ER Emerging
What is federation?
A trust relationship between an application (the service provider) and an identity provider (IdP), set up over a federation protocol: SAML, OpenID Connect (OIDC), OAuth 2.0 or WS-Federation (WS-Fed). The app accepts the IdP's signed assertion or token instead of checking a password itself.
How does Okta get the HR data for HRaaM?
Either direction works: the HR system (or an integration built on top of it) pushes HR data into Okta through Okta's REST API, or Okta pulls the data on a schedule through the HR system's own API.
What are the most popular apps from 2017? (based on popularity and MAUs)
O365, Gsuite, SNOW, DocuSign, AWS, Workday, SFDC
Why do customers trust Okta from a security perspective?
A dedicated security team, SOC 2 audits, dedicated cells for customers with special requirements, FedRAMP authorization, HIPAA and GDPR compliance, and much more.
microservices architecture
An application development approach that splits an application into small, well-defined services, each built around one function, so teams reuse existing services rather than reinventing the wheel. Uber is the usual example.
How does HR/IT provisioning reduce the risk of security vulns?
It automatically offboards people when they leave the organization and deprovisions unused accounts. It logs and tracks how each user was granted access to each app. And it provisions users with the right access, derived from their attributes or group memberships, instead of hand-assigned permissions.
SSO pricing
$2 per MAU
UD pricing
$2 per MAU
MFA pricing
$3 per MAU
LCM pricing
$4 (unlimited, OIN apps only). $6 (unlimited, OIN apps plus the OPP connector, which uses SCIM for on-prem provisioning). Advanced Mastering is a $2 add-on.
3 Zero Trust best practices
1. Access all resources securely. 2. Strictly enforce access control regardless of where the access originates. 3. Inspect and log all traffic.
Why implement MFA?
A password is something you know; a second factor is something you have (a phone, a hardware token) or something you are (a fingerprint). Requiring a factor from a second category means a stolen or guessed password alone is not enough to log in.
How are APIs written?
An API is a contract exposed by code: a set of endpoints, the inputs they accept and the data they return. The code holds the information; the API is the defined way of transferring it to another program.
What's the definition of provisioning?
Attribute flow: passing a user's attributes from one service to another via API so the receiving system can create or update that user's account.
Top content collaboration apps
Box and Dropbox
When is MFA free?
Comes with SSO but only with the OTP factor
What is a cell?
A group of servers allocated to a set of customers. A FedRAMP or HIPAA cell, for example, is a cell dedicated to customers with those compliance requirements.
Decision process
How do they like to purchase software? "I see you recently rolled out Concur, what did your evaluation process look like? Was that a good experience for you? How can we take the mystery out of buying Okta?" (Ex: demo, POC, free trial, sandbox environment, BVA, references, etc.).
What's an installation wizard?
If a customer comes across an app that isn't in our OIN, they can use the installation wizard, which lets them either federate access (SAML/OIDC) or use SWA/form-based authentication. The wizard is essentially us walking them through how to connect the app.
Why would you put Okta MFA in front of a VPN?
If the company already has a VPN, Okta MFA can sit in front of it so the VPN prompts for a second factor at connection time; a leaked VPN password alone is then no longer enough to get onto the network.
How do you tie Okta to an on-prem directory
If you have AD, we install a lightweight agent on a domain-joined member server (or directly on a domain controller). The agent runs under a service account and talks to Okta over outbound-only HTTPS on port 443, so no inbound firewall ports are opened. Okta reads AD through the agent; when a provisioning task is queued or a user authenticates, the agent polls for the task, accepts it and performs the action against the domain controller.
How does Okta work with a SIEM?
If you use a SIEM such as Splunk, the SIEM calls Okta's events/log API and pulls the records in on a schedule; the SIEM consumes Okta's logs rather than Okta pushing them.
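Here is what a pull-based collector does with those records once it has them, as an added example that is not Okta's or Splunk's code. It parses one page of log events (field names follow the Okta System Log event schema; the events themselves are constructed samples so the script runs offline), flattens them for indexing, and runs two detections a SOC would want on identity logs: a password spray (one source IP failing against many accounts) and successful logins through anonymizing proxies. A real collector would page through the log API with an API token and keep a cursor of the last timestamp it consumed.

```python
"""Pull Okta log events into a SIEM pipeline and run two simple detections.

Added example, not Okta's or Splunk's code. Field names follow the Okta
System Log event schema (eventType, published, outcome, actor, client,
securityContext). The events below are constructed sample data so the
script runs offline.
"""
import json
from collections import defaultdict


def _event(user, ip, result, reason=None, country="United States", proxy=False):
    """Build one constructed Okta-style event (sample data, not a real log)."""
    return {
        "eventType": "user.session.start",
        "published": "2019-03-01T10:00:00.000Z",
        "outcome": {"result": result, "reason": reason},
        "actor": {"type": "User", "alternateId": user},
        "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
        "securityContext": {"isProxy": proxy},
    }


# One "page" of log output as the API returns it: a JSON array of events.
SAMPLE_LOG = json.dumps([
    # Same source fails against four different accounts: password spraying.
    _event("alice@example.com", "203.0.113.7", "FAILURE", "INVALID_CREDENTIALS", "France"),
    _event("bob@example.com", "203.0.113.7", "FAILURE", "INVALID_CREDENTIALS", "France"),
    _event("carol@example.com", "203.0.113.7", "FAILURE", "INVALID_CREDENTIALS", "France"),
    _event("dave@example.com", "203.0.113.7", "FAILURE", "INVALID_CREDENTIALS", "France"),
    # One typo then a success from the user's usual address: benign.
    _event("alice@example.com", "198.51.100.9", "FAILURE", "INVALID_CREDENTIALS"),
    _event("alice@example.com", "198.51.100.9", "SUCCESS"),
    # Successful login through an anonymizing proxy (e.g. a Tor exit node).
    _event("erin@example.com", "192.0.2.44", "SUCCESS", country="Netherlands", proxy=True),
])


def parse_events(raw):
    """Parse one page of log-API output."""
    return json.loads(raw)


def flatten(event):
    """Project a nested Okta event onto the flat field set a SIEM index expects."""
    client = event.get("client") or {}
    geo = client.get("geographicalContext") or {}
    outcome = event.get("outcome") or {}
    return {
        "time": event.get("published"),
        "event_type": event.get("eventType"),
        "user": (event.get("actor") or {}).get("alternateId"),
        "ip": client.get("ipAddress"),
        "country": geo.get("country"),
        "result": outcome.get("result"),
        "reason": outcome.get("reason"),
        "is_proxy": bool((event.get("securityContext") or {}).get("isProxy")),
    }


def password_spray_sources(events, min_users=3):
    """Source IPs with failed password logins against >= min_users distinct accounts.

    Counting distinct users per IP, rather than failures per user, is what
    separates spraying from one person mistyping their own password.
    """
    failures = defaultdict(set)
    for e in map(flatten, events):
        if (e["event_type"] == "user.session.start" and e["result"] == "FAILURE"
                and e["reason"] == "INVALID_CREDENTIALS" and e["ip"]):
            failures[e["ip"]].add(e["user"])
    return {ip: users for ip, users in failures.items() if len(users) >= min_users}


def proxy_logins(events):
    """Successful session starts from addresses Okta marks as anonymizing proxies."""
    return [(e["user"], e["ip"]) for e in map(flatten, events)
            if e["event_type"] == "user.session.start"
            and e["result"] == "SUCCESS" and e["is_proxy"]]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for ip, users in password_spray_sources(evts).items():
        print(f"possible password spray from {ip}: {sorted(users)}")
    for user, ip in proxy_logins(evts):
        print(f"login via anonymizing proxy: {user} from {ip}")
```

The thresholds are deliberately simple; in a real pipeline you would window the spray count over time and enrich the proxy flag with your own threat intel before alerting.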
What is WSFed?
Microsoft's federation protocol, roughly its counterpart to SAML: WS-Fed defines a different request/response flow but typically carries SAML tokens, and it is what AD FS and older Microsoft applications speak.
Top Sales and Marketing apps
SFDC and Adobe creative cloud
What product allows us to do Advanced Server Access?
ScaleFT
Top 2 trends companies are investing in - evident by the B@W report
Security and collaboration
What is Adaptive SSO?
Using your existing MFA solution and its factors while Okta's policies decide when a second factor is required.
How did Zero Trust evolve?
The Zero Trust Extended Ecosystem (ZTX) builds on the original model, offering a security framework developed for a cloud- and mobile-first world
Support
They are there for you anytime after the sale to make sure nothing goes wrong and to fix things if they are broken
How does Okta create user accounts?
Through provisioning. We support provisioning for around 120 apps.
What is Federation?
A type of authentication in which the IdP vouches for the user to the app, replacing app-specific credentials. The Okta domain is federated to the app's domain: when you go to the app's login page you are redirected to the IdP (Okta). If you have no active Okta session you cannot log into the app; if you do, Okta tells the app, with a signed assertion or token, that this user may log in. The app receives a token rather than a password, so there is no app-side password to phish, reuse or leak.
What product can we not sell stand alone?
UD
What does LCM do?
Creates, updates, activates and deactivates accounts; streamlines onboarding and offboarding.
How do we put MFA in front of VPN?
Using the Okta RADIUS agent: the VPN is pointed at the agent as its RADIUS server, the agent forwards the authentication to Okta, and Okta's policy enforces the second factor before the VPN receives an Access-Accept.
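What actually crosses the wire between the VPN and the RADIUS agent, as an added example that is not Okta's agent code: a PAP Access-Request as RFC 2865 defines it, built on the VPN side and decoded on the server side. Only the User-Name, User-Password and NAS-IP-Address attributes are implemented, and the user, shared secret and addresses are made up. The point worth seeing is how the password is hidden: an MD5 keystream seeded with the shared secret and the per-request authenticator, so the strength of that secret is the strength of the channel. Use a long random secret and treat the VPN-to-agent network path as sensitive.

```python
"""Encode and decode a RADIUS Access-Request (RFC 2865) as a VPN sends it to
the RADIUS agent.

Added example, not Okta's RADIUS agent. Shared secret, user and addresses
are made up.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decrypt_password(ciphertext, secret, authenticator):
    """Inverse of encrypt_password; trailing NUL padding is stripped."""
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """One type-length-value attribute; the length counts its 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Assemble the packet the NAS (here, the VPN) sends to the RADIUS server."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    attrs = (
        attribute(ATTR_USER_NAME, username.encode())
        + attribute(ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
        + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, {attr_type: raw_value})."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:HEADER_LEN], attrs


def recover_password(packet, secret):
    """What the RADIUS server does with the request: parse, then decrypt."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("not a PAP Access-Request")
    return attrs[ATTR_USER_NAME].decode(), decrypt_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)


if __name__ == "__main__":
    secret = b"use-a-long-random-shared-secret"
    pkt = build_access_request(7, "vpnuser", "correct horse battery", secret, "10.0.0.5")
    print(recover_password(pkt, secret))
    print(recover_password(pkt, b"wrong secret"))  # wrong secret yields noise, not an error
```

Because a wrong secret produces garbage rather than a failure, the server has no way to tell a mistyped secret from a tampered packet by the password alone; the Response Authenticator on the reply is what the VPN uses to verify the server.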
Steps to close
What do we have to do to get this signed? What are the remaining steps in their eval process? Outside of sales are there any steps? (Legal?)
Competition
Who else are they evaluating? Why? Are there limitations in moving forward with us? What do we need to prove to win the business?
economic buyer
Who is signing off on this? Do they have budget? Do they need approval from someone else? Who's budget would this be out of?
Champion
Who's a fan? Who's going to coach us through this process/act as the liaison? Can they influence everyone else?
How does SCIM work?
With SCIM, user identities can be created either directly in a tool like Okta, or imported from external systems like HR software or Active Directory. Since it is a standard, user data is stored in a consistent way and can be communicated as such across different apps. This enables IT departments to automate the provisioning/deprovisioning process while also having a single system to manage permissions and groups. Since data is transferred automatically, risk of error is also reduced.
How do you build provisioning for on-premise apps?
Through OPP (on-premises provisioning): the OPP agent connects Okta to a SCIM connector for the on-prem app, so provisioning works the same way it does for cloud apps.
How does Okta integrate to on-prem apps when not on the network?
Via a reverse proxy. We do this by partnering with F5 (this deep integration is our competitive advantage), or we integrate with their RADIUS instance if that is what they already use.
What is our reporting functionality?
You can see in Okta where different users are logging in to which apps from. You can also see when access was provisioned and which roles and permissions were pushed to each app. We can run an access certification report to compare what a user is supposed to have with what is actually in the app.
What is ScaleFT?
an access management platform that provides secure, remote access without the need for a VPN
SSO high level definition
authenticate into all of your apps one time, by logging in with one user name and one password. You don't have to reauthenticate during the same session
Apps we provision
best of breed apps in our OIN - you have to memorize them
What does onboarding/offboarding employees require?
collaboration between HR and IT. Since HR is the first to change an employee's status (e.g., hire, update, or terminate), they must relay the information to IT, who then creates app accounts, assigns devices, etc.
What is the benefit to automating onboarding/offboarding process with HR driven IT provisioning?
eliminates the pain of managing user lifecycle processes while reducing your security risks.
REST APIs
REST (Representational State Transfer) is the dominant style for web APIs: resources are addressed by URL and manipulated with standard HTTP methods (GET, POST, PUT, DELETE), and each request carries everything it needs (stateless). REST APIs sit on the web, ready to be called at any time by any authorized client.
Where does our authorization server sit?
in the cloud
What does Okta's UD allow you to do?
Self-service password resets; storing temporary employees so they don't have to live in your master/AD; acting as an identity bridge between directories; letting your company scale; improving M&A agility (by tying identities together quickly).
Why do we write APIs?
So that other programs can request one specific piece of information or invoke one specific function without needing access to the underlying code or data store.
Why implement SSO?
Stronger credentials, fewer credentials, productivity, and centralized reporting/logging.
AMFA pricing
$6 per MAU
What is a limitation of AD?
Adding custom attributes to AD means extending the forest-wide schema, a heavyweight change most organizations avoid, so in practice you cannot freely define an unlimited set of custom attributes.
What apps can you use as a master?
AD, LDAP, G Suite, O365, HR apps, SFDC. But any other system can act as a master through CSV: it exports a CSV that Okta imports, and we can automate that import on a schedule and pull users based on groups.
what is an authorization server?
An authorization server defines your security boundary, for example "staging" or "production." Within each authorization server you can define your own OAuth scopes, claims, and access policies. This allows your apps and your APIs to anchor to a central authorization point and leverage the rich identity features of Okta, such as Universal Directory for transforming attributes, adaptive MFA for end-users, analytics, and system log, and extend it out to the API economy. At its core, an authorization server is simply an OAuth 2.0 token minting engine. Each authorization server has a unique issuer URI and its own signing key for tokens in order to keep proper boundary between security domains. The authorization server also acts as an OpenID Connect Provider, which means you can request ID tokens in addition to access tokens from the authorization server endpoints.
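The issuer-as-security-boundary point above, and the federation flow described earlier (the app trusting a token instead of a password), are easiest to see in code. The following added example, which is not Okta's code, mints an ID token and verifies it the way a relying party must: pinned algorithm, signature, issuer, audience, expiry and nonce. It uses HMAC-SHA256 so it runs stand-alone; Okta signs with RS256 and publishes keys at the issuer's JWKS endpoint, so a real client looks the key up by kid instead of holding a shared secret. Issuer URIs, key IDs and client IDs are made up.

```python
"""Mint and verify an OpenID Connect ID token the way an authorization server
and a relying party do.

Added example, not Okta's code. HS256 is used so the example is
self-contained; Okta uses RS256 with keys published at the issuer's JWKS
endpoint. Issuer URIs, key IDs and client IDs are hypothetical.
"""
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised when an ID token fails any validation step."""


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Token-minting engine with its own issuer URI and signing key."""

    def __init__(self, issuer, signing_key, kid, ttl=3600):
        self.issuer, self.key, self.kid, self.ttl = issuer, signing_key, kid, ttl

    def mint_id_token(self, subject, client_id, nonce, now=None):
        now = int(time.time() if now is None else now)
        header = {"alg": "HS256", "typ": "JWT", "kid": self.kid}
        claims = {"iss": self.issuer, "sub": subject, "aud": client_id,
                  "iat": now, "exp": now + self.ttl, "nonce": nonce}
        signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)


class RelyingParty:
    """The app receiving the token: trusts exactly one issuer and one audience."""

    def __init__(self, issuer, client_id, keys, leeway=60):
        self.issuer, self.client_id, self.keys, self.leeway = issuer, client_id, keys, leeway

    def verify_id_token(self, token, expected_nonce, now=None):
        now = int(time.time() if now is None else now)
        try:
            header_b64, claims_b64, sig_b64 = token.split(".")
            header = json.loads(_b64url_decode(header_b64))
            claims = json.loads(_b64url_decode(claims_b64))
            sig = _b64url_decode(sig_b64)
        except (ValueError, UnicodeDecodeError) as exc:
            raise TokenError("malformed token") from exc
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise TokenError("malformed token")
        # Pin the algorithm: the token never gets to choose (rejects alg=none, key confusion).
        if header.get("alg") != "HS256":
            raise TokenError("unexpected alg")
        key = self.keys.get(header.get("kid"))
        if key is None:
            raise TokenError("unknown kid")
        expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise TokenError("bad signature")
        # A valid signature is not enough: the claims bind the token to us and to now.
        if claims.get("iss") != self.issuer:
            raise TokenError("wrong issuer")
        aud = claims.get("aud")
        if self.client_id not in (aud if isinstance(aud, list) else [aud]):
            raise TokenError("token not intended for this client")
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + self.leeway:
            raise TokenError("token expired")
        if claims.get("iat", 0) > now + self.leeway:
            raise TokenError("token issued in the future")
        if claims.get("nonce") != expected_nonce:
            raise TokenError("nonce mismatch (possible replay)")
        return claims

    def is_valid(self, token, expected_nonce, now=None):
        try:
            self.verify_id_token(token, expected_nonce, now)
            return True
        except TokenError:
            return False


if __name__ == "__main__":
    # Two authorization servers, two security boundaries (hypothetical issuer URIs).
    prod = AuthorizationServer("https://example.okta.com/oauth2/prod-as", b"prod-key", "prod-k1")
    staging = AuthorizationServer("https://example.okta.com/oauth2/staging-as", b"staging-key", "staging-k1")
    app = RelyingParty(prod.issuer, "client-app-1", {"prod-k1": b"prod-key"})
    good = prod.mint_id_token("alice@example.com", "client-app-1", nonce="n-123")
    print(app.verify_id_token(good, "n-123")["sub"])
    # A perfectly valid staging token is rejected by the production relying party.
    print(app.is_valid(staging.mint_id_token("alice@example.com", "client-app-1", "n-123"), "n-123"))
```

The order of checks matters less than their completeness: a token with a good signature but the wrong issuer or audience is exactly the cross-environment or cross-app replay the separate issuer URI is meant to stop, so the relying party must reject it even though the cryptography is fine.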
UD high level
Arguably the most critical piece of Okta. Can be used as the user store/source of truth, but more than that it is the gateway/bridge that makes Okta work. User store in the cloud.
ZTX best practices
1. Encrypt data in transit and at rest, and protect it with classification schemes 2. People, workloads, and devices are just as untrustworthy as network traffic 3. Automate and orchestrate more processes for efficiency
What are groups?
Based on your attributes you are put into groups with similar attributes
What is the OIN?
Besides being our biggest competitive advantage, it's a catalog of 6,000+ pre-integrated, pre-built connections that provide seamless SSO and provisioning. Very specific roles and permissions can be populated into these apps based on UD or AD attributes. These connections let you provision from AD/LDAP through Okta to the apps and back.
What is the Okta Businesses at Work report?
Businesses @ Work takes an in-depth look into how organizations and people work today — exploring employees, partners, contractors and customers, and the apps and services they use to be productive.
What does the B@W report tell us about the breadth and depth of applications?
Companies are using a bunch of different apps for the same thing, and they are continuously adding more apps
Where is Okta hosted? What are the benefits to this?
Completely hosted on AWS on a zero-downtime architecture. There is no maintenance for the customer; we make updates weekly. Multi-tenant is in beta.
How does HR/IT provisioning increase agility and enable efficient business processes?
Ensures there is no mix up between two different "John Smith's". Bidirectional sync between IT, HR, and downstream apps. Contract employees can transition into full time.
What is an API gateway
Examples are Apigee and MuleSoft. A gateway sits in front of the backend APIs and handles each incoming call before it reaches them: routing, authentication (for example validating the caller's access token), rate limiting and logging.
Zero Trust came from?
Forrester research in 2009
What are the 3 types of MFA?
Free version: comes with SSO and allows you to use all of the Okta factors except YubiKey and PIV. MFA Basic: basic policy engine with on/off-network policies, group-based policies, application-based policies, or policies that deny access entirely when off the network. AMFA: advanced policy engine adding IP address conditions (whitelist/blacklist), geographic location (down to the city in the USA), and device trust (MobileIron or AirWatch).
Top email apps
Gsuite & O365
Why can't you be locked out of an app while using Federation as the authentication method?
Because the app never authenticates you itself: every login redirects you to the IdP (Okta), which verifies that you have an active Okta session before the app lets you in.
What is Advanced Server Access?
MFA on top of Unix, Linux, SSH, RDP
How does HR usually communicate with IT?
Manually, which leads to mistakes and security gaps such as accounts that outlive the employee.
Metrics
Measurements that encompass why someone is evaluating us, and what measurements they will need to meet their requirements. (Ex: 50 password resets a day - with Okta you will have 0. $2M worth of data breaches last year, Okta will bring in BVA to demonstrate what a breach could cost, how much you are spending on Okta, and how much Okta can save you). TCO, ROI, any value that can be measured
Why implement Zero Trust?
Necessary when becoming a cloud/mobile enterprise
Do we do desktop MFA?
No because it's not really a security feature. You can't do it unless you are connected to the network and that defeats the whole purpose of us being cloud based.
Can you give customer references?
No they should only be used if the customer intends on buying and the reference is the last step to seal the deal
Can we store identities device to device?
No we don't do identity management for machines, for example: printers.
Do we do end to end provisioning of devices?
Not on our own, but we partner with VMware Workspace One, MobileIron, Airwatch, and JAMF to do so. We don't have a very clean integration with windows devices
What protocol does our authorization server leverage?
OAuth 2.0
What is API Access Management
Okta API Access Management acts as the OAuth 2.0 authorization server for your own APIs: it decides who may access an API and issues access tokens carrying the permitted scopes, and the API (or its gateway) validates the token before returning any information.
How does Okta connect to on prem applications? What are the integrations?
Okta's capabilities for on-prem applications continue to grow, and include robust integration with VPNs via SAML and RADIUS for network access, as well as SSO. Okta can integrate with on-prem apps via federation standards, RADIUS or our own Secure Web Authentication capability. More recently, Okta has partnered with and developed deep integrations for leading network gateways to simplify network access behind the firewall for Okta users and to integrate apps that use other protocols such as Kerberos or header-based authentication. Okta's solution has also been verified as Citrix Ready with Citrix NetScaler Gateway, providing single sign-on (SSO) using SAML, OAuth and RADIUS to XenApp and XenDesktop sites as well as any enterprise web application.
What is OPP?
On premise provisioning. Outbound only communication. SCIM connector which is standard for provisioning
What does OPP stand for?
On-premise provisioning agent
Password and 2FA trends
Passwords aren't a silver bullet to protect your apps and data. They're just one piece of what should be a much more sophisticated puzzle. MFA adoption among Okta customers continues to grow, as does the average number of factors they deploy. Nearly 70% of Okta customers are offering three or more factor options to their users today (compared to 62% last year). While implementation is a good first step, there's more you can do. Our data shows our customers continue to use less secure factors like SMS and security questions. The infamous security question is the most popular factor we see deployed and adopted, and it's growing. 38% of MFA users are using security questions today, compared to 30% last year.
Decision criteria
Requirements based on their environment that will need to be met for them to evaluate us. What do they need from us? (Ex: Needs to be cloud based, have homegrown apps, needs to sit in front of their VPN, their source of truth is O365, want to use Yubikey).
What are the 4 federation protocols?
SAML, WS-Federation, OAuth 2.0, OpenID Connect
What are the different factors of Okta MFA?
SMS, OTP, push (Okta Verify), voice call, Touch ID, security questions, email. We can also integrate with YubiKey, PIV smart cards and physical OTP tokens.
What is secure web authentication (SWA) or form based authentication?
SWA is not an industry term, it's Okta's; the industry term is form-based authentication. Okta stores the user's username and password for the app and, through a browser plugin, fills them into the app's login form. The app still authenticates with a password; Okta just holds and enters it.
Top messaging apps
Slack and Hipchat
What is an SDK?
A bundle of libraries wrapping our APIs, provided as a template so developers can build Okta's user management into their own app or portal.
How can you create users in UD?
The user object you create can have any custom user attributes that you can fully define. You can define password policies based on user groups.
Professional services
They will help you set everything up. Can be done in waves depending on if you roll out more Okta in a second or third wave
What are the limitations of UD?
We are not a directory-as-a-service provider for machine-to-machine use, and we can't manage non-user objects within the directory.
Zero Trust Basic Definition
We must assume all network traffic is vulnerable and we shouldn't assume trust based on where the connections are coming from.
How do we do device trust?
A token or certificate is placed on the managed device; at sign-in the device presents it, so Okta's policy can tell a managed device from an unmanaged one.
Okta platform products
We store customer user authentication and authorization and maintain it so the company doesn't have to
Difference between internal and CIAM?
We stripped away the user interface and do everything through API calls
What does the identity attack landscape look like?
We took a look at the identity threat landscape and found that while we may see China in the news for hacking, the real threats are coming from, well... everywhere. Yes, 48% of all threats are coming from IPs geolocated in China. But that means 52% are coming from elsewhere, including 7.7% from the United States, 4.5% from France, 3.4% from Russia and 2.6% from the Netherlands. We may not hear about them because more than 50% of global attacks we analyzed do not have prior intel from the open source community. Of these attacks with no prior intel, 36% are coming from Europe, including 19% from France, 12% from the Netherlands 11% from Russia and 10% from Germany. But the real non-starter for most businesses? The 23% of attacks coming from Tor exit nodes (more commonly described as the dark web). Unless you have a reason to interact with Tor, we'd suggest just blocking those IPs.
Identify pain
What problem do they need solved? What are their challenges? (Ex: No sense of truth, manually provision user access, keep track of credentials in a spreadsheet).
How does HRaaM work?
When a user is created in their HR system it is pulled to the Okta UD (user profile). Then we can push it to AD/LDAP or directly to the cloud apps. Not just the pushing of data is important but also the fact that they need a license assigned to them for that app - specific roles and permissions for each app based on roles and groups established in the HR system.
How did the need for APIs come about?
Their importance grew sharply with microservices architecture: once an application is split into services, the only way those services talk to each other (and to outside callers) is through APIs.
Compelling event
Why do anything? Why do anything now? Why would they consider us? (Ex: drug got FDA approved, had a security breach, plan to hire 700 more employees in the next year, coming up on audits).
How does Okta integrate with SNOW?
With Okta and ServiceNow working together, application provisioning becomes a simple workflow-based process. The user requests access to an app from the ServiceNow catalog; this triggers a workflow and creates an approval task for the app owner. Once the owner approves the request, the Okta Activity Pack item is called to add the user to the app's user group. Okta assigns the user to the group, which automatically provisions the app.
What does ScaleFT allow us to do?
With ScaleFT, employees working remotely log in to their work systems using client certificates that are aware of the login context (including information about the endpoint device) and expire after each use. That enables remote access for a cloud/mobile workforce under the Zero Trust model: access is granted per session based on the user and device, not on being on the network.
Top HR apps
Workday and Ultipro
How do you assign policies?
Users are pulled into groups based on their attributes, and each group is then assigned policies.
What's the workaround with SWA/ form based auth?
SWA doesn't remove the app's own username and password, so in theory someone who knows those credentials could go straight to the app and bypass the IdP (Okta) and its policies. To prevent that, an Okta admin sets and owns the app credentials; the end user logs in through Okta and is never shown them.
What are attributes?
Your characteristics: title, seniority, team, role
LCM high level definition
automated provisioning and deprovisioning of users. Pulling a user out of your user store and creating accounts in all of your downstream apps.
how does HR/IT provisioning increase employee productivity?
automatically onboard people a few days early to get them fully provisioned by the time they start
How does HR/IT provisioning stay updated?
automatically update IT accounts when personal data (such as last name) or professional data (e.g., job title) changes
what things do you expect when automating your identity lifecycles by connecting HR and IT?
create accounts, update them, and deactivate them based off triggers from the HR Information System
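The create/update/deactivate cycle driven by HRIS triggers, as an added example that is not Okta's LCM engine: group rules derived from HR attributes, app assignments derived from groups, and a reconciliation step that turns the difference between desired and current access into provisioning actions. The rules, apps and employee records are made up, and Okta writes group rules in its own expression language; the desired-state diff is written here in plain Python to show the idea.

```python
"""Derive downstream app access from HR attributes and reconcile it against
what exists today, producing create/update/activate/deactivate actions.

Added example, not Okta's LCM engine. Group rules, app assignments and HR
records are made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Account:
    """An existing account in a downstream app, as the connector reports it."""
    active: bool
    roles: set = field(default_factory=set)


# Attribute-based group rules: membership follows HR data, not tickets.
GROUP_RULES = {
    "everyone": lambda u: True,
    "finance": lambda u: u["department"] == "Finance",
    "engineering": lambda u: u["department"] == "Engineering",
    "managers": lambda u: u["title"].lower().startswith("manager"),
}

# Group-based app assignments: which app, with which role, each group gets.
APP_ASSIGNMENTS = {
    "everyone": {"o365": "E3"},
    "finance": {"workday": "finance-user", "concur": "submitter"},
    "engineering": {"jira": "developer"},
    "managers": {"concur": "approver"},
}


def groups_for(user):
    return {name for name, rule in GROUP_RULES.items() if rule(user)}


def desired_access(user):
    """{app: set(roles)} the user should have right now. Anyone not active in
    HR (terminated, or not yet started) should have nothing."""
    if user["status"] != "active":
        return {}
    desired = defaultdict(set)
    for group in groups_for(user):
        for app, role in APP_ASSIGNMENTS.get(group, {}).items():
            desired[app].add(role)
    return dict(desired)


def reconcile(user, current):
    """Diff desired access against current accounts -> sorted action list.

    Actions are (verb, app, roles). Deactivating rather than deleting keeps
    the audit trail and lets a rehire or a transfer back be reactivated.
    """
    desired = desired_access(user)
    actions = []
    for app, roles in desired.items():
        acct = current.get(app)
        if acct is None:
            actions.append(("create", app, roles))
        elif not acct.active:
            actions.append(("activate", app, roles))
        elif acct.roles != roles:
            actions.append(("update", app, roles))
    for app, acct in current.items():
        if app not in desired and acct.active:
            actions.append(("deactivate", app, set()))
    return sorted(actions, key=lambda a: (a[0], a[1]))


if __name__ == "__main__":
    # Keyed by an immutable employee ID, so two "John Smith"s never collide.
    hr = {"employee_id": "E1001", "display_name": "John Smith", "status": "active",
          "department": "Finance", "title": "Analyst"}
    print(reconcile(hr, {}))                       # new hire: create everything
    current = {"o365": Account(True, {"E3"}), "workday": Account(True, {"finance-user"}),
               "concur": Account(True, {"submitter"})}
    hr["title"] = "Manager, FP&A"
    print(reconcile(hr, current))                  # promotion: Concur gains approver
    hr["department"], hr["title"] = "Engineering", "Engineer"
    print(reconcile(hr, current))                  # transfer: finance apps go away
    hr["status"] = "terminated"
    print(reconcile(hr, current))                  # offboarding: everything deactivated
```

The transfer case is the one manual processes get wrong most often: the new access gets requested, but the old Finance access is never removed. Deriving access from attributes makes removal automatic, which is what least privilege looks like in a lifecycle system.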
Benefits to Okta's integration with SNOW
easier for users to gain access to the apps they need, and relieve your IT department from having to manually manage onboarding, offboarding, and app provisioning—all while keeping your enterprise's apps, data, and users safe. Real time self service.
What is the developer tool trend?
enterprises are using at least one developer tool and Jira is leading the pack. Organizations across all industries are adopting developer tools, building their own apps and moving to the cloud
MFA high level definition
putting a second factor of authentication in front of your resources: portal, app, VPN. Okta's MFA is great because you can set it up to prompt for a second factor only when there is risk.
What problem arises when legacy infrastructures move towards the cloud?
Separate user stores and directories, sporadic credentials, and many different credentials per user.
What is a microservices architecture?
the way an application is built in different chunks based on function. You can leverage functionalities that are already created so you don't have to re-invent the wheel. Benefit to this is you can change the app by individual microservice or function without rebuilding the whole app
How does Okta create the businesses at work report?
we anonymize Okta customer data from our network of thousands of companies, applications, custom integrations, and millions of daily authentications and verifications from countries around the world. Our customers and their employees, contractors, partners and customers use Okta to log in to devices, apps and services, and leverage security features to protect their sensitive data. Our customers span every industry and vary in size, from small businesses to enterprises with tens of thousands of employees. As you read this report, keep in mind that this data is only representative of Okta's customers, the applications we connect to and the ways in which users access these applications through our service.
What is a SCIM?
System for Cross-domain Identity Management: an open standard for automating user provisioning, so attributes can flow to an app over a standard protocol rather than through a one-off integration. It was created in 2011 as it became clear that the technology of the future would be cloud-based. SCIM communicates user identity data between identity providers (such as companies with many individual users) and service providers that need that identity information (such as enterprise SaaS apps).
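The service-provider side of SCIM as the standard defines it, as an added example written for this page rather than any vendor's connector: an in-memory /Users handler covering the calls an identity provider makes during the provisioning cycle described in the SCIM cards above: look the user up by userName, create them, and later PATCH active to false to deprovision. The schema URNs are those of the SCIM 2.0 RFCs; the filter grammar supports only `attr eq "value"`, the lookup form an IdP uses to check whether a user already exists, and the users are made up.

```python
"""A minimal SCIM 2.0 /Users endpoint: the service-provider side of the
create / lookup / deactivate cycle an identity provider drives.

Added example, not Okta's SCIM connector or any vendor's implementation.
It is an in-memory handler with no HTTP stack: pass the method, the path
(with query string) and the decoded JSON body.
"""
import re
import uuid
from urllib.parse import parse_qs, urlparse

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


def _error(status, detail):
    return status, {"schemas": [ERROR], "status": str(status), "detail": detail}


class ScimUserServer:
    def __init__(self):
        self.users = {}  # id -> SCIM User resource

    def handle(self, method, path, body=None):
        """Dispatch one request; returns (http_status, json_body_or_None)."""
        url = urlparse(path)
        segments = [s for s in url.path.split("/") if s]
        if not segments or segments[0] != "Users" or len(segments) > 2:
            return _error(404, "unknown resource")
        if len(segments) == 1:
            if method == "GET":
                return self._list(parse_qs(url.query).get("filter", [None])[0])
            if method == "POST":
                return self._create(body or {})
            return _error(405, "method not allowed")
        user_id = segments[1]
        if user_id not in self.users:
            return _error(404, "user not found")
        if method == "GET":
            return 200, self.users[user_id]
        if method == "PATCH":
            return self._patch(user_id, body or {})
        if method == "DELETE":
            del self.users[user_id]
            return 204, None
        return _error(405, "method not allowed")

    def _find_by_username(self, username):
        return next((u for u in self.users.values()
                     if u["userName"].lower() == username.lower()), None)

    def _create(self, body):
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return _error(400, "schemas must include the User schema and userName is required")
        if self._find_by_username(body["userName"]):
            return _error(409, "userName already exists")  # uniqueness is the IdP's anchor
        user = dict(body, id=str(uuid.uuid4()), active=bool(body.get("active", True)),
                    meta={"resourceType": "User"})
        self.users[user["id"]] = user
        return 201, user

    def _list(self, filter_expr):
        matches = list(self.users.values())
        if filter_expr:
            match = re.fullmatch(r'(\w+) eq "([^"]*)"', filter_expr)
            if not match:
                return _error(400, "unsupported filter")
            attr, value = match.groups()
            matches = [u for u in matches if str(u.get(attr, "")).lower() == value.lower()]
        return 200, {"schemas": [LIST_RESPONSE], "totalResults": len(matches),
                     "startIndex": 1, "itemsPerPage": len(matches), "Resources": matches}

    def _patch(self, user_id, body):
        if PATCH_OP not in body.get("schemas", []):
            return _error(400, "body must be a PatchOp")
        ops = body.get("Operations", [])
        if any(op.get("op", "").lower() != "replace" for op in ops):
            return _error(400, "only replace is supported here")  # validate before mutating
        user = self.users[user_id]
        for op in ops:
            if "path" in op:      # {"op": "replace", "path": "active", "value": false}
                user[op["path"]] = op["value"]
            else:                 # {"op": "replace", "value": {"active": false}}
                user.update(op["value"])
        return 200, user


if __name__ == "__main__":
    srv = ScimUserServer()
    status, user = srv.handle("POST", "/Users", {"schemas": [USER_SCHEMA],
                              "userName": "alice@example.com", "active": True})
    print(status, user["id"])
    print(srv.handle("GET", "/Users?filter=userName%20eq%20%22alice%40example.com%22")[1]["totalResults"])
    print(srv.handle("PATCH", f"/Users/{user['id']}", {"schemas": [PATCH_OP],
                     "Operations": [{"op": "replace", "value": {"active": False}}]})[1]["active"])
```

The 409 on a duplicate userName and the `filter=userName eq "…"` lookup are the two behaviours an IdP relies on to avoid creating a second account for the same person; a connector that silently accepts duplicates is what produces orphaned accounts that never get deactivated.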
authentication
you are who you say you are
Different ways you can use Okta MFA
you can MFA into the Okta session or put MFA in front of individual apps
authorization
you have access to what you are supposed to based on who you are