An identity management service is a critical component of your IT infrastructure. It controls how employees, contractors, partners and customers gain access to applications. Okta is designed from the ground up to help you meet your security and compliance needs and also be the enterprise grade service you can trust. Okta has invested heavily to provide an enterprise grade service. Those investments include:
A comprehensive approach to security
Okta takes a comprehensive approach to building and operating a secure service that spans people, process and technology.
Deep layers of security
Organisation
At Okta our focus on security starts with our most important asset – our people. Our Chief Security Officer (CSO) reports directly to our CEO and is responsible for the security of the Okta service and the organisation. Both financial and criminal background checks are performed on all employees and contractors. Security awareness and secure development training is an ongoing requirement for all employees throughout their time at Okta.
Software development
Okta’s engineers adhere to an audited Security Development Lifecycle (SDL) program. By utilising attack surface analysis and threat modelling before code is even written, our engineers build in security that is to our platform. The development team also leverages peer secure code review and third party white- and black-box penetration testing to ensure security standard operating procedures are followed as well as to validate our development and production security controls.
Operations and data
The Okta team has deep experience in architecting, operating, and securing Internet-scale, on-demand services, and we have partnered with Amazon Web Services (AWS), the industry-leading infrastructure as a service provider.
We leverage their physical security which is controlled 24/7/365 by armed guards, surveillance, and multiple layers of digital and biometric multifactor authentication. Network security is ensured with multi-homed internet peering, Okta technical operations controls all management access to the service via multifactor VPN tunnelling. The production environment employs strict controls to prevent unauthorised intrusion, traffic spoofing, and service reconnaissance. Even at the compute layer Okta uses hardened, purposefully-built and fingerprinted virtual machine instances.
Multiple investments are made to ensure all customer data is secure. All communication with the service is protected using strict transport layer security and by enforcing only strong ciphers. Data at rest is encrypted with industry standard AES-256 with a unique context specific key for each customer. Our strong key management system ensures that the organisational data is segmented from the secured and encrypted organisational key store.
Extensively audited platform
Okta maintains a SOC 2 Type II report where we are audited against Security, Availability, and Confidentiality Trust Principles. Okta’s entire organisation, from admin to CEO, is placed within scope of the SOC 2 audit. We have been awarded TRUSTe's Privacy Seal signifying that our privacy policy and practices meet their TRUSTed Cloud Program Requirements. Okta meets EU Safe Harbor requirements and we have published our controls in the Cloud Security Alliance Registry Security, Trust & Assurance Registry (CSA STAR).
Zero downtime architecture that scales
Okta must be available for any other app to be accessed and therefore there’s no good time to be down. As a result we are built for high availability and scale and deliver a 99.99% availability.
When we say 99.99%, we mean it for all of our customers. With Okta there is zero planned downtime. The Okta service never shuts down for maintenance purposes.
Okta’s Zero Downtime Architecture is
- 100% multitenant: all of our customers share the same underlying environment that we make extremely robust in terms of scale, redundancy, monitoring and processes.
- Stateless: User transactions to the Okta platform are completely stateless. All of the components of our system can be scaled at will and any individual component can fail and the system will route around it.
- Extremely redundant: Our architecture exceeds n+1 redundancy. We replicate the service live across six availability zones and two geographic regions within AWS and have an additional time delayed replication in a seventh. For backups we do incremental EBS snapshotting to S3 and take full portable backups in case we need to restore outside of AWS.
A partnership based on trust
Transparency in how we operate is a critical part of being an enterprise grade partner. The success of Okta with your organisation is built on trust. And trust starts with both our expertise and focus on customer success and the transparency Okta provides into our company, product development, and operations.
All customers receive a weekly update from Okta giving them visibility into new functionality that is added to the service, and we do quarterly updates on the overall service roadmap. Detailed information on any outages is also provided to our customers and we publicly post our past availability statistics on https://status.okta.com.