2025 must be the year when identity providers push hard to improve every aspect of software quality and security, including red teaming, while making their apps more transparent and achieving more objective results that go beyond standards.
Anthropic, OpenAI, and other leading AI companies have taken red teaming to new levels and revolutionized their release processes for the better. Identity providers, including Okta, must follow their example and do the same.
Although Okta is one of the first identity management providers to sign CISA's Secure by Design pledge, it is still having trouble getting authentication right. Okta's recent advisory told customers that 52-character usernames could be combined with stored cache keys, bypassing the need to supply a password to log in. Okta recommends that affected customers check their Okta System Log for unexpected authentications of usernames longer than 52 characters between July 23, 2024 and October 30, 2024.
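The log review Okta recommends above is easy to turn into a repeatable check. The following script is an added example and is not Okta's tooling or anything from the original article: it takes a System Log export as a JSON array of events, keeps only successful authentication-style events (assumed here to be `user.session.start` and `user.authentication.*` event types) inside the advisory's window, and flags those whose `actor.alternateId` (the username) exceeds 52 characters. The sample events are constructed for illustration.

```python
import json
import sys
from datetime import datetime, timezone

# Window and threshold exactly as stated in the advisory summarized above.
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 31, tzinfo=timezone.utc)   # exclusive, so Oct 30 is included
USERNAME_THRESHOLD = 52

# Assumption: these event-type prefixes cover the authentications worth reviewing.
AUTH_EVENT_PREFIXES = ("user.session.start", "user.authentication.")

# Constructed sample export shaped like Okta System Log entries (not real data).
SAMPLE_EVENTS = json.dumps([
    {"eventType": "user.session.start", "published": "2024-08-01T10:00:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "a.short.user@example.com"}},
    {"eventType": "user.session.start", "published": "2024-09-15T12:30:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "first.middle.last.name.department.region@subsidiary.example.com"}},
    {"eventType": "user.session.start", "published": "2024-06-01T12:30:00.000Z",
     "outcome": {"result": "SUCCESS"},   # long username, but before the window
     "actor": {"alternateId": "first.middle.last.name.department.region@subsidiary.example.com"}},
    {"eventType": "user.authentication.auth_via_mfa", "published": "2024-10-30T23:59:00.000Z",
     "outcome": {"result": "FAILURE"},   # long username, but the attempt failed
     "actor": {"alternateId": "first.middle.last.name.department.region@subsidiary.example.com"}},
    {"eventType": "user.lifecycle.activate", "published": "2024-10-01T08:00:00.000Z",
     "outcome": {"result": "SUCCESS"},   # not an authentication event
     "actor": {"alternateId": "first.middle.last.name.department.region@subsidiary.example.com"}},
])


def parse_published(ts):
    """Okta timestamps are ISO 8601 with a trailing 'Z'; normalize for fromisoformat."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_suspect_authentications(events, start=WINDOW_START, end=WINDOW_END,
                                 threshold=USERNAME_THRESHOLD):
    """Return (published, eventType, username) for successful auth events in
    [start, end) whose username is longer than `threshold` characters."""
    hits = []
    for ev in events:
        if not ev.get("eventType", "").startswith(AUTH_EVENT_PREFIXES):
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        username = ev.get("actor", {}).get("alternateId", "") or ""
        if len(username) <= threshold:
            continue
        published = parse_published(ev["published"])
        if start <= published < end:
            hits.append((ev["published"], ev["eventType"], username))
    return hits


def scan_json(text):
    """Parse a JSON array export and return the suspect authentications."""
    return find_suspect_authentications(json.loads(text))


if __name__ == "__main__":
    # Usage: python okta_long_username_scan.py export.json   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVENTS
    for published, event_type, username in scan_json(text):
        print(f"{published} {event_type} len={len(username)} {username}")
```

Every hit is a successful login that should be reconciled against an expected user and device; anything unexplained warrants the session revocation and credential rotation a normal incident response would apply.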
Okta points to its best-in-class record for introducing multi-factor authentication (MFA) to both Workforce Identity Cloud users and administrators. Today, that is a basic prerequisite for protecting customers and a matter of course for surviving in this market.
Google Cloud announced mandatory multi-factor authentication (MFA) for all users by 2025. Microsoft has also required MFA for Azure starting October of this year. “Starting in early 2025, we will begin phasing in MFA enrollment for Azure CLI, Azure PowerShell, Azure Mobile App, and Infrastructure as Code (IaC) tools,” said a recent blog post.
Okta achieves results with CISA's Secure by Design
It is commendable that so many identity management vendors have signed the CISA Secure by Design Pledge. Okta signed and joined the initiative in May this year, committing to seven security goals. While Okta continues to make progress, challenges remain.
Adhering to standards when deploying new apps and platform components is difficult. Even more problematic is keeping a diverse, fast-paced array of DevOps, software engineering, quality assurance, red teams, product management, and marketers coordinated and focused on adoption.
- Not pushing hard enough on MFA: Okta has reported a significant increase in MFA usage, with 91% of administrators and 66% of users using MFA as of January 2024. More and more companies are now making MFA mandatory without relying on a standard. Google's and Microsoft's mandatory MFA policies highlight the gap between Okta's voluntary measures and the industry's new security standard.
- Vulnerability management needs to improve, starting with a firm commitment to red teaming. Okta's bug bounty program and vulnerability disclosure policy are largely transparent. The challenge they face is that their approach to vulnerability management remains reactive and relies mostly on external reports. Okta also needs to invest more in red teaming to simulate real-world attacks and identify vulnerabilities preemptively. Without red teaming, Okta risks leaving certain attack vectors undetected, potentially limiting its ability to address emerging threats early.
- Improvements in logging and monitoring need to be accelerated. Okta is improving logging and auditing capabilities for better security visibility, but many improvements are still incomplete as of October 2024. Critical features such as real-time session tracking and robust auditing tools are still in development, preventing Okta from providing comprehensive, real-time intrusion detection across its platform. These capabilities are critical to giving customers immediate insight into, and the ability to respond to, potential security incidents.
Okta's security failures demonstrate the need for more robust vulnerability management
While every identity management vendor has dealt with its share of attacks, intrusions and breaches, it is interesting to see how Okta is using these as fuel to reinvent itself using CISA's Secure by Design framework.
Okta's missteps make a strong case for expanding its vulnerability management initiatives and taking the red teaming lessons of Anthropic, OpenAI, and other AI vendors and applying them to identity management.
Recent incidents Okta has experienced include:
- March 2021 – Verkada camera breach: Attackers gained access to over 150,000 surveillance cameras and in doing so exposed significant security gaps in the network.
- January 2022 – LAPSUS$ group compromise: The cybercriminal group LAPSUS$ exploited third-party access to break into the Okta environment.
- December 2022 – Source code theft: Attackers stole Okta's source code, exposing internal gaps in access controls and code security practices. This breach underscored the need for stronger internal controls and monitoring mechanisms to protect intellectual property.
- October 2023 – Customer support breach: Attackers gained unauthorized access to customer data for approximately 134 customers through Okta's support channels, as confirmed by the company on October 20th. The attack began with stolen credentials used to gain access to the support management system. From there, attackers obtained HTTP Archive (.HAR) files containing active session cookies and began targeting Okta's customers by attempting to break into their networks and exfiltrate data.
- October 2024 – Username authentication bypass: A security vulnerability allowed unauthorized access by bypassing username-based authentication. The workaround highlighted weaknesses in product testing, as the vulnerability could have been identified and remediated through more thorough testing and red teaming practices.
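The October 2023 entry above turns on a mundane detail: HAR files that customers uploaded to support still carried live session cookies. A customer-side mitigation is to scrub a HAR file before it leaves the organization. The script below is an added example, not Okta's sanitizer or anything from the original article; it walks the standard HAR 1.2 layout (`log.entries[].request/response.headers` and `.cookies`), reports every Cookie, Set-Cookie and Authorization value it finds, and produces a copy with those values redacted. The sample HAR is constructed.

```python
import copy
import json

# Header names whose values carry bearer secrets (compared case-insensitively).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

# Constructed HAR 1.2 document with one request/response pair (not real traffic).
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "entries": [{
            "request": {
                "method": "GET",
                "url": "https://example.okta.example/api/v1/users/me",
                "headers": [
                    {"name": "Host", "value": "example.okta.example"},
                    {"name": "Cookie", "value": "sid=constructed-session-id-123"},
                    {"name": "Authorization", "value": "Bearer constructed-token-abc"},
                ],
                "cookies": [{"name": "sid", "value": "constructed-session-id-123"}],
            },
            "response": {
                "status": 200,
                "headers": [
                    {"name": "Content-Type", "value": "application/json"},
                    {"name": "Set-Cookie", "value": "sid=constructed-rotated-id-456; HttpOnly"},
                ],
                "cookies": [{"name": "sid", "value": "constructed-rotated-id-456"}],
            },
        }],
    }
})


def find_sensitive_items(har):
    """Return (entry_index, location, name) for every header or cookie whose
    value would hand a support engineer (or an intruder) a usable session."""
    hits = []
    for i, entry in enumerate(har["log"]["entries"]):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    hits.append((i, f"{side}.headers", h["name"]))
            for c in msg.get("cookies", []):
                hits.append((i, f"{side}.cookies", c.get("name", "")))
    return hits


def scrub_har(har):
    """Return a deep copy of the HAR with sensitive header and cookie values
    replaced; the original object is left untouched so it can be diffed."""
    clean = copy.deepcopy(har)
    for entry in clean["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in msg.get("cookies", []):
                c["value"] = REDACTED
    return clean


def scrub_har_text(text):
    """Convenience wrapper for a HAR file's JSON text: returns scrubbed JSON text."""
    return json.dumps(scrub_har(json.loads(text)), indent=2)


def contains_secret(text, secret):
    """True if the given secret string still appears anywhere in the JSON text."""
    return secret in text


if __name__ == "__main__":
    har = json.loads(SAMPLE_HAR)
    for idx, where, name in find_sensitive_items(har):
        print(f"entry {idx}: {where} -> {name}")
    print(scrub_har_text(SAMPLE_HAR))
```

Redacting the value but keeping the header name preserves what support usually needs (which headers were sent, in what order, with what status) while removing what an attacker who later steals the file could replay. It does not cover tokens embedded in URLs or request bodies, so a review of those fields is still worthwhile before upload.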
Red teaming strategies for future-proof identity security
Okta and other identity management vendors need to think about how they will improve red teaming regardless of standards. An enterprise software company should not need a standard to excel at red teaming, vulnerability management, or integrating security across its system development lifecycles (SDLCs).
Okta and other identity management vendors can strengthen their security posture by applying the red teaming lessons from Anthropic and OpenAI listed below:
Consciously create more continuous human-machine collaboration when testing: Anthropic's blend of human expertise and AI-driven red teaming uncovers hidden risks. By simulating various attack scenarios in real time, Okta can proactively identify and remediate vulnerabilities earlier in the product lifecycle.
Commit to excelling in adaptive identity testing: OpenAI's use of advanced identity verification methods such as voice authentication and multimodal cross-validation to detect deepfakes could encourage Okta to adopt similar testing mechanisms. Adding an adaptive identity testing method could also help Okta defend against increasingly sophisticated identity spoofing threats.
Prioritizing specific domains for red teaming makes testing more focused: Anthropic's targeted testing in specific areas demonstrates the value of domain-specific red teaming. Okta could benefit from assigning dedicated teams to high-risk areas, such as third-party integration and customer support, where nuanced vulnerabilities might otherwise go undetected.
More automated attack simulations are needed to stress-test identity management platforms: OpenAI's GPT-4o model leverages automated adversarial attacks to test its defenses continuously. Okta could implement similar automated scenarios, enabling rapid detection and response to new vulnerabilities, particularly in its IPSIE framework.
Commit to greater integration of real-time threat intelligence: Anthropic's real-time knowledge sharing within red teams strengthens their responsiveness. Okta can embed real-time intelligence feedback loops into its red teaming processes, ensuring that evolving threat intelligence is immediately incorporated into defenses and accelerates the response to emerging risks.
Why 2025 will challenge identity security like never before
Adversaries are relentless in their efforts to expand their arsenals with new, automated weapons, and every company is struggling to keep up.
Because identities are the primary target of most security breaches, identity management providers must meet the challenges head-on and increase security in all aspects of their products. This includes building security into their SDLC and helping DevOps teams become comfortable with security so that it is not an afterthought rushed in right before release.
CISA's Secure by Design initiative is invaluable to any cybersecurity provider, and this is especially true for identity management providers. Okta's experience with Secure by Design helped it find gaps in vulnerability management, logging, and monitoring. But Okta should not stop there. It needs to refocus and deepen its focus on red teaming, drawing on the lessons of Anthropic and OpenAI.
Improving data accuracy, latency, and quality through red teaming is the fuel every software company needs to create a culture of continuous improvement. CISA's Secure by Design is just the starting point, not the destination. Identity management providers entering 2025 must recognize standards for what they are: useful frameworks for guiding continuous improvement. An experienced, robust red team function that can catch errors before they ship and simulate aggressive attacks from increasingly experienced and better-equipped adversaries is among the most effective weapons in an identity management provider's arsenal. Red teaming is essential to remaining competitive and to keeping pace with adversaries.
Author's note: