Oktane19: Embracing The Kanyes of Our Organization



Gen Buckley: Good afternoon. So that's that lovely Safe Harbor Ford statement that has already been explained. So my name is Gen Buckley and I work for Okta. I'm on the security team and I work in compliance and assurance for Okta what's interesting is that we report directly to the CISO who reports directly to the CEO and that means that we have top level influence and visibility into every department. So that's operations product, IT, sales, engineering, everything. So we are really comprehensive in how we look at security across both the company and across the service that we provide. Background on me before I joined Okta, I was working for a bank. I'll let you guess as to which one. I was there for ten years and I was a security engineer in identity management.

Gen Buckley: So I actually helped support an on premise tool and it was in our data centers. It was the exact polar opposite of the cloud in every possible way and it was go figure really terrible at scaling as in it didn't. It didn't scale at all. So the more we provisioned and the more we increased provisioning and de-provisioning in order to make ourselves more secure, the more logs we generated, and the more logs we generated, the more dispace. It was almost comical what an easy problem it was to solve, but yet it was really difficult to do in a large bureaucratic organization. So at the time I didn't even really think you could do identity management in the Cloud. I thought, what no you can't do that. That doesn't sound like a thing. But I kinda kept up in the industry and I saw wow Okta's doing it and they're doing it right.

Gen Buckley: So the way that Okta's doing it right is through compliance. It's through our third party audits and that's how we demonstrate the effectiveness of our controls. Third party audits are our way of saying you don't have to trust us. We're gonna have somebody else verify it, transparency. We want you to know that we as the identity standard, take it really seriously. It's like yeah we're gonna make sure that we can prove we're doing what we say we're doing. A lot of that in terms of building trust is also it supports the whole ecosystem, right? Rise and tides lifts all boats and following standards and best practices, that makes this all more secure.

Gen Buckley: Okay so quick shout out, forgive me. This is my own little thing that I got put together and the last year, if you are a current customer, your Okta administrators can go and download whenever they want self service all our audit information. All our third party audits, all our reports. You don't have to ask for it. You can just go get it off of the help center.

Gen Buckley: Okay so let's talk about password policies, right? The key note there was a reference this morning from the CISO of a personal capital about security friction, right? What's the source of security friction now? It's password policies. So what drives our password policy? Let's have a quiz. Is it whatever will be the most difficult and inconvenient for our employees? Compliance requirements that are driven by best security practices? We have no free will we just do whatever our AI overlords tell us to do? And shocking we are driven by FedRamp, right? Our end user requirements for in scope Okta employees are driven by FedRamp requirements which have complexity and length and they can't match the previous 24 passwords and they have to be changed every 60 days and this is driven by FedRamp.

Gen Buckley: Now we also enforce second factor, right? Everybody. Everybody has to use second factor. Doesn't matter where you are. Doesn't matter in the office, at home, you're using a second factor. That's just a good practice, right? Everybody should be doing that, but complex password policies always rubs people the wrong way cause it gets in the way. Right people just want to do their jobs and a complex password policy it makes people want to move around. They don't really want to follow it if they don't have to. Having a policy does give peace of mind, right? It says okay, we've determined this is a way you can be secure, right? We're trying to take that thinking off your plate and so follow the policy and that's what will help you.

Gen Buckley: Now the thing about password policies is I love security friction, right? So security friction threshold, that's mine. Trademark, patent pending. My security friction threshold, my SFT score is super high and so basically if we say it's on a scale to one to three, I'm like a nine. I'm like all the MFA, all the complexity, whatever you want I'm gonna do it. Now that's because though I come from the financial services world where we have super, super complex convoluted step up authentication and I really just got used to it. From my perspective, it gave me peace of mind, right? So I had a lot of privileged server access so I actually appreciated the fact that it was contained so that I was an attack vector.

Gen Buckley: Case and point, years ago I actually had a situation where there was a password spay attempt on a financial services account I had elsewhere and my account got locked out and it was like four AM on a Saturday. It's like well that wasn't me and I knew I had 2FA installed. I was like okay, wait I didn't get a text. This was still SMS. We know SMS isn't the way to go. We'll talk about that more later. But at the time it was really frustrating trying to figure out how to get it reset, but I was like no, no, no I use second factor it's okay. It ended up being fine and I was able to reset it. So it's like again the second factor gave me the peace of mind, okay somebody was just locking up my account, but it's still not compromised.

