Protecting our digital identities online has never been more important as cybercriminals have become increasingly adept at gaining access to our data. The identity and access management company Okta is working to make authentication easier for organizations and individuals with its single sign-on which provides end users with a fully customizable way to access all of the applications and services they use each day without having to remember multiple passwords.
TechRadar Pro attended this year’s Oktane 19 event where we caught up with Okta’s CTO and SVP of Engineering, Hector Aguilar who provided us with further insight into how the company is helping to keep the digital identities of its customers secure.
- Okta wants to help your business ditch passwords forever
- Okta Ventures will fund the next generation of identity startups
- Taking back control of our digital identities
What does your role at Okta entail, and how have things changed during the seven years you've been with the company?
Basically I run all technology for Okta. That means that from a service perspective, the people that are writing the code, so basically all of the developers, and the technical operations team, meaning the team that is keeping the servers running and deploying the new system, and monitoring and keeping them secure. So all of that and I also handle the internal corporate IT, which is basically the systems that power Okta as a business.
So that's my scope. Been with the company for about seven years and obviously the role has changed quite a bit. When I joined the company, it was all kind of an idea of really trying to build cloud first, multi-tenant, identity management product delivered as a service. But the team was very, very small. And frankly, the scale was a completely different place than where it is right now. And I think that's one of the things that has changed my job quite a bit, because it's not the same thing if you're dealing with a system that scales through, I don't know, a thousand users, versus a system that scales through 10,000 users. That alone is very different.
Now, if you fast forward seven years and make a system that scales to hundreds of millions of users, it's a completely different ball game. Now, the architecture has evolved over time. We have taken account of the good things that we were doing 10 years ago and made them better, but also we have learned to adopt new technologies to really deal with the scale that we have right. I don't think eight years ago, dealing with something like Albertsons, MLB, Major League Baseball, was impossible with the architecture that we had at that point. But now we're basically looking into even bigger scalability requirements now.
Can you give us a bit of insight into the war game simulations you put new engineers through?
So the war games are very important, because when you're building a platform, you never really know... You're always designing for the unknown, you don't really know how people are gonna be on your platform, and if somebody's attacking you don't really know how they're gonna be attacking you. And so war games I think are a very important part of our culture because we wanna get people to operate on their, a high degree of stress. There is a problem in the system, you need to be very fast at troubleshooting, you need to be very fast at basically correcting it. You need to be very fast at asking for help if you don't know what's going on.
The war games are a really great simulation because we're trying to basically get that stress level to our employees, to make sure that they can actually operate. And again, maybe if they don't know what's going on that they know how to ask for help, and they know what are the roles of people working on an incident, because you cannot ask for... It's too much to ask for a single engineer to deal with the incident while you say, "Well this is a database problem I need some DBAs." Well, then you need to have an incident response manager getting the DBAs on line so they can help.
So incident response for us is incredibly important, and because of that we have to go through this exercise just to make sure that people get into the groove of what an incident response is at Okta, because we have to be maniacal about that. We have war rooms. We have roles and responsibilities for incident response, and so doing this simulation is to basically try to get people to that kind of level of focus on one of the things that is the most important for us, which is making sure that we're reliable and robust, and we're always focusing on providing this service for our customers.
What role do you think emergent technology such as blockchain can play in protecting identity?
Blockchain is very interesting. I think it's very new, and it's kind of still in its infancy. There's a lot of hype around it. It's a great concept, it's an absolute great concept, and we're basically paying intention and making sure that we can contribute, and know what's going on. You heard the keynote presentation, all of us kind of decentralized the internet. It's very, very important for identity. And so we are definitely involved and being in touch with that. It's still in its infancy. So, is it gonna change the world? I think in some industries it will.
In identity it might. And I think as Okta, our responsibility is that we need to be there when it happens, and that's why we basically have to... Keep our eyes open, and to make sure that we follow it. The concept is revolutionary, making sure that you have a decentralized identity, is fantastic. And I think we definitely need to participate on that. There are other things that it doesn't solve. Because you still need somebody that takes care of all of the integrations, and somebody that is responsible, and accountable for making sure that the integrations work. And I think there is still a lot, about identity that is beyond just the blockchain. There's a lot of other factors. And I think, that's when we still believe, Okta has a big part to play in that as well.
How has Okta's, single sign-on helped businesses improve their security posture?
So there used to be a time where you had to sign up for all of these services. And then you had to go through different policies for your password. And one of the ways that you could do that is that you can sign up, and use the same password everywhere. And so, let's say, you use 10 different applications, and you're using the same password for all of them. The problem that... Then you basically create 10 points of breach. If one of them gets hacked, you're already hacked. And so the reality is that with a new, kind of more modern approach of single sign-on, where there is no real password exchange, it's all about trust and certificates.
