Businesses @ Work

Popularity matters. Our most popular apps chart has been featured in Businesses @ Work since the very first report. To date, we’ve defined the most popular apps as those with the largest number of customers with the application provisioned. But is that methodology the only proxy for popularity? This year, we’re also analyzing most popular apps based on the number of monthly active users (defined as users who have logged into an app, via Okta, at least one time in the past 30 days).

When comparing the two graphs, here’s what we found for 2017:

• Office 365’s lead as the most popular app is even more notable when considering the number of monthly active users.
• Workday is #2 based on number of monthly active users, but isn’t in the top 15 based on number of customers with the application provisioned. Workday’s core HR functionality make it a company-wide business app, compared to other apps that are department specific. The same is true for ServiceNow, which is the 3rd most popular application based on the number of monthly active users, compared to 15th based on number of customers with the app provisioned.
• Department specific apps like AWS and DocuSign continue to be actively deployed in organizations (with 56% and 51% year-over-year customer growth, respectively), but not as widely used.

In every Businesses @ Work report we’ve published to date, there is the inevitable comparison between G Suite and Office 365. While Office 365 has had the lead in terms of popularity, this year’s report reminds us that the email race is never over. Notably, Google has been adding G Suite customers faster than Office 365 over the past 3 month time period, 6 month time period and even year-over-year. It appears G Suite’s renewed focus this year on the enterprise is paying off. G Suite grew its customer base 49% this past year, compared to Office 365, which grew its customer base 40%. According to Prabhakar Raghavan, VP of Apps at Google Cloud, "Today, more than 3.5 million paying businesses, including companies like Verizon, Nielsen and Colgate-Palmolive, rely on G Suite’s intelligent productivity and collaboration apps to transform the way they work. We’re excited to see the uptick in G Suite’s adoption among Okta’s customers, and we look forward to seeing the momentum continue in 2018."

	Trailing 3 Month Growth	Trailing 6 Month Growth	Trailing 12 Month Growth
	9%	22%	49%
	7%	16%	40%

Jamf, which provides software for managing and securing Apple devices, was the fastest growing app in our network this past year, with 389% growth. Security awareness training platform, KnowBe4 was the third fastest growing company with nearly 300% growth. According to Gartner, in the security awareness training market “growth projections for the next several years remain strong, with a Gartner forecast compound annual growth rate (CAGR) of 45% from 2016 to 2021, and revenue reaching over $1.5 billion in 2021.”

Our fastest growing apps chart also tells us the messaging and collaboration race isn’t over! For the first time since we began publishing Businesses @ Work in 2015, Slack competitors are on the fastest growing apps chart. Cisco Spark is the second fastest growing app in Okta’s network this year with impressive 377% growth. The product’s new, innovative features like virtual office assistant seem to be intriguing enterprises. Workplace by Facebook, which just launched in October 2016, was the 5th fastest growing app and made some critical product improvements this past year (key integrations with Box, Dropbox, Microsoft and others; bots; partnerships with compliance companies). While Slack is not featured as one of the top 15 fastest growing apps in Okta’s network for the first time in several reports, we believe this is primarily due to the scale they have achieved. (Slack is the 7th most popular app in our network based on number of customers and 13th based on monthly active users.) That said, the messaging and collaboration space remains hotter than ever, with competitors popping up on our fastest growing apps chart as they attempt to challenge Slack.

Zoom, which was the fastest growing app in our network in the last report, continues to show impressive growth as the 4th fastest growing app with 164% year-over-year growth.

* Gartner, Inc., Magic Quadrant for Security Awareness Computer-Based Training, Joanna G. Huisman, 26 Oct 2017.

We’ve closely examined how end-users are getting work done. We know what email, HR, document storage and collaboration tools are most popular in the enterprise. But in today's global economy, we were curious what else is important to a person’s success in business? What do modern workers need to be productive, grow their careers, travel and pay their bills?

So we started digging into work-related app categories. That is, the apps employees frequently use that aren’t technically considered “business apps.” What are their go-to news sources? What sites do they use to book travel? Are they continuing their education? If so, what eLearning tools are they using? And what banking sites are most common? Here’s what we found:

Southwest and United Airlines are the top 2 travel apps in our network, by a significant margin. (Everyone wants that Southwest Companion Pass!) Hilton, Starwood, and Marriott are the top hotel apps. But, industry disrupter Airbnb isn’t far behind, as the company’s new focus on business travelers has paid off. According to Forbes, more than 250,000 businesses use Airbnb for travel today, compared to just 250 in 2015. (Airbnb usage grew 39% in our network year-over-year.) While Airbnb doesn’t offer reward points, they do offer new business-centric perks such as self service check-in, one-click expensing, and the ability to easily rent an entire home for your entire team.

