An identity management service is a critical component of your IT infrastructure. It controls how employees, contractors, partners and customers gain access to applications.
Okta is designed from the ground up to help you meet your security and compliance needs and also be the enterprise grade service you can trust.
Okta has invested heavily to provide an enterprise grade service. Those investments include:
Okta takes a comprehensive approach to building and operating a secure service that spans people, process and technology.
At Okta our focus on security starts with our most important asset – our people. Our Chief Security Officer (CSO) reports directly to our CEO and is responsible for the security of the Okta service and the organization. Both financial and criminal background checks are performed on all employees and contractors. Security awareness and secure development training is an ongoing requirement for all employees throughout their time at Okta.
Okta’s engineers adhere to an audited Security Development Lifecycle (SDL) program. By utilizing attack surface analysis and threat modeling before code is even written, our engineers build in security that is to our platform. The development team also leverages peer secure code review and third party white- and black-box penetration testing to ensure security standard operating procedures are followed as well as to validate our development and production security controls.
The Okta team has deep experience in architecting, operating, and securing Internet-scale, on-demand services, and we have partnered with Amazon Web Services (AWS), the industry-leading infrastructure as a service provider.
We leverage their physical security which is controlled 24/7/365 by armed guards, surveillance, and multiple layers of digital and biometric multifactor authentication. Network security is ensured with multi-homed internet peering, Okta technical operations controls all management access to the service via multi-factor VPN tunneling. The production environment employs strict controls to prevent unauthorized intrusion, traffic spoofing, and service reconnaissance. Even at the compute layer Okta uses hardened, purposefully-built and fingerprinted virtual machine instances.
Multiple investments are made to ensure all customer data is secure. All communication with the service is protected using strict transport layer security and by enforcing only strong ciphers. Data at rest is encrypted with industry standard AES-256 with a unique context specific key for each customer. Our strong key management system ensures that the organizational data is segmented from the secured and encrypted organizational key store.
Okta maintains a SOC 2 Type II report where we are audited against Security, Availability, and Confidentiality Trust Principles. Okta’s entire organization, from admin to CEO, is placed within scope of the SOC 2 audit. Okta meets EU Safe Harbor requirements and we have published our controls in the Cloud Security Alliance Registry Security, Trust & Assurance Registry (CSA STAR).
Okta must be available for any other app to be accessed and therefore there’s no good time to be down. As a result we are built for high availability and scale and deliver a 99.9% guaranteed uptime.
When we say 99.9% we mean 99.9%. No ifs, ands or buts. With Okta there is zero planned downtime. The Okta service never shuts down for maintenance purposes.
Okta’s Zero Downtime Architecture is
Transparency in how we operate is a critical part of being an enterprise grade partner. The success of Okta with your organization is built on trust. And trust starts with both our expertise and focus on customer success and the transparency Okta provides into our company, product development, and operations.
All customers receive a weekly update from Okta giving them visibility into new functionality that is added to the service, and we do quarterly updates on the overall service roadmap. Detailed information on any outages is also provided to our customers and we publicly post our past availability statistics on trust.okta.com.