Introducing the Okta Secure Identity Commitment

Earlier today, Okta CEO Todd McKinnon sent the following email to Okta employees. 

Hi everyone,

Last month Okta celebrated its 15th birthday. After reflecting on this milestone, I’m incredibly proud of the progress we’ve made together and the strides we’ve taken to establish Okta as an iconic company. We power every identity use case, we support over 18,000 customers, and we have nearly 1 billion unique monthly users across the Customer and Workforce Identity Clouds. We are the leading independent and neutral identity company* and we’ve made major progress executing our vision to enable everyone to safely use any technology. 

While we’ve seen a lot of success, we recognise that none of it matters if our customers and community can’t rely on our security. It has become clear that we have to think about the relationship between identity and security differently than we have in the past – security must come first. 

The leadership and security teams at Okta have thought critically about how we operationalise and refocus Okta to ensure that security always comes first. We have talked with our customers, partners, and advisors to come to a consensus on the right path forward. Today, I’m proud to announce that we are formally launching the Okta Secure Identity Commitment. This is our long-term plan to lead the industry in the fight against identity attacks. It’s made up of the following focus areas:

  • Provide market-leading, secure identity products and services
  • Champion customer best practices to help ensure our customers are protected in the best way possible
  • Elevate our industry to be more protected from identity attacks
  • Make our corporate infrastructure more resilient

Our current company-wide sprint (referred to internally as Project Bedrock) is just the beginning. The Secure Identity Commitment is a long-term journey, and because it’s of the utmost importance, we all need to start with the same mindset and approach. This is something every single one of us should embrace at all levels of the company. It’s going to take all of us. We all need to step up our game. 

Back when we founded Okta in 2009, our focus was all about IT enablement. We saw identity as a means of connecting people with technology. And while identity is still the entry point to the digital world, it has grown into so much more – and so have the expectations our customers have of us. Because Okta is the entry point to an organisation’s most important data and infrastructure, we are a big target with a massive attack surface: Just last month, we protected our customers against more than 2 billion security attacks. The stakes are high and we need to answer the call. This large number of attacks offers us a unique advantage. Every attack makes Okta stronger. We take in additional signals. We enhance our protection measures and we share lessons with the security community. We all become more secure.

Considering the sheer volume and intensity of threats we face, it would be foolish and idealistic for us to presume we can stop every single attack. A promise of this level of perfection ignores the reality of the world we live in. But what we can promise: We will relentlessly invest in our approach to defence in depth and a zero trust security architecture to reduce our attack surface, mitigate the impact of a compromise when things go wrong, and prevent the threats of the future. With the Okta Secure Identity Commitment, the goal is not perfection. Instead, the objective is to minimise vulnerabilities and incidents as much as possible, stay ahead of attackers, and establish a culture that prioritises security first and above all else. 

What I'm asking all of you to do is embrace this culture and mindset shift as the first step of the Okta Secure Identity Commitment. Read on to learn how we’re structuring the plan and our key focus areas. 

Details of the Okta Secure Identity Commitment

The Okta Secure Identity Commitment is our long-term plan to lead the industry in the fight against identity attacks. It’s made up of four key initiatives:

Provide market-leading, secure identity products and services

This is all about being secure by design and by default. We relentlessly invest in keeping our products hardened and secure – it’s why we’ve made MFA a requirement for all admin consoles and why we released session binding for admin sessions. Looking forward, we’ll do even more with products such as Security Centre, Identity Threat Protection with Okta AI and integrating our acquisition of Spera Security. Our products are the foundation of our company and we will keep innovating to further strengthen these products and services to provide market-leading protection. It’s why the world’s most trusted brands trust Okta.

Champion customer best practices to help ensure our customers are protected in the best way possible

This is all about helping our customers use the best of Okta. Our products are very flexible and can adapt to any needs the customer may have. It’s critical for each customer to choose the correct identity configuration for their unique needs because misconfigured identity is just another entry point for a bad actor or negligent insider. With over 15 years of experience and over 18,000 customers, we have the expertise to help ensure our customers have the most secure Identity configuration. We launched Okta Expert Assist last year to help with exactly this. We’re also focused on modelling security best practices to our customers: We have 100% of Okta employees using FastPass and phishing-resistant passwordless authentication and we encourage customers to do the same. In the future, we’ll expand our in-product best practice guides to help ensure customers are protected.

Elevate our industry to be more protected from identity attacks

This pillar acknowledges our responsibility to detect and mitigate identity attacks across the industry and throughout society. Considering the critical role that identity plays in the technology stack, we can set the security standard that every company requires their vendor to abide by. Beyond the industry, we can’t lose sight of the broader community that needs support bolstering security: It’s a societal issue. Today, we are announcing that Okta for Good is contributing $50 million over the next five years to extend Okta’s Secure Identity Commitment to our communities. These funds will strengthen the cybersecurity posture of nonprofit organisations, expand the field of qualified cyber talent and ultimately contribute to a more secure world. When one of us is more secure, we all are more secure.

Make our corporate infrastructure more resilient

While we’ve always had high levels of focus, priority, and rigour around the security of our products and production environment, this initiative is about applying that standard to our entire corporate infrastructure – all of our systems, third parties, people, and processes. To stay ahead of attacks, we must treat all of this with the same cyber-threat profile as our customer-facing profile. We’ve already made a series of recent changes, upgrades, and enhancements to Okta’s corporate infrastructure, and we’re continuing to accelerate our investments to further harden our ancillary (i.e., production-adjacent) and corporate systems.

Our vision is to enable everyone to safely use any technology. Protecting Okta, our customers, and society is our most important work. I’m confident of the Okta team's ability to tackle this responsibility head-on. The road ahead won’t always be easy, but the outcome will be more than worth it. 

Thank you for your dedication to this critical initiative. 

Todd


*IDC, Worldwide Identity and Access Management Market Shares, 2022: CIAM Grows Fastest, Document number #US49367523, June 2023.