Beyond compliance: Elevating Okta’s ESG with security and trust

As the front door to all digital interactions, Identity is the connection between people and technology. Over the last 15 years, Okta has built an incredible ecosystem across our nearly 19,000 customers. Those customers trust Okta to connect their most precious assets: their employees and customers, and they trust Okta to do it securely while safeguarding their privacy. But security and privacy aren’t just features of Okta products; they underpin these critical connections and build the foundation of trust with our stakeholders. 

Security and privacy are core to Okta’s vision: To free everyone to safely use any technology. “Everyone” means ensuring digital access for all. “Safely” means secure access and protecting the right to privacy. In an increasingly digital world, where our lives are moving online for employment, banking, health, education, commerce, and more, the role of trust in these connections has only increased. Security and privacy are the prerequisites for establishing trust. 

Given the importance of privacy and security to our business, it’s no surprise that they’re two of Okta’s most relevant Environmental, Social, and Governance (ESG) issues. In an effective ESG strategy, the most material ESG issues are also the most material business issues. The goal of our ESG program is to foster responsible and sustainable business practices across all aspects of the company that positively impact society and contribute to Okta’s financial success.

Few people spend more time thinking about the relationship between security, privacy, and trust than Ben King, VP of Customer Trust at Okta. To better understand Okta’s approach to security and privacy across the business and within our ESG framework, I recently sat down with King. 

What does trust mean to you?

“From my time working in cybersecurity and technology strategy, I’ve settled on a definition of trust as the combination of establishing a commitment to act in a certain manner … and then doing everything in your power to meet that expectation. An individual or organization must have the capability to carry out what’s expected of them, and of course, they need to be competent, and they also need to establish that they will act in a certain way regardless of the external factors at play. 

You can validate this from historical observations, or even more tactically through third-party attestations, which brings in themes such as integrity, where you have a demonstrated track record of acting in a certain way, again regardless of what else is happening in the world. Because being trustworthy when it’s entirely in your interest isn’t really a compelling skill. It’s the commitment to sharing potentially tough news that shows you can really be trusted. 

At Okta, I believe we’re fully committed to showing you both the things we feel great about, the features and products we’re delivering, but also when there are missteps, we’re going to share that with customers as well. Our customers expect transparency so they can trust and verify we’re living our values here. 

I’d also think trust is fundamental to security and privacy leadership, success in a digital world, and mission critical to Okta. Customers need to trust that our service is reliable and secure. A safe and secure digital Identity enables people to be productive at work, and provide the best user experience for their customers. 

Trust drives better outcomes for our customers, our partners, our employees, and our communities, which drives better business outcomes for Okta as well. Without trust, the tools and services we rely on as a global community fall apart rather quickly.” 

Why do you work in trust and security?

“In the world we live in, I think there’s no aspect more important to get right than securing our digital identities. I find it incredibly motivating to think I can be part of the solution to that because we’re really talking about the underpinning of the world economy here.

If you can’t trust your data online, or you can’t trust that when you’re interfacing with a company that it’s a secure transaction, then what’s the next step? Not transacting online? Or not having a digital identity? When people start making those types of choices, opting out of trust exchanges, it's because they don’t believe the systems that are intended to protect them are doing so. 

Then you’ve got a really massive problem on your hands. Getting to work on establishing and maintaining trust is incredibly motivating, because the alternative isn’t remotely sustainable or positive.” 

What does your team do at Okta, and why is it important to our customers?

“In early 2022, I created a team within Okta Security with the sole ambition of strengthening security outcomes for Okta customers as well as the communities they support. One of the ways we do this is by communicating best practices when using Okta, or across cybersecurity more generally, and by championing feedback from customers to continually improve our products. 

I call this service ‘Customer Trust,’ and from an external point of view, whether it’s customers, partners, supply chains, or communities, that trust is the glue that provides Okta operational cohesion. 

Okta’s vision is ‘to free everyone to safely use any technology,’ and we do this by providing the world’s leading digital Identity service. But we know that customers don’t love Okta just because of the technical provision of a digital Identity, they love Okta because we provide a service they can trust is available and secure.”