Gen Buckley: The thing about security friction, right, is you have to meet your users where they are. They want to get their work done so you have to think in terms of what policy is appropriate to the risk, right? You don't want to make it too complicated. So you have to think what should drive your password policy?

Gen Buckley: Whatever makes sense for you, right? So Okta is platfrom agnostic. Our goal is to support you wherever you are. We want to meet with whatever your requirements are. We want to help you integrate with however you need to integrate with your mutuals. We're not here to dictate those terms to you. We're all about supporting you, helping you be more secure, maintain best practices, baseline. Let's face it, right complex passwords by themselves, as security practice they're kind of hard for humans to remember, but they're actually easy for computer programs to break right? I actually prefer length over complexity which is really best illustrated by Randall Monroe as we all know from his XKCD comic, yeah I'm seeing a lot of nodding heads. We all know this one right?

Gen Buckley: In terms of first you start okay so I got a base word. So now I'm gonna swap out the O for zero and four for the A or maybe I'll make that an @ sign and how many characters do I have? Oh I have 11 characters, that's pretty good right? Is that really that hard? It's actually not very hard for a program to crack that though right? But it's really hard for a human being to remember that. It's kinda like that's not actually the best way to go. Oh and now you've locked out your account cause you tried too many different swaps and combinations and now you have to beg your admin to reset it and now they're kind of annoyed with you.

Gen Buckley: So actually length is much better so taking four random common words put in making them really long, getting at least 25 characters long. That's actually much, much better. You get a lot more entropy right? Which gives you a much more robust password and in terms of not being able to be cracked. Right it's actually much harder. So the thing is you have to remember that at this point correct horse battery staple has zero entropy. Everybody knows it, so you should definitely not use it. Right cause we all know what that one is. But I think what we all have to remember is that we want people to get to the tools that they need. So with that I'd like to introduce Aaron Zander from Hackerone. He's a company customer that security team absolutely loves and I'd like to bring him up and he's gonna talk to you more about how to reduce password friction.

Aaron Zander: Cool, so as Gen said I'm Zander. I work for a company called Hackerone and a little bit about me, I'm mononymous just like Kanye. I love IT automation. I'm not the most technical person in the world which is why I love Okta because I can do most of the stuff that I spent months and months and months trying to figure out how to do on Powershell in Okta in hours or minutes or days instead of months. I like working and building organizations that grow fast. The first time that I really went into an enterprise organization we went from 500 people to 1100 people in about 18 months and we dropped 250 people which is equally as difficult as building that quickly. Since then I've been at a couple of startups, a company called Maskdrop and then now I'm at Hackerone. I also really love my HR department which despite all the Okta videos say we should actually try to get along. So a little bit about Hackerone and it's important to understand what Hackerone is and what we do to get the context of where our security mindset comes from.

Aaron Zander: We work with a bunch of really cool companies like Spotify, Lyft, Okta, Google, Slack, Get Hub, Air BNB, Sales Force. We work with the department of defense, department of digital services, the Singapore ministry of defense, the European Commission. What we do is apply them with a bug bounty or vulnerability disclosure platform that hackers around the world can go to these companies and report the vulnerabilities that they find in their mobile apps, their websites, their on premise applications, whatever it is to them in a secure way. They can be paid in a secure way back and you can help launch these security efforts in your company. So a little bit by the numbers, we have 1300 customers. We have 330000 hackers. This number of 48 million is actually out of date. I think we'll hit 50 million dollars today or tomorrow. In total bounties paid out, that's not money that we have. That's money that we have given to our hackers around the world and each one of those dollars represents security at a company like Hackerone, like Okta, and like all your companies out there.

Aaron Zander: But more importantly it means there's 100000 vulnerabilities that we found that have been sources through our platform. While we think vulnerabilities are really cool and we like disclosing them, what it really means for our customers is it's 100000 nightmare that we store in our databases and more importantly, when we have those nightmares, your average company if their database leaks, it's really bad for that company and their customers are annoyed. If our database leaks, our company tanks and your company tanks too. So it's very scary, right? So we work with all these great hackers and we represent our hackers like this. This is our E-twin Elite. These are the best of the best hackers and once a year we build out five of these new comic book posters based on our best hackers and we work with these great people all the time and they're always trying to do new and innovative things to get into your applications, your systems, stuff like image tragic sources through Hackerone.

