Thoughts from the Sony Breach

Sony has made big headlines – for all the wrong reasons – for having sensitive company data stolen and posted online in late November. (For full details, I’d recommend WIRED’s “Sony Got Hacked Hard: What We Know and Don’t Know So Far.”)

The event has sparked a lot of debate as to the source of the attack and how it was achieved, with the conversation now expanding to legal concerns and calls to media to stop publishing hacked documents. I certainly don’t know all the facts (and probably never will), but I do know that this was a catastrophic attack for Sony Pictures. It reminds us that any infrastructure is vulnerable to a well-funded, determined attacker.

Whenever breaches get sensationalized and garner the attention of seemingly every publication imaginable, I tend to think about some basic security strategies companies could use to help avoid these incidents.

Here are a few of them:

A Day in the Life of Ren Buenviaje: Engineer, Baker and Javascript Extraordinaire

For Ren Buenviaje, an unplanned career move (implementing identity management solutions) and years of experience developing user interfaces were just the background she needed to land a job at Okta. Now a senior UI engineer at Okta, Ren is helping engineering teams make their code beautiful and empowering people to work better and smarter, and embodies what it means to be a part of the user-centric IT initiative.
In addition to bringing beautiful products to life with code for both Okta customers and employees, Ren helps Okta look and smell fantastic. You heard that right. From implementing a company-wide tradition of dressing up for “Fancy Fridays,” to baking delicious, gluten-free treats that have quite the following, Ren is instrumental in defining the aesthetic and snack habits of this company.

To learn more about Ren’s responsibilities and to hear about all her extra-curricular initiatives, check out the latest “Day in the Life” segment below!

Western Union on Oktane: Looking to the Future and the User

The countdown to Oktane14 has begun! In the next few weeks, we’ll be sharing guest posts from our amazing customers about their experiences at Oktane and why they’re looking forward to this year’s conference. Follow along on the Okta blog and on Twitter with #Oktane14.


From Mike Bartholomy, IT Manager of Corporate Information Security at Western Union

I had never heard of Okta when I came to Western Union as a consultant in 2012 to help implement a number of initiatives for the company’s Information Security group. Fast forward one year and I’m a WU employee celebrating six months since our Okta implementation. Around the same time, Okta invites my boss, David Levin (director of InfoSec), to speak at Okta’s first user conference – Oktane13 – about our success with the solution, and I go along for the ride.

Getting the Most Out of the Cloud: Webcast with Okta, Netskope, Box and Universal Music Group on Thursday, June 26

It’s a wild, wild world when it comes to enterprise technology right now. Vendors are promising “faster, better, cheaper” versus the traditional systems of record, and analysts are constantly chattering about the “hypergrowth” of new technologies grabbing more IT spend globally. And with systems now designed to serve users instead of the other way around, IT is no longer stuck simply managing systems, holding down the geek squad and keeping the lights on. Enterprises increasingly look to IT to empower their employees and to strengthen the organization as a whole.

But it’s easy to fall victim to the “hype machine” and invest in a solution without first spending the necessary time to determine how it fits into your long-term IT strategy – and how the rest of the organization will get the most out of it. With so many apps, brands and solutions vying for dollars, CIOs and CISOs need to choose the ones that not only meet their business needs on a surface level, but that will also innovate quickly and partner with them to deliver real business impact – whether in terms of employee productivity, data security, sales volumes or any number of other measures.

Cloud Framework Panel Recap: "Started From the Bottom, Now We're Here"

It’s not every day that a panel we’re involved in prompts coverage quoting Drake lyrics. And yet that’s just what happened last week after our CSO David Baker participated in a panel on the ‘New Cloud Framework’ with executives from Druva, Birst and CipherCloud.


As CITEWorld’s Matt Weinberger opened his story on the panel, “the cloud may have started from the bottom, but now it's here.” And it’s true – despite security concerns and a few late-to-the-game legacy players, the cloud is undoubtedly here and it’s here to stay.

Throughout the event, the panelists discussed how we got to this point and what we can do to continually secure and reassure our customers in the present and future. Rachel King at ZDNet highlighted David’s emphasis on the importance of education and transparency in this process in her piece on the panel.

“If a cloud solution isn't transparent, then it isn’t the right one,” David told the audience, discussing how transparency around a vendor’s data security can be key to enabling productive solutions for their users.

Building Trust and Security Through Transparency of Service

Transparency is a great way for cloud providers to demonstrate and prove good security practices to their customers. Oftentimes, however, the transparency stops when outages or service hiccups occur. During an incident, how a cloud provider communicates with its customers says a lot. In a guest post for the Cloud Security Alliance, I discuss why customers should expect clear, transparent SLAs from their service providers, what customers should expect during an incident and why transparency is so important from a security and trust perspective. Head over to the Cloud Security Alliance to read the full post.

With the growing movement of enterprises to the cloud, it’s more important than ever that service providers demonstrate and prove good security practices to their customers, in good times and in bad. During an incident, how a cloud provider communicates to its customers says a lot about its commitment to security. Sounds obvious, right? Well, three different times during the past seven months — and once while I was on a panel at the 2012 CSA Congress in Orlando — I’ve learned that it isn’t clear after all. As CSO at Okta, I work closely with our customers and they always ask, “What will you guys do if a breach occurs?”

Encryption in the Spotlight due to Vulnerable Android Apps

Last week, Ars Technica’s Dan Goodin published a story detailing how downloaded Android applications have the potential to expose the sensitive personal data of more than 185 million users. Vulnerabilities due to inadequate or incorrect use of SSL/TLS protocol libraries expose everything from online banking and social networking credentials to e-mail and instant-messaging contents. A group of computer scientists identified 41 applications in Google's Play Market that could leak data from an Android phone connected to the web servers of banks and other online services, because the apps never properly verified the server certificate presented to them.

In addition to the research paper that sparked the article, there was another body of research out of Stanford University and the University of Texas, which exposed further security issues with Android apps as well as with a plethora of other popular applications, services, electronic banking software and more. Again, the security issues stem from the incorrect or inadequate use of SSL/TLS libraries within the applications: the connection is encrypted, but the application never checks who it is encrypted to, so a man-in-the-middle with any certificate can read the traffic.
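The failure both research groups describe is the same one in every language: the application accepts whatever certificate the server presents. On Android that usually looks like an X509TrustManager whose checkServerTrusted method does nothing, or a HostnameVerifier that always returns true. The example below is an added illustration written for this post, not code from the page or from either research paper; it is in Go rather than Java so that it runs offline with no device or external host. The server is a constructed in-process httptest server whose self-signed certificate stands in for an attacker's certificate; all function names are the author's own. It shows the three outcomes a practitioner should be able to reproduce: a client with verification disabled leaks the response to an untrusted server, a correctly configured client refuses the connection, and a client that pins the one certificate it expects still verifies the chain and hostname but accepts only that certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// newUntrustedServer starts an in-process HTTPS server. httptest gives it a
// self-signed certificate that no system root trusts, which is exactly what a
// client sees when a man-in-the-middle substitutes its own certificate.
// (Constructed test fixture, not a real bank endpoint.)
func newUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "secret account balance")
	}))
}

// fetch performs one GET with the given client and returns the body.
func fetch(client *http.Client, url string) (string, error) {
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// insecureClient is the bug the research describes. InsecureSkipVerify turns
// off both chain validation and hostname checking, the Go equivalent of an
// Android X509TrustManager whose checkServerTrusted does nothing plus a
// HostnameVerifier that always returns true. The session is still encrypted,
// but it is encrypted to whoever answered, attacker included.
func insecureClient() *http.Client {
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // vulnerable setting
		},
	}
}

// defaultClient leaves verification on: the chain must lead to a trusted root
// and the certificate must match the host being contacted.
func defaultClient() *http.Client {
	return &http.Client{Timeout: 5 * time.Second}
}

// pinnedClient trusts exactly one certificate. Verification still runs in
// full (chain and hostname); only the trust anchor is narrowed. This is how
// to accept a self-signed or private-CA certificate without disabling checks.
func pinnedClient(trusted *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
		},
	}
}

// isVerificationFailure reports whether err is the client refusing a
// certificate it could not chain to a trusted root.
func isVerificationFailure(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	return errors.As(err, &unknownCA)
}

func main() {
	srv := newUntrustedServer()
	defer srv.Close()

	body, err := fetch(insecureClient(), srv.URL)
	fmt.Printf("insecure client: body=%q err=%v\n", body, err) // body leaks
	_, err = fetch(defaultClient(), srv.URL)
	fmt.Printf("default client:  rejected untrusted cert=%v\n", isVerificationFailure(err))
	body, err = fetch(pinnedClient(srv.Certificate()), srv.URL)
	fmt.Printf("pinned client:   body=%q err=%v\n", body, err)
}
```

When auditing an app, the thing to grep for is the first configuration: any trust manager, hostname verifier or transport option that unconditionally accepts the peer. The fix is never to relax verification globally; if a non-public certificate must be accepted, narrow the trust anchor as the pinned client does, so that the chain and hostname checks keep running.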

Defining the Enterprise Cloud Service – Part 6: Strong Encryption Throughout

During the past few weeks, I’ve written about what it takes to build a cloud service that’s ready for the enterprise. Essentially, there are three characteristics that set true enterprise cloud services apart from their consumer counterparts: Security. Reliability. Trust. When evaluating an enterprise cloud service for those characteristics, there are five traits to look at:

  • Development for the enterprise
  • Endless 9s reliability
  • Benchmarked and audited service
  • Strong encryption throughout
  • Singular focus on the customer

I saved the “strong encryption throughout” category for the finale because it’s the most important component — and it’s very easy to do incorrectly.

Defining the Enterprise Cloud Service – Part 3: Benchmarked and Audited Service

I recently released the first and second installments of a six-part blog series about what it takes to have an enterprise-ready cloud service. While the identity hack of Wired’s Mat Honan (and the media fallout that followed) spurred the idea, the focus is on the three characteristics that differentiate an enterprise-grade cloud service from a typical consumer cloud service: security, reliability and trust.

So, what makes services like Box, ServiceNow, and Okta enterprise clouds? As I outlined in my first post, there are five categories to look at when evaluating a cloud service for security, reliability and trustworthiness.

  • Development for the enterprise
  • Endless 9s reliability
  • Benchmarked and audited service
  • Strong encryption throughout
  • Singular focus on the customer

I am going to fast-forward a bit to discuss the “benchmarked and audited service” category in this post. In a classical sense, this means achieving a compliance certification by a trusted independent audit firm. This, however, can be a challenge for cloud-based services. Let’s use Okta as an example.

Defining the Enterprise Cloud Service

The barrage of articles and blogs that cropped up following the personal identity hack on Wired’s Mat Honan got me thinking about the importance of security in the cloud. In my experience, what happened to Mat is not a unique issue. In fact, it’s a fairly typical downside of what I call consumer cloud services.

It was, no doubt, a horrible thing to have happen. But outside of the hack itself, I was troubled by how many articles generalized the Amazon and Apple consumer service weaknesses as blanket weaknesses for the cloud as a whole. At best that’s disingenuous. Enterprise and consumer cloud services cannot be conflated.