Oktane17: The Future of Okta API, our DevEx, and API Access Management

Captions
I'd like to introduce Alex Salazar. Alex is the VP of developer products at Okta. He was formerly CEO at Stormpath, which merged with Okta in February. We are super excited to get a preview today into the roadmap for our API products. [Applause]

All right. So every company, large or small, across industries, they're all driving towards delivering their products and services to their customers online, and to do that all of them are having to build modern mobile and web applications, and in turn all of them are turning into technology companies. Now, at the heart of these new customer experiences are software developers who are having to build these custom web, mobile applications, and we're really excited about this movement and being a part of that. And so as we're trying to deliver the best products we can, as we're trying to deliver the best experiences, and as we're trying to be the best partner to these companies who are going through these evolutions, we're really focusing on making sure that the developers are successful by giving them the tools and the part that they need. And so it's this commitment on the developer and the customer experience and the customer identities that's driving increasingly large investment from us in our developer products and our customer experience products.

And so earlier this year we acquired a company called Stormpath. It's... whoo, thank you. And Stormpath is really, you know, the largest acquisition we've ever made at Okta, and as important, because what Stormpath was, Stormpath was an identity company really focused on giving developers what they need to build applications, to help them move faster, to help them reduce their development costs, and also to help them improve their security posture in their applications. And the core innovation at Stormpath was really our focus on developer experience, making it easy for the developers, and also in building a unique go-to-market model to reach developers as part of the business. Now we're taking all of that
expertise and all that DNA and we're injecting it into Okta to really accelerate our developer products and making sure that we win this market. And we're really excited about this market, so we think it's huge, and the way we think about it is, you know, when you look at something like Stripe and what they're doing for payments, and when you look at what Twilio is for communication, that's what Okta is for identity. And the really exciting thing is that every application needs identity.

So as Claire mentioned, I'm Alex. I'm a former CEO of Stormpath and I'm one of the VPs of products here, and in addition to a number of people in this room, I'm responsible for our developer products. And so what we're gonna talk about today is our roadmap, you know, everything we're working towards, where we're taking the product in the near term and in the future. And so first we're gonna talk about what we delivered since the last Oktane, then we're gonna talk about what was announced here at Oktane. I mean, from there we're gonna talk about what we're thinking about delivering over the next 12 months, and then we'll talk about how we're thinking about the business, kind of the guideposts of everything we're gonna do beyond the next 12 months.

Now, important point from our lawyers: everything we're going to talk about is roadmap, and the big part of roadmap is that everything we're gonna talk about is gonna be forward-looking. It's gonna be things that we are planning on delivering, and we're doing our best to give you a clear view into what we're planning on building, but as with any roadmap, everything we're gonna talk about is subject to change, so please understand that as we walk through this. And my goal, my hope, is that as we walk through all the things that we've announced, all the things we've built, and all the things that are coming, that you get excited as we are about this product site on this product segments. And if you're an existing product, my hope is that you will evaluate all of our
new feature sets and find better ways of working with our developer products and expanding your adoption. And if you're not yet a customer, my hope is that you'll try out the product, you'll talk to our sales teams new hope hope to learn more about how we can partner with you and help your project to be successful.

So first, what are our API products? Right, our API products, again, today they're really our core Okta products. It's the things that your IT departments are probably already buying for the employee use cases. You know, it's things like the Universal Directory, our lifecycle management, multi-factor authentication, and API access management. The innovation here is that we've taken all of our core products and we're exposing that underlying service layer, the technology that makes them all run. We're exposing those APIs back to you so your developers can build on top of them. And what that means for a development team is that what they're going to get as a result of all of this is out-of-the-box user management for their application, out-of-the-box modern authentication, and modern authorization for things like APIs.

Now, since the last Oktane we've been very busy, but even before the Stormpath acquisition Okta was already making a very big investment in developer experience, and they delivered a lot. And so one of the first things that we can talk about here are our sample applications. We built a lot of sample applications and a lot of code generators, and the goal there was really to help developers bootstrap, you know, their first application. "Oh, I'm building this kind of application." Well, here's a sample application, it shows you how to do that, right? Taking a lot of the guesswork out of the developer and really trying to minimize the amount of code they have to figure out. In addition, we made a big investment in documentation, really greatly expanding our reference documentation. It's my firm belief, and our firm belief as an organization, that documentation for developers is more
important than the actual features, right? If a feature isn't well documented and it's not easy for the developer to implement it and get it working in their application, it might as well not exist. And so we've made a big investment in our reference documentation. It's excellent.

