At Okta, we run compliance differently. Most organizations place compliance under either the legal or finance team, who don’t work with their security team to ensure those controls are implemented effectively. At Okta, we use security to drive compliance.
Compliance is complex and regulations are a moving target, with GDPR and other privacy standards demanding significant changes from organizations. Okta continually increases its regulatory and compliance scope to meet the growing needs of our customers and help their IT teams focus on more strategic work.
We flipped compliance on its head
Traditionally, engineers implement each control framework individually—a method that doesn’t scale and isn’t secure. Frameworks can have competing requirements: financial regulations may have you remove accounts that aren’t being used, whereas FedRAMP asks that you to retain them.
At Okta, we look at our environment and map it back to the controls, instead of applying controls to our environment. We then build a controls database, which we map to the compliance frameworks that we want to achieve. That lets us move quickly—we completed our FIPS validation project in just three to four months.
Through our partnerships with AWS, we are able to inherit their physical security controls for our data centers. By building on their third-party audit reports, we take those controls off our plate and focus on what we do well. Our customers can then inherit those same capabilities.
The lifecycle of access control
At Okta, we’ve mapped lifecycle management to our SOC 2 report, and have specific regulatory controls that test each area of the employee lifecycle.
New hires are automatically provisioned on Day One, and given access to the systems they need to be productive immediately. Workday is connected to our learning management system, keeping us compliant by ensuring that users only get access to sensitive information once they’ve completed mandatory security training.
Traditionally, role changes were managed by IT, and were a timely process that could compromise an individual's ability to do their job. With Okta, a team can have ownership of an access workflow and add new members to systems without having to wait for IT.
For deprovisioning an employee, termination tickets come from HR, and Okta’s Lifecycle Management tool automatically shuts off access to every application under the employee’s single sign-on (SSO) simultaneously. This makes the Okta dashboard the one place auditors need to access to see that employees are properly offboarded.
Okta’s automations feature is built on a lightweight workflow engine that lets you build access reviews into your environment and can automatically disable an account that, say, hasn’t been touched in 30 days.
Auditing made easy
For Okta customer Medallia, audits were once a complex and painful exercise that required the use of cumbersome tools to export active directory. Once Medallia onboarded Okta, they were able to answer the two core questions of the audit—are any departed employees still active? do the right roles have access to the right things?—with a handful of screenshots from Okta’s dashboard.
Where generating this evidence used to take hours of observation and screenshots from multiple systems, Okta showcases the entire workflow, making for an easier audit experience for companies and auditors alike. With Okta’s automated Lifecycle Management, compliance and audits become simple tasks, without the time and effort that impacts productivity in the departments that need it most.
To learn more about Okta Lifecycle Management, check out our datasheet on the subject.