Aaron Zander: We love these guys. They look in real life, more like this. This is from a live hacking event we did recently and at the end of the day, we are trying to protect them. We're trying to protect you guys and we're trying to protect our employees from being vulnerable to whatever things are out there so we can protect all our your data. So how does that represent this guy? What about Kanye are we actually gonna talk about? So first off, I'm not actually a really big Kanye fan. I'm just gonna state that. I stopped listening after College Dropout, I think that was his best album and he's never gotten that good again. But let's talk about Kanye and let's talk about Kanye taking a shortcut.

Aaron Zander: So for those of who have never seen this, this is sitting in the White House talking to our esteemed president Donald Trump and you see he uses this ultra secure password. Now the important thing to understand is Kanye's actually using a six digit passcode here. He got a new phone, his iPhone recommended he has a new password, he probably has face ID but he's too nervous to use it the lights are messing it up. So he just enters a whole bunch of zeroes because that's the easiest thing for him to enter and it's easy for him to remember and that's just what he set up. So at the end of the day, Kanye's sitting there and he's doing what he thinks is the best thing for his security. Six digits, that's a lot of digits, but it's all just zeroes and he just kind of has really poor opsec and did it on live TV.

Aaron Zander: Kanye isn't that different from me or you or realistically most of the employees at our organizations. Gen talks about her high security friction threshold. Most people don't have a high security friction threshold and they're gonna take the shortest route from point A to point B. So we have to understand that our coworkers are like Kanye and we have to learn how to identify them and embrace them. How do we make those people safe and hopefully not have them enter passcodes on national TV? In general what we're gonna take a look and to see maybe we can spot our coworker Kanyes in a couple of example photos that I have. You've got this one. This is coworker Kanye, the accounting assistant. Coworker Kanye's working really hard, has a really bad password, and enters her passwords into a spreadsheet she can share with her coworkers. Not great.

Aaron Zander: This is Sales bro Kanye. Sales bro Kanye makes deals close all the time. He's never used the password manager that you gave him and uses the same password since his first fantasy football event in 2005. Lastly this is executive Kanye. Executive Kanye hard to change, a little fickle, and just again shares all their passwords with their EA, doesn't really think about the consequences of what they're doing. What's important to remember is that these are funny and the whole point of this is funny, but our coworkers aren't our enemy. There's the constant IT versus them. It's IT versus the world or security versus the world or compliance versus the entire company and it's not about that. It's about learning to identify and understand your coworkers and colleagues so that we can all work better together more securely.

Aaron Zander: Now have any of you guys ever heard of desire paths? Desire paths are this theory in city planning that people are going to go where they want to go no matter what you build and desire paths look something like this. No matter how much we architect and make this beautiful path around this tree and everything is really lovely, people are just gonna take the shortest possible path and that's what Kanye did. Kanye took the shortest possible path around a six digit password and just put six zeroes, right? So a lot of the times we see this and we try to block it off or we try to do something about it. Sometimes we see something like this, right? We see a desire path across the snow and I like this example, this example to me is when that desire path that one coworker does becomes codified into a new higher deck for sales training and they're just taking that shortcut that you really don't want them to do and teaching it to every new employee.

Aaron Zander: See architects take these paths and they take stuff like people walking in the snow and where people do and they learn to embrace those changes and make them better, right? Figure out where they went wrong. Sometimes frankly they're just mistakes. This is obviously a nice security thing so people don't ride their bikes down the path, but it doesn't do anything. When you have to throw something up and at the end of the day it just doesn't do anything and you end up just frustrating people. We need to avoid doing stuff like this. We need to avoid giving these presentations of security that don't actually do anything because not only do they frustrate our coworkers an dour colleagues, but they kinda make us look silly. Instead we gotta figure out what went wrong. We have to build security and compliance models that match what people are doing and we have to think about what our goals are in comparison to what people actually want to do or are willing to do.

