We understand that identity is mission critical. Our customers depend on Okta to manage and protect access to applications and data. That trust requires our service to be highly available and secure.
Secure, Audited Infrastructure and Processes
Okta has used the SOC 2, Type I and Type II processes to successfully audit the operational and security processes of our service and our company. Current customers can request results through their CSM.
It spans our hiring practices, the architecture and development of the software that powers Okta, and the data center strategies and operations that enable the company to deliver a world-class service.
Security awareness is an ongoing educational process throughout employment with Okta. Our security team performs progressive social engineering tests and awareness campaigns to mitigate phishing attacks and build security into the culture of the company. We actively reduce the attack surface by limiting the number of personnel with access to production. Additionally, Okta's Chief Security Officer reports directly to the CEO to ensure top-down prioritization of security throughout the company and service.
We conduct yearly exercises to train employees on how to mitigate spear phishing
We limit users with highly secure access to production to maintain a small attack surface
Secure Development Lifecycle
We practice security by default by baking security best practices into every step of our development lifecycle. Security is built into checkpoints from when a developer begins design and checks in code to when a build is validated and deployed. Okta works with both independent external security researchers and its own internal security team to regularly validate the security of its design and service implementation.
All developers are trained annually on secure coding practices as well as secure code review techniques
All code is peer-reviewed and inspected by in-house security researchers as well as independent third-party security assessors
The Okta build includes weekly automated web application assessments
Secure Customer Data
We employ state-of-the-art encryption key management to secure customer data. Using our next-generation cell technology, all Okta customer data is encrypted at the data field level. Moreover, data is encrypted in transit from the user's browser down to interactions with an AD Agent. Protection of customer data is audited in accordance with FedRAMP and NIST 800-53, HIPAA, and ISO 27001 requirements.
All customer data is encrypted at data field level
All customer instances have unique encryption keys
Okta leverages AWS' highly secure key management service
Transparency in how we operate is a critical part of being an enterprise-grade partner. We believe in a customer's right to conduct an audit on Okta. We provide independent third-party penetration test reports and will set up environments for customers to conduct their own penetration testing.
All customers receive a weekly update from Okta giving them visibility into new functionality that is added to the service, and we do quarterly updates on the overall service roadmap. Detailed information on any outages is also provided to our customers, and we publicly post our past availability statistics on okta.com/trust.
Okta has demonstrated, not just to us, but to industry analysts and security experts that they take security very seriously, and that it's a service that we'll be able to trust.