How is security connected to ESG at Okta?

“Okta demonstrates commitment to social and environmental wellbeing via our ESG program. Security and trust have a massive part to play here, alongside Risk, Privacy, Ethics, and the even broader environmental and social goals. 

Historically, Okta has demonstrated Security fundamentals within our ESG program by demonstrating security and privacy compliance supporting a variety of international, industry-recognized regimes, such as ISO certification and FedRAMP authorization.

In addition to reporting compliance, we’ve also made a Secure Identity Commitment to customers, which is intended to facilitate better security outcomes for Okta customers, their communities, and the technology industry more broadly.”

How does Okta make the world a safer place? 

“Okta is at the forefront of the fight against Identity-based attacks. Okta ThreatInsights has detected and prevented over 2 billion malicious requests in the last 30 days alone. We’ve reduced credential stuffing attempts and malicious bot traffic by more than 90% for some of our largest customers just over the past 90 days.

At Okta, we see strong Identity as a fundamental requirement for a safe digital future. Three initiatives that enable this future are:

  1. Subscribing to Zero Trust frameworks: Within our products, trust is not assumed within a system, but established every time access is requested in a process cognizant of assets being requested, user context, and risk of access. 
  2. Offering phishing-resistant authentication: Okta offers a choice of authenticators that meet the NIST definition for phishing resistance, including FIDO2 WebAuthn, Okta Verify FastPass, and Smart Cards, allowing for strong defense against this growing attack vector for Okta and our customers. 
  3. Championing an industry shift towards passwordless: Modern authentication using secure factors such as FIDO2 WebAuthn and Okta Verify FastPass supports biometric authentication that is the perfect enabler for entities seeking to go passwordless. These secure factors, when combined with login context (e.g. user, device, location), can remove the requirement for a password in the authentication process in a Zero Trust aligned decision based on risk of access and strength of authentication required. A passwordless future can offer improved security outcomes and a better user experience at the same time.” 

How is Okta contributing to the broader security landscape?

“Okta recently made a public Secure Identity Commitment to lead the industry in the fight against Identity attacks. We're already securing more than 19,000 customers, and we're continually evolving in the fight against Identity-based attacks.

We have made available the definitive steps we’re taking to fight against Identity-based attacks and empower our customers and the industry to identify and mitigate emerging threats. Our commitment covers:

  1. Investing in market-leading products and services
  2. Hardening our corporate infrastructure
  3. Championing customer best practices
  4. Raising the bar for our industry

Designing Okta’s security controls to meet our own high standards enables us to meet the requirements of our customers, and also to improve the baseline for all customers using Okta and the broader ecosystem. This network effect is important to trust at Okta, to building secure connections, fostering a vibrant ecosystem, and to achieving our vision of freeing everyone to safely use any technology.

For example:

  1. Since its launch in 2021, Okta has been part of Minimum Viable Secure Product (MVSP) to provide a vendor-neutral application security baseline, designed to eliminate overhead, complexity, and confusion in the end-to-end process of onboarding third-party products and services.
  2. Okta develops solutions with partners, such as Google and Splunk, to assist with exporting Okta data to third-party solutions to improve overall security.
  3. Okta participates in and contributes to the OpenID Foundation, a non-profit open standards body developing Identity and security specifications that serve billions of consumers across millions of applications.
  4. Okta participates with global standards bodies such as the Cloud Security Alliance (CSA), a non-profit organization whose mission is to "promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."

Clearly, the importance of trust is only increasing in the digital space, which means that the validation of trust, in the form of governance, will continue to be a primary focus over the next decade. At Okta, we believe establishing trust contributes to societal outcomes that are positive, and we value and model transparency as the means through which we keep customers informed.

And while we're protecting many of the world's largest organizations and governments, it's also imperative we protect those who may not have the same access to security expertise, such as non-profits and the groups that make up our local communities.

Check out “Building a more secure world: Okta for Good’s $50 million, five-year commitment” for what’s next in our work to free everyone to safely use any technology.