Clarifications on #PassBleed and the Value of Monitoring the IAM Layer

21/07/2022 • Gabriel Avner

On Tuesday (July 19, 2022) we published our research on the #PassBleed security risks in Okta. Okta’s SVP of Product Management, Arnab Bose, published a very detailed set of advisories and best practices to help customers use Okta securely.

Authomize is the Cloud Identity and Access Security Platform. We make it exceedingly easy to secure all of your cloud apps and services in any environment. If you missed our initial research, then take a look at our detailed breakdown and our shorter explanation. You are also invited to join a Live Webinar with our CTO, Gal Diskin, to review the risks, and how to identify and mitigate them.  

One of the risks described in our research is the ability to extract passwords in clear text. 

Using passwords in clear text has its merits. It allows Okta to provide its customers a flexible solution that can handle a wide range of use cases and integrations. 

To mitigate the risks of this approach, customers are advised to monitor their environment and make sure it is not compromised. 

We at Authomize strongly believe that this is not just a best practice, but rather essential to protect your cloud environment from identity-related cyberattacks. Just like organizations would not think about running without email security, network security, and data security solutions, an independent security layer for cloud identity and access will become a no-brainer.

Okta’s Advice to Customers — Great Practices that Authomize fully supports (on our platform)

In his list of best practices for Okta customers, Arnab lays out eight points. 

Here are the top three: practices that we not only consider great, but have incorporated into our product to make them easier to follow and enforce.

  1. Always use HTTPS and enable MFA for all user accounts. Set up these policies in Authomize to continuously monitor them and ensure they are enforced across your IaaS, SaaS, and IdP solutions.
  2. Periodic access reviews are essential for ensuring that everyone in your organization has the right, secure level of access. They help to create the baseline for moving forward in establishing and maintaining a state of Least Privilege and reducing your threat surface. 

    Authomize helps customers streamline and automate access reviews to save thousands of man-hours, and provides ML-generated rich context for faster and better decision making around the right level of access.
    Read here how Authomize automates access reviews to save organizations hundreds of hours and perform more accurate reports that security teams and auditors trust.  
  3. Monitoring activities of admins and all users across the cloud environment is required in order to detect suspicious behavior. Authomize provides continuous monitoring and analysis of all activities to identify and respond to threats. 
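The three practices above (MFA everywhere, a reviewed and approved set of privileged accounts, and continuous monitoring of admin activity) can be expressed as detection rules over an identity activity log. The script below is an added example written for this page, not Authomize's or Okta's code. It uses a constructed, simplified event schema (`ts`, `actor`, `actor_roles`, `event`, `target`, `mfa`) and constructed event names and role names; Okta's System Log uses its own field names and event types, so a real deployment would map those into this shape first. The approved-admin allow-list and thresholds are likewise assumptions for the example.

```python
"""Minimal IAM activity monitor: flags suspicious identity events.

The event schema, event names, role names and sample data below are
constructed for this example; they are not Okta's System Log format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (JSON lines). bob holds an admin role that is not on
# the approved list, signs in without MFA, removes another user's MFA factor
# and then reads credentials from several apps in quick succession.
SAMPLE_LOG = """\
{"ts":"2022-07-19T09:00:00Z","actor":"alice@example.com","actor_roles":["SUPER_ADMIN"],"event":"session.start","target":"alice@example.com","mfa":true}
{"ts":"2022-07-19T09:05:00Z","actor":"bob@example.com","actor_roles":["APP_ADMIN"],"event":"session.start","target":"bob@example.com","mfa":false}
{"ts":"2022-07-19T09:06:00Z","actor":"bob@example.com","actor_roles":["APP_ADMIN"],"event":"mfa.factor.deactivate","target":"carol@example.com","mfa":false}
{"ts":"2022-07-19T09:07:00Z","actor":"bob@example.com","actor_roles":["APP_ADMIN"],"event":"app.credentials.read","target":"app:payroll","mfa":false}
{"ts":"2022-07-19T09:07:30Z","actor":"bob@example.com","actor_roles":["APP_ADMIN"],"event":"app.credentials.read","target":"app:crm","mfa":false}
{"ts":"2022-07-19T09:08:00Z","actor":"bob@example.com","actor_roles":["APP_ADMIN"],"event":"app.credentials.read","target":"app:erp","mfa":false}
{"ts":"2022-07-19T10:00:00Z","actor":"dave@example.com","actor_roles":["READ_ONLY"],"event":"session.start","target":"dave@example.com","mfa":true}
"""

# Assumed baseline: the output of a periodic access review, i.e. who is
# *supposed* to hold an admin role right now.
APPROVED_ADMINS = {"alice@example.com"}
ADMIN_ROLES = {"SUPER_ADMIN", "ORG_ADMIN", "APP_ADMIN"}
# Events that expose credentials or weaken authentication (constructed names).
SENSITIVE_EVENTS = {"app.credentials.read", "mfa.factor.deactivate", "admin.role.assign"}
BURST_THRESHOLD = 3                 # sensitive actions ...
BURST_WINDOW = timedelta(minutes=5)  # ... within this window


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def analyze(events):
    """Return (severity, actor, reason) findings for the rules below."""
    findings = []
    flagged_unapproved = set()            # report an unapproved admin only once
    recent = defaultdict(list)            # actor -> timestamps of sensitive events
    for e in events:
        actor, roles, ev = e["actor"], set(e["actor_roles"]), e["event"]
        is_admin = bool(roles & ADMIN_ROLES)

        # Rule 1: admin role held by someone the access review did not approve.
        if is_admin and actor not in APPROVED_ADMINS and actor not in flagged_unapproved:
            flagged_unapproved.add(actor)
            findings.append(("HIGH", actor, "admin role outside approved list"))

        # Rule 2: privileged session established without MFA.
        if ev == "session.start" and is_admin and not e.get("mfa", False):
            findings.append(("HIGH", actor, "admin session without MFA"))

        # Rule 3: MFA factor removed from a *different* user's account.
        if ev == "mfa.factor.deactivate" and e["target"] != actor:
            findings.append(("HIGH", actor, f"MFA factor removed from {e['target']}"))

        # Rule 4: burst of sensitive actions by one actor inside the window.
        if ev in SENSITIVE_EVENTS:
            window = recent[actor]
            window.append(e["ts"])
            window[:] = [t for t in window if e["ts"] - t <= BURST_WINDOW]
            if len(window) == BURST_THRESHOLD:
                findings.append(("MEDIUM", actor,
                                 f"{BURST_THRESHOLD} sensitive actions within {BURST_WINDOW}"))
    return findings


if __name__ == "__main__":
    for severity, actor, reason in analyze(parse_events(SAMPLE_LOG)):
        print(f"[{severity}] {actor}: {reason}")
```

Rule 1 is where the access-review baseline and the monitoring layer meet: the review produces the approved-admin set, and the monitor turns any drift from it into an alert rather than waiting for the next review cycle. Rules 2 to 4 are the kind of behaviour a cloud identity monitor should raise regardless of whether the IdP vendor classifies the underlying capability as a vulnerability or as an accepted risk.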

Rethinking Security Risk Appetites in IdPs

Okta’s response to our research was that the risks we found are not categorized as vulnerabilities. A few thoughts on that:

  • Are these not vulnerabilities but inherent security risks that are part of Okta’s operational risk assessment? 
  • If so, then how are they thinking about the balance between the usability needs of their customers to do as much as possible with minimal friction and the acceptable security restrictions? 
  • Do we maybe need to ask the question of how we secure our critical IAM infrastructure?

From my POV, the answer for Okta, and for every IAM solution out there, is pretty clear. They are going to choose to build a product that allows their customers to do more, even if it increases risk.

And that is probably the right way forward.

Okta customers have embraced them because they make it easier and overall more secure to manage their identities and access. Tools like SSO and directories for provisioning access privileges are not only essential, but they play an extremely positive role in making us all more secure and productive. 

We believe that Okta, and IdP and SSO solutions in general, need an extra layer of security to make sure that their customers have the visibility and control to mitigate the inherent risks that come with using them. 

Think about it like the cloud. 

The business case for using IaaS and SaaS, in terms of productivity, flexibility, and all the other positives, is clearly there. As an industry, we accept the risks that come with using these tools and deploy security solutions to protect our clouds.

We need to do the same for IAM.

Where Do We Go Next?

Gartner has already coined the term Identity Threat Detection and Response (ITDR) for this new category of solutions that will work to protect IAM products from being exploited themselves. We think that Gartner is on the right track and have embraced this new category. You can read our thoughts on it in this post.

If you are interested in learning more about how Authomize can help you secure your Okta and everything else in the cloud, please fill in the form below to request a FREE assessment.

FREE Risk Assessment

Join our FREE Assessment to:

  • Detect if your Okta is configured securely
  • Assess if you have likely been impacted by these risks
  • Establish a secure IdP posture