Aaron Zander: We can't forget about the end user. When we forget about the end user and we don't put ourselves in their shoes and we take our naturally, high security friction thresholds and just accept that this thing is gonna suck, people dislike it and they don't really want to do what we want them to do. Then we fight against these desire paths. Sometimes we squash out those issues that we see and we block the area and we never really take into consideration what the reason was that people were taking these shortcuts in the first place. So again it's not us versus them. We all need to work together in a security environment. Hackerone is very open company. We share a lot of access and privilege because we're able to build not only trust on a human level, but trust in a systematic level. So we can't do this. We can't just put up a sign and expect people not to walk across the grass and not to take these shortcuts. We actually have to do something about it. The other day city planners take these desire paths and they make successful pathing out of it.

Aaron Zander: So this is a university in Midwest and this is what the desire paths look like and over the years this is what the actual paths across this campus have become. You can see no one would design this normally, but it's literally the shortest path from one place to the other have all been paved because someone probably got sick of redoing the lawn all the time. You have to embrace what these people are doing and you have to take the evidence that is given to you and move forward and do something with it.

Aaron Zander: So when we look at these desire paths, you have them in different veins and different thoughts. You can have something really short right? And you can fix them in just a small patch. Maybe that's just pushing out a small change to make something easier or adjusting the length of a session time in Okta so people won't get timed out every four hours, maybe it's eight hours or 12 hours or 24 hours. So you have a full day of working without having to get logged out. When you do those paths and you embrace these little changes, you really highlight that you can make small fixes. Then when you have something bigger right, this is a path that's going through a larger change that maybe is becoming institutionalized and there's not a lot you can do about it unless you rip everything out. What you can do instead is you can embrace it and make people more secure. So if there's an application that your marketing team has bought behind your back, maybe instead of just saying no to it, you okay we're gonna pay for the tier of the tool that lets us use single sign on.

Aaron Zander: So now it meets our security criteria. We're gonna do a security review on it and we're gonna say you're gonna use this tool no matter what. Let us at least take ownership and do the right thing with it. Then lastly, sometimes you have to go all out and you really have to invest and build something more than you were expecting. You have to take a look at these holistic problems and you have to say hey we're gonna put the effort and we're gonna do something and when you highlight these tools and you look at it, that can be something like moving off the VPN into a zero trust network into a beyond court model and saying we don't want to put these pressures in front of you and we don't want to make these tools so difficult that you don't want to use them. We're gonna not only make these easier, we're gonna make things faster. You're not gonna get locked out of the VPN all the time. You're not going to have to look down at your Google authenticator key and deal with that ring of time of running out. We're gonna push your 2FA to you.

Aaron Zander: You're gonna accept the push on your phone. You're gonna go through a proxy gateway. You're just gonna land at your site. There's not VPN. It doesn't matter where you are. It's all fine. So what does this look like at HackerOne? It's always nice to talk about all these great things, but what do we actually do? We try an SSO or no go policy. It doesn't always work, but our general thing is if there is a tool that's going to be bought, do they have single sign on? If they do, it makes everything a lot smoother. If they do at a specific tier, then we're gonna look to see if we can secure the extra funds to buy that tier and purchase that. Nine times out of ten that's what we do. Usually it involves me calling Avender and getting very angry with the sales person understand why it's charging $10,000 for an implementation fee for single sign on is crappy. It's really just paying the SSO tax and that's important to keeping this methodology going.

Aaron Zander: We try to keep everyone with two passwords, right? The main password for your computer and then a password for the password manager. That's the only two passwords that most people should have to know at any point in the organization. We give everyone a password manager at the organization so they have it. It allows them to share passwords through vaults. So when you have an accounting team and they want to share all these passwords throughout, everything is good and it's easy to go. But more importantly, when we're onboarding people we basically have them generate a 64 character password, put it into that password vault, and then use that password of Okta which gets them to use these password managers. We MFA everything. We never use SMS. We basically skip Google authenticator unless we have to use it and we use push base authentication. When your base push for most tools is a push base authentication, it's a lot easier to get people to adopt those tools especially people who have maybe in your finance department or your sales team, maybe aren't really used to using 2FA all the time.