Then, if one of your applications gets compromised, none of the other ones are compromised. And that is a huge step in the right direction. Because the problem with the old traditional way of basically having all of these accounts, is that you're leaving the security of all of those accounts to the user. That the user had to sign up for the services, and they have to select their password. And not only that, you also had to comply with the policy of that third party. So, you were basically letting the security be a responsibility of your user and your cloud provider, whatever cloud provider that is.
With single sign-on, and things like OpenID and SAML, you basically centralized through strong authentication. And then not only you're taking that responsibility from them and basically putting in a central place, but also in that central place you can enforce policy, you can enforce multi-factor authentication. So not only you make it better, but you also can add policy that creates even stronger authentication for those users. So you can say, "Now, to access this particular application, not only you don't have to select your own password, but we can actually put it behind an MFA policy." So now you can do strong authentication on top of that. So, at the end of the day it's a huge, huge step forward. And I think, the good news is that the industry is moving there. So our responsibility as a provider, follow these single sign on protocols. Is that we need to make it very easy, and very convenient for people to just adopt it.
We have actually seen really, really great adoption of these new standards and so we are basically contributing to the security posture being better for our customers. The customers do not have to care anymore. This just happens magically. You're magically more secure. There's nothing better than that.
Do you think that more businesses will adopt physical security keys given how successful they've proven to be? Say, for instance, at Google, where they use them to stop phishing?
I think they will, but only if the experience is awesome. If your enrollment is a pain, if it's not convenient because you need to use a specific browser or you need to jump through some hoops to be able to make it work. Or if it doesn't work... If it only works on a specific operating system, then I think it's gonna be a problem. And I think our responsibility as Okta is making sure that our strong partnership with companies like Yubico, so that it's very convenient and it's just... You stumble upon it. It just works, and it's really beautiful. And then, of course, you're going to use it. But I think it's not can be adopted unless we, as an industry, make it very easy and transparent for customers to use it. Because I think customers wanna be secure. At the end of the day, nobody wants to be catfished.
And also, it makes you feel like you're not smart. If somebody compromises your account, you feel like, "Oh man, I was hacked. What did I do wrong?" So I think as an identity management service, you need to basically provide the tools for your users so that they are secure, but it's not inconvenient and they almost kind of a stumble, and trip over security, rather than, something that they need to go through. It's just like it's there. You're just walking, you're just secure. And I think that's our responsibility as a company, and we spend a lot of time making sure that the user experience is just absolutely fantastic because if it's annoying to us, it's probably annoying for our customers and our users.
What are your thoughts on the California Consumer Privacy Act? And do you think the US is gonna adopt greater data protection regulation anytime soon?
I think we should and I think we're prepared to do that. I think it's important that people know what is happening to your data and I think as a company, it's important for us to be very clear about the data that we keep and the data that we would delete and when it's needed, and data that is gonna age out for services. And also, I think it keeps everybody honest and that is very, very important because I don't want my data to be in places where I don't want it to be. I wanna know what people are doing with my data. I wanna make sure that if I want you to delete my data, my data better be deleted. Especially with authentication, especially with what we do.
We know a lot of our users because it's identity. An identity, it's obviously personal. We know your first name, last name, email and for some of our customers, we may even capture more about you because we have the Universal Directory feature, which is awesome, because we can store encrypted stuff there. You can put more profile, but at the end of the day, it is very, very valuable for a end user, and we know a lot about it.
For us, we spent a lot of time when the GDPR regulation started and we put a lot of our resources making sure that we could trace all of our places where we are storing personal data, and we can guarantee and test that we are gonna remove it when needed, or we at least track it and we're very transparent about what we do with that data. I think it's a good thing. From a technology perspective, it's really hard, because again, we have to spend a lot of resources and they can show the way you got it right. And it's also evolving so we need to make sure that we keep documenting every time we capture any piece of information and basically, the data flow of everything that flows through our system, but it's necessary.
One last one, on that kind of the same note, do you think that businesses in the US have learned from watching their European counterparts struggle to comply with GDPR?
Absolutely, yeah. But most companies in the US I think will have some sort of kind of customers in the EU, which is something that happened to us, where we needed to care that regulation even though we're not, we're not there.
Even if it doesn't apply to me personally, we have to deal with that or we need to deal with those issues. There's a lot to learn and I think it's definitely in the right direction. Again, it's painful. I mean, from a technology perspective it's very painful. There's a lot of research that you need to apply, but it's kind of necessary. And it actually makes you feel better, that at least somebody's thinking about it, and at least my data is gonna be safe and people are talking about it. So from an engineering perspective, yeah, I had to look at a lot of resources to make it happen, but it makes you feel good about it
- We've also highlighted the best ways to share files securely