SecurityWeek

Identity & Access

Okta Launches Identity-driven API Access Management Solution

Three of today’s biggest IT evolutions are digital transformation; a move from binary-based to probability-based security; and the search for a single seamless fabric for related areas of security. In new announcements at its Oktane16 conference today, identity firm Okta seeks to cover all three within access management.

One of Okta’s major announcements is the launch of an identity-driven API access management product.

“Companies everywhere are transforming their business and going digital,” comments Eric Berg, Chief Product Officer at Okta. This involves developing apps to allow customers, partners and staff to access legacy datasets. Internal developers produce APIs to allow external applications access to limited data.

However, unless fully controlled, the handshake between the external apps and the API can become a critical vulnerability. With the new products, adds Berg, “We are able to extend out from just managing identity, to managing service to service access, and enable the creation of richer, more secure user experiences while also making it easy to centrally administer API access policies across all of your apps.”

Okta’s API Access Management system provides standards-compliant OAuth 2.0 support for any app or service. It provides centralized administration across the APIs for consistent creation, maintenance and audit of the access policies. It also works with other API management systems, such as those from Apigee and Mulesoft, to create a complete digital transformation solution.

Okta’s Nadav Benbarak has confirmed that the product would scale to handle industrial internet of things (IIoT) devices as enterprises accelerate their digital transformation.

The move to probability-based security is often associated with machine-learning zero-day malware detection — but it is also increasingly being found in identity and access management. Traditionally, identity is based on knowledge of a long and complex password. It’s binary — if you know it you are in; if you don’t know it, you are out. But memorizing and using those passwords creates friction, leading either to disgruntled users and interrupted workflows at best, or insecure workarounds at worst.

The probability approach works on context without necessarily requiring a password. The system automatically knows a lot about the user; for example, the device that is seeking access, its IP address, its location and so on. If this information is put into context, such as the time of day and the data being accessed, there is a strong probability that the user can be assumed authorized or unauthorized without requiring any further proof from the user.

Okta’s new approach works on the basis of user context triggering enterprise policy to allow or disallow the requested access. This integrates with the Adaptive MFA solution so that if the policy requires additional security in a certain context, multi-factor authentication can be required. Integration with Okta Mobility Management further provides certificate authority ability to generate and distribute certificates to Mac OSX, iOS and Android devices (with Windows 10 expected later this year). Thus policy could tie the location of a certificated device to a particular state or country for an additional layer of security.

Where Okta was once a company focused on securing the access of people to devices, it is now expanding its remit to all types of access, whether that is user or device, and including the API that might lie between. Its philosophy is that identity should only need to be set up once, and then be portable to any kind of project.

Together with the Okta Application Network, it now claims to have the largest ecosystem of vendor-neutral integrations within a single fabric covering the entire identity and access management enterprise requirement. It is an area, claims today’s announcement, “where you will continue to see us innovate over the quarters and years to come.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
