Hello, Okta Advanced Server Access

We’re excited to launch Okta Advanced Server Access, a new product available today that brings continuous, contextual access management to secure cloud infrastructure. Advanced Server Access centralises access controls for organisations leveraging on-premises, hybrid, and cloud infrastructure in a seamless manner to mitigate the risk of credential theft, reuse, sprawl, and abandoned administrative account. Okta customers like Personal Capital, Workiva, MailChimp and VirtualHealth are already using Advanced Server Access today.

Protecting Your Most Critical Infrastructure: Servers

Infrastructure security has not kept up with the rapidly evolving security landscape. Given the high level of privileges they hold, traditional credentials used to access servers (such as SSH Keys and RDP passwords) are frequent targets for hackers. And the admins who use them, Sys Admins, DevOps Engineers, and SREs, usually maintain their own credentials—with no ties back to corporate identity systems. Far from best-of-breed in security, the legacy products in the infrastructure space are also difficult to operate, with a poor end user experience. So these products can be significant blockers as companies look to incorporate more automation across their environments.

Okta Advanced Server Access + Continuous Authentication

Advanced Server Access takes a modern approach to server access by entirely eliminating the need for static keys. Through a revolutionary ephemeral credential mechanism, Okta offers centralised access controls across any cloud environment supporting Linux and Windows servers (public, private, or hybrid), and cloud instances across AWS, GCP, and Azure.

Okta Advanced Server Access allows for granular access decisions about each login request, able to consider device, session context, and dynamic user information. In this scenario, Okta is the infrastructure, and Universal Directory is the single source of truth for local server accounts. Okta Lifecycle Management serves to automatically provision and deprovision accounts to the downstream servers, and SSO becomes part of the SSH/RDP authentication workflow. Lastly, for stronger authentication, we employ MFA.

How does it work?

Okta Advanced Server Access protects your critical infrastructure by employing single-use, ephemeral credentials for each login. The identity-led workflow dictates who can access which server, from which device, and when. Each client certificate expires after a single use—no credential management required. Both security and productivity are enhanced with easy adherence to security policies, and a seamless experience for your administrators.

1. Request session: A user logs in to a server directory from their local SSH or RDP tools, integrated with the client app.
2. AuthN and AuthZ:Okta authenticates the users and authorises the request against the associated Role-based access control and access policies.
3. Issue credential: A built-in Certificate Authority mints a short-lived client certificate scoped to the request, and delivers it back to the client.
4. Connect via SSH or RDP: The client uses the client certificate to initiate a secure SSH or RDP session with the target server.
5. Audit event: The login event is captured via the server agent and sent to the audit log or 3rd-party SIEM service.

The Advanced Server Access solution

Cloud-based and built on the core principles of Zero Trust, Okta Advanced Server Access serves to evolve the infrastructure landscape:

• Mitigate the risk of credential theft: replaces static keys and passwords with single-use, ephemeral client certificates. Each cert is tightly scoped to the individual request at a single point-in-time, significantly minimising a window for attack.
• Centralise access controls to servers: automates the end-to-end lifecycle of local server user and group accounts under a single directory. It delivers seamless SSO and MFA authentication to SSH and RDP workflows, while introducing contextual access controls based on dynamic user and device information.
• Remove barriers to automation: easily automate server enrolment into the configuration management of choice, including Chef, Puppet, Ansible, and Terraform. You can support multi-cloud environments, making every actionable event an API, allowing for custom workflows.
• Deliver a seamless end-user experience: works in line with the SSH and RDP protocols, integrated natively with CLI and GUI tools. Delivered as SaaS, Advanced Server Access abstracts the complexities of credential and account management. Automation allows for easy configuration of dynamic environments—without compromising security.

Availability

Okta Advanced Server Access is available starting today. For more information, check out our Advanced Server Access page.