In addition, we've also built out a developer forum. This is important because developers like to self-service, right? You know, they don't want to have to pick up the phone to understand how something works. They want to go to a website, ask a question, or find the question's already been answered, kind of like a Stack Overflow. And by us building our own developer forum, we're really enabling those developers to self-service, and when a developer does ask a new question and we answer it, that answer is now permanently documented on the web, and so when another developer comes in with the same question they could find that answer. And the really exciting thing is, as our community continues to expand, not only are we answering many of the questions, we're starting to have our own, like, our own developers in other countries or community answer each other's questions, so we're really excited about them.

We also released delegated administration, and this is really important for things like helpdesk. If you are building a customer-facing application, whether it's web or mobile, there's a high probability that you're gonna start having customers engaging with support, right? They may pick up the phone and call the helpdesk, or maybe they're opening tickets, and when helpdesk goes to help that customer and helpdesk needs to go potentially administer some user data, you don't necessarily want your helpdesk administrator to have to log in to a full-blown version of Okta and have full access rights to all the data, right? You want that helpdesk administrator to have access to only the things they should have access to. And so by delivering delegated administration for helpdesk, we allow you to scope down access to Okta for
what the developer assuming before the helpdesk people need.

The other thing that we did, and we're really excited about, is that we deployed a new product. If you were here last Oktane, we talked a lot about API access management. That product is now out, and that product is awesome, and we're really excited about it. So what this means is everybody's building APIs, and you guys are building APIs for a variety of things. If you're building a mobile application, that mobile application can only work if it's talking to server-side APIs that you're building for it to get data and kick off workloads. If you're building a modern JavaScript application with React or Angular, it can only work if it's talking to your back-end APIs that you're building. If you have an IoT strategy, your devices can only do their jobs if they're talking to the APIs that you're building on the backend. And if your IT organization is building up microservices to modernize their service layer, those microservices can only function if they're talking to each other via API.

The problem with APIs is that a lot of developers don't really know how to secure them properly, and if you go online you'll find a lot of things about how to secure APIs, and not all of it's comprehensive. So a big one is, well, let's throw OAuth on top of an API, and that's the right answer. OAuth is the way that we build and deliver our API security layer. The challenge is that a lot of developers will look for code on Stack Overflow and copy and paste it. It's a really bad idea. Or maybe they'll go find a library on GitHub that somebody else built that adheres to the OAuth spec. That's a bit better, but many of those libraries aren't that well maintained. It's two guys and a dog who wrote it, and you're lucky if you get a GitHub response to an issue in two weeks. But even if you find a great library that's maintained by a big company like Microsoft, the other challenge is that simply adhering to something like OAuth to secure APIs
isn't enough. The OAuth spec, while great, doesn't cover a lot of security best practices, and I'll give you one really good example: it's token revocation. If you've got an API and you've got an end user who's using one of these more modern mobile applications that's backed by your API, if that user's malicious or quint, you have no way of revoking that token while their token is still unexpired. And so if you want to turn that person off live, you have to go through custom R&D to build out your own revocation scheme, right? Most developers don't even know this is a problem, and you won't discover it until it happens live in production. With the vendor like Okta, all of this out of the box, your developers have to worry about it, they layer us in and it all works. And not only do they get OAuth as a service, which is what the developer wants, behind the developer your IT organization, your security organization, can come back after the application's built and layer on access policies without having to have the developers even understand how this stuff works or care about them. We're really excited, and this product has tremendous traction, so we're all in on this product and we have more announcements coming.

But let's talk about what this really means. So for those of you who aren't deep in APIs, let me give you an example. So we've got a customer, a solar retailer. Now, you may have seen this during Eric Berg's session yesterday, but if you have, and I'll walk through this again. So the solar retailer wants to build a mobile application for their door-to-door salespeople so that the salesperson can look up information for their customers, maybe put orders in while they're in the field. In order for that mobile application to work, the solar retailer has to build APIs that front the CRM so the mobile app can work. And as they get that working, they want to make sure that's secure. They want to make sure that the salesperson who is accessing that mobile application
can only access the customer data that reflects his customer base. You don't want him accessing all the CRM data, you only want him accessing things that are relevant to him, so you need access policies in addition to a security layer. In addition, that same solar retailer wants to build a mobile application for their customers so customers can see usage reports and see how they're doing. That's great. Well, same thing: now they do build this mobile application that's interacting not just with the CRM data but also with the usage data, and all of this needs to be exposed via API. And just like the salesperson example, you want to make sure that that end user only has access to their data, not their neighbor's data, not somebody else's data. Again, same thing, so we put in that service layer automating and securing this experience. So that's what we built since the last Oktane.

