“Okta parses passwords in clear text”: what does that mean to me?
This is really NOT an Okta problem but an industry problem. In my industry, cloud SSO authentication should always, and only, be against known “good” authenticators such as Microsoft, Google, Apple and others for all cloud-based SSO. Passwords should never be out in the open. Just like on the Serengeti, which I previously wrote about here, don’t be out in the open, because someone or something is always watching you 👀.
The Okta article is here on Dark Reading and is interesting for a number of reasons, none of which are problems with Okta; they are problems with interoperability between platform players, as well as our desire to avoid “agents” in all cases.
The cyber attack use case proposed in the linked article is more likely than unlikely, as many organisations are still not thinking in a Zero Trust, least privilege architecture model for application access.
I want to repeat my opinion that Okta is not the problem here; their platform is just an indication of a bigger industry problem with Single Sign-On. All application developers and vendors must start living and breathing secure by design in their products.
Looking to the future, one very important aspect that all organisations looking to implement new platforms should add as a critical decision point is: does the vendor application I am purchasing support Single Sign-On through SAML or another federation protocol? Where the answer is no, a serious discussion needs to be had around whether that vendor solution is the right one for your organisation.
If you have on-premises applications that need the protection of Single Sign-On and secure access from the internet and non-domain-joined machines, then review Azure Application Proxy here. Azure Application Proxy is part of M365 Business Premium and the E3 and above licences, and is a great way to secure legacy on-premises applications behind Azure Active Directory.
Single Sign-On will improve your organisation’s security and help with cyber security maturity by:
- Centralising the identity store (no forgotten passwords)
- Making multi-factor authentication easy to implement via the identity provider
- Allowing many forms of risk-based conditional access policies to be implemented
- Providing an easy route for third parties to access your platform if desired
- Allowing access to be reviewed regularly, and therefore minimising privilege creep
- Ensuring that the credentials are safe
The Zero Trust network architecture requires least privileged access to be enforced and identities to be verified every time they are used (I dislike “explicitly”, as I am not at school anymore being told off by the headmaster!).
Ensuring that your software vendors can use these identity stores enables your business to leverage its single source of identity truth to provide the right access, “just in time” for privileged users, as well as a full audit of all activities.
The Australian Cyber Security Centre is still catching up to this in their 38 mitigations; do not wait, and start looking at how you can secure your apps today.
If you are still here…
As a side topic, this article I came across recently is quite interesting in regards to who charges for Single Sign-On. Vendors need to make money, as without cash there is no product.
My question is: wouldn’t Single Sign-On reduce password resets, role changes and helpdesk tickets to the provider, make the application cheaper to develop (by dropping the bespoke authenticator), make their application more secure, and give their users a better experience overall? Personally, I think it would be a step forward for everyone to integrate third-party Single Sign-On at no cost.