There’s a gap between the skills people have and the jobs that they want — especially given that many of the hot jobs (machine learning, data scientist, dev-ops engineer, etc.) require hands-on training. Both individuals and businesses are prioritizing lifelong learning. 31% of Okta customers accessed online learning courses in 2017, either for corporate or personal use. Lynda.com, which was acquired by LinkedIn in April 2015, is the number one eLearning app in our network. Lynda focuses more on courses for individuals — adding skills (via certificates) to their resumes — whereas the #2 player in the space, Pluralsight targets enterprises first. Pluralsight’s adoption within our customer base grew 22% in the 6 months ending October 2017, and is closing in on Coursera, which only grew 9% in this same period.

As we reported in our October 2017 EMEA Businesses @ Work EMEA is the leader in the adoption of developer tools with 48% of customers using at least one dev tool, narrowly beating out APAC and North America with 44% and 47% usage, respectively. Today, 47% of our global customer base is using at least one developer tool, compared to 43% one year ago. JIRA is, far and away, the most popular developer tool among our global customers who are using dev tools. 48% of these Okta customers are using JIRA. GitHub is the clear #2, followed by PagerDuty and New Relic.

Using Okta’s security data, paired with open source threat intel feeds, we were able to analyze attacks targeted at the cloud authentication layer.

While we’re seeing significant diversity in threat origins, a high volume of attacks are from IPs geolocated as originating from China. When looking at the global threat landscape, 48% of all attacks are coming from IPs geolocated in China, followed by 7.7% from the US, 4.5% from France and 3.4% from Russia.

This threat geo landscape does not include attacks from Tor (dark web) exit nodes. The Tor network encrypts traffic to disguise user identity as traffic moves from one Tor server to the next. Tor nodes receive traffic on the Tor network and pass it along. We found 23% of all attacks were from Tor exit nodes.

One way to slice the data is to compare the attacks on the cloud authentication layer with intel from open source threat feeds. According to our data, 47% of the threat actors that were involved in the attacks we see have hits on open source threat intel, meaning the security community was already aware of that IP as a possible threat. Of this group of “flagged” threats, we see the majority (67%!) coming from China. Russia, the US, and France have the next largest percentage of attacks, at 3% each.

53% percent of global threats we see do not appear on open source threat feeds. While we still see 35% of these threats originating in Asia (specifically 21% in China), the largest percentage of these originate from countries in Europe at 36%.

Of these European threats that do not have open source intel, we found that the threats originated from IPs geolocated across 33 different European countries. 19% are from France, 12% from the Netherlands, 11% from Russia, and 10% from Germany. The remaining 48% come from the rest of the European nations.

So what does the threat landscape tell us? Cloud services are getting attacked — a lot. And these cloud attacks are not evenly distributed throughout the world. To better protect themselves, organizations should conduct their own security detection and monitoring, and leverage threat feeds from multiple sources (both open source and paid). Furthermore, if organizations aren’t anticipating any business will come from dark web or certain higher risk geographies, they should attempt to block them.

* Any data referring to external threat feeds is static, current in the moment it was pulled, as of November 29, 2017.

So, we wanted to look at the effectiveness of the current state of password policies. In other words, how are organizations using passwords to protect assets, and how are users contributing to organizational security?

Because all passwords stored in Okta are encrypted, we (rightly) can’t analyze them. We can, however, see the various password policies that organizations have put in place. To better understand how our customers approach strong passwords, we reviewed the common set of password policies our customers are enforcing.

Today, the typical organization in the Okta Identity Cloud enforces the following password policies:

1. A minimum length of eight characters
2. At least one lowercase letter, one uppercase letter and a number
3. A maximum of ten password attempts before locking a user out of his / her account
4. Recovery tokens expiration period is set at one hour
5. Prohibit any password that includes the username

We know how companies are approaching strong passwords. But do these policies make a difference? How do policies impact user choice?

Because we (rightly) cannot see user passwords in Okta, we checked a representative sample from a breached password list against the average policies in use by Okta’s customers. We found that only 49.5% of those passwords used at least 8 characters. We also found that only 4% of the passwords would meet the average policy of more than 8 characters and at least one uppercase letter, one lowercase letter and one number.

We can clearly see the impact that policies have on users’ password choices. When given the option, users often choose shorter passwords. But the real money question is: does password complexity equate to increased security? With NIST’s updated recommendations saying complexity is better achieved by length than additional symbols, should companies change their password policies? Or more simply, is the current average policy complexity good enough to mitigate online credential-based attacks?