For this Oktane we've delivered a lot, so buckle up. So there's a lot of categories of things that we're announcing. The first one is really our, you know, major expansion and improvement over customer, over the developer experience. A lot of this is being driven by the Stormpath acquisition and that injection of developer DNA. The other one is really a focus on enabling you as the customer to put your brand and the customer experience that you're trying to drive forward, and so the customers see your brand and not ours, that they see the customer experiences that you want them to have, not the customer experiences that we're dictating. And then next from there is out-of-the-box workflows. This is a bit of a nuance point. Developers today can build whatever they want on the Okta APIs, right? If they want to build some really amazing custom workflow, they can do whatever they want on top of the underlying API, they can assemble it any way they want, but the problem is there's still a lot of code associated with it. So we're focusing a lot on delivering
people workflows. It takes something that might have taken a developer a few weeks or a few months to deliver and turning it into 15 minutes to a few days of configuration and customization. And in addition, we're also focusing on delivering better security around authentication, right? We have a lot of great security technology that we're already delivering as part of our core products. How do we expose the underlying security authentication technology to the developers so that they can deliver a higher level of security in their application that is on par with what we're doing for our own customers? And then last, as you saw earlier, we're betting big on API access management, so we'll talk about an important announcement we're making for that feature.

So let's talk about developer experience. Developer experience means a lot of things to a lot of people, but for us it really means: how do we drive developer love? How do we get the developer to not only be really productive and deliver applications faster, but also how do we get them to enjoy the experience? And this isn't just about, you know, having people like us. This is actually really important because developers tend to follow the path of least resistance, right? They will build it themselves if it's faster and easier than an alternative, and while that's great for their sprint cycles, it can sometimes create situations where they've cut corners on security because maybe they didn't know or it was just faster. And so it's our belief that the better the developer experience, the easier we make it for the developers, the more likely they are to use our path as a path of least resistance to deliver a better customer experience that's also more secure than what you might do otherwise.

So what have we done in developer experience? The first thing we've done is we've released a new packaging of our API products. We call this the developer edition. This is a stripped-down version of our API products that many of you are already purchasing,
and it's really designed for developers to self-service. Again, developers love to self-service, and so if they need a small version of Okta to build a modern mobile or JavaScript application, and it's for a small project, or maybe it's for them to initiate a proof-of-concept or an evaluation of the product, they can very quickly sign up for the service, start playing with it, and the moment they need some advanced technology as part of this package they can swipe a credit card and self-service into a paid tier. Not only is this really powerful to help drive developer experience and make sure developers can self-service, but it's also critical for Okta because it's our first foray into delivering our products through e-commerce.

The other major improvement we're making is around onboarding. Onboarding is really important, again, because developers are impatient. They're really busy, right? They're really busy, they're really expensive, and chances are you don't have enough of them, and so we want to make sure they're very productive. And so by helping them onboard onto our product, by helping them get that quick win, by helping them get enterprise-grade authentication happening in minutes instead of days or months, you know, we're focused on really giving them a great onboarding experience. And that onboarding experience is going to start with the user experience, what they get when they log into the dashboard. You know, historically when a developer logs into Okta they get an IT admin experience, right? That user experience is really around managing third-party applications and managing employee access, and so it's a bit of a paradigm shift for the developer to try and wrap their heads around that model. So what we've done instead is we've built out a developer dashboard. It's all the same product, but now we're packaging it up differently, displaying it differently, so the developer sees what he needs in the context that he needs it for building a
modern application and managing customers or employees accessing those custom-built applications.

Another part of our onboarding experience is renovating our developer site. So if you've ever been to developer.okta.com, you'll see a major change in how that site's laid out and how we talk about the product. And so we've really redesigned it to talk to developers in the way that they like to talk about this, in their language, and making it very quick and easy for them to understand what these products are, where they fit in their architectures, and giving them quick access to all the resources they need to evaluate if Okta is the right solution for them. From here they can sign in, they can sign up for the product in the self-service fashion, and then dive into the dashboard and our documentation.

And then I think probably the most exciting part of our onboarding is that we have now built out what we refer to as app creation wizards. And so instead of a developer having to do some guesswork as to how to use our service to implement different kinds of applications, when he goes to create an application we're simply gonna ask them: what kind of app are you building? Are you building a native iOS application? Are you building a traditional Java-based web application? Whatever kind of application you're building, tell us, you click on the right one, and then from there we give you very specific step-by-step instructions to take all the guesswork out of it and get you from having no identity in your application to having enterprise-grade identity in minutes.

