Sony has made big headlines – for all the wrong reasons – for having sensitive company data stolen and posted online in late November. (For full details, I’d recommend WIRED’s “Sony Got Hacked Hard: What We Know and Don’t Know So Far.”)
Ensuring security has always been an omnipresent concern for businesses. But in today’s world of increased cloud adoption, more of a focus on mobility and the ubiquity of connected APIs, the number of malicious threats has amplified – driving enterprises to rethink traditional security postures. New security models must include both the context of the enterprises’ cloud service providers and, at the same time, that of the knowledge worker’s mobility experience.
You’ve likely read about the Heartbleed vulnerability that has affected much of the Internet. The short version: Heartbleed is a bug that affects the way online services encrypt connections between their service and their users, and if not corrected can lead to sensitive information being revealed. Most services and sites on the Internet use OpenSSL, the code that was affected, making Heartbleed a top story this week. We want to tell you about Okta’s response.
Transparency is a great way for cloud providers to demonstrate and prove good security practices to their customers. Oftentimes, however, the transparency stops when outages or service hiccups occur. During an incident, how a cloud provider communicates to its customers says a lot. In a guest post for the Cloud Security Alliance, I discuss why customers should expect clear, transparent SLAs from their service providers, what customers should expect during an incident and why transparency is so important from a security and trust perspective.
I recently kicked off a blog series about the importance of securing Layer 7, otherwise known as the application layer in the OSI model. It’s a critical part of Okta’s security program because Layer 7 is closest to our users, and also because Okta’s cloud-based IDM solution integrates with on-premises and external SaaS identity stores, mobile devices — and more. Layer 7 security is top of mind for me.
Building and maintaining Okta’s security program is an interesting job, to say the least. The stakes are high: Not only is identity management core to IT, it is central to an enterprise’s security. Plus, Okta delivers IDM from the cloud, so between mobile devices, third-party partners and the inherent security concerns associated with user habits, my job as CSO is truly one-of-a-kind.
“What’s your disaster recovery plan?”
It’s a question I’ve been getting from customers quite a bit lately. And it caught me off guard the first time I heard it. Typically, inquiries on disaster recovery come from someone on an audit team who has the daunting task of creating a disaster recovery and business continuity plan across the entire company. To assemble such plans, they must robotically evaluate each of the company’s business partners and service providers. During these conversations, I’ve glimpsed the perfect disaster recovery service and wanted to share a few thoughts.
The New York Times recently ran an interesting profile of Peter Neumann, one of the preeminent computer scientists in the world. The story, “Killing the Computer to Save it,” details Neumann’s ideas for how to solve the inherent security vulnerabilities in computer systems that have been repeated again and again for the past 50+ years.
Last week, Ars Technica’s Dan Goodin published a story detailing how downloaded Android applications have the potential to expose the sensitive personal data of more than 185 million users. Vulnerabilities due to inadequate or incorrect use of SSL/TLS protocol libraries expose everything from online banking and social networking credentials to e-mail and instant-messaging contents. A group of computer scientists identified 41 applications in Google's Play Market that could leak data from a