[maldeh]

A more poignant elegy to the modern landscape of compliance theater I have never seen:

> Security Standards. Okta's ISMP includes adherance to and regular testing of the key controls, systems and procedures of its ISMP to validate that they are properly implemented and effective in addressing the threats and risks identified. Such testing includes:

> a) Internal risk assessments;

> b) ISO 27001, 27002, 27017 and 27018 certifications;

> c) NIST guidance; and

> d) SOC2 Type II (or successor standard) audits annually performed by accredited third-party auditors ("Audit Report").

I don't think storing AWS keys within Slack would comply to any of these standards?

[hughrr]

Yep. All these standards are tick boxing for liability. Nothing more.

They are not effective security controls and never will be and should never be a measure of that.

[dvtrn]

We’ve been monitoring this internally, as customers of an Okta-like service.

I’ve also been closely monitoring the responses from our CTO and VP of Security when someone from our DevOps team posted a link to the Verge article in slack this morning.

Which brings me to this inquiry: How are your orgs responding to this? We have a dependency on an Okta-like provider and my first thought when reading this news was “you know, wonder if we should give our shit a sanity check”, and someone beat me to this, proposed it in slack but the idea was turned down by our SecOps team.

[lurker91283]

I moved over to Azure AD this morning (we only have a few devs and were already using Azure DevOps so this was doable). I requested that Okta cancel our account and let them know the reason was the potential data breach and their CEO's response on Twitter. Okta's response was that we signed an MSA agreement and that cancelling isn't an option, nor termination of fees.

[hughrr]

They sound like they're running the organisation like a dating site.

More reasons to look elsewhere.

[judge2020]

Or like Adobe: https://news.ycombinator.com/item?id=30222165

[Spooky23]

You’re buying Okta when you get Adobe too. :)

[hughrr]

Having just paid for Lightroom for a year this one really annoys the shit out of me.

[neurostimulant]

> Okta's response was that we signed an MSA agreement and that cancelling isn't an option, nor termination of fees.

Interesting. Does this agreement also works the other way as well (Okta can't just decides to terminate your account no matter the reason)?

[droopyEyelids]

Okta is the Oracle of identity management.

https://auth0.com is the "still cares about customers" vendor

I'm not affiliated with them, just traumatized by working in IT

[haneefmubarak]

Auth0 was acquired by Okta (https://auth0.com/blog/okta-acquisition-announcement/), although Okta claims in the post that

> There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.

[Hawxy]

Auth0 is run as an isolated subsidiary in its own infrastructure, with the old CEO still overseeing operations. Due to the massive difference in Okta & Auth0's implementations I don't see that changing anytime soon.

[djbusby]

That's what ASCAP does too! Scummy!

[hughrr]

Sounds about right. Here there will be a staff security training symposium that runs everyone through a training course bought in from the lowest bidder that is tangentially related to the issue followed by a self-congratulatory management meeting and that will be the whole issue resolved to satisfaction.

[disillusioned]

I don't know if tick boxing was a spoonerism or intentional or a real thing but I love it and am stealing it.

(Upon further review, it appears to be the more UK way of saying it! Ha!)

[hughrr]

Yep UK here. Normal here :)

[stefan_]

And yet Okta is the ultimate in box-ticking technology. They are bought to tick the boxes. So what happens now that the box tickers are not ticking the boxes?

[hughrr]

Usually a mass exodus to a similar service with the same guarantees resulting in months of capacity problems as they try and scale out from customer influx.

There are no winners.

[Spooky23]

They aren’t security controls at all. Just puffery.

I’d look at stuff like FedRAMP as a starting point for the control environment and explore further.

[api]

A lot of compliance theater comes from the requirements of insurance companies.

The decision makers have absolutely no idea how any of this stuff works.