
Okta Launches Identity-driven API Access Management Solution

Three of today's biggest IT evolutions are digital transformation; a move from binary-based to probability-based security; and the search for a single seamless fabric for related areas of security. In new announcements at its Oktane16 conference today, identity firm Okta seeks to cover all three within access management.

One of Okta's major announcements is the launch of an identity-driven API access management product.

"Companies everywhere are transforming their business and going digital," comments Eric Berg, Chief Product Officer at Okta. This involves developing apps to allow customers, partners and staff to access legacy datasets. Internal developers produce APIs to allow external applications access to limited data.

However, unless fully controlled, the handshake between the external apps and the API can become a critical vulnerability. With the new products, adds Berg, "We are able to extend out from just managing identity, to managing service to service access, and enable the creation of richer, more secure user experiences while also making it easy to centrally administer API access policies across all of your apps."

Okta's API Access Management system uses standards-compliant OAuth 2.0 for any app or service. It provides centralized administration across the APIs for consistent creation, maintenance and audit of the access policies. It also works with other API management systems, such as those from Apigee and Mulesoft, to create a complete digital transformation solution.
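To make the OAuth 2.0 piece concrete, here is an added example (not Okta's code, and not how its product is implemented) of what "centrally administered API access policy" looks like at the API side: an authorization server mints a scoped access token for a service client, and the API checks the token's signature, issuer, audience and expiry, then matches the route against a single scope policy table. The issuer URL, audience, route table, `orders.*` scopes and the HS256 shared secret are all assumptions made for a self-contained demo; a hosted authorization server would sign with RS256 and publish its public keys.

```python
"""Added example (not Okta's code): an OAuth 2.0 resource server checking a
bearer access token against a central per-route scope policy. HS256 with a
shared secret keeps the demo self-contained; an authorization server such as
Okta signs with RS256 and publishes its keys, so a real API would verify with
the issuer's public key instead (assumption noted here)."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret"                        # constructed for the example
ISSUER = "https://auth.example.com/oauth2/default"    # hypothetical issuer URL
AUDIENCE = "api://orders"                             # hypothetical API audience

# Central policy: the scope each route requires. Maintained once, enforced everywhere.
ROUTE_POLICY = {
    ("GET", "/orders"): "orders.read",
    ("POST", "/orders"): "orders.write",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_segment(obj) -> str:
    """JWT header/payload segment: compact JSON, base64url without padding."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(client_id, scopes, lifetime=300, now=None):
    """Authorization-server side: mint an access token for a service client
    (what a client_credentials grant hands back)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": client_id,
              "scp": list(scopes), "iat": now, "exp": now + lifetime}
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(claims)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token, now=None):
    """Resource-server side: return the claims only if the signature, issuer,
    audience and expiry all check out; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        # Pin the algorithm: never let the token's own 'alg' choose the verifier.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
    except ValueError:           # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


def authorize(method, path, token, now=None):
    """Gateway decision for one request: 'allow', or the HTTP status to return."""
    required = ROUTE_POLICY.get((method, path))
    if required is None:
        return 404
    claims = verify_token(token, now)
    if claims is None:
        return 401   # no valid token: authenticate first
    scopes = claims.get("scp")
    if not isinstance(scopes, list) or required not in scopes:
        return 403   # valid client, but never granted this scope
    return "allow"
```

The point of the route table is the one the article makes: the decision about which client may call which API lives in one place, so adding a route or revoking a scope is a policy change rather than a code change in every service. The 401-versus-403 split matters for auditing, since it separates "unknown caller" from "known caller overstepping its grant".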

Okta's Nadav Benbarak has confirmed that the product will scale to handle industrial internet of things (IIoT) devices as enterprises accelerate their digital transformation.

The move to probability-based security is often associated with machine-learning zero-day malware detection -- but it is also increasingly being found in identity and access management. Traditionally, identity is based on knowledge of a long and complex password. It's binary -- if you know it you are in; if you don't know it, you are out. But memorizing and using those passwords creates friction, leading either to disgruntled users and interrupted workflows at best, or insecure workarounds at worst.

The probability approach works on context and does not necessarily require a password. The system already knows a great deal about the request: the device seeking access, its IP address, its location and so on. Set in context, such as the time of day and the data being requested, those signals often give a strong enough probability that the user is, or is not, authorized to decide without asking the user for any further proof.

Okta's new approach uses user context to trigger enterprise policy that allows or denies the requested access. It integrates with the Adaptive MFA solution, so that where policy requires additional assurance in a given context, multi-factor authentication can be demanded. Integration with Okta Mobility Management adds a certificate authority capability to generate and distribute certificates to Mac OS X, iOS and Android devices (with Windows 10 expected later this year). Policy could then tie the location of a certificate-bearing device to a particular state or country for an additional layer of security.
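The two paragraphs above describe context-driven policy in the abstract. As an added example, not Okta's code or its actual policy engine, the block below turns a handful of request signals (device familiarity, MDM enrolment, the region bound into the device certificate versus the region the source IP resolves to, time of day, data sensitivity) into a risk score and maps it to allow, step-up MFA, or deny. The signal weights, thresholds, the `KNOWN_DEVICES` state and the resource names are all assumptions constructed for the demo; a real deployment takes them from the identity provider's policy configuration and from its geolocation and device-trust services.

```python
"""Added example (not Okta's code): a context-driven access policy that decides
allow / MFA / deny without asking the user for a password. Weights, thresholds
and the sample state are assumptions made for the demo."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Request:
    user: str
    device_id: str
    managed: bool               # enrolled in the MDM, holds an organisation-issued certificate
    cert_region: Optional[str]  # region bound into the device certificate at issuance (None if none)
    ip_region: str              # region resolved from the source IP (assumed already geolocated)
    hour_utc: int               # hour of day the request arrived
    resource: str               # application or data set being accessed


# Constructed state: devices each user has previously authenticated from.
KNOWN_DEVICES = {"alice": {"mac-1f3a"}}
SENSITIVE = {"payroll", "source-code"}   # resources that always warrant more assurance
WORK_HOURS = range(7, 20)                # assumed working day, UTC


def risk(req: Request) -> Tuple[int, List[str]]:
    """Score the request from context alone and say why. Nothing here
    involves the user; every signal is already in the IdP's hands."""
    score, why = 0, []
    if req.device_id not in KNOWN_DEVICES.get(req.user, set()):
        score += 2
        why.append("device not seen before for this user")
    if not req.managed:
        score += 1
        why.append("device not managed")
    if req.cert_region is not None and req.cert_region != req.ip_region:
        # The certificate pins where the device is supposed to be; the IP says where it is.
        score += 4
        why.append(f"certificate bound to {req.cert_region}, request from {req.ip_region}")
    if req.hour_utc not in WORK_HOURS:
        score += 1
        why.append("outside work hours")
    if req.resource in SENSITIVE:
        score += 1
        why.append("sensitive resource")
    return score, why


def decide(req: Request) -> str:
    """Policy: low risk passes silently, medium risk steps up to MFA
    (the adaptive part), high risk is refused outright."""
    score, _ = risk(req)
    if score >= 5:
        return "deny"
    if score >= 2:
        return "mfa"
    return "allow"


if __name__ == "__main__":
    for r in (
        Request("alice", "mac-1f3a", True, "US", "US", 10, "wiki"),
        Request("alice", "mac-1f3a", True, "US", "US", 23, "payroll"),
        Request("alice", "phone-9c", False, None, "US", 10, "payroll"),
        Request("alice", "mac-1f3a", True, "US", "RU", 10, "payroll"),
    ):
        print(decide(r), risk(r)[1])
```

Two design choices are worth noting. A known, managed, correctly located device during working hours gets in with no prompt at all, which is the friction reduction the article is after. A certificate-region mismatch is weighted so that it alone forces MFA and, combined with a sensitive resource, a refusal: the certificate is the one signal the user cannot supply by knowing something, so disagreement between it and the network location is treated as the strongest indicator.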

Where Okta was a company that once focused on securing the access of people to devices, it is now expanding its remit to all types of access, whether that is user or device -- and including the API that might lie between. Its philosophy is that identity need only be set up once, and should then be portable to any kind of project.

Together with the Okta Application Network, it now claims to have the largest ecosystem of vendor-neutral integrations within a single fabric covering the entire identity and access management enterprise requirement. It is an area, claims today's announcement, "where you will continue to see us innovate over the quarters and years to come."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.