Aaron Zander: They hate that ticking clock or transcribing information back and forth. My wife hates them. She's dyslexic and can never type them right the first three times. Push base authentication gets rid of that completely. You can also go to something like a Ubeki, you can use Duo, there's lots of open source tools for this too.

Aaron Zander: We make sure people understand the updates are not just the job of IT. There's something that you need to schedule. There's something that you need to take as seriously as anything else you do in your job. If you're gonna schedule a business call, you can schedule 30 minutes for an update. We use our MDM to push updates and at some point if you're not up to date, you literally just won't be able to log in to our tools. So it's gonna force you to do it and then our MDM will eventually force it on you too and it'll restart you in the middle of a meeting.

Aaron Zander: We do a lot of compliance stuff. We are going through FedRamp and we have Stock two type two and our amazing security and compliance team fights with our auditors all the time when they ask us why don't you do this and we say, well this is better. Why do we have to do it this way when it's less secure? Gen talks about hey we have this complex password policy because it's what FedRamp is, that's more of what FedRamp was and now as FedRamp has evolved and these policies evolved because of the push back that all of us push back on these auditors and on these standards, they become better. So now okay we can rotate our password once a year, but everything is multifactored all the time. People are happy with that. We have to fight on those different hills and we have to choose which hills we're gonna actually die on.

Aaron Zander: So it's important to understand what your desire path is and Gen and I are gonna talk a little bit more about what friction looks like in an organization and then we'll have some time for some Q&A.

Gen Buckley: Okay so I have to ask, on a scale let's say one to five.

Aaron Zander: Yeah.

Gen Buckley: What do you place your SFT, your security friction threshold score at?

Aaron Zander: I'm pretty high. I've been using a password manager for the same password manager for 11 years so I'm always down to do really long passwords and I will go to the point if a password manager won't accept my really long password, finding the exact character count it is. I've also gone so far as to report bugs in stuff like DirecTv Now when they have an internal SSO that won't accept my long password, but their website will. So when you transition to different tools. I fight for it. I'm with you.

Gen Buckley: Awesome. That's fighting the good fight right there. All right, so let's actually take a quick paw, right so SFT your personal security friction threshold one to five. Who's a one? Excellent. If anybody raised their hand I was gonna have to come and smack you. That's not okay. You should have some friction. Right you should have some threshold for security friction, right? Okay how about two? Excellent, I love you all already. How about a three? Three's respectable.

Aaron Zander: Three's good.

Gen Buckley: Three is good.

Aaron Zander: Three is where most of the people.

Gen Buckley: I think most people would be at a three and that's okay. Relative to what you're gonna do and the risk factor in terms of what you have access to and the tools you're using, having a friction threshold of about a three is actually perfectly acceptable. How many would give themselves a four? Okay right on. Where are my fives? Yeah there are my fives. Right on.

Aaron Zander: Is there anyone that thinks that five is too low? All right.

gen buckley: Sorry yeah. Old habits are hard to break. Ten years in financial services will do that to you.

Aaron Zander: Yeah.

Gen Buckley: Speaking of financial services, one thing and I know we'd spoke about this that I do not like, are security questions.

Aaron Zander: Oh I hate them.

Gen Buckley: I hate them.

Aaron Zander: We got rid of them at HackerOne. We don't use them because they don't do anything. We also don't let people reset their own passwords for security reasons. We have to physically check who they are.

Gen Buckley: Okay.

Aaron Zander: Again we're scared of a lot of things and that's a cross that we bare, but I also think it's really like some of them are so bad and have you ever used a password manager to make up your security questions and answers?

Gen Buckley: Yes. Absolutely, right. Was there somebody else? Back when I spoke about earlier about that brute force attack I endured where the financial service account, in order to reset it I had to go in and answer a bunch of security questions. At the time I had set that up, these were canned questions. So it's like what's the middle name of your maternal grandmother or something like that. At the time I had set that up I was stupid and I actually answered those questions truthfully cause I thought I had to. Like I thought they had the answers and I had to match. I know, right? Then I realized afterwards, I should not be using real information here and of course now it's all gobbley gook that I generated.

Aaron Zander: Have you ever had a time where you've had to call in for help and they ask you a security question and then you have to give them your 32 characters of garbage and they hate you?

Gen Buckley: Yes.

Aaron Zander: Okay.

