Symantec etc…)

Network Security - Protect networks from threats. (Palo Alto, CheckPoint, Cisco)

Cloud Security - Protect cloud systems (, microsoft 365, etc) and access to data there. (Microsoft, ForcePOint PaloAlto, Cisco)

Email Security - Protect inbound/outbound email from threats (ProofPOint, Microsoft, Mimecast)

Security Monitoring Centralized (SIEM) and operational tracking - SOlutions that monitor overhealth health and stability and correlate a lot of data from a lot of places (Splunk, Elastic, Datadog, SumoLogic, Microsoft is trying, and others). This is the hardest group to compare across as they are all the most different vs. other categories.

Disaster Recovery and Backup - Backup and recover systems that have operational or security issues (Commvault, Zerto, Resq, nutanix)

Vulnerability Security & Management Tools - Find problems and fix before bad guys cause problems (Qualys, Rapid 7, many other small niche players).

Security is the ever changing decision between do I go best in breed in all these areas (and have it so complex I cant manage it likely or its super $$$) or try and integrate across the stack. Microsoft is the biggest threat as a powerful integrated play across these entities and is CrowdStrike and many other companies biggest mid term/long term competitors. They can use security as a loss leader for their OS and Microsoft 365 productivity platforms.


Thanks for the overview. Not trying to get too much into the weeds; but, In an interview at CSO McKinnon sounds like OKTA would/could be a full fledged alternative to ‘in Route control’ (eg Zs or Cloudflare’s Magic Transit). I’m not saying that a Zero Trust Security Stack couldn’t be cobbled together minus identity; but, McKinnon sounds like OKTA should be the platform for best enabling Zero Trust. What are the odds that McKinnon gets this wish?

My favorite quote by McKinnon…
“So, the challenge is like … why does Coinbase exist? There wasn’t a part of the crypto standard that kind of defined how you got sovereign currency in and out of it. There’s no part of the standard that specifies how you get identity in and out of it, either. - Todd McKinnon” OKTA CEO/Founder

Long OKTA,



February 15, 2021 CSO Magazine Interview with Todd McKinnon here:…

It’s not behind a paywall

Here’s a little:

CSO: Another big issue is multicloud security. The big three clouds have different security models, different security controls and features. That makes it easy to make a configuration mistake and leave the door open. How can you help with that?
McKinnon: The vision for Advanced Server Access is to be that security layer for the clouds.
CSO: A meta-layer of security for the clouds?
McKinnon: Yeah, exactly, like the common security layer. Basically, you authenticate your admins, you log-in to the cloud through Okta, so that you don’t have to tightly couple your security and your processes and your governance and so forth to one platforms’ toolchain.



1 Like