There are three common tactics used to obtain credentials: credential phishing, password spraying and brute force attacks. Credential phishing we’ve all heard of, and probably received emails with a “security alert.” In a phishing attack, the attacker pretends to be a trusted user, website or organization with the goal of tricking another user into sharing their credentials. In a password spray attack, attackers use common passwords (i.e. password123) and “spray” them across many domain accounts or domains using a cloud service, essentially playing a game of guess and see, with the hope of one working. Brute force attacks are a more extensive version of a password spray that we see far less often; they use a scripted computer algorithm to attempt to guess passwords.

Does the policy help mitigate these types of attacks?

With the average Okta policy based on the alphanumeric, case-sensitive set of 62 characters (A-Z, a-z, 0-9), we calculated the total number of password combinations possible across those characters. To cut right to the mathematical result, the number of combinations would be 62^8, or 2.2E+14. Assuming a purely online threat vector, and allowing for a rate of 1,000 requests/second, it would take approximately 70 centuries (yes, that’s 7,000 years) to try every possible character combination as a password based on the average policy. When we run the same computation across the entire 255-character ASCII (American Standard Code for Information Interchange) range, with the same assumptions, we calculate 7,000 centuries, or 700 million years to try every character combination of an 8-character password.

But, the reality is, attackers also know that an exhaustive brute force attack isn’t their most effective course. That’s why they employ more sophisticated strategies like first adding special characters at the beginning or end of a password. And because hundreds of millions of passwords that have been exposed in past breaches are available online, attackers are able to attempt to login using these previously used and common passwords (i.e. password or password1) across many accounts. Furthermore, attackers are able to successfully compromise accounts by capitalizing on bad habits like adding special characters at the end, including usernames in passwords, or adding uppercase characters at the beginning, and making just enough attempts to remain any lockout thresholds.

It’s imperative that organizations take steps to weed out bad passwords, including those that have already been exposed through a previous breach. Resources like HaveIBeenPwned.com allow companies (and their users) to see what passwords have been exposed. Vendors should offer the capability to prevent using common passwords.

Despite the increasing sophistication in password guessing algorithms, organizations can still minimize the risk of both brute force and password spraying attacks by (1) increasing the minimum password length and optional complexity and (2) enforcing policies that rule out common/breached passwords, and (3) enforcing MFA on all logins.

How does that compare to NIST’s length requirements?

NIST guidelines requires a minimum length of 8 characters (consistent with the average Okta customer password policy), and also encourages increasing security by increasing password length, rather than alternate character types. And what we’ve found in our analysis shows that while strong, smart password policies are a start, they’re not a silver bullet — and they’re not going to help at all if you’ve given over your credentials through a successful phishing attack. As NIST also recommends when it comes to credential protection, one of the most secure ways to effectively mitigate all credential-based attacks is by combining strong password policies with MFA.

Our data also shows that, increasingly, enterprises are balancing their needs for MFA with end-user experience. One way they are doing this is by providing end-users with factor choice. The average number of factors deployed by customers with MFA continues to rise, with nearly 70% of customers offering their users 3 or more factors today (compared to 62% last year).

MFA certainly is a critical piece of the security puzzle, but it’s not the only piece. The policies set around MFA are essential. Organizations should require all privileged system users to use MFA, and every user account should be protected by MFA. In addition, access to critical apps should be prompted for a second factor, and organizations should leverage MFA automation based on user context to further mitigate risk. They should consider using certificate-based device trust to determine whether a device is managed or unmanaged by their IT team, and leverage this state to determine whether step-up is requ ired or if access is allowed at all. And, they should require MFA when a user is attempting to mask their IP address through an anonymizer such as Tor or a proxy service.

Ultimately, organizations need to take action to stop the 81% of hacking-related breaches that involve compromised credentials. To improve their overall security posture, companies should:

• Use internal, open source and if possible, commercial threat intel to properly monitor services and update authentication policies as needed to mitigate the latest threats.
• Allow end-users to choose only the most secure MFA factors, and remove security question and SMS as factor options deployed to users. (In July 2016, NIST discouraged the use of SMS as a second factor because of the high risk of intercepting passcodes.)
• Enforce best practices in setting policies. For example, given that we see Tor exit nodes being used for attacks, deny access or enforce MFA for anything coming from Tor.
• Use compromised and common password protection. This will help preclude end-users from using passwords that have been exposed in a breach and those most frequently used to conduct password spray attacks.