Okta Selected for NCCoE’s Implementing a Zero Trust Architecture Project

Okta recently conducted a Zero Trust survey, polling 600 security and business leaders from around the world on how Zero Trust security fits into their current frameworks and roadmaps. According to that report, in 2020, 41% of organizations said they were working on a Zero Trust initiative or intended to start one in the near future. This year, that number spiked to 90%. 78% of respondents called it out specifically as an area of growing priority, and are committed to increasing their investments in it.

As part of a growing effort to help organizations adopt this mission-critical security framework, Okta was included in a group of vendors selected by the National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) for their Implementing a Zero Trust Architecture Project.

The goal? To develop practical, interoperable approaches to designing and building Zero Trust architectures that align with the tenets and principles documented in NIST SP 800-207, Zero Trust Architecture. The proposed example solution(s) will integrate commercial and open source products together that leverage cybersecurity standards and recommended practices to showcase the robust security features of a Zero Trust architecture applied to several common enterprise IT use cases.

A Zero Trust approach to security is no longer just a suggestion. It's essential. With the entire country focused on staying protected from the onslaught of adversaries and attackers, it’s become clear that prioritizing a Zero Trust mindset and model is the best defense. Okta is proud to partner with NCCoE and other collaborators to help both agencies and enterprises realize their Zero Trust vision.

NIST 800-207: The Zero Trust Approach

When NIST 800-207 was issued back in September 2019, we had no idea what was about to befall us. We had no idea that, in just a few short months, we would be shown the ever-present “why” we all needed to embark on this journey. However, we did know that the NCCoE was going to be working on some representative architectures to help government agencies and private enterprises with the overarching Zero Trust question that has been percolating in our minds over the past two years. 

That all changed when the pandemic started. The rapid adoption of remote access and cloud tools means that organizations could no longer operate within a network perimeter-centric view of security. Instead, they must securely enable access for various users regardless of their location, device, or network.

Enter NIST 800-207: The Zero Trust approach (ZTA). As NIST 800-207 outlines, Zero Trust security is intended to ensure the right people have the right level of access, on the right device, to the right resources, in the right context. The concept of “never trust, always verify” means organizations can no longer assume trust based on whether or not the user is on the agency network. Zero Trust is the logical step in reinstating secure access in a way that removes the dependence on physical presence.

Identity is the foundation of a modern, Zero Trust approach to security. Building out a Zero Trust security framework is essential for all modern organizations, including government agencies worldwide. The existing technology debt that government agencies bear combined with the rise in the number of cyber attacks and the need for agencies to enable their distributed workforces have increased federal agencies' challenge to protect against today’s cyber threats. This challenge is apparent in light of several recent security incidents affecting government agencies. In response to these challenges, the White House issued an Executive Order (EO) on May 12, 2021, to improve the nation’s cybersecurity posture.

Okta and Zero Trust

There is no single technology that solves for all challenges related to a Zero Trust strategy, which is why projects like the NCCoE’s Implementing a Zero Trust Architecture are so critical. For many organizations, Okta’s policy engine serves as the core Zero Trust control plane, enforcing strong authentication to applications, APIs and infrastructure (all both cloud and on-prem), helping to reduce the risk of breach. Equally importantly, we also work closely with security partner technologies to offer additional insight and capabilities for managing the security of organizations. These partnerships focus on two key areas:

Okta Contextual Access Management

Today, Okta’s Risk Engine comprises ThreatInsight and Risk-Based Authentication. Okta ThreatInsight, which launched in 2019 as a part of Okta’s Insights Platform Service, serves as our threat detection and response system. It leverages data from the Okta customer network, admins, and end-users to protect customers from identity attacks. Risk-Based Authentication launched in early 2020 and takes into account our own risk signals on IP, user, and device state to generate a risk score that can be evaluated against policy. 

Risk Signal Sharing and Orchestration 

Okta is also investing in ways to further integrate third-party risk signals (i.e., WAF, bot detection, fraud, or other threat feeds), to layer identity into the evaluation of security posture to provide higher confidence in risk assessment as well as expand options for enforcement: for example, step up authentication for a high-risk login instead of denying access. 

Through the Okta Integration Network, Okta invests in and maintains deep integrations across components of the Zero Trust ecosystem. This expansive category of integrations supports a best-of-breed, vendor-neutral approach. Examples of integrations include: 

  • Skyhigh and Netskope as cloud security gateways for data security;
  • Palo Alto Networks and Cisco for network security;
  • VMware, CrowdStrike, Tanium, and Carbon Black for endpoint security;
  • Splunk, Sumo Logic, and IBM QRadar for analytics; and
  • ServiceNow and Splunk/Phantom for orchestration.


As a leader in identity and access management, Okta can support organizations through their Zero Trust security journey. Okta can help organizations build and implement a comprehensive identity-driven security strategy that ties the complexities of protecting people and assets together in a seamless experience.

To learn more about how Okta can support your Zero Trust journey, visit https://www.okta.com/zero-trust/.


Okta is collaborating with the National Cybersecurity Center of Excellence (NCCoE) in the Zero Trust Cybersecurity: Implementing a Zero Trust Architecture Building Block Consortium to develop practical, interoperable cybersecurity approaches that address the real-world needs of complex Information Technology (IT) systems. NIST does not evaluate commercial products under this Consortium and does not endorse any product or service used. Additional information on this Consortium can be found at: https://www.nccoe.nist.gov/projects/building-blocks/zero-trust-architecture.