What is Okta?
Okta is an identity and access management (IAM) service built for the cloud.
It connects any person with any application securely through its features, such as:
- Single Sign-On (SSO),
- Active Directory (AD) and LDAP Integration,
- Multi-Factor Authentication (MFA),
- User Management,
- B2B Integration for 3rd party access,
- Mobile Identity Management, and others.
Okta Security Best Practices for Cloud Access
Okta can be configured as an external identity provider to enable SSO in the cloud.
Let's look at the best practices recommended by Okta and how you can make sure you're implementing them correctly to secure your cloud environment and keep your solutions protected.
1. Use multi-factor authentication (MFA)
An employee uses a weak password for their accounts. The password was cracked through a brute-force attack by an attacker.
The employee re-uses their password for Okta SSO, and MFA is not implemented in the company, so the attacker now has full access to all of the employee's accounts.
MFA is a type of authentication that requires an entity to provide at least two different types of credentials.
They should be of the following:
- What you know (example: a PIN)
- What you have (example: a security token)
- What you are (example: a fingerprint)
Okta recommends you use a one-time password or a biometric verification in your authentication scheme in order to add an extra layer of security.
2. Stop using passwords
An employee writes their password on a post-it note and leaves it on their desk.
An employee from another department finds it and can now login into the employee's account.
Passwordless authentication is possible by providing a public identifier (such as a username or an email address) and then using a different way of proving your identity (through a phone or a token, for example), thus eliminating the use of passwords.
This type of authentication is secure because:
- Weak passwords are no longer a concern for your company
- Solutions for password storage are not an issue anymore
- The credentials cannot be breached; therefore, you're reducing the number of points of failure
Okta suggests solutions that can help you go passwordless. You can use:
- Okta Fastpass, which allows you to authenticate passwordless from any device or location to any Okta-managed application;
- WebAuthn, a standard that simplifies authentication.
3. Manage user access by following the Least Privilege Principle
Although they do not require such privileges, an employee was assigned administrative rights.
The employee accidentally deletes an asset—this action results in permanent data loss.
The Least Privilege Principle states that users should not have more permissions than they require to perform their tasks.
User access control management is a security best practice recommended by Okta that helps minimize the risk of data breaches or accidental misconfigurations.
For example, a regular user should not have administrator rights unless they need them for daily tasks.
Make sure to restrict users as much as possible in accordance with their jobs.
4. Ensure the Separation of Duties
The administrator goes on vacation. They are the only ones with administrator privileges.
A critical vulnerability appears in the cloud infrastructure, but nobody has the necessary rights to patch it. The administrator cannot be contacted and is out of the office for a few weeks.
The Separation of Duties Principle helps eliminate a single point of failure by assuring no entity has the rights to execute a critical task by themselves.
Configuring at least two administrators eliminates the single point of failure. It ensures that if one of them is missing, the other can still perform tasks requiring administrative privileges.
5. Monitor activity
An attacker manages to gain control of an employee's account and authenticates from a different device or an unusual location.
This authentication is logged, but the logs are not carefully monitored, so the breach goes undetected.
The hacker can now move laterally and compromise workstations, databases, and other accounts without raising any alarms in the company.
Logging and monitoring are two features that should be implemented in your cloud environment.
These technologies can help you identify suspicious behavior, such as:
- an impossible log-in, for example when a user authenticates from two different parts of the world in a few minutes,
- a user connecting to an application from a different device than expected, and others.
Okta recommends that you constantly look for odd activity in your cloud infrastructure and make sure you take actions when you identify them, such as verifying a user's identity through MFA.
6. Automate onboarding and offboarding
A software developer leaves the company, but their account is not correctly deprovisioned.
They can still contribute to GitHub repositories and modify production code.
The process of onboarding or offboarding an employee can be tedious.
There should be a well-defined set of steps when an employee leaves the company. Automate as many of them as possible, to make sure that:
- You correctly deprovision their account, and
- They cannot access and make changes to your systems anymore.
Are you following these best practices in your company?
With Cyscale, you can detect drifts from some of these best practices recommended by Okta.
Cyscale checks if access to your cloud environment is correctly configured and is implementing the following:
- Multi-Factor Authentication (MFA),
- Logging and monitoring,
- Access control,
- Strong credential policies and many more.