Gen Buckley: Yeah and you have to lowercase and yeah.

Aaron Zander: Yeah.

Gen Buckley: Oh no, I know. But it's interesting to me that there is still in financial services, especially banks that actually still rely on that. They rely on security either canned questions with canned answers or canned questions or just write your own and it's like you know what?

Aaron Zander: The canned answers are the worst. We have like a dropdown like what was your favorite band of the '90s and you're like I don't remember.

Gen Buckley: Well your favorite vacation, beach, mountain. It's just like that's not hard man. So not a fan of security questions, yeah. Totally. I know we do still support them because part of that again since we're agnostic and we try to supply what our customers want, we do try to support anything that we feel that they're gonna need, but yeah I don't care for that personally.

Aaron Zander: What do you find, I mean obviously you go through all these audits and you deal with all these, what do you find is the hardest thing to convince these, especially some of the older auditing companies out there that they just don't want to understand the cloud based stuff.

Gen Buckley: Right.

Aaron Zander: What do you find is the hardest thing to convince them of? Like this is totally okay that we do this.

Gen Buckley: So for FedRamp in particular, there's a whole process with the authority to operate so you actually have to come up with something that's gonna appease everybody you work with. So for us, part of that challenge right is dealing with all our government, our public sector customers, and coming up with a policy that satisfies all of them. Cause we can't have different password policies based on different, so we need to have one consistent one. So I'd say that's, I actually really related to the part where you talked about you have to pick your battles to die on. So we had to pick the battles saying we're not thrilled with this, but this is what's gonna meet the requirements we have for all our ATOs that we currently are having issued with all the various government agencies that rely on Okta. That's hard to say. The dream is still password authentication and that's definitely where we're all moving to.

Aaron Zander: Yeah I think the web authen standards are really great and it would be great to see how those evolve and then in 20 years when the agency actually embrace letting us do that, that'll be also great.

Gen Buckley: Absolutely.

Aaron Zander: What's the silliest thing you've ever had to explain to someone?

Gen Buckley: What's the silliest-?

Aaron Zander: In an audit.

Gen Buckley: That's a really good question. I guess it would be why can't we visit the data center? That would have to be the silliest. It's just like okay so Amazon doesn't let anybody visit their data centers. We don't get to visit their data centers. But we review their auditor reports regularly and they've been audited and they're very transparent and it's like nobody gets to do that. So people ask well we want to do an on site audit of the data center, it's like that's never gonna happen anywhere actually. That's not really gonna work. The other question I've gotten we still get is when people ask about oh why shouldn't we use SMS which is still surprising to me because there's been. Here's a question actually for you.

Aaron Zander: Let me count the waves, right?

Gen Buckley: Yeah, so what do you think is preferred? Either if SMS is the only MFA that someone would use, versus no MFA?

Aaron Zander: Okay so if-

Gen Buckley: Yeah it's hard.

Aaron Zander: Here's the actual advice I would give someone especially if you're high profile or a celebrity or even if you're just a popular Twitch streamer where you're actually a really big target for this kind of stuff, is either buy a phone or a SIM card and have that be your two factor for that specific thing. Now if you have a second service that you need, you buy another phone and another SIM card.

Gen Buckley: That's actually pretty good.

Aaron Zander: It's the only way to almost secure them just because the way that people start to breach these things is as soon as they know your number, they can start trying to clone that number or try to port that number away from you through back channels through your carrier. No matter how strong you are, you're only as strong as the weakest support person that someone can talk to. Or sometimes they're completely out of that loop and people know people in retail or directly associated with those carriers and they just port them away. So if people don't actually know what number you're using for that service, then it becomes slightly more secure to an extent.

Gen Buckley: Right, and does everybody understand why in addition to just the social engineering aspect of somebody stealing someone's phone number, the fact the phone numbers get reused, they get recycled so if you change your number you've just handed your tokens off to somebody else. SMS the cellular network can be man in the middled. That was actually something that's happened several times. It's all clear tax. None of it's secure and they can just, don't use SMS for 2FA.

Aaron Zander: Honestly I think if you're setting it up in your company and you're setting up Okta and you're rolling out 2FA for everyone and you turn on SMS, you're going to make people dislike the process of authenticating more than if you just went straight to an Okta verified solution of Ubeki solution.

