<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:foaf="http://xmlns.com/foaf/0.1/" xmlns:og="http://ogp.me/ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" xmlns:schema="http://schema.org/" xmlns:sioc="http://rdfs.org/sioc/ns#" xmlns:sioct="http://rdfs.org/sioc/types#" xmlns:skos="http://www.w3.org/2004/02/skos/core#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#" version="2.0" xml:base="https://www.okta.com/">
  <channel>
    <title>Blog</title>
    <link>/resources/events/</link>
    <description/>
    <language>en</language>
    
    <item>
  <title>The Salesloft incident: A wake-up call for SaaS security and IPSIE adoption</title>
  <link>https://www.okta.com/blog/2025/09/the-salesloft-incident-a-wake-up-call-for-saas-security-and-ipsie-adoption/</link>
  <description>&lt;span&gt;The Salesloft incident: A wake-up call for SaaS security and IPSIE adoption&lt;/span&gt;
&lt;span&gt;&lt;span lang="" about="https://www.okta.com/user/7392" typeof="schema:Person" property="schema:name" datatype="" content="jess.bagherpour@okta.com" xml:lang=""&gt;jess.bagherpou…&lt;/span&gt;&lt;/span&gt;
&lt;span&gt;Tue, 09/02/2025 - 11:06&lt;/span&gt;
  



  &lt;div class="BodyParagraph"&gt;
                &lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;A recent security incident involving the compromise of Salesloft Drift, a popular marketing automation tool, has affected a large number of organizations.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;During this event, threat actors stole and replayed the OAuth tokens that connect the Drift tool to Salesforce, Google Workspace and many other applications, leading to widespread exfiltration of data. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;This incident has impacted many of our technology peers. These events naturally raise questions for our customers and partners: "Was Okta impacted?" and "What is Okta doing to protect our data?"&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;We want to be crystal clear: &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Okta was not impacted by this incident.&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Our security team thoroughly investigated our systems and confirmed that while we observed evidence of attempts to access our resources using stolen tokens, our defenses worked as designed to prevent a breach.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h4&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Defense in practice: The impact of a single control&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h4&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;When our team learned of the Salesloft Drift compromise, we immediately reviewed our logs. We discovered attempts to use a compromised Salesloft Drift token to access an Okta Salesforce instance. These attempts failed. When we later compared these attempts to the Indicators of Compromise (IOCs) from the&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Google Mandiant blog post&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, the data confirmed that we were indeed a target.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;The single most important control that prevented this breach was our &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;enforcement of inbound IP restrictions&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;. The threat actor attempted to use a compromised token to access our Salesforce instance, but the attack failed because the connection originated from an unauthorized IP address. This security layer proved essential, blocking the unauthorized attempt at the front door before any access could be gained.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Our security strategy is to apply this fundamental control to all of our SaaS applications. However, our ability to implement this is often limited, as it's entirely dependent on whether the SaaS vendor provides this capability. Unfortunately, many providers in the cloud-first world do not offer this foundational security feature, creating a significant challenge for protecting interconnected systems.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;For an application as critical as Salesforce, which does support this feature, we undertook the significant effort required to configure these restrictions for both APIs and users. This deliberate investment, made as part of the Okta Secure Identity Commitment, included the work to ensure all Okta employees use a cloud-based VPN with private IP exit nodes to create a trusted corporate network. This foundational step ensures that for our most vital applications that support this feature, we can enforce the network-level security necessary to defend against this type of attack.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Beyond IP restrictions: Securing tokens with DPoP&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Another pillar of the Okta Secure Identity Commitment was to create market-leading, secure identity products and services. As a result of that commitment, both Auth0 and Okta built support for Demonstrating Proof of Possession (DPoP) for application developers using our services.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Where IP allowlisting constrains the use of a token by IP, DPoP can constrain the use of a token to a specific client. This security mechanism cryptographically binds an access token to the specific client that requested it. In simple terms, it's like a key that is uniquely paired with its lock. Even if an attacker stole the key (the token), they couldn't use it because it wouldn't work on their own machine (the wrong lock). This control prevents the replay of stolen tokens, which was the central issue in this supply chain attack.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h4&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Building a resilient SaaS ecosystem with IPSIE&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h4&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;This incident is a stark reminder that a breach of one service can have a ripple effect across today's interconnected SaaS ecosystem. To defend against this, we must move beyond securing applications individually and ensure they are all part of a unified identity security fabric. Such a fabric, built on open standards, is what allows organizations to detect and respond to identity-based threats with the required speed and scale.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;This is why, almost a year ago, Okta announced our commitment to driving a new industry standard called the &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Interoperability Profile for Secure Identity in the Enterprise (IPSIE)&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; in partnership with other members of the OpenID Foundation. IPSIE aims to create a baseline for security and interoperability across SaaS applications.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Two of the fundamental controls that are part of the IPSIE framework are particularly relevant to the Salesloft Drift incident:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Shared Signals:&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; This allows for real-time communication of security events between applications. For example, if a user's account is compromised in one application, that information can be instantly shared with all other connected applications, which can then take action to protect the user's data.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Token Revocation:&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; This provides a standardized way to revoke access tokens. In the case of the Salesloft Drift incident, if a token was known to be compromised, it could be instantly revoked across all integrated applications, severing the attacker's access.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;These are just a few examples of the many ways that IPSIE helps to create a more secure and resilient SaaS ecosystem.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h4&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;A call to action for the SaaS industry&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h4&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;The Salesloft Drift incident is a wake-up call for the entire SaaS industry. We can no longer afford to operate in silos. We must work together to establish and adopt a common set of security standards.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;The future of SaaS security is already here, it's just not evenly distributed.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;We urge all SaaS companies to join us in supporting the IPSIE initiative. By working together, we can make the entire SaaS ecosystem safer for everyone.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h4&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;What you can do to protect your organization&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h4&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;This isn't just a problem for vendors to solve; all organizations have a critical role to play in raising the bar for the entire ecosystem. Here’s how you can act now:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Demand IPSIE from your vendors.&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; The security of the interconnected SaaS landscape is a shared responsibility. As a customer, your voice is the most powerful driver of change. Ask your vendors about their roadmap for adopting open standards like IPSIE. When providers know that security and interoperability are key purchasing criteria, they will prioritize them. Your demand is what will turn these standards from a good idea into an industry-wide reality.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Implement an identity security fabric.&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; While we push for better industry-wide standards, it is imperative that you act to secure your own digital environment. The days of treating identity on an app-by-app basis are over. By implementing a unified identity security fabric, you can weave together access control, threat detection and response, and governance across all your applications and identity types. This provides a single, consistent layer of defense, allowing you to proactively secure your organization from the inside out.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;To learn more about IPSIE, please visit the&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://openid.net/wg/ipsie/"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;OpenID Foundation website&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;


      &lt;/div&gt;

  &lt;a href="https://www.okta.com/blog/tag/saas-security/" hreflang="en"&gt;Saas Security&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/ipsie/" hreflang="en"&gt;IPSIE&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/data-breach/" hreflang="en"&gt;data breach&lt;/a&gt;
  Okta Security
</description>
  <pubDate>Tue, 02 Sep 2025 18:06:49 +0000</pubDate>
    <dc:creator>Okta Security</dc:creator>
    <guid isPermaLink="false">43785 at https://www.okta.com</guid>
    </item>
<item>
  <title>Building AI-ready identity security with Okta Identity Security Posture Management</title>
  <link>https://www.okta.com/blog/2025/08/building-ai-ready-identity-security-with-okta-identity-security-posture-management/</link>
  <description>&lt;span&gt;Building AI-ready identity security with Okta Identity Security Posture Management&lt;/span&gt;
&lt;span&gt;&lt;span lang="" about="https://www.okta.com/user/7392" typeof="schema:Person" property="schema:name" datatype="" content="jess.bagherpour@okta.com" xml:lang=""&gt;jess.bagherpou…&lt;/span&gt;&lt;/span&gt;
&lt;span&gt;Fri, 08/29/2025 - 19:00&lt;/span&gt;
  



  &lt;div class="BodyParagraph"&gt;
                &lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;When machines inherit dangerous permissions&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;It's 3 a.m., and an AI agent is negotiating between your Salesforce instance, AWS infrastructure, and ServiceNow workflows. The agent operates tirelessly, making thousands of decisions per minute. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;But here's what should terrify you: This AI agent isn't using its own credentials. It's borrowing the identity of an application — and that identity might have permissions that could compromise your entire organization.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Welcome to the world of workload app identities, where the promise of autonomous business operations collides with a security reality most organizations aren't prepared for.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;The new identity landscape&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;As we explored in our recent blog on the &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/blog/2025/02/non-human-and-human-identities-a-unified-approach/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;convergence of human and non-human identities&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; (NHIs), organizations have begun addressing traditional&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;service accounts and API keys. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Workload identities&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; represent the next evolution in this challenge. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Unlike traditional service accounts that rely on human-born users with static passwords, workload app identities use modern, token-based authentication (usually OAuth or certificates) with fine-grained permissions that are not tied to a human user's lifecycle and are purpose-built for automation. In theory, that makes them perfect for our AI-powered future. In practice? They've become the most overlooked attack surface in your environment.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Modern enterprises run on workload identities, those critical authentication mechanisms that allow applications to connect securely. Examples include:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Entra ID&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; service principals and registered apps&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Salesforce&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; connected and external apps&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Google &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;custom apps and &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;GCP&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; service accounts&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;AWS &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;IAM roles&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Okta Integration Network&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; apps and custom app integrations&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;GitHub &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;OAuth apps&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Snowflake &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;OAuth integrations&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt; &lt;/p&gt;
&lt;article class="align-center media media--type-image media--view-mode-_640w-scaled"&gt;&lt;img width="1640" height="861" alt="Evolution of identities" loading="lazy" typeof="foaf:Image" data-src="/sites/default/files/styles/1640w_scaled/public/media/image/2025-08/Screenshot%202025-08-28%20at%205.12.29%E2%80%AFPM_0.png?itok=f9tqwutB" class="lazyload" /&gt;&lt;/article&gt;&lt;h2&gt;
&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;The AI agent inheritance problem&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;When AI agents and MCP Servers interact with your applications, they inherit that application's workload identity permissions. The app's identity dictates the maximum scope of what an AI agent can do autonomously.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;This creates unprecedented risks:&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;1. Highly privileged identities: &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Admin-level access granted during "just make it work" moments becomes a permanent backdoor for attackers — with far less visibility than human breaches.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;2. Unused privileges: &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;That OAuth app from a six-month-old POC? Still active, still has privileged production access, still a door any compromised system could walk through.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;3. Toxic privilege combinations and segregation of duties: &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Individually reasonable permissions become dangerous combinations when inherited by autonomous systems operating at machine speed. Real scenarios keeping security teams awake:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;A GitHub app with read access to private repos AND write access to production. A single identity holds the power to steal valuable IP and directly attack and compromise the live, customer-facing product.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;An AWS role with write/delete privileges on dev AND production. A compromise in the less-secure dev environment can then directly impact the critical production environment.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;A Salesforce connected app accessing customer data AND modifying security settings&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;. &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;An attacker who compromises this one identity gets the keys to the kingdom: They can steal data and cover their tracks by disabling audit logs or other security features.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;4. Unrotated secrets: &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Without automated rotation, credentials become permanent. An AI agent could make thousands of API calls with tokens that should have expired months ago.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;5. Missing network controls: &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Workload identities lack IP restrictions, so your systems can be accessed from anywhere, which makes things easier for malicious actors, and you'd never know.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;6. Misconfigured trust: &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Overly broad trust relationships create attack paths that machines can exploit faster than humans can detect.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;The Okta Identity Security Posture Management advantage&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Okta ISPM provides the foundation for securing the entire identity perimeter, including human, non-human, and agentic identities as they become more prevalent across your technology stack. Whether it's a Salesforce admin service account with a password, a GitHub OAuth app, an AWS IAM user with an API key, or an Okta Admin with a token, Identity Security Posture Management gives you the visibility and control to manage these powerful permissions before they’re exploited.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Cover your most critical apps — including IdPs, SaaS, and Cloud infrastructure: &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Unlike tools focused on infrastructure or individual applications, Okta Identity Security Posture Management provides comprehensive discovery and management across your identity landscape.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Cover the most critical NHI types: &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Okta Identity Security Posture Management supports a wide range of NHIs, from legacy service accounts, through API keys and tokens, to modern OAuth apps and Salesforce AI Agents.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Work at scale: &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Okta Identity Security Posture Management automatically discovers and classifies NHIs across your environment.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;The path forward: Future-ready for AI agents and NHIs&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Every workload identity is a potential superpower — or vulnerability — for AI agents and automated systems. The question isn't whether you need a comprehensive identity security strategy. It's whether you'll implement it before your first AI agent incident.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;In a world where AI agents make autonomous decisions through inherited identities, identity security isn't just about protection — it's about enabling your business' AI-powered future. Okta Identity Security Posture Management gives you the visibility and control to embrace AI agents confidently, starting with comprehensive identity discovery and management across your entire environment.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Because the organizations that solve the workload identity crisis won't just survive the AI revolution — they'll define it.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Ready to secure your workload identities? &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/products/identity-security-posture-management/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Discover how Okta Identity Security Posture Management&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; helps leading organizations protect their autonomous future.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;


      &lt;/div&gt;

  &lt;a href="https://www.okta.com/blog/tag/okta-identity-security-posture-management/" hreflang="en"&gt;Okta Identity Security Posture Management&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/ai/" hreflang="en"&gt;AI&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/category/company-product/" hreflang="en"&gt;Company + Product&lt;/a&gt;
  






&lt;div class="BlogAuthorFull container mt-4" role="article" about="https://www.okta.com/blog/author/johnathan-campos/"&gt;
  &lt;div class="row justify-content-center"&gt;
    &lt;div class="col-lg-12"&gt;
      


&lt;div class="Author__byline-wrapper   pb-3 has-border-bottom "&gt;
    &lt;div class="Author__byline-author byline-with-bio"&gt;

        &lt;div class="Author__byline-author_bio-wrapper"&gt;
            &lt;div class="Author__byline-author_image-name-wrapper"&gt;
            &lt;div class="Author__byline-author-image  large-author-image "&gt;
                
            &lt;/div&gt;

            &lt;div class="Author__byline-author-list"&gt;
                &lt;div class="Author__byline-author-wrapper"&gt;
                                    &lt;h1 class="Author__byline-author-name"&gt;
                        &lt;span&gt;Johnathan Campos&lt;/span&gt;

                    &lt;/h1&gt;
                                &lt;div class="Author__byline-author-title"&gt;  Product Marketing Manager
&lt;/div&gt;
                &lt;/div&gt;
            &lt;/div&gt;
            &lt;/div&gt;

                        &lt;div class="Author__byline-author_bio"&gt;
                                &lt;p&gt;Johnathan Campos, originally from Miami, FL, is based in Miramar, FL, a southern suburb of Fort Lauderdale.&lt;/p&gt;
&lt;p&gt;Before his career as a Product Marketing Manager, he was a DevOps/ITOps engineer for Citrix and several other healthcare organizations, where he developed a wealth of knowledge in Cloud and DevOps culture. Prior to Okta, he was part of the product organization as a PMM for the Observability product suite at Splunk, where he focused on GTM strategies and developer advocacy. Before that, he was part of the product organization at Citrix as a PMM for Citrix Endpoint Management, where he focused on GTM strategies, customer adoption, and field enablement. &lt;/p&gt;
&lt;p&gt;Outside of work, he enjoys riding his motorcycle, spending time in the garage, learning new things (especially cool new tech), and spending time with family and friends.&lt;/p&gt;


              

            &lt;/div&gt;
            
            
        &lt;/div&gt;

    &lt;/div&gt;
&lt;/div&gt;

    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

  






&lt;div class="BlogAuthorFull container mt-4" role="article" lang="jp" about="https://www.okta.com/jp/blog/author/lior-tamir/" xml:lang="jp"&gt;
  &lt;div class="row justify-content-center"&gt;
    &lt;div class="col-lg-12"&gt;
      


&lt;div class="Author__byline-wrapper   pb-3 has-border-bottom "&gt;
    &lt;div class="Author__byline-author byline-with-bio"&gt;

        &lt;div class="Author__byline-author_bio-wrapper"&gt;
            &lt;div class="Author__byline-author_image-name-wrapper"&gt;
            &lt;div class="Author__byline-author-image  large-author-image "&gt;
                
            &lt;/div&gt;

            &lt;div class="Author__byline-author-list"&gt;
                &lt;div class="Author__byline-author-wrapper"&gt;
                                    &lt;h1 class="Author__byline-author-name"&gt;
                        &lt;span&gt;Lior Tamir&lt;/span&gt;

                    &lt;/h1&gt;
                                &lt;div class="Author__byline-author-title"&gt;  Senior Product Manager
&lt;/div&gt;
                &lt;/div&gt;
            &lt;/div&gt;
            &lt;/div&gt;

                        &lt;div class="Author__byline-author_bio"&gt;
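                                &lt;p&gt;Lior Tamir leads the product management and design teams for Okta Identity Security Posture Management. With extensive experience in cybersecurity, Lior worked at Microsoft on SOC-related incident detection, investigation, and response before Okta acquired the product.&lt;/p&gt;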


              

            &lt;/div&gt;
            
            
        &lt;/div&gt;

    &lt;/div&gt;
&lt;/div&gt;

    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

</description>
  <pubDate>Sat, 30 Aug 2025 02:00:00 +0000</pubDate>
    <dc:creator/>
    <guid isPermaLink="false">43742 at https://www.okta.com</guid>
    </item>
<item>
  <title>Oktane 2025 preview: Identity security as the public sector’s AI-ready control plane</title>
  <link>https://www.okta.com/blog/2025/08/oktane-2025-preview-identity-security-as-the-public-sectors-ai-ready-control-plane/</link>
  <description>&lt;span&gt;Oktane 2025 preview: Identity security as the public sector’s AI-ready control plane&lt;/span&gt;
&lt;span&gt;&lt;span lang="" about="https://www.okta.com/user/7392" typeof="schema:Person" property="schema:name" datatype="" content="jess.bagherpour@okta.com" xml:lang=""&gt;jess.bagherpou…&lt;/span&gt;&lt;/span&gt;
&lt;span&gt;Wed, 08/27/2025 - 17:16&lt;/span&gt;
  



  &lt;div class="BodyParagraph"&gt;
                &lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;AI is rewriting how every industry, including the public sector, works — from how residents discover services to how adversaries craft attacks. In that shift, &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;identity&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; has become the control plane that personalizes interactions, enforces policies, and makes new AI capabilities safe to use.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;At &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/oktane/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Oktane 2025&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, our public-sector sessions will be built to help leaders and practitioners turn that idea into action. You’ll hear how a state is unifying millions of resident identities, how global integrators run identity as a shared service, how universities are modernizing decades-old stacks, and how security leaders are countering AI-powered threats with identity-first defenses.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;If you work within the U.S. government or education ecosystem, this is your playbook.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Four big questions we’ll answer at Oktane&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;h3&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;1) How do you make identity the foundation for modern resident and workforce experiences?&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Session: &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;em&gt;&lt;span&gt;The Public Sector CIO’s Playbook on Identity, Security, and Cultural Change in the Age of AI&lt;/span&gt;&lt;/em&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;CIOs across the public sector are reshaping service delivery around a unified identity platform — not just to simplify logins, but to build a durable security layer and a business-led culture of transformation. Expect candid lessons from a top public sector leader on aligning policy and technology, sequencing modernization without service disruption, and measuring outcomes that matter to residents. Moderated by &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;former Arizona CIO and Executive Government Advisor at AWS, Morgan Reed&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;2) What does identity-as-a-shared-service look like in the real world?&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Session:&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;em&gt;&lt;span&gt;Identity challenges in an enterprise shared service model&lt;/span&gt;&lt;/em&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Running identity for complex, regulated enterprises is hard — especially when you’re integrating acquisitions, meeting global mandates, and hardening against evolving threats. Leaders from &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Huntington Ingalls Industries (Chris Soong, CIO)&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Leidos (J.R. Williamson, CISO)&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, and &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;ManTech (Mike Uster, CIO/CTO)&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; will compare operating models, governance patterns, and the “gotchas” they wish they’d known earlier. Bring your toughest questions. Moderated by &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Okta’s VP of Federal, Amy Johanek&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;3) How are higher education institutions leaping from legacy to leading edge?&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Session: &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;em&gt;&lt;span&gt;From legacy to leading edge: Identity transformation journeys in higher education&lt;/span&gt;&lt;/em&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Identity leaders from higher education institutions, including &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Harvard (Gretchen Gingo),&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; will share how they moved from aging stacks to modern platforms — and what it took organizationally to get there. You’ll hear how identity can streamline student journeys, secure research, and unlock responsible AI on campus. Moderated by &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Okta’s Chief Security Officer, Sean Frazier&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;4) How do you defend when attackers have AI, too?&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Session: &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;em&gt;&lt;span&gt;Rethinking defense for the AI-Powered threat landscape&lt;/span&gt;&lt;/em&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Deepfakes, convincing phishing at scale, and credential abuse are changing the game. Executives from &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;AWS (Maria Thompson)&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Zscaler (Adam Ford)&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, and &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;CrowdStrike (Karan Sondhi)&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; will walk through identity-centric, Zero Trust moves that actually blunt today’s attacks — think phishing-resistant authentication, continuous risk signals, and policy automation that meets people where they are. Moderated by &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Okta’s AVP of Public Sector and Strategic Alliances, Ralph Figueiredo&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Don’t miss the opening keynote with Todd McKinnon&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Our headlining keynote, from Okta co-founder and CEO &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Todd McKinnon, &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;will set the tone for the event. Todd will share his view of how organizations can &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;maintain a strong security posture while investing in AI-driven transformation&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, provide updates on the &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Okta Secure Identity Commitment (OSIC)&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, and outline Okta’s vision for an &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;identity security fabric&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; that connects people, devices, apps, and AI services. 
He’ll also preview &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;product announcements&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; that help teams accelerate innovation with confidence.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;What you’ll take back to your team&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;A clear definition of an AI-ready identity:&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; You’ll leave with a shared language for what “AI-ready” means — how identity underpins secure AI use cases, data access, and governance — plus where to start and how to measure progress.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;A north-star architecture for identity as critical infrastructure:&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; See how a unified identity layer spans people and non-human access, applies adaptive policy, and plugs into your existing stack using open standards.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Scalable change patterns:&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; Learn proven governance rhythms, funding models, and rollout sequences that work across agencies, campuses, and partners — so progress isn’t tied to any one tool or team.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Confidence to act:&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; Ground your roadmap in cross-sector lessons and the latest capabilities, with practical frameworks you can adapt to your mission and risk profile.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Who should attend&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Agency and campus leaders&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; driving digital service, CX, and transformation programs&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;CIOs, CISOs, and architects&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; building Zero Trust and AI governance roadmaps&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Practitioners&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; who want real implementation detail — from directory migrations to policy design and incident response&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Why Oktane&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Okta’s public-sector track brings together government leaders, higher-ed innovators, security strategists, and integrators operating at a national scale. It’s a rare, cross-sector conversation where you can validate your roadmap, compare notes with peers, and leave with an execution plan that prioritizes &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;security&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; and is &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;human-centered&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Join us at Oktane 2025&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; to see how identity becomes your agency’s control plane for the AI era — so you can deliver mission outcomes faster and defend them better.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;em&gt;&lt;span&gt;Ready to go?&lt;/span&gt;&lt;/em&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/oktane/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Register for Oktane 2025&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; and bring your team.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;


      &lt;/div&gt;

  &lt;a href="https://www.okta.com/blog/tag/oktane/" hreflang="en"&gt;oktane&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/ai/" hreflang="en"&gt;AI&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/public-sector/" hreflang="en"&gt;public sector&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/category/industry-insight/" hreflang="en"&gt;Industry Insight&lt;/a&gt;
  






&lt;div class="BlogAuthorFull container mt-4" role="article" about="https://www.okta.com/blog/author/daniel-watts/"&gt;
  &lt;div class="row justify-content-center"&gt;
    &lt;div class="col-lg-12"&gt;
      


&lt;div class="Author__byline-wrapper   pb-3 has-border-bottom "&gt;
    &lt;div class="Author__byline-author byline-with-bio"&gt;

        &lt;div class="Author__byline-author_bio-wrapper"&gt;
            &lt;div class="Author__byline-author_image-name-wrapper"&gt;
            &lt;div class="Author__byline-author-image  large-author-image "&gt;
                
            &lt;/div&gt;

            &lt;div class="Author__byline-author-list"&gt;
                &lt;div class="Author__byline-author-wrapper"&gt;
                                    &lt;h1 class="Author__byline-author-name"&gt;
                        &lt;span&gt;Daniel Watts&lt;/span&gt;

                    &lt;/h1&gt;
                                &lt;div class="Author__byline-author-title"&gt;  Product Marketing Manager
&lt;/div&gt;
                &lt;/div&gt;
            &lt;/div&gt;
            &lt;/div&gt;

                        &lt;div class="Author__byline-author_bio"&gt;
                                &lt;p&gt;As Okta's SLED Industry Product Marketing Manager, Daniel Watts develops strategic messaging that showcases how Identity solutions can address the unique challenges facing state and local government and educational institutions. With a deep background in the GovTech space, Daniel translates complex Identity technologies into clear strategies that support digital modernization initiatives across the public sector. His work helps technology leaders implement solutions that improve workforce, citizen, and student experiences while building trust in government and educational services.&lt;/p&gt;


              

            &lt;/div&gt;
            
            
        &lt;/div&gt;

    &lt;/div&gt;
&lt;/div&gt;

    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

</description>
  <pubDate>Thu, 28 Aug 2025 00:16:01 +0000</pubDate>
    <dc:creator/>
    <guid isPermaLink="false">43691 at https://www.okta.com</guid>
    </item>
<item>
  <title>The next chapter for Okta Privileged Access: Integrating Axiom to accelerate our roadmap</title>
  <link>https://www.okta.com/blog/2025/08/the-next-chapter-for-okta-privileged-access-integrating-axiom-to-accelerate-our/</link>
  <description>&lt;span&gt;The next chapter for Okta Privileged Access: Integrating Axiom to accelerate our roadmap&lt;/span&gt;
&lt;span&gt;&lt;span lang="" about="https://www.okta.com/user/7392" typeof="schema:Person" property="schema:name" datatype="" content="jess.bagherpour@okta.com" xml:lang=""&gt;jess.bagherpou…&lt;/span&gt;&lt;/span&gt;
&lt;span&gt;Wed, 08/27/2025 - 11:39&lt;/span&gt;
  



  &lt;div class="BodyParagraph"&gt;
                &lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;We recently announced something exciting: &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/newsroom/press-releases/okta-with-axiom-security--delivering-robust-privileged-access-fo/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Okta &lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;signed&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; a definitive agreement to acquire &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://axiom.security/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Axiom Security&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, a modern, identity-centric privileged access management (PAM) solution. 
Our teams plan to integrate key Axiom functionality into &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/products/privileged-access/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Okta Privileged Access&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; over the coming months, which will allow us to expand access controls to more sensitive resources for Okta customers.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Okta Privileged Access is and will continue to be the single control plane for our customers’ privileged resources, whether on-premises or in the cloud, streamlining access and governance while eliminating standing privileges. Below, we answer some questions current customers might have.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;What’s changing?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;We’re excited to welcome new team members to help us build the leading neutral and independent identity platform. We believe Axiom and Okta Privileged Access complement each other in their approach to providing a modern PAM solution. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Both solutions help organizations unify access to critical infrastructure through centralized policy controls and full traceability to tie access back to an individual. Over the coming months, Axiom will be integrated into the Okta Privileged Access product, expanding capabilities available to existing customers.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Why Axiom?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;It’s simple: Axiom allows us to deepen functionality and increase value to our customers&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Today, Okta Privileged Access supports passwordless, just-in-time access for Windows and Linux servers, a vault for privileged accounts (server local, SaaS service, Okta, and Active Directory), secrets management, and governance and auditing. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;This acquisition allows us to accelerate our roadmap for expanded functionality around just-in-time access for databases and Kubernetes, while maintaining velocity on delivering other core functionality, such as &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/blog/2025/04/securing-privileged-active-directory-accounts-with-okta/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;support for Active Directory accounts&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;What are the benefits for Okta Privileged Access customers?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;This acquisition will help Okta customers extend their &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/identity-101/identity-fabric-the-future-of-identity-and-access-management/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;identity security fabric&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; to more privileged accounts and resources, providing a single control plane for managing privileged access, whether on-prem or in the cloud. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Just-in-time access:&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; Eliminate standing privileges by providing automated, time-limited access only when needed. This reduces risk and operational overhead by helping ensure that elevated permissions are temporary and auditable.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Unified control:&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; Gain a single point of administration for privileged access across resources. This simplifies management and provides a holistic view of your security posture across on-premises and multi-cloud infrastructure, including critical resources like databases and Kubernetes.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Deep coverage:&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; Secure access to a broader range of critical resources. With new connectors and an AI-based application connector builder, the solution extends security to databases and Kubernetes environments, helping ensure least-privileged access and full traceability for auditing and compliance.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;How much will it cost?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Okta Privileged Access will continue to be available under its current pricing model, based on resource units. Today, it’s available as part of our Okta Platform Suites or through stand-alone licensing. The functionality gained through this acquisition will be delivered as an enhancement to the existing product, which means customers will benefit without needing to purchase a separate product.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Our flexible resource unit licensing model will remain the same. Customers purchase a pool of &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://support.okta.com/help/s/product-subscription-reference-guide?language=en_US&amp;_gl=1*1j8t4pk*_gcl_au*MTk4MTAxODY4Ny4xNzU0MzQzOTUxLjk2MzU1Mzk2NS4xNzU0MzQzOTUzLjE3NTQzNDM5ODk.*_ga*MTk5MTMxMjM1MS4xNjk4NDI0NzI1*_ga_QKMSDV5369*czE3NTYxNDA3NTMkbzQ0NCRnMSR0MTc1NjE0MDc1OCRqNTUkbDAkaDA." rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;resource units &lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;that can be applied to any combination of resources. This allows you to use your existing units to protect servers, users, service accounts, Active Directory accounts, and soon databases and Kubernetes.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;As we integrate the technology into our roadmap, we’ll share more details on pricing, particularly for databases and Kubernetes. Our goal is to keep pricing straightforward and aligned with the value customers get from securing their privileged resources.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Why choose Okta for privileged access?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;In today's dynamic, multi-cloud environment, managing privileged access is more complex than ever. Manual processes for permissions lead to security risks, compliance gaps, and operational inefficiencies, especially with the rise of &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/blog/2025/02/non-human-and-human-identities-a-unified-approach/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;non-human identities&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; like AI agents. At this scale, siloed solutions and fragmented identity won’t work.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;We hear from customers that this is true even when the products come from a single vendor. A unified contract is not the same as a unified platform. A collection of acquired tools without a unified view is a different kind of fragmentation, and it doesn’t make security or IT’s jobs any easie&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;r.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;This is one of the key reasons organizations need to adopt an identity security fabric — a complete set of identity tools orchestrated up and down your tech stack to detect, prevent, and respond to identity attacks quickly. Orchestration is imperative. This allows organizations to leverage risk signal sharing to take real-time action when needed.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;article class="align-center media media--type-image media--view-mode-_640w-scaled"&gt;&lt;img width="1640" height="930" alt="Okta Identity Security Fabric" loading="lazy" typeof="foaf:Image" data-src="/sites/default/files/styles/1640w_scaled/public/media/image/2025-08/Screenshot%202025-08-27%20at%201.38.30%E2%80%AFPM.png?itok=k-tFCmO-" class="lazyload" /&gt;&lt;/article&gt;&lt;p&gt; &lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;PAM is an integral part of an identity security fabric. Axiom will strengthen our existing PAM solution by broadening our reach into critical infrastructure resources, specifically databases and Kubernetes, which are highly privileged, valuable, and requested by today’s Okta customers.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;If you have additional questions or want to learn more about Okta Privileged Access, reach out to your Okta representative.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;


      &lt;/div&gt;

  &lt;a href="https://www.okta.com/blog/tag/okta-privileged-access/" hreflang="en"&gt;Okta Privileged Access&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/privileged-access-management/" hreflang="en"&gt;Privileged Access Management&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/identity-security/" hreflang="en"&gt;Identity security&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/category/company-product/" hreflang="en"&gt;Company + Product&lt;/a&gt;
  






&lt;div class="BlogAuthorFull container mt-4" role="article" about="https://www.okta.com/blog/author/elizabeth-baier/"&gt;
  &lt;div class="row justify-content-center"&gt;
    &lt;div class="col-lg-12"&gt;
      


&lt;div class="Author__byline-wrapper   pb-3 has-border-bottom "&gt;
    &lt;div class="Author__byline-author byline-with-bio"&gt;

        &lt;div class="Author__byline-author_bio-wrapper"&gt;
            &lt;div class="Author__byline-author_image-name-wrapper"&gt;
            &lt;div class="Author__byline-author-image  large-author-image "&gt;
                
            &lt;/div&gt;

            &lt;div class="Author__byline-author-list"&gt;
                &lt;div class="Author__byline-author-wrapper"&gt;
                                    &lt;h1 class="Author__byline-author-name"&gt;
                        &lt;span&gt;Elizabeth Baier&lt;/span&gt;

                    &lt;/h1&gt;
                                &lt;div class="Author__byline-author-title"&gt;  Senior Product Marketing Manager
&lt;/div&gt;
                &lt;/div&gt;
            &lt;/div&gt;
            &lt;/div&gt;

                        &lt;div class="Author__byline-author_bio"&gt;
                                &lt;p&gt;Elizabeth Baier is a Senior Product Marketing Manager at Okta. In this role, Elizabeth is responsible for go-to-market strategy for Okta Privileged Access — a PAM solution for modern infrastructure and the newest addition to Okta Workforce Identity Cloud. She has over 10 years of cybersecurity experience and previously worked in areas of PKI, IoT, secrets management, operational technology, and industrial control systems.&lt;/p&gt;


              

            &lt;/div&gt;
            
            
        &lt;/div&gt;

    &lt;/div&gt;
&lt;/div&gt;

    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

</description>
  <pubDate>Wed, 27 Aug 2025 18:39:13 +0000</pubDate>
    <dc:creator/>
    <guid isPermaLink="false">43732 at https://www.okta.com</guid>
    </item>
<item>
  <title>Introducing Universal Logout for all Adaptive MFA customers</title>
  <link>https://www.okta.com/blog/2025/08/introducing-universal-logout-for-all-adaptive-mfa-customers/</link>
  <description>&lt;span&gt;Introducing Universal Logout for all Adaptive MFA customers&lt;/span&gt;
&lt;span&gt;&lt;span lang="" about="https://www.okta.com/user/7392" typeof="schema:Person" property="schema:name" datatype="" content="jess.bagherpour@okta.com" xml:lang=""&gt;jess.bagherpou…&lt;/span&gt;&lt;/span&gt;
&lt;span&gt;Mon, 08/18/2025 - 16:40&lt;/span&gt;
  



  &lt;div class="BodyParagraph"&gt;
                &lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Secure sessions, on your own terms.&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; Okta is expanding the power of Universal Logout to more customers, providing better control over session management so that you can strengthen your organization’s security posture with minimal complexity.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;The power of Universal Logout for session security &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Managing sessions and tokens across distributed applications has long challenged identity teams. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Universal Logout&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; is a powerful capability that allows admins to revoke sessions and tokens across federated applications.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Starting today, &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Universal Logout is now available for all Okta Adaptive MFA&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; customers (with some restrictions as stated below). This feature enables Super Admins to manually clear sessions and revoke tokens from the Okta Admin Console, expanding their security toolkit for session management.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Why change?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Whether responding to a compromised session, meeting compliance mandates, or cleaning up stale sessions, &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;revoking all user access in a timely and effective manner is a critical capability.&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Without Universal Logout, even if a user’s Okta session is cleared, downstream app sessions (sessions from the other applications that the user signed in to) might still be active, leaving a critical security gap. AMFA customers previously lacked a reliable, built-in way to close that gap.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;What’s new for Adaptive MFA customers?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Before today, Adaptive MFA customers were able to leverage session management capabilities like&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Clear all Okta sessions&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; (active sessions on all devices)&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Revoke OIDC/OAuth tokens&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, requiring fresh re-authentication&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Clear “Keep me signed in” states&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;With this launch, AMFA Super Admins can now:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Revoke access for &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://help.okta.com/oie/en-us/content/topics/itp/config-universal-logout.htm" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;logout-enabled apps&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt; and Okta API tokens&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;h3&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;But there are some important restrictions to be aware of:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
 &lt;/h3&gt;
&lt;article class="align-center media media--type-image media--view-mode-_640w-scaled"&gt;&lt;img width="1280" height="734" alt="Screenshot: Clear sessions and revoke tokens" loading="lazy" typeof="foaf:Image" data-src="/sites/default/files/styles/1640w_scaled/public/media/image/2025-08/Screenshot%202025-08-18%20at%202.00.15%E2%80%AFPM.png?itok=z7uRf2L4" class="lazyload" /&gt;&lt;/article&gt;&lt;p&gt;&lt;em&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;*Note: This means &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Super Admins can manually revoke access for three users per minute&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; via the Okta Admin Console but can’t currently automate this process via API or Workflows integrations.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Why choose Okta?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;This enhancement underscores &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/secure-identity-commitment/?_gl=1*11vqcej*_gcl_au*MTA1MTA5OTA4LjE3NDc3NDgxMjE.*_ga*MTM4MjIwNDkzNi4xNzM3NTc0NTQx*_ga_QKMSDV5369*czE3NTEyMjc2OTYkbzI5NCRnMSR0MTc1MTIyODQ1NiRqNDQkbDAkaDA." rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Okta’s&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Secure Identity Commitment&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; by expanding advanced security capabilities to more customers. We're helping more organizations reduce session-related risks and respond quickly to security incidents.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;And because you can access the feature through a familiar admin console, there's no need for complex setup or reconfiguration.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;What you can do today&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Curious about how you can access Adaptive MFA? Wonder no more.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;If you're an Adaptive MFA customer&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, you can access Universal Logout from the Okta Admin Console today.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Not yet on Adaptive MFA?&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; Learn how Adaptive MFA helps protect against phishing and session hijacking: &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/products/adaptive-multi-factor-authentication/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Explore Adaptive MFA&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;If you’re an Identity Threat Protection customer&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, good news: You already enjoy &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/products/identity-threat-protection/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;full Universal Logout functionality&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, including API-based triggers and automation.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Your feedback helps shape our product roadmap. Let us know how you’re using Universal Logout and what capabilities you'd like to see next.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Get started&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Ready to start using Universal Logout? Follow these simple instructions:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="https://help.okta.com/oie/en-us/content/topics/itp/config-universal-logout.htm" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Configure Universal Logout&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; for an application. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Once configured, log in to the Okta Admin Console → Navigate to a user profile → Click &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;More Actions → Clear sessions and revoke tokens&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;article class="align-center media media--type-image media--view-mode-_640w-scaled"&gt;&lt;img width="984" height="818" alt="Screenshot: Clear sessions and revoke tokens" loading="lazy" typeof="foaf:Image" data-src="/sites/default/files/styles/1640w_scaled/public/media/image/2025-08/Screenshot%202025-08-18%20at%202.00.51%E2%80%AFPM_0.png?itok=tryqw1Oi" class="lazyload" /&gt;&lt;/article&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://help.okta.com/oie/en-us/content/topics/itp/universal-logout.htm" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Learn more about Universal Logout&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt; in our help docs.&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Want to try out building UL? Sign up for the &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://developer.okta.com/signup/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Okta Dev Org&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;em&gt;&lt;span&gt;These materials are intended for general informational purposes only and are not intended to be legal, privacy, security, compliance, or business advice.&lt;/span&gt;&lt;/em&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;


      &lt;/div&gt;

  &lt;a href="https://www.okta.com/blog/tag/universal-logout/" hreflang="en"&gt;Universal Logout&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/adaptive-mfa/" hreflang="en"&gt;Adaptive MFA&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/product/" hreflang="en"&gt;product&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/okta-secure-identity-product-blog-series/" hreflang="en"&gt;Okta Secure Identity Product Blog Series&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/category/company-product/" hreflang="en"&gt;Company + Product&lt;/a&gt;
  






&lt;section class="Breadcrumb"&gt;&lt;div class="container"&gt;
    &lt;div class="row"&gt;
      &lt;div class="col-12"&gt;
        &lt;ul class="list"&gt;&lt;li class="list-item"&gt;&lt;a href="https://www.okta.com/blog/"&gt;Blog&lt;/a&gt;&lt;/li&gt;
                      &lt;li class="list-item"&gt;&lt;a href="https://www.okta.com/blog/author/bhavik-thakkar/"&gt;Bhavik Thakkar&lt;/a&gt;&lt;/li&gt;
                  &lt;/ul&gt;&lt;/div&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/section&gt;&lt;div class="BlogAuthorFull container mt-4" role="article" about="https://www.okta.com/blog/author/bhavik-thakkar/"&gt;
  &lt;div class="row justify-content-center"&gt;
    &lt;div class="col-lg-12"&gt;
      


&lt;div class="Author__byline-wrapper   pb-3 has-border-bottom "&gt;
    &lt;div class="Author__byline-author byline-with-bio"&gt;

        &lt;div class="Author__byline-author_bio-wrapper"&gt;
            &lt;div class="Author__byline-author_image-name-wrapper"&gt;
            &lt;div class="Author__byline-author-image  large-author-image "&gt;
                
            &lt;/div&gt;

            &lt;div class="Author__byline-author-list"&gt;
                &lt;div class="Author__byline-author-wrapper"&gt;
                                    &lt;h1 class="Author__byline-author-name"&gt;
                        &lt;span&gt;Bhavik Thakkar&lt;/span&gt;

                    &lt;/h1&gt;
                                &lt;div class="Author__byline-author-title"&gt;  Product Manager 
&lt;/div&gt;
                &lt;/div&gt;
            &lt;/div&gt;
            &lt;/div&gt;

                        &lt;div class="Author__byline-author_bio"&gt;
                                &lt;p&gt;Bhavik is a Product Manager at Okta leading the Inbound Federations team and driving the development of Universal Logout functionality. He previously led Okta’s Access Request team and the Developer Community Products team, where he oversaw back-end SDKs and Okta’s Terraform provider. Bhavik holds an MS in Computer Science from Indiana University Bloomington and is passionate about all things identity and user experience.&lt;/p&gt;


              

            &lt;/div&gt;
            
            
        &lt;/div&gt;

    &lt;/div&gt;
&lt;/div&gt;

    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

</description>
  <pubDate>Mon, 18 Aug 2025 23:40:25 +0000</pubDate>
    <dc:creator/>
    <guid isPermaLink="false">43509 at https://www.okta.com</guid>
    </item>
<item>
  <title>Bridging the gap in browser security with Google and Okta</title>
  <link>https://www.okta.com/blog/2025/08/bridging-the-gap-in-browser-security-with-google-and-okta/</link>
  <description>&lt;span&gt;Bridging the gap in browser security with Google and Okta&lt;/span&gt;
&lt;span&gt;&lt;span lang="" about="https://www.okta.com/user/7392" typeof="schema:Person" property="schema:name" datatype="" content="jess.bagherpour@okta.com" xml:lang=""&gt;jess.bagherpou…&lt;/span&gt;&lt;/span&gt;
&lt;span&gt;Fri, 08/15/2025 - 08:20&lt;/span&gt;
  



  &lt;div class="BodyParagraph"&gt;
                &lt;article class="align-center media media--type-image media--view-mode-_640w-scaled"&gt;&lt;img width="924" height="260" alt="Secure Identity Blog Series Banner" loading="lazy" typeof="foaf:Image" data-src="/sites/default/files/styles/1640w_scaled/public/media/image/2025-05/Screenshot%202025-04-28%20at%201.45.24%E2%80%AFPM.png?itok=mjKbynVC" class="lazyload" /&gt;&lt;/article&gt;&lt;p&gt;
&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Browsers are today’s primary work portal. Most corporate applications and sensitive data now live behind SaaS and other cloud services, and we reach them through browsers like Chrome, Edge, and Safari.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;This elevates the browser from a mere application to a critical policy enforcement point, which makes browser security a foundational element of a modern Zero Trust architecture. However, one gap continues to undermine enterprise browser security: employees using personal profiles to access corporate data.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Mixing personal and work browsing creates outsized risk, and managed browser profiles can help restore control without sacrificing user experience. Google and Okta have partnered to make managed Chrome profiles practical to scale.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Why personal profiles are a problem&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;BYOD and hybrid work normalized the habit of using personal devices and browser profiles for work. On corporate machines, users commonly sign in to personal Chrome or Edge profiles to sync bookmarks and passwords. But that convenience comes at a cost. Key risks for personal browser use in the workplace include:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Credential leakage&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;: Personal profiles make it easy to save work passwords into personal password managers and sync them beyond corporate oversight. When personal accounts or devices are compromised, attackers inherit corporate logins. Poor password hygiene compounds the risk: many employees reuse passwords between personal and work contexts or save work passwords straight into the browser.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Insecure or unvetted extensions&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;: Browser extensions are ubiquitous and powerful. Many request permissions to read and change site data, capture keystrokes, access cookies, and interact with local files. Employees can install anything — from helpful tools to risky adware — in a personal profile without review. That opens credible paths for data exfiltration, credential harvesting, and session hijacking. Because personal profiles sit outside your extension allowlist/denylist, they become a blind spot for prevention and forensics.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Policy evasion and shadow IT&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Web filtering, download restrictions, data loss protection (DLP), and other controls are often attached to managed browser contexts. A personal profile may sidestep those controls. Users can visit blocked sites, upload corporate files to personal drives, or use unapproved SaaS services. This activity wouldn’t show up in your SIEM, and remediation is harder because there’s no reliable audit trail.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;The case for managed browser profiles&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;The solution is to create a clear separation: bring all work-related browsing under corporate management while leaving personal use untouched. Managed browser profiles enforce your policies, support your identity stack, and provide the visibility your security teams need while allowing employees to maintain a separate personal profile. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://support.google.com/chrome/a/answer/15591684" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Google’s managed Chrome profiles&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; do precisely this and can be easily configured via the Google admin console and federated with Okta.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;The control points for managed profiles are consistent and comprehensive. Identity and sign-in are anchored to a dedicated work profile and authenticated with corporate single sign-on or SSO (e.g., Okta), keeping work credentials, tokens, and cookies isolated from personal contexts. Administrators can enforce multi-factor authentication (MFA), disable password saving to personal vaults, and check device posture during authentication. Security policies like web filtering, safe browsing, DLP enforcement, certificate pinning, and VPN or SASE routing can be applied directly to the work profile and enforced uniformly across managed and unmanaged desktops. Extension control is also centralized, enabling IT teams to define allowlists, block unvetted add-ons, and auto-install trusted tools.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Managed browser profiles offer four clear benefits:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Data isolation&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;: Work credentials and session data stay within the managed profile, while personal browsing artifacts — like cookies, extensions, and passwords — remain separate. This limits risk if a personal account or device is compromised and prevents accidental data leaks (e.g., uploading sensitive files to personal cloud storage).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Consistent security policies&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;: Security controls — such as MFA, DLP, download restrictions, and password rules — follow users across devices. That helps ensure that access to SaaS apps stays protected through the managed profile, whether on corporate or personal machines.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Reduced risk and faster response&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;: Organizations reduce the attack surface by eliminating common threats like stored work credentials in personal profiles or unauthorized cloud uploads. Managed browser telemetry enables faster incident investigation and response.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Improved user experience&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;: A managed profile minimizes distractions, seamlessly enforces security, and separates work from personal browsing. Users benefit from seamless SSO with pre-approved local network access policies and tools like &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/products/fastpass/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Okta FastPass&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ol&gt;&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;In short, managed profiles strike the balance between enterprise-grade security and employee productivity. They transform the browser from an unmanaged risk surface into a more secure, policy-enforced workspace, no matter where the user logs in.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;How Okta and Google simplify the rollout&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Okta and Google make managed profiles practical to deploy across managed and unmanaged Windows, macOS, and Linux devices. Provisioning the work profile starts with Okta federating sign-in to Chrome so that users authenticate with their corporate credentials. On first sign-in, a managed Chrome work profile is automatically created and bound to your organization’s policies, eliminating the need for a device management solution. For step-by-step setup guidance, see &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://support.google.com/chrome/a/answer/16307014" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;em&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Sign into Chrome with Okta&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/em&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, which walks through creating enterprise Chrome profiles that automatically receive your configured policies. The example below shows the end-user experience when launching the Chrome profile setup from the Okta dashboard.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Sign in to the "Setup Chrome Profile" app in the Okta end-user dashboard.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;
&lt;p&gt;	&lt;img alt="Okta Dashboard with Chrome chiclet selected" height="1009" src="https://www.okta.com/sites/default/files/styles/1640w_scaled/public/media/image/2025-08/chrome-chicklet.png?itok=26hsASAG" width="1640" /&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt; Sign in with FastPass.&lt;br /&gt;
	 
&lt;article class="align-center media media--type-image media--view-mode-_640w-scaled"&gt;&lt;img width="1640" height="1025" alt="Fastpass sign-in screen" loading="lazy" typeof="foaf:Image" data-src="/sites/default/files/styles/1640w_scaled/public/media/image/2025-08/sign-in-with-fp.png?itok=jv2POo3r" class="lazyload" /&gt;&lt;/article&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Complete setup in Chrome.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;article class="align-center media media--type-image media--view-mode-_640w-scaled"&gt;&lt;img width="1640" height="1025" alt="Screenshot of new Chrome profile setup" loading="lazy" typeof="foaf:Image" data-src="/sites/default/files/styles/1640w_scaled/public/media/image/2025-08/setup-new-profile.png?itok=RLR8cnsB" class="lazyload" /&gt;&lt;/article&gt;&lt;article class="align-center media media--type-image media--view-mode-_640w-scaled"&gt;&lt;img width="1640" height="1025" alt="Chrome setup complete message" loading="lazy" typeof="foaf:Image" data-src="/sites/default/files/styles/1640w_scaled/public/media/image/2025-08/all-set.png?itok=Cbjo6hW0" class="lazyload" /&gt;&lt;/article&gt;&lt;h2&gt;
&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;How to deliver a seamless, secure user experience&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Through &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/chrome/enable-chrome-dt.htm" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Chrome Device Trust Connector for Okta&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, admins can enforce &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/chrome/device-assurance-chrome.htm" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;device assurance policies&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; such as password restrictions, safe browsing, and site isolation, which are applied before the user accesses any corporate resources.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;For many organizations, delivering a smooth, passwordless sign-in experience is as important as enforcing strong security policies. Features like Okta FastPass help achieve both by enabling phishing-resistant authentication with minimal user disruption. However, Chrome’s new Local Network Access (LNA) prompt can interrupt these flows if not pre-configured.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;To support FastPass and other authentication flows that rely on a local loopback server, administrators can configure the &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;em&gt;&lt;span&gt;LocalNetworkAccessAllowedForUrls&lt;/span&gt;&lt;/em&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; policy for their Okta sign-in domains, suppressing Chrome’s network access prompt and maintaining a seamless sign-in experience. This should be paired with &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;em&gt;&lt;span&gt;LocalNetworkAccessRestrictionsEnabled&lt;/span&gt;&lt;/em&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; to ensure consistency in enforcement. Once users sign in to the managed Chrome profile with Okta, they receive single-click access to their work apps, with all policies and approved extensions applying automatically, while personal browsing remains untouched. See &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://support.okta.com/help/s/article/configure-chrome-to-suppress-the-local-network-access-prompt-for-okta-fastpass" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;em&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Configure Chrome to Suppress the Local Network Access Prompt for Okta FastPass&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/em&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; to learn more.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Secure browsers make a secure organization&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;It’s no longer enough to think of the enterprise endpoint as just the device — it's also the browser session. Treating that session as a managed, secure workspace is one of the most effective ways to protect identity, data, and access.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Managed browser profiles, or secure enterprise browsers, offer clean separation between work and personal use, consistent policy enforcement across desktops, improved observability for security teams, and a smoother, less disruptive user experience.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;With Okta and Chrome Enterprise, you can roll this out pragmatically. To make the browser your most defended app and bootstrap managed Chrome profiles with Okta, look at the &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://support.google.com/chrome/a/answer/16307014" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;documentation&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; mentioned above. Learn more about Okta’s Chrome integrations and device assurance policies by visiting the &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/products/adaptive-multi-factor-authentication/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Adaptive MFA webpage&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;
&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;em&gt;&lt;span&gt;These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials.  Information regarding Okta's contractual assurances to its customers can be found at &lt;/span&gt;&lt;/em&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://okta.com/agreements" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;em&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;okta.com/agreements&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/em&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;em&gt;&lt;span&gt;.&lt;/span&gt;&lt;/em&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;


      &lt;/div&gt;

  &lt;a href="https://www.okta.com/blog/tag/okta-secure-identity-product-blog-series/" hreflang="en"&gt;Okta Secure Identity Product Blog Series&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/google/" hreflang="en"&gt;Google&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/customer-identity/" hreflang="en"&gt;Customer identity&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/okta-fastpass/" hreflang="en"&gt;Okta Fastpass&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/category/customers-partners/" hreflang="en"&gt;Customers + Partners&lt;/a&gt;
  






&lt;section class="Breadcrumb"&gt;&lt;div class="container"&gt;
    &lt;div class="row"&gt;
      &lt;div class="col-12"&gt;
        &lt;ul class="list"&gt;&lt;li class="list-item"&gt;&lt;a href="https://www.okta.com/blog/"&gt;Blog&lt;/a&gt;&lt;/li&gt;
                      &lt;li class="list-item"&gt;&lt;a href="https://www.okta.com/blog/author/karthig-balendran/"&gt;Karthig Balendran&lt;/a&gt;&lt;/li&gt;
                  &lt;/ul&gt;&lt;/div&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/section&gt;&lt;div class="BlogAuthorFull container mt-4" role="article" about="https://www.okta.com/blog/author/karthig-balendran/"&gt;
  &lt;div class="row justify-content-center"&gt;
    &lt;div class="col-lg-12"&gt;
      


&lt;div class="Author__byline-wrapper   pb-3 has-border-bottom "&gt;
    &lt;div class="Author__byline-author byline-with-bio"&gt;

        &lt;div class="Author__byline-author_bio-wrapper"&gt;
            &lt;div class="Author__byline-author_image-name-wrapper"&gt;
            &lt;div class="Author__byline-author-image  large-author-image "&gt;
                
            &lt;/div&gt;

            &lt;div class="Author__byline-author-list"&gt;
                &lt;div class="Author__byline-author-wrapper"&gt;
                                    &lt;h1 class="Author__byline-author-name"&gt;
                        &lt;span&gt;Karthig Balendran&lt;/span&gt;

                    &lt;/h1&gt;
                                &lt;div class="Author__byline-author-title"&gt;  Group Product Manager
&lt;/div&gt;
                &lt;/div&gt;
            &lt;/div&gt;
            &lt;/div&gt;

                        &lt;div class="Author__byline-author_bio"&gt;
                                &lt;p&gt;Karthig is a Group Product Manager on Okta's Access Management team, where he leads strategy and execution for Device Assurance, FastPass, and Okta Verify. His work focuses on strengthening Zero Trust security by making it easier for organizations to enforce device context and deliver phishing-resistant authentication. He’s passionate about bridging enterprise security and user experience, especially in complex, cross-platform environments. Before joining Okta, Karthig worked on Microsoft Teams and Intune. Outside of work, you can find him riding through the hills outside Seattle with his kids in tow.&lt;/p&gt;


              

            &lt;/div&gt;
            
            
        &lt;/div&gt;

    &lt;/div&gt;
&lt;/div&gt;

    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

  






&lt;div class="BlogAuthorFull container mt-4" role="article" about="https://www.okta.com/blog/author/cynthia-luu/"&gt;
  &lt;div class="row justify-content-center"&gt;
    &lt;div class="col-lg-12"&gt;
      


&lt;div class="Author__byline-wrapper   pb-3 has-border-bottom "&gt;
    &lt;div class="Author__byline-author byline-with-bio"&gt;

        &lt;div class="Author__byline-author_bio-wrapper"&gt;
            &lt;div class="Author__byline-author_image-name-wrapper"&gt;
            &lt;div class="Author__byline-author-image  large-author-image "&gt;
                
            &lt;/div&gt;

            &lt;div class="Author__byline-author-list"&gt;
                &lt;div class="Author__byline-author-wrapper"&gt;
                                    &lt;h1 class="Author__byline-author-name"&gt;
                        &lt;span&gt;Cynthia Luu&lt;/span&gt;

                    &lt;/h1&gt;
                                &lt;div class="Author__byline-author-title"&gt;  Principal Product Marketing Manager
&lt;/div&gt;
                &lt;/div&gt;
            &lt;/div&gt;
            &lt;/div&gt;

                        &lt;div class="Author__byline-author_bio"&gt;
                                &lt;p&gt;Cynthia is a Principal Product Marketing Manager of Okta Workforce Identity Cloud. She covers solutions for devices and security. Prior to joining Okta, she spent four years supporting IBM security in various marketing roles, managing IBM’s portfolio of data protection solutions, initiatives on Zero Trust and data privacy, and their market development and customer insights programs.&lt;/p&gt;


              

            &lt;/div&gt;
            
            
        &lt;/div&gt;

    &lt;/div&gt;
&lt;/div&gt;

    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

</description>
  <pubDate>Fri, 15 Aug 2025 15:20:27 +0000</pubDate>
    <dc:creator/>
    <guid isPermaLink="false">43581 at https://www.okta.com</guid>
    </item>
<item>
  <title>Scaling success: How the Oktane Ambassador Program unleashed the power of our people</title>
  <link>https://www.okta.com/blog/2025/08/scaling-success-how-the-oktane-ambassador-program-unleashed-the-power-of-our-people/</link>
  <description>&lt;span&gt;Scaling success: How the Oktane Ambassador Program unleashed the power of our people&lt;/span&gt;
&lt;span&gt;&lt;span lang="" about="https://www.okta.com/user/7392" typeof="schema:Person" property="schema:name" datatype="" content="jess.bagherpour@okta.com" xml:lang=""&gt;jess.bagherpou…&lt;/span&gt;&lt;/span&gt;
&lt;span&gt;Wed, 08/13/2025 - 16:53&lt;/span&gt;
  



  &lt;div class="BodyParagraph"&gt;
                &lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;If you’ve ever attended our &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/oktane/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;customer conference, Oktane&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, you know it unites the Okta community to share what’s next in the world of identity security. But as the annual event has continued growing, we’ve faced a challenge that many scaling programs encounter: Our internal resources struggled to keep pace. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Demand for information and on-site support was higher than ever, and as the program lead, I couldn't be everywhere at once. How could we ensure every attendee — internal and external — had a world-class experience? The answer wasn't in a larger budget (though I’ll never turn that down) or headcount (though I won’t turn that down either), but in a priceless, untapped resource: our own employees.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;This passion project of mine had been top of mind for several years. I can’t remember exactly why 2024 was &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;em&gt;&lt;span&gt;the year &lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;that I was determined to get it off the ground. But I knew if it didn’t happen now, I would keep telling myself, “I’ll do it next year.” This realization sparked the creation of the Oktane Ambassador Program (OAP), an initiative that has solved our scaling challenges and fostered a deeper sense of ownership and pride in our company's flagship event.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;A shared vision to build the Oktane community&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;It all began as a simple idea. I needed a way to decentralize information and extend my reach. Maybe playing into this being &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;em&gt;&lt;span&gt;the year&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, I quickly learned that our Customer Success team was simultaneously exploring the creation of an “Ambassador” program to bring more Customer Success Managers to Oktane. The stars aligned: we joined forces, and the official Oktane Ambassador Program was born.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;We launched an internal application, unsure of what to expect. To my pleasant surprise, the response was astounding. Over 100 Okta employees from every corner of the company — spanning different teams, organizations, regions, and skillsets — raised their hands, eager to be a part of Oktane in a meaningful way. From this incredible pool of talent, we selected our inaugural class of 35 Ambassadors. My partners from Customer Success quickly became my support system and sounding board, leading to the creation of the invaluable Oktane Ambassador Program Leadership Council, and together, we embarked on this exciting new chapter.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;In the months leading up to Oktane, our Ambassadors became extensions of the core event team. We armed them with the latest information, and they disseminated it to their respective departments, answering questions and funneling key themes and feedback back to us. They took on special projects, assisting our Core Team and bringing fresh perspectives to the table. Throughout the planning process, we kept direct lines to our Ambassadors open through a team Slack channel and bi-weekly check-ins, ensuring they felt supported.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Once on-site, the Ambassadors were instrumental to the success of the event. Decked out in exclusive swag, they took on critical roles, from commanding the control center of the expo hall — the Okta Hub — to supporting our customer speakers in breakout sessions. One Ambassador even stepped into the role of an events producer for our Live News Desk, a cornerstone of the &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/oktane/online/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Oktane Online&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; experience. Their presence was felt everywhere, and their contributions were immeasurable.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Creating a culture of advocacy&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;The first year was a resounding success, but we knew we could make it even better. As we prepared for this year's program, we refined our approach. We made our application questions more intentional, focusing on specific skill sets and each applicant’s passions and interests. The result? Nearly double the applications and a wave of innovative ideas, including a proposal to leverage AI to help elevate the Core Team’s efficiency and enable employees to get self-serve answers to their questions in Slack.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;To further streamline our efforts, we've structured this year's Ambassador program into four key pillars: Customer Success, Go-to-Market/Field, Global, and Special Projects. This has allowed for even greater focus and impact. In fact, the head of our Sales Development Representatives team wanted to get in on this program and supported funding stand-outs from his own organization to be part of the Oktane Ambassador Program.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;All levels of Okta, including company leadership, have shown enthusiasm for the Oktane Ambassador Program. It's a testament to the power of finding untapped potential within our own walls and giving our employees a true sense of purpose and ownership in something bigger than their day-to-day roles.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;This year, we've also empowered our Ambassadors to be external advocates. We've armed them with social media posts to share on platforms like LinkedIn, proudly announcing their participation and inviting their networks to connect with them. This has amplified the program’s reach while strengthening the Oktane brand externally.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;The program’s success is a powerful reminder that sometimes the most innovative solutions are right in front of us. It’s become a model for other teams at Okta, demonstrating how to effectively leverage the diverse talents of our people to achieve extraordinary results. We've solved our scaling problem, created a vibrant community of champions, and are inspired to make Oktane better than ever before.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Advice for scaling your own ambassador programs&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Here are some key learnings from our journey that you can apply to your programs:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;The power of internal partnerships: &lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Look for opportunities to collaborate and find shared goals within your organization. A seemingly independent initiative can gain significant momentum and resources by partnering with other teams working towards similar objectives.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Invest in your ambassadors&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;: Provide comprehensive training and resources, ensuring they have the information needed for success. Foster an environment of open communication through regular check-ins and dedicated channels, and they will feel supported and connected. Finally, make their work meaningful by matching their interests and expertise with key event pillars, filling gaps, and ensuring their contributions truly enhance the program.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Keep evolving&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;: Solicit feedback throughout the process, not just once the event is over or at the end of the year. Adjust the questions you ask and be willing to learn to curate a more intentional experience from the start. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Executive buy-in is priceless&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;: Embrace leadership support, even just financially. It signifies the program’s value and can attract more internal talent.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;The countdown to &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/oktane/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Oktane&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; is on, and we can’t wait to see what this year will bring.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;


      &lt;/div&gt;

  &lt;a href="https://www.okta.com/blog/tag/oktane-ambassador-program/" hreflang="en"&gt;Oktane Ambassador Program&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/oktane-25/" hreflang="en"&gt;Oktane 25&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/life-at-okta/" hreflang="en"&gt;#lifeatokta&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/category/industry-insight/" hreflang="en"&gt;Industry Insight&lt;/a&gt;
  






&lt;div class="BlogAuthorFull container mt-4" role="article" about="https://www.okta.com/blog/author/katie-batten/"&gt;
  &lt;div class="row justify-content-center"&gt;
    &lt;div class="col-lg-12"&gt;
      


&lt;div class="Author__byline-wrapper   pb-3 has-border-bottom "&gt;
    &lt;div class="Author__byline-author byline-with-bio"&gt;

        &lt;div class="Author__byline-author_bio-wrapper"&gt;
            &lt;div class="Author__byline-author_image-name-wrapper"&gt;
            &lt;div class="Author__byline-author-image  large-author-image "&gt;
                
            &lt;/div&gt;

            &lt;div class="Author__byline-author-list"&gt;
                &lt;div class="Author__byline-author-wrapper"&gt;
                                    &lt;h1 class="Author__byline-author-name"&gt;
                        &lt;span&gt;Katie Batten&lt;/span&gt;

                    &lt;/h1&gt;
                                &lt;div class="Author__byline-author-title"&gt;  Director, Strategic Event Marketing
&lt;/div&gt;
                &lt;/div&gt;
            &lt;/div&gt;
            &lt;/div&gt;

                        &lt;div class="Author__byline-author_bio"&gt;
                                &lt;p&gt;Katie Batten is the Director of Strategic Event Marketing at Okta and has over a decade of experience in planning and executing events. Prior to Okta, Katie led the corporate and trade show event strategy at Jive and Achievers in the Bay Area and HRCI in Northern Virginia. She is originally from Portland, OR, and her passions include travel, sports (Go Blazers!), and all things Disney. She currently resides in the Bay Area and holds an MTA from The George Washington University.&lt;/p&gt;


              

            &lt;/div&gt;
            
            
        &lt;/div&gt;

    &lt;/div&gt;
&lt;/div&gt;

    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

</description>
  <pubDate>Wed, 13 Aug 2025 23:53:08 +0000</pubDate>
    <dc:creator/>
    <guid isPermaLink="false">43510 at https://www.okta.com</guid>
    </item>
<item>
  <title>Risk-based policy-driven security with Device Logout</title>
  <link>https://www.okta.com/blog/2025/08/risk-based-policy-driven-security-with-device-logout/</link>
  <description>&lt;span&gt;Risk-based policy-driven security with Device Logout&lt;/span&gt;
&lt;span&gt;&lt;span lang="" about="https://www.okta.com/user/7392" typeof="schema:Person" property="schema:name" datatype="" content="jess.bagherpour@okta.com" xml:lang=""&gt;jess.bagherpou…&lt;/span&gt;&lt;/span&gt;
&lt;span&gt;Tue, 08/12/2025 - 07:00&lt;/span&gt;
  



  &lt;div class="BodyParagraph"&gt;
                &lt;article class="align-center media media--type-image media--view-mode-_640w-scaled"&gt;&lt;img width="924" height="260" alt="Secure Identity Blog Series Banner" loading="lazy" typeof="foaf:Image" data-src="/sites/default/files/styles/1640w_scaled/public/media/image/2025-05/Screenshot%202025-04-28%20at%201.45.24%E2%80%AFPM.png?itok=mjKbynVC" class="lazyload" /&gt;&lt;/article&gt;&lt;p&gt; &lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Automating actions through policies is one of the most effective ways to build robust and comprehensive security. For instance, when an employee leaves the company, all permissions can be promptly revoked via policies to avoid lingering access vulnerabilities. This is especially pertinent to organizations with employee turnover or temporary staff, such as contractors. With automated policies in place, the moment a worker’s time at the company has come to an end, their access to resources and devices is also terminated.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Defining clear security policies helps organizations automate granting and revoking user permissions based on user status, context clues, risk level, and minimum requirements. This helps ensure that users only have access to the resources they require and under the right circumstances, reducing the risk of privilege creep and insider threats.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;With &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/products/device-access/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Okta Device Access&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, organizations can extend identity security to corporate devices. Okta Device Access supports a range of features to help secure device login, including &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://help.okta.com/oie/en-us/content/topics/oda/macos-mfa/configure-macos-mfa.htm" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Desktop MFA&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://help.okta.com/oie/en-us/content/topics/oda/macos-pw-sync/configure-macos-password-sync.htm"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Desktop Password Sync&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://help.okta.com/oie/en-us/content/topics/oda/macos-pw-sync/jit-provisioning-oda.htm" rel=" noopener noreferrer" 
target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Just-in-Time Local Account Creation&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, and more. With a new feature called Device Logout, managing user and device identities is even easier.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Introducing Device Logout with Okta Device Access&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Device Logout is a new security feature that empowers organizations to log out risky or inactive users. By leveraging Desktop MFA, it forces users to reauthenticate, helping to ensure that only legitimate individuals have access.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;article class="align-center media media--type-image media--view-mode-_640w-scaled"&gt;&lt;img width="774" height="510" alt="Device Logout end user screen" loading="lazy" typeof="foaf:Image" data-src="/sites/default/files/styles/1640w_scaled/public/media/image/2025-08/Device%20Logout%20End%20User%20Final%202.png?itok=yewwWO1q" class="lazyload" /&gt;&lt;/article&gt;&lt;p&gt; &lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Device Logout can work alongside &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/products/identity-threat-protection/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Identity Threat Protection for Okta AI&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, highlighting the power of the Okta Platform as an identity security fabric in practice. With device access management driven by integrated and orchestrated identity security, Device Logout can be leveraged in the following flows:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;An admin can manually trigger Device Logout for a specific user&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;An admin can automatically trigger Device Logout when a user is deactivated or suspended in Okta&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;An admin can automatically trigger Device Logout for a risky user by configuring an Identity Threat Protection entity risk policy (Identity Threat Protection is required)&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;An admin can use Identity Threat Protection to manually log a user out from their device(s) when clearing user sessions from the user’s profile page&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt; &lt;/p&gt;
&lt;article class="align-center media media--type-image media--view-mode-_640w-scaled"&gt;&lt;img width="1640" height="845" alt="Device Logout User Interface" loading="lazy" typeof="foaf:Image" data-src="/sites/default/files/styles/1640w_scaled/public/media/image/2025-08/Device%20Logout%20UI%203.2_0.png?itok=rWUiNw8d" class="lazyload" /&gt;&lt;/article&gt;&lt;p&gt; &lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;With Okta Device Access and Device Logout enabled, a Universal Logout command will automatically log a user out of all applications, active sessions, and, now, their devices. This illustrates the value of Okta’s comprehensive approach to identity security and the power of secure identity orchestration, which unifies risk signals, policies, and automation to respond to threats in real time.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;How to start using Device Logout today&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Device Logout support for macOS is available today as a &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://help.okta.com/oie/en-us/content/topics/security/manage-ea-and-beta-features.htm" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;self-service Early Access feature&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; with Okta Device Access. You must have access to Identity Threat Protection within your Okta tenant to enable device logout flows that depend on it.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Please refer to the &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://help.okta.com/oie/en-us/content/topics/oda/device-logout.htm" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;product documentation&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; to learn more about Device Logout. You can also visit the product web pages to learn about &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/products/device-access/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Okta Device Access&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; and &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/products/identity-threat-protection/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Identity Threat Protection&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;


      &lt;/div&gt;

  &lt;a href="https://www.okta.com/blog/tag/device-logout/" hreflang="en"&gt;Device Logout&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/identity-threat-protection/" hreflang="en"&gt;Identity Threat Protection&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/okta-device-access/" hreflang="en"&gt;Okta Device Access&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/okta-secure-identity-product-blog-series/" hreflang="en"&gt;Okta Secure Identity Product Blog Series&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/workforce/" hreflang="en"&gt;Workforce&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/category/company-product/" hreflang="en"&gt;Company + Product&lt;/a&gt;
  






&lt;div class="BlogAuthorFull container mt-4" role="article" about="https://www.okta.com/blog/author/cynthia-luu/"&gt;
  &lt;div class="row justify-content-center"&gt;
    &lt;div class="col-lg-12"&gt;
      


&lt;div class="Author__byline-wrapper   pb-3 has-border-bottom "&gt;
    &lt;div class="Author__byline-author byline-with-bio"&gt;

        &lt;div class="Author__byline-author_bio-wrapper"&gt;
            &lt;div class="Author__byline-author_image-name-wrapper"&gt;
            &lt;div class="Author__byline-author-image  large-author-image "&gt;
                
            &lt;/div&gt;

            &lt;div class="Author__byline-author-list"&gt;
                &lt;div class="Author__byline-author-wrapper"&gt;
                                    &lt;h1 class="Author__byline-author-name"&gt;
                        &lt;span&gt;Cynthia Luu&lt;/span&gt;

                    &lt;/h1&gt;
                                &lt;div class="Author__byline-author-title"&gt;  Principal Product Marketing Manager
&lt;/div&gt;
                &lt;/div&gt;
            &lt;/div&gt;
            &lt;/div&gt;

                        &lt;div class="Author__byline-author_bio"&gt;
                                &lt;p&gt;Cynthia is a Principal Product Marketing Manager of Okta Workforce Identity Cloud. She covers solutions for devices and security. Prior to joining Okta, she spent four years supporting IBM security in various marketing roles, managing IBM’s portfolio of data protection solutions, initiatives on Zero Trust and data privacy, and their market development and customer insights programs.&lt;/p&gt;


              

            &lt;/div&gt;
            
            
        &lt;/div&gt;

    &lt;/div&gt;
&lt;/div&gt;

    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

</description>
  <pubDate>Tue, 12 Aug 2025 14:00:00 +0000</pubDate>
    <dc:creator/>
    <guid isPermaLink="false">43487 at https://www.okta.com</guid>
    </item>
<item>
  <title>Making MFA mandatory for securing the admin console front door</title>
  <link>https://www.okta.com/blog/2025/08/making-mfa-mandatory-for-securing-the-admin-console-front-door/</link>
  <description>&lt;span&gt;Making MFA mandatory for securing the admin console front door&lt;/span&gt;
&lt;span&gt;&lt;span lang="" about="https://www.okta.com/user/7392" typeof="schema:Person" property="schema:name" datatype="" content="jess.bagherpour@okta.com" xml:lang=""&gt;jess.bagherpou…&lt;/span&gt;&lt;/span&gt;
&lt;span&gt;Mon, 08/11/2025 - 07:00&lt;/span&gt;
  



  &lt;div class="BodyParagraph"&gt;
                &lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Okta is committed to providing our customers with the highest level of security. We were among the first technology providers to &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://sec.okta.com/articles/2025/05/oktas-secure-by-design-pledge-one-year-on/?_gl=1*97mrtb*_gcl_aw*R0NMLjE3NTMyOTU0MzIuQ2owS0NRandrSUxFQmhEZUFSSXNBTC0tcGp5eDVjWS1RTEQ5ejFDVjZ3a0d6M3l2cVlxaHlTU2piN28zYWgwa25fdmxPSFFCbnJHdzhBb2FBcmRRRUFMd193Y0I.*_gcl_au*NjgxMTQzMjYxLjE3NDc0MDc3NzMuMjEzNzQzMTM4OC4xNzUyNjA1MzQ4LjE3NTI2MDUzNDc.*_ga*MTg2MzU3NTI3Ny4xNzI5NjI2NjU4*_ga_QKMSDV5369*czE3NTMyOTUxNzUkbzQyOCRnMSR0MTc1MzI5NTQ3MyRqNjAkbDAkaDA." rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;pledge our commitment to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA’s) seven Secure by Design principles&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, and a year ago, we launched the &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/secure-identity-commitment/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Okta Secure Identity Commitment&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Under these initiatives, we’ve announced and delivered a number of essential features and upgrades for our corporate infrastructure and product portfolio. This includes encouraging customers to use one of the most effective security measures available: a strong and consistent approach to multi-factor authentication (MFA). To help raise the security baseline for everyone, we began enforcing MFA for all Okta Admin Console logins in 2024. It’s a smart, necessary step in our shared commitment to identity-first security.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Today, we’re proud to share that &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Okta has achieved 100% MFA enforcement to the Okta Admin Console&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; for all existing Okta tenants in one year. And for all new tenants, MFA is a default and immutable requirement for access policies to the Okta Admin Console.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Why is MFA being enforced for the Okta Admin Console?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;The Okta Admin Console is the central hub for managing Okta users, Okta-protected applications, and Okta security policies. Unauthorized access to this console can have devastating consequences that include:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Data breaches:&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; Attackers could access sensitive user information and application data.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;System compromise:&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; Threat actors can alter security settings, create backdoor accounts, and disable critical security features.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Service disruption:&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; Unauthorized changes can lead to outages and impaired functionality for end users.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Reputational damage:&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; A security incident can severely impact an organization's business and brand.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;MFA significantly reduces the risk of these outcomes by requiring a second verification factor on top of a password, such as a time-based one-time password (TOTP) from a mobile authenticator app, a fingerprint scan, or a hardware token. While Okta only mandates MFA with any two of knowledge, possession, or inherence factors, Okta strongly encourages admins to move away from passwords and enable the most secure authenticators available, which include phishing-resistant authenticators like Okta Verify FastPass and FIDO2 WebAuthn authenticators.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Okta provides robust features to enforce MFA for administrative access. All Okta tenants come with a baseline number of supported factors, such as Okta Verify TOTP, FastPass, and email, in addition to passwords. Okta also provides a flexible policy that allows admins to enforce MFA specifically to the Okta Admin Console.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;The application policy for the console has always required MFA by default. However, admins were allowed to downgrade the setting to one-factor authentication (1FA), which many opted to do for various reasons. Now, Okta prevents this default security stance from being downgraded, and we’ve helped all existing customers elevate their security posture with MFA.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;How we convinced Okta customers to enforce MFA&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Let’s jump into how we helped admins overcome their real and perceived need to maintain 1FA policies and embrace MFA to secure access to the Okta Admin Console. In general, customers accepted that MFA was a good thing to instill. However, there were several common reasons why they believed they had to stay at the 1FA assurance level:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Admins were unaware that they had policy rules that allowed for 1FA access.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Admins thought that they did not need MFA since they vaulted their passwords and rotated them upon every use.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Admins completed MFA with a different identity provider (IdP) than Okta and were federating into the Okta Admin Console.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Admins had automated test accounts that needed to log in to the console.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Admins were concerned about Lightweight Directory Access Protocol (LDAP) and Active Directory (AD) agent operations.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ol&gt;&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;We took pains to address each of these hurdles and concerns. That last issue was easy enough to address with a simple confirmation that there would be no impact on normal agent operations.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;However, as for the rest, we first published warnings to admins if they had a tenant with any rules allowing 1FA access via our HealthInsights feature.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;article class="align-center media media--type-image media--view-mode-_640w-scaled"&gt;&lt;img width="1444" height="576" alt="Screenshot showing HealthInsights review with 1FA warning" loading="lazy" typeof="foaf:Image" data-src="/sites/default/files/styles/1640w_scaled/public/media/image/2025-08/healthInsight.png?itok=6ptetc0a" class="lazyload" /&gt;&lt;/article&gt;&lt;p&gt; &lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;We also published warnings from the Okta Admin Console policy, highlighting these offending rules.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;article class="align-center media media--type-image media--view-mode-_640w-scaled"&gt;&lt;img width="896" height="297" alt="1FA warning in Okta Admin Dashboard" loading="lazy" typeof="foaf:Image" data-src="/sites/default/files/styles/1640w_scaled/public/media/image/2025-08/1FA-warning.png?itok=5jWMxJU4" class="lazyload" /&gt;&lt;/article&gt;&lt;p&gt;
&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;For admins who believed they didn’t need MFA since they regularly vaulted and rotated their passwords, we reinforced that MFA protection is superior. While customers should continue to vault and rotate their secrets, they should also add an additional factor requirement, specifically a possession or biometric factor. If vaulted passwords were shared with multiple users, we recommended that each user have their own unique account instead.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;As for other customers, some have chosen to complete MFA on an external IdP and federate into the Okta Admin Console. Until recently, Okta treated that inbound federation as a single factor. However, we now have a new feature called &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://developer.okta.com/docs/guides/configure-claims-sharing/oktaoidc/main/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;claims sharing&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;. The IdP can send standards-based AMR claims within the SAML or OIDC response, and Okta will honor the factors completed with the other IdP as satisfactory for MFA assurance. Thus, another hurdle was removed.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;For customers with automated test accounts that logged in to the console to complete tests, the admins believed that providing an additional factor would not be possible for such accounts. Okta addressed this issue by recommending that the test accounts &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://developer.okta.com/docs/reference/api/authn/#enroll-okta-verify-totp-factor" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;enroll in a TOTP factor&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; and vault the shared secret along with the password. After checking out the password, the shared secret can also be checked out and utilized to &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://pyauth.github.io/pyotp/#time-based-otps" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;programmatically generate&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; the TOTP at the time of login.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;With all of these customer challenges resolved, our customers were ready to take action.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Preparing to roll out changes&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Given the large number of Okta tenants we were dealing with, ranging from free trial and developer tenants to tenants with large and complicated implementations, it was necessary to stagger the rollout to help ensure minimal disruption to normal operations. Therefore, we employed several tactics to enforce MFA to the Okta Admin Console carefully:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Announce the initiative&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;: In addition to public announcements and blogs indicating imminent MFA enforcement, we published in-product guides and banners on the Okta developer and support portals and sent targeted emails to admins to inform them of the upcoming changes.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Prevent the creation of all new 1FA access policies&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;: As a first step, Okta rolled out changes to all tenants so that no new 1FA access policy could be established. The idea was to stop the bleeding before the complete fix rolled out.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;Divide customers into cohorts for MFA enforcement&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;: To mitigate the risk of a flood of support tickets to Okta and prevent unnecessary admin lockouts, we rolled out this change by customer cohorts. We first examined each tenant’s configurations and grouped them based on the remediation steps they would require to enforce MFA. Then we selected different enforcement dates for each cohort and prepared specific remediation instructions.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ol&gt;&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Admins were instructed to modify their Okta Admin Console policies in the following ways:&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Rules with password-only assurance should be modified to require a password and another factor.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Rules with any 1FA assurance or possession-factor-only assurance should be modified to require any two factors.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Once the change was made, admins were not allowed to downgrade back to 1FA assurance. If an admin did not take action, Okta enforced MFA to the console for that tenant on a clearly communicated date.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Okta customers hit the ground running towards MFA&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Within the first four months of the rollout, Okta completed enforcement of MFA on 99% of all applicable tenants. The remaining 1% were tenants that required additional support from Okta, either in the form of feature enhancements, like &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://developer.okta.com/docs/guides/configure-claims-sharing/oktaoidc/main/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;claims sharing&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;, or time to update various processes to operate at this new required security level. Okta stayed in touch with this group of customers to understand their pain points deeply and collaborate with them until they were confident about moving forward in this new direction.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;With 100% MFA enforcement to the Okta Admin Console, admins are now leveraging a variety of factors and authenticators to sign in to the console. The top three factors used include password, Okta Verify push notifications, and Okta FastPass. Common combinations of these factors used to complete an MFA challenge include password and Okta Verify push, as well as password and Okta FastPass.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Today, MFA access to the Okta Admin Console is a non-negotiable requirement for all current and newly onboarded Okta admins. By embracing this secure posture by default, customers benefit from a reduced attack surface and greater protection of critical identity infrastructure.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Learn more about Okta’s MFA product by visiting the &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/products/adaptive-multi-factor-authentication/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Adaptive MFA webpage&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;. Keep tabs on what Okta is doing to fight against identity-based attacks by learning about the &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/secure-identity-commitment/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Okta Secure Identity Commitment&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;


      &lt;/div&gt;

  &lt;a href="https://www.okta.com/blog/tag/mfa/" hreflang="en"&gt;MFA&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/okta-secure-identity-commitment/" hreflang="en"&gt;Okta Secure Identity Commitment&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/category/industry-insight/" hreflang="en"&gt;Industry Insight&lt;/a&gt;
  






&lt;section class="Breadcrumb"&gt;&lt;div class="container"&gt;
    &lt;div class="row"&gt;
      &lt;div class="col-12"&gt;
        &lt;ul class="list"&gt;&lt;li class="list-item"&gt;&lt;a href="https://www.okta.com/blog/"&gt;Blog&lt;/a&gt;&lt;/li&gt;
                      &lt;li class="list-item"&gt;&lt;a href="https://www.okta.com/blog/author/bhagya-prabhakar/"&gt;Bhagya Prabhakar&lt;/a&gt;&lt;/li&gt;
                  &lt;/ul&gt;&lt;/div&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/section&gt;&lt;div class="BlogAuthorFull container mt-4" role="article" about="https://www.okta.com/blog/author/bhagya-prabhakar/"&gt;
  &lt;div class="row justify-content-center"&gt;
    &lt;div class="col-lg-12"&gt;
      


&lt;div class="Author__byline-wrapper   pb-3 has-border-bottom "&gt;
    &lt;div class="Author__byline-author byline-with-bio"&gt;

        &lt;div class="Author__byline-author_bio-wrapper"&gt;
            &lt;div class="Author__byline-author_image-name-wrapper"&gt;
            &lt;div class="Author__byline-author-image  large-author-image "&gt;
                
            &lt;/div&gt;

            &lt;div class="Author__byline-author-list"&gt;
                &lt;div class="Author__byline-author-wrapper"&gt;
                                    &lt;h1 class="Author__byline-author-name"&gt;
                        &lt;span&gt;Bhagya Prabhakar&lt;/span&gt;

                    &lt;/h1&gt;
                                &lt;div class="Author__byline-author-title"&gt;  Senior Product Manager
&lt;/div&gt;
                &lt;/div&gt;
            &lt;/div&gt;
            &lt;/div&gt;

                        &lt;div class="Author__byline-author_bio"&gt;
                                &lt;p&gt;Bhagya Prabhakar is a Senior Product Manager at Okta, specializing in access policies. With a deep commitment to customer success, she focuses on crafting solutions that seamlessly blend robust security with intuitive usability, directly supporting organizational goals and positive end-user experiences.&lt;/p&gt;


              

            &lt;/div&gt;
            
            
        &lt;/div&gt;

    &lt;/div&gt;
&lt;/div&gt;

    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

  






&lt;section class="Breadcrumb"&gt;&lt;div class="container"&gt;
    &lt;div class="row"&gt;
      &lt;div class="col-12"&gt;
        &lt;ul class="list"&gt;&lt;li class="list-item"&gt;&lt;a href="https://www.okta.com/blog/"&gt;Blog&lt;/a&gt;&lt;/li&gt;
                      &lt;li class="list-item"&gt;&lt;a href="https://www.okta.com/blog/author/cynthia-luu/"&gt;Cynthia Luu&lt;/a&gt;&lt;/li&gt;
                  &lt;/ul&gt;&lt;/div&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/section&gt;&lt;div class="BlogAuthorFull container mt-4" role="article" about="https://www.okta.com/blog/author/cynthia-luu/"&gt;
  &lt;div class="row justify-content-center"&gt;
    &lt;div class="col-lg-12"&gt;
      


&lt;div class="Author__byline-wrapper   pb-3 has-border-bottom "&gt;
    &lt;div class="Author__byline-author byline-with-bio"&gt;

        &lt;div class="Author__byline-author_bio-wrapper"&gt;
            &lt;div class="Author__byline-author_image-name-wrapper"&gt;
            &lt;div class="Author__byline-author-image  large-author-image "&gt;
                
            &lt;/div&gt;

            &lt;div class="Author__byline-author-list"&gt;
                &lt;div class="Author__byline-author-wrapper"&gt;
                                    &lt;h1 class="Author__byline-author-name"&gt;
                        &lt;span&gt;Cynthia Luu&lt;/span&gt;

                    &lt;/h1&gt;
                                &lt;div class="Author__byline-author-title"&gt;  Principal Product Marketing Manager
&lt;/div&gt;
                &lt;/div&gt;
            &lt;/div&gt;
            &lt;/div&gt;

                        &lt;div class="Author__byline-author_bio"&gt;
                                &lt;p&gt;Cynthia is a Principal Product Marketing Manager of Okta Workforce Identity Cloud. She covers solutions for devices and security. Prior to joining Okta, she spent four years supporting IBM security in various marketing roles, managing IBM’s portfolio of data protection solutions, initiatives on Zero Trust and data privacy, and their market development and customer insights programs.&lt;/p&gt;


              

            &lt;/div&gt;
            
            
        &lt;/div&gt;

    &lt;/div&gt;
&lt;/div&gt;

    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

</description>
  <pubDate>Mon, 11 Aug 2025 14:00:00 +0000</pubDate>
    <dc:creator/>
    <guid isPermaLink="false">43473 at https://www.okta.com</guid>
    </item>
<item>
  <title>Unlocking SaaS Security: How Identity can help</title>
  <link>https://www.okta.com/blog/2025/08/unlocking-saas-security-how-identity-can-help/</link>
  <description>&lt;span&gt;Unlocking SaaS Security: How Identity can help&lt;/span&gt;
&lt;span&gt;&lt;span lang="" about="https://www.okta.com/user/7392" typeof="schema:Person" property="schema:name" datatype="" content="jess.bagherpour@okta.com" xml:lang=""&gt;jess.bagherpou…&lt;/span&gt;&lt;/span&gt;
&lt;span&gt;Wed, 08/06/2025 - 07:00&lt;/span&gt;
  



  &lt;div class="BodyParagraph"&gt;
                &lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;SaaS developers and builders, SaaS users, enterprise security teams, and Identity Providers may all play seemingly disconnected roles in a SaaS environment. But everyone can support a unified SaaS Security strategy by focusing on Identity. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Read on to learn a simple three-pronged approach for kicking off your own SaaS security strategy. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;What is SaaS security?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;a href="https://www.okta.com/identity-101/saas/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Software as a service (SaaS)&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; security is the practice of protecting cloud and SaaS applications by securing accounts, data, and access. Whether you use multiple SaaS products at work or build them for enterprise customers, keeping these apps and tools secure is essential. While SaaS security can be a broad term, it generally refers to products used in a workplace context.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Why is SaaS security important&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;? &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;a href="https://www.okta.com/blog/2020/09/best-of-breed-technology/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Best-of-breed&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; SaaS products enable businesses to ignite employee productivity. However, the SaaS landscape is sprawling, interconnected, and growing quickly. This poses challenges for security and IT teams tasked with managing employee access and usage across these disparate platforms. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Why is Identity security central to SaaS security?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Many common attack vectors target SaaS applications in the wild using &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/sites/default/files/2022-09/202209_WPR_Identity-Based-Attacks_0.pdf" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Identity-based attacks.&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; Enterprises can protect their data and users from SaaS-related attacks with a foundational Identity security strategy. Additionally, builders of these SaaS products can give their customers a security boost by implementing modern Identity solutions and standards.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;SaaS challenges for enterprises&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;The proliferation of SaaS tools and cloud environments is challenging to manage. The decentralized landscape is an attractive target for malicious actors. Such challenges generally fall into two buckets: the user lifecycle and cyber threats. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;User lifecycle risks to consider&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;SaaS tools can be accessed from anywhere, increasing the attack surface far beyond the company's internal network and traditional devices. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;SaaS tools can be frequently added or removed, requiring manual effort to manage or decommission vendors. Likewise, user accounts need prompt onboarding and offboarding.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;User and service accounts are varied and spread across multiple applications, so access to certain tools must be routinely reviewed and reported on to ensure regulatory compliance.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;h3&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Cyberthreats to consider&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Over-privileged accounts present undue risk.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Credentials may be long-lived and over-provisioned or shared.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Data shared with vendor tools may not be properly secured.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Phishing attacks now target SaaS tools, so user security education as well as phishing-resistant login techniques are critical.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;h3&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Identity-based solutions for SaaS security&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Although businesses cannot control the inner workings of SaaS applications, they can enforce consistent processes and policies across their environment using automation and partners such as an Identity provider (IdP).  Businesses can also choose solutions that implement the most modern and secure protocols. The IdP can serve as the frontline enforcer of such policies, so the business can develop the security policies that will best protect its information, resources, and customers. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Implementing a new SaaS security policy can be daunting. We recommend keeping it simple with a three-pronged approach. Get all of these essentials right, and &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;you’ll be well on your way to a more secure SaaS environment.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Standardize and secure authentication and provisioning&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Consistently enforce SSO and MFA across all SaaS applications&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Include device trust in &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://help.okta.com/en-us/content/topics/security/policies/about-app-signon-policies.htm" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;sign-on policies&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt; and adopt phishing-resistant login methods like &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/products/fastpass/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;Okta FastPass&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Automate provisioning with clear policies for onboarding, offboarding, and user profile management. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Automate identity management with &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/blog/2024/08/cooking-up-successget-familiar-with-okta-workflows-features-to-unlock-no-code/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;customized workflows&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;ol start="2"&gt;&lt;li&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Enforce least privilege and strengthen access policies&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Regularly rotate credentials and use&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/Identity-101/privileged-access-management-solutions/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt; temporary credentials&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Require step-up authentication for unusual access and utilize &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://sec.okta.com/articles/2024/04/why-cyber-heroes-need-zero-trust-caep" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;continuous access evaluation&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Set alerts for when critical threats or exploits are detected&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Limit and review admin or unmanaged accounts&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Implement the &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://www.okta.com/identity-101/what-is-least-privilege-access/" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;principle of least privilege access&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;ol start="3"&gt;&lt;li&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Understand how applications interact with each other&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;&lt;ul&gt;&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Limit sharing data with other tools to what is necessary&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Set up enforceable policies to manage how workforce accounts share data with SaaS services&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Incorporate network security policies into existing access policies&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;h2&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Building a SaaS product?&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;p&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;Builders of B2B SaaS products can jumpstart their customers' SaaS security posture by incorporating modern Identity solutions from the start. This includes adhering to modern standards and following &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://okta.okta.com/app/okta_wwwoktawebdev_1/exk1h9uxhqgolDA2W1d8/sso/saml" rel=" noopener noreferrer" target="_blank"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;u&gt;&lt;span&gt;&lt;span&gt;industry best practices&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;


      &lt;/div&gt;

  &lt;a href="https://www.okta.com/blog/tag/saas-security/" hreflang="en"&gt;Saas Security&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/identity-security/" hreflang="en"&gt;Identity security&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/tag/okta-secure-identity-commitment/" hreflang="en"&gt;Okta Secure Identity Commitment&lt;/a&gt;
  &lt;a href="https://www.okta.com/blog/category/industry-insight/" hreflang="en"&gt;Industry Insight&lt;/a&gt;
  






&lt;div class="BlogAuthorFull container mt-4" role="article" about="https://www.okta.com/blog/author/sofia-desenberg/"&gt;
  &lt;div class="row justify-content-center"&gt;
    &lt;div class="col-lg-12"&gt;
      


&lt;div class="Author__byline-wrapper   pb-3 has-border-bottom "&gt;
    &lt;div class="Author__byline-author byline-with-bio"&gt;

        &lt;div class="Author__byline-author_bio-wrapper"&gt;
            &lt;div class="Author__byline-author_image-name-wrapper"&gt;
            &lt;div class="Author__byline-author-image  large-author-image "&gt;
                
            &lt;/div&gt;

            &lt;div class="Author__byline-author-list"&gt;
                &lt;div class="Author__byline-author-wrapper"&gt;
                                    &lt;h1 class="Author__byline-author-name"&gt;
                        &lt;span&gt;Sofia Desenberg&lt;/span&gt;

                    &lt;/h1&gt;
                                &lt;div class="Author__byline-author-title"&gt;  Staff Software Engineer
&lt;/div&gt;
                &lt;/div&gt;
            &lt;/div&gt;
            &lt;/div&gt;

                        &lt;div class="Author__byline-author_bio"&gt;
                                &lt;p&gt;Sofia is a Staff Software Engineer at Okta. With experience on security and data-focused teams spanning large companies and small startups — as well as past roles at Auth0 — she is passionate about Okta's mission to enable secure access to technology for everyone.&lt;/p&gt;


              

            &lt;/div&gt;
            
            
        &lt;/div&gt;

    &lt;/div&gt;
&lt;/div&gt;

    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

  






&lt;div class="BlogAuthorFull container mt-4" role="article" about="https://www.okta.com/blog/author/meghna-dubey/"&gt;
  &lt;div class="row justify-content-center"&gt;
    &lt;div class="col-lg-12"&gt;
      


&lt;div class="Author__byline-wrapper   pb-3 has-border-bottom "&gt;
    &lt;div class="Author__byline-author byline-with-bio"&gt;

        &lt;div class="Author__byline-author_bio-wrapper"&gt;
            &lt;div class="Author__byline-author_image-name-wrapper"&gt;
            &lt;div class="Author__byline-author-image  large-author-image "&gt;
                
            &lt;/div&gt;

            &lt;div class="Author__byline-author-list"&gt;
                &lt;div class="Author__byline-author-wrapper"&gt;
                                    &lt;h1 class="Author__byline-author-name"&gt;
                        &lt;span&gt;Meghna Dubey&lt;/span&gt;

                    &lt;/h1&gt;
                                &lt;div class="Author__byline-author-title"&gt;  Principal Engineer at Okta
&lt;/div&gt;
                &lt;/div&gt;
            &lt;/div&gt;
            &lt;/div&gt;

                        &lt;div class="Author__byline-author_bio"&gt;
                                &lt;p&gt;Meghna Dubey is a Principal Engineer at Okta, focused on adding value to Okta Identity Orchestration and driving new integration capabilities. A seasoned engineer and leader, she has deep expertise in architecting, designing, and developing secure and scalable software solutions. She views technology exploration as essential to creating more secure and innovative products. Meghna firmly believes that any problem can be solved by breaking it down, starting with a simple approach, and refining it into a robust solution.&lt;/p&gt;


              

            &lt;/div&gt;
            
            
        &lt;/div&gt;

    &lt;/div&gt;
&lt;/div&gt;

    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

</description>
  <pubDate>Wed, 06 Aug 2025 14:00:00 +0000</pubDate>
    <dc:creator/>
    <guid isPermaLink="false">43417 at https://www.okta.com</guid>
    </item>

  </channel>
</rss>
