Okta Launches Identity-driven API Access Management Solution

Three of today’s biggest IT evolutions are digital transformation; a move from binary-based to probability-based security; and the search for a single seamless fabric for related areas of security. In new announcements at its Oktane16 conference today, identity firm Okta seeks to cover all three within access management.

One of Okta’s major announcements is the launch of an identity-driven API access management product.

“Companies everywhere are transforming their business and going digital,” comments Eric Berg, Chief Product Officer at Okta. This involves developing apps to allow customers, partners and staff to access legacy datasets. Internal developers produce APIs to allow external applications access to limited data.

However, unless fully controlled, the handshake between the external apps and the API can become a critical vulnerability. With the new products, adds Berg, “We are able to extend out from just managing identity, to managing service to service access, and enable the creation of richer, more secure user experiences while also making it easy to centrally administer API access policies across all of your apps.”

Okta’s API Access Management system can use standard-compliant OAuth 2.0 support for any app or service. It provides centralized administration across the APIs for consistent creation, maintenance and audit of the access policies. And it also works with other API management systems — such as those from Apigee and Mulesoft — to create a complete digital transformation solution.

Okta’s Nadav Benbarak has confirmed that the product would scale to handle industrial internet of things (IIoT) devices as enterprises accelerate their digital transformation.

The move to probability-based security is often associated with machine-learning zero-day malware detection — but it is also increasingly being found in identity and access management. Traditionally, identity is based on knowledge of a long and complex password. It’s binary — if you know it you are in; if you don’t know it, you are out. But memorizing and using those passwords creates friction, leading either to disgruntled users and interrupted workflows at best, or insecure workarounds at worst.

The probability approach works on context without necessarily requiring a password. The system automatically knows a lot about the user; for example, the device that is seeking access, its IP address, its location and so on. If this information is put into context, such as the time of day and the data being accessed, there is a strong probability that the user can be assumed authorized or unauthorized without requiring any further proof from the user.

Okta’s new approach works on the basis of user context triggering enterprise policy to allow or disallow the requested access. This integrates with the Adaptive MFA solution so that if the policy requires additional security in a certain context, multi-factor authentication can be required. Integration with Okta Mobility Management further provides a certificate authority capability to generate and distribute certificates to Mac OSX, iOS and Android devices (with Windows 10 expected later this year). Thus policy could tie the location of a certificated device to a particular state or country for an additional layer of security.

Where Okta was once a company focused on securing the access of people to devices, it is now expanding its remit to all types of access, whether that is user or device — and including the API that might lie between. Its philosophy is that identity should only need to be set up once, and then be portable to any kind of project.

Together with the Okta Application Network, it now claims to have the largest ecosystem of vendor-neutral integrations within a single fabric covering the entire identity and access management enterprise requirement. It is an area, claims today’s announcement, “where you will continue to see us innovate over the quarters and years to come.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