Gen Buckley: Right.

Aaron Zander: I think a lot of people say oh you're gonna install an app that's gonna increase friction. That's gonna increase friction for the first minute or two minutes, but after that SMS is gonna increase the friction every time someone authenticates. You have that delay in text. You have the security risk. You have the literally reading the text message and typing it in and I will tell you after helping people for years with SMS authentication, no one likes it. It is really hard for some people and push base verification is so much quicker.

Gen Buckley: Absolutely and this is kind of random. I think it's been solved now, but there is actually an issue where T-Mobile wasn't formatting the sender code for the SMS verification and it was showing up like the phone number was from Russia.

Aaron Zander: Yeah.

Gen Buckley: People were freaking out because they're like Russia's hacked my phone. I'm getting text code, SMS codes from Russia.

Aaron Zander: Worse than that, some carriers have blocked services like Twilio by accident and so now your users can't authenticate because they literally won't get those SMSs.

Gen Buckley: So we're all gonna use push base, MFA, or Ubeki. We're on agreement right? Excellent.

Aaron Zander: Cool. So I think we have some time. We wanted to leave a lot of time in the session to ask Q&A so we have our lovely assistants helping us pass out microphones. So all of you if you have a question, please raise your hand and we'll bring you a microphone and really across all topics, please feel free to ask questions whether that's positioning anything or anything that you saw in the presentation or anything like that. Great. I see one back there.

Speaker 3: Cool, thanks. Just a quick note, you were saying about the security questions. I've since changed mine, but it was really awkward because they were all Verizon sucks or whatever the vendor was we were calling which got really awkward when you did have to talk to that person on the phone. My question was, with the desire path thing I don't control my marketing departments SAS budget for example, so software product day is five grand. Software product day with SSO Saml is now 15 or a $10,000 startup cost or something. It's not on their annual plan. They're not gonna pay for it. I can't afford to absorb that across however many apps it is. How do you partner to solve that challenge?

Aaron Zander: Yeah so we have an open policy. One we've definitely denied applications at Hackerone from getting rolled out. I am the first person that says I hate when IT just says no, but we had an application just a couple months ago that was like we're still on TLS 1.0 that's cool right? We said no. We have an open policy that says hey look, submit whatever app you want and then we try to understand a couple things. One what application are you wanting to use and why? What type of application? This is a marketing app that helps you reach other journalists for your PR team right? Understanding what the flaws are in their authentication model or what's going on and then also the fact that hey we're happy to talk to these sales people too. You don't have to go to this war on your own. We're gonna come to it and I am now at a point where my sales team brings me in to do trainings with our sales team because I'm that customer. We have these conversations with every one of our vendors about hey, why are you charging so much for this?

Aaron Zander: Why don't you care about security enough to charge less for this? I love all the answers I get back for that and they're like all terrible and then just turning them around and answering them and trying to drive that price down. So that's step one. Step two is sometimes we go to finance and say hey look this is the budget, but realistically if they want to use it, we need to pay this. Otherwise we're not sure if we can sign off on it. Sometimes the companies that don't have single sign on do say like email link authentication. So okay, now the only way to get into this application is through email which means that okay the only way to get into our Gmail account is through SSO. So it's okay, it's not the best, but we try to work around what we can to do that and if it's something that's really just a username and password and there's no MFA, there's no protections on it, it's probably not gonna end up getting througha full review anymore.

Gen Buckley: Yeah I can say that we push back a lot. When some vendor is like oh that looks cool, go find one that supports SSO. If this exists in the market, somebody's implementing it with a proper security posture and that's SSO. I actually love the SSO tax. I kinda feel like we should all band together and fight the SSO tax right?

Aaron Zander: SSO.tax.

Gen Buckley: Yeah.

Speaker 4: So to follow up on the SSO tax, does the compliance and assurance team audit Okta partners and is that something you would ding them for if they don't support SSO? Can Okta help us with 60000 integrations is something Okta can do?

Gen Buckley: Let me make sure I understand the question. So do we audit our partners?

Speaker 4: Yeah like those companies that are integrated with Okta, is there a security process that they have to go through?

