Counter question, how has Okta proven that they have integrity and are competent and can be trusted to run critical IT?
What quantitative evidence have they ever demonstrated that shows they can stop the attackers who would like access to the billions of dollars of assets whose access they authenticate? A criminal enterprise can literally hire tens to hundreds of skilled hackers full time for years to target these systems and still turn a profit.
The default assumption is that systems are easily hacked. Claiming protection against even small teams of moderately skilled attackers, let alone organized crime, is an extraordinary claim. Where is their extraordinary evidence?
So I can just give you a cardboard box and call it a vault? You cannot prove me wrong upfront, so you have to believe me? That is ridiculous.
There is plenty of evidence you can provide to establish confidence that a certain degree of security has been achieved. Robust auditing, thorough review, formal methods, exhaustive testing, competent red team exercises failing to find any vulnerabilities, etc. The only people throwing their hands up claiming security cannot be evaluated have nothing useful to say about security because they do not even believe it is possible to know if they did anything.
Counter argument. Okta does all those things. Provides all the evidence, the red teams, etc. and still you don’t trust them (because they continue to have breaches) so to argue that one can prove security is false. One can only practice security and find assurance in certainty that they can identify events after or when they occur. No one can predict the future and no one can guarantee security in perpetuity. So I agree with you that Okta sucks. I also agree with the argument that you have to keep the knife sharp but you can’t just state the knife is sharp. You have to draw some blood to prove it. Likewise security postures are tested when incidents occur, through testing oneself or from another testing you. Complacency in this is when holes form. Security can only be evaluated at the moment in time. You can audit the past, but you can’t audit the future.
Counter argument, prove that Okta does any of those things to any meaningful degree. They are responsible for guarding the authentication to literally billions of dollars of assets. They are a prime target for organized crime who can field teams of tens to hundreds of hackers and state actors who can field teams of thousands for years. The recent Caesars attack had a 15 M$ payout, which means it would have been profitable to spend 5-10 M$ of hacking resources to pull off that attack. Okta is a much juicier target. They need to have security adequate to defeat an attack with 10 M$ of funding at a bare minimum.
So yeah, show me a red team exercise with 10 M$ of funding, where they get a 30 person hacking team and 1 year full time, that failed to find any vulnerabilities and failed to gain access to any sensitive data, then we can talk about whether they provided evidence of adequate security. I bet all they have is what everybody else has, which is red team exercises that had 3 people for a month that reported 27 serious vulnerabilities, then another red team exercise that found a different 23 vulnerabilities, then another, then another, then another, always finding new ones because their systems are actually at the 100 K$ quality level. Those exercises do provide evidence and confidence in their security: you can be extremely confident their systems are grossly inadequate for their threat landscape. I have not looked, but the same can almost certainly be said about their certifications, audits, etc., since the gold standard that everyone aspires to is, when looked at objectively, grossly inadequate.
No and no, but I was just providing a counter argument so we can get past our bias and get to the heart of the issue. Can we trust Okta going forward? Do they understand the scope? The risks? Or are they full of Id and Ego that they think they are untouchable?
Having red teams, having audits, having scans, etc. is simply not enough for some folks, but in Okta's eyes, it's enough for C-suite talks of taking authentication/authorization off the plate of their IT department.
I firmly believe for every individual who thinks they are untouchable, there’s a hacker who knows more and is willing to throw it all away to prove a point.
Great, so your argument is based on misinterpreting my single usage of the word “prove” to mean the mathematical definition rather than the colloquial definition meaning substantiated as is obvious to even the most casual observer based on how my statements talk about evidence, not logical inference rules.
I mean, do you seriously think that if person A says: "My vault is secure for 15 minutes against a human with a crowbar." And person B says "Prove it." That person A would ever respond with: "I cannot, because a vault is not a mathematical object and therefore proof is impossible, but I can substantiate it." That would be ridiculous beyond belief. That is what you are doing.
Not that I am aware of, which bolsters my point. If airsoft pellets keep ripping through everybody's "bulletproof" vests and they all keep telling you to have faith in their new vest, and no, they will not provide you any evidence that it works, then any sane person would be running for the hills. You should be completely skeptical that an entire industry that cannot even stop airsoft pellets is suddenly able to stop bullets, 354th time's the charm for sure, until they show you some extraordinary evidence. Fool me once, shame on you. Fool me 354 times in a row for three decades, shame on me.
It’s actually comical that Cloudflare is trying to blame Okta for this. A Cloudflare employee uploaded secrets to Okta’s support tool. That is what caused the breach.
'Malicious Okta employee' who already has privileged access in the systems the customer has chosen to outsource their auth to?
If an Okta employee is a high priority threat model... then the customer is better off not using Okta.
Not that it shouldn't be considered, but if Okta top-to-bottom penetration is expected and accepted, then that's taking Zero Trust to a whole new length.
It's literally a policy from Okta to investigate issues, which isn't Cloudflare's fault. The tool from Okta got compromised and all clients that needed support from Okta could/have been damaged as well.
Additionally, it was Cloudflare that SAW something was off and notified Okta. Cloudflare didn't get breached at all.
> The root cause is that Okta got compromised.
It's even surprising that Cloudflare's policies are so good in detection that they detected this at all, before Okta.
Purely anecdotal but their systems are designed very poorly, they outsource their support to some really low quality vendor (read: you get 0 support). This is not a company I would trust if I had the choice.
I was at an org who started using Okta a few years ago (left a few months later, unrelated). Among the issues, it wasn't confidence inspiring that the policies that org set (like requiring the Okta app for 2FA rather than TOTP, or enforcing certain properties about the passwords you're allowed to use) were only enforced in the browser and could easily be circumvented by just sending an appropriate request. Maybe they're fine otherwise, but my rule of thumb is that every security-critical single-point-of-failure like Okta will have major problems, and they certainly haven't presented enough evidence to sway that opinion.
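The failure mode described in the comment above, policy rules enforced only in the browser, is avoided by re-checking every rule in the server-side handler. This is an added illustration, not Okta's code; `OrgPolicy`, the factor names and the request shape are hypothetical, and the sample requests are constructed.

```python
"""Server-side enforcement of an org's auth policy, independent of any UI.

Hypothetical model: an org policy says which MFA factor types may be enrolled
and what passwords must look like. The checks live in the request handler, so
a client that bypasses the web form and posts a crafted body is still rejected.
"""
import re
from dataclasses import dataclass, field


@dataclass
class OrgPolicy:
    # Constructed example: only the vendor's push app is allowed, not TOTP.
    allowed_mfa_factors: set = field(default_factory=lambda: {"push_app"})
    min_password_length: int = 12
    require_symbol: bool = True


class PolicyViolation(Exception):
    """Raised when a request does not satisfy the org policy."""


def enforce_factor_policy(policy: OrgPolicy, factor_type: str) -> bool:
    """Reject any factor type the org has not allowed, whatever the UI offered."""
    if factor_type not in policy.allowed_mfa_factors:
        raise PolicyViolation(f"factor {factor_type!r} not permitted by org policy")
    return True


def enforce_password_policy(policy: OrgPolicy, password: str) -> bool:
    """Apply the length and character-class rules on the server side."""
    if len(password) < policy.min_password_length:
        raise PolicyViolation("password shorter than org minimum length")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
        raise PolicyViolation("password must contain a non-alphanumeric symbol")
    return True


def handle_enrollment_request(policy: OrgPolicy, request: dict) -> dict:
    """Simulated API endpoint: validates the raw request body, not the form.

    Missing keys default to empty strings so a stripped-down body fails the
    same checks instead of slipping past them.
    """
    factor = request.get("factor_type", "")
    password = request.get("password", "")
    enforce_factor_policy(policy, factor)
    enforce_password_policy(policy, password)
    return {"status": "enrolled", "factor_type": factor}
```

A crafted request that selects a disallowed factor or a weak password now fails at the handler, which is the layer the comment says was missing.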