The news recently broke: Okta was breached earlier this year, and the breach potentially affected several hundred of its corporate customers. Though Okta is one of our competitors in the Identity and Access Management (IAM) world, we are not celebrating their breach. Security breaches should never be celebrated. We all need to learn from them and make sure we are protected in the future, prepared for the next attacker tactic that might come our way.
The breach has been traced to a sub-processor that Okta uses for support services. In other words, Okta relies on another company to help handle customer-support requests, and it was that company, not Okta's own infrastructure, that was compromised. Partnerships like this are common, if not expected, at large companies. The issue was that the attackers did not break down Okta's door; they compromised a support engineer's access at the third party and then rode that legitimate access into Okta's environment, the digital equivalent of tailgating an employee through the front door. Clever.
It is common for large corporations to use outside resources, such as the provider Okta uses to help serve its customers, and the fact that the contractor was breached does not mean the practice of using third-party service providers should stop. Not by a long shot: reliance on third-party providers will only grow as we continue to embrace cloud technologies and remote work. It does mean, however, that we all need to be extra vigilant when vetting and using these services, and in particular about what internal access a sub-processor's staff are granted and how that access is monitored.
OneLogin has long had a thorough vetting process for all sub-processors and periodically reviews them to ensure they still meet our standards. This practice will continue now that OneLogin is part of One Identity, even though it has at times caused some friction because it can extend the time it takes to approve a sub-processor. In the end, OneLogin's long-held value of "security first" remains at our core. We must do our due diligence in vetting outside providers so that we are not exposed to breaches caused by lapses on the sub-processor's end. We take the responsibility of protecting our customers' data very seriously.
When we as an industry work together to thwart these tactics, our collective customer base stays safe and our robust and valuable industry thrives. Learn more about all the vendors in the IAM space by downloading the Gartner Magic Quadrant for Access Management.
Transparency and Notifications
We do not know what kind of vetting process Okta has in place for its sub-processors. We can only hope that they are re-evaluating their current processes and adding more controls wherever sub-processors access internal resources; published reports suggest that is the case. But even by Okta's own account, they could have gotten ahead of the news and informed customers sooner, so that those customers could have started their own response sooner: resetting passwords, rotating credentials, and reviewing log data for support-initiated activity on their tenants.
According to an article in Data Breach Today: "Okta failed to control the breach message, especially after the Lapsus$ attackers on Tuesday (March 22, 2022) first publicized their intrusion. Practicing effective crisis communications doesn't mean having to tell customers, employees or the general public every last detail. Instead, it requires rapidly saying 'we've got experts probing this, we're moving quickly, we don't have all of the facts yet, we will be transparent, and you can trust us,' and then delivering on those promises."
A proactive announcement would have given customers the chance to protect themselves from the fallout earlier.
In the end, however, Okta and its customers are victims of a cyberattack, and we all need to recognize that we must work together to thwart these criminals wherever and whenever they try to attack us.