Gen Buckley: There are, so in the Okta integration network, there are integrations that are verified by the engineering and they're actually marketed.

Aaron Zander: No but I think what he's asking is do you guys go through and actually look at what people are charging for that and see that hey this isn't that hard.

Gen Buckley: I don't know that we have actually. I actually don't know if we have. I mean we do look to see that they support it because that's where we all need to be. Rise and tides lift all boats. That's gonna raise the security posture for everybody. It helps us all if we all support SSO. It's a really good question though I'll have to do more research on that. Thank you.

Aaron Zander: Cool. Any other questions?

Gen Buckley: So I actually have a question for you.

Aaron Zander: Oh yeah.

Gen Buckley: So Hackerone, awesome, Bug Bunny, I know our pen test team did one of your live hacking events last year. They loved it. So what's something about Hackerone that people don't know that you wish they knew?

Aaron Zander: Don't know that we wish they knew. I would say those live hacking events we do these events throughout the year with various customers. When you actually get to meet these hackers, they're unlike our lovely keynote this morning, they're usually not wearing dark hoodies and hiding in the shadows. They're a really strong community and they're usually laughing and making fun of each other and trolling each other really hard. Literally going to the depths of the end of the world to try to find really obscure bugs to solve these weird problems.

Gen Buckley: Right on.

Speaker 5: So how do you go about increasing your user's friction level? We onboarded a lot of European users and they just have an aversion to doing any work stuff on their private phones so they were not accepting of SMS verification which was fine with us cause we didn't enable it. They did not want to install the Okta verify app, so for those users we bought Ubekis and sent them out, but how do you go about?

Aaron Zander: No you just answered the same question of exactly how we did it. We're really excited for web authen cause it solves a lot of those problems. We're already giving people Mac with a touch ID like okay. You don't want to devise, you don't want to work on your phone.

Speaker 5: It's a cultural thing.

Aaron Zander: Yeah exactly. It's almost August. They're gone for the entire month, we know. I used to work for a company that closes books and we had July 1 was the beginning of the fiscal year and they'd set up the whole new budget in Denmark and then they'd leave for the entire month of August and no one would know what the corporate budget is. Yeah we use Ubekis as a great way for that. Web authen is gonna be a great solution for that. The tricky part is not all of our tools work well with Ubeki. So we've had to figure out some other options like that. You can do call to verify stuff and only allow it for the specific apps, but it's still not great. Yeah in general, hardware tokens is the way to solve that.

Gen Buckley: Yeah and my pitch is always peace of mind. You don't want to be the weak link. You don't want to be the one who's account got compromised and that gave someone the foothold that enabled them to then access your address book and start sending emails out that had fishy links. You don't want to be the weak link and so it's like yes a little friction is peace of mind. That's how I try to spin it personally.

Aaron Zander: Cool. Any other questions?

Gen Buckley: One last thing, just so you know Ubecko is a partner with Okta and we do give out free starter packs two for Ubekis for customer Okta MFA adaptive MFA talk to your AE, get a Ubeki. Give it a try.

Aaron Zander: They're really cool.

Gen Buckley: Yeah. Only good till Friday. I just found out by this nice man.

Aaron Zander: Perfect. Well thank you guys all for coming and I hope you guys have a great rest of Oktane.

Gen Buckley: Thank you. Yeah.

Companies who blame employees for poor password and email hygiene aren’t spending enough time, money, or energy driving home security best practices within an organization. We all like to laugh at the "Kanyes” of the world for their poor operational security, instead of aligning our goals to meet theirs.

The role of IT and Security teams in the business world is to provide our employees a safe harbor to make as many mistakes as they can. If we think they’re going to use a simple password, we should ensure their devices and tools not only require stronger passwords, but we supply the tools and training on how to make safe, easier to remember passwords. We have to acknowledge the “desire paths” across the security landscape, and ensure that we not only keep up, but facilitate ease of access while maintaining our security perimeter. At the end of the day, there’s no guarantee on the tech savvy nature or level of care an employee will bring to the table, so we need to move the table closer to them.

In this Breakout Session Aaron Zander, Head of IT for HackerOne, and Gen Buckley, Senior Analyst for Security and Compliance at Okta, will discuss the various ways to enable a security culture without crippling your coworkers.