Okta CEO at Dreamforce: Simplicity is key for AI security

About the author

Lauren Everitt

Director, Okta Newsroom

Lauren Everitt is the Director of the Okta Newsroom, where she leads content strategy and editorial direction. She previously held senior editorial and management roles at Slack and worked as a journalist in East Africa.

October 23, 2025

Vidyard video

It’s no secret that identity is in the crosshairs for attackers. But what’s less clear is how to thwart them in a threat landscape that seems to grow more complex by the day. 

Okta CEO and Co-Founder Todd McKinnon joined Salesforce’s Chief Trust Officer, Brad Arkin, at Dreamforce’s Security Keynote to discuss the need for a simplified yet comprehensive approach to security today. 

Complexity can compromise security 

The old security model of defending only the most sensitive accounts won’t cut it anymore, according to McKinnon. Attackers are agile and can use initial access to move laterally, making every account a potential vulnerability. And complexity can make matters worse by obscuring accounts, including those of AI agents, and their access. 

This reality requires companies to move away from fragmented security systems towards a unified identity security fabric that covers all identity use cases, leaving "no gaps or corner cases to sneak into," McKinnon said. Crucially, "to get that to happen … it has to be pre-integrated, simple, connected to everything."

‘Every risk has to be managed’ 

Security also means sweating the small stuff, according to McKinnon. “Every risk has to be managed … no matter how infrequent or how much of a tail risk it is,” he said. At Okta, “that changes … how we prioritize things, how we prioritize our internal IT infrastructure, how we prioritize our product roadmap to make sure the products don't just have great capabilities, but they're secured by default.” 

A breach avoided 

McKinnon shared that this due diligence was the key to preventing a breach during an industry-wide supply chain attack last August. Okta had completed a painstaking program to lock down applications, including limiting the IP ranges from which other system-to-system integrations could connect.

“When someone stole our tokens, they couldn't use them because they were locked down by IP address. So it's about this risk management,” he said. “It's about having the diligence and the foresight to push this kind of change through the organization.”

But the onus to stay secure isn’t just on individual companies. The industry must work together to create new standards that make robust security effortless for all organizations, McKinnon said. “We're really focused on that because it’s one thing to do the hard work, but it's another thing to have it be easy for everyone. And that's where we're trying to go.” 

Catch the full conversation above. 