Documentation. You'll always hear us talk about documentation. For the next few years when I get up on stage and tell you all the great things we're doing in developer experience, I can promise you documentation will be on the slides. So we're expanding our documentation beyond the work that was already done. So today we've got great reference documentation. That means that when a developer wants to know how an API endpoint works, they
can quickly look in the reference documentation and go, "Oh, OK." They can find the API endpoint and say, "Oh, it works like this." But that's great for the more advanced developer. Other developers maybe don't want to go to that depth. They don't have to go to that level of understanding because they just want to get multi-factor authentication working. And so we're now releasing what we refer to as task-oriented documentation. So if the developer's question is instead, "Hey, how do I implement multi-factor in my mobile application?", they can go to the documentation and just have step-by-step instructions. It just tells them how to do it without them having to dive into the internals of how we work, and if the advanced developer really does wanna get to the internals, they can always drop back down to the reference documentation. In addition to the task-oriented documentation, we're also rolling out quick starts. This is again really important for the developer who just wants to get off the ground in 15 minutes and just get something working.

But the heart of our developer experience is our SDKs. So we've always had SDKs, but we've been greatly renovating them since the Stormpath acquisition, and what we're doing is we're really making our SDKs take care of a lot of the heavy lifting a developer typically has to do. All right, at the end of the day we're trying to take code out of their custom application and putting it back on us. And so the first step is providing great language-based SDKs: Java SDKs, C# SDKs, iOS SDKs. From there, over the next few weeks and the few months, you'll start to see us roll out what we refer to as framework plugins. Most modern applications are being built using frameworks that automate a lot of what a developer typically has to do to build a modern web or a modern mobile application, and so we want to plug into those frameworks and just Okta across all the existing patterns that are already in that framework. And what that means in English is that instead of a developer
taking, you know, a sprint or two sprints or three sprints, a few weeks or a few months, to wire in an identity service into their modern application, they instead do NPM install Okta Express, and in five minutes they've got a fully functional enterprise-grade authentication user management system up and running, and then all they have to do is a few hours or a few days of customization to make it look the way they want it to look. And then from there, our goal beyond that is to then elevate that and expand our API access management story to then start hooking into things like API gateways, you know, things like Amazon API Gateway, things like nginx, things like Apigee, things like MuleSoft, things like call.

So, customization and branding. In a customer-facing application, what the customer sees and the experience they have with your application is a critical part of your customer-facing application, and especially if it's a consumer-facing application. Consumers are very impatient. If that experience isn't up to par, they might bounce and never come back. And so we're really focusing on delivering better tooling to give you the experiences you want. So the first thing we're doing is we're improving the capabilities of our out-of-the-box login screens. So again, let's go back to what a developer could already do. A developer can already build whatever login screen he wants by hooking into our underlying APIs and delivering a unique experience that's completely bespoke, completely custom. But we want to make it easier for developers, so what we did a few years ago is we developed a widget. You know, there's a little JavaScript component that a developer could drop into his HTML and have a lot of the security logic just work, and then all the developer and the organization had to worry about was customizing that screen, make it look the right way, and then deploying it onto their servers and running it in production. That's still too much work in our eyes, so we are now announcing the
fact that we can pre-host, Okta can host these screens for you. So all a developer has to do is just customize the screen. We take care of all the operations work, we take care of all the deployment work, we take care of all the security work around managing security screens, and all they have to do is drop in, copy and paste their custom HTML code into our dashboard, hit save, and it's up and running.

As part of that as well, when someone lands on one of these hosted login screens, you don't want them to see an Okta URL. I mean, don't get me wrong, the Okta URL is amazing, right? And it's gonna indicate to your customers your application is very secure, but not every end user knows what Okta is, right? If you're building the next Snapchat, you know, a 19-year-old may not know about the latest and greatest security company, and so you want them to see your URL. It's not just because of your brand, it's also about trust. If they see our URL that's not yours, they might think it's a phishing attack, right? And so we want to allow you to put in your own URLs through what we refer to as vanity domains or custom URLs. Same thing goes for emails. If you're using one of our pre-built workflows like password reset, you want those password reset emails to have your email domain, not ours, so the customer knows who it's coming from, so they can trust this they set their confidence on a phishing attack.

Now, our out-of-the-box workflows are really important. It's accelerating speed to market for applications and making it easier for developers to deliver secure experiences, so we're expanding the workflows that we support. Now, because of our commitment to customer experiences in addition to employee experiences for our core products, you know, we're focusing on that branding we just talked about, but we're now also expanding our workflows to include registration, self-registration. For any consumer-based application, self-registration's a standard, and increasingly for B2B applications you're
starting to see that as well. We now support self-registration as an out-of-the-box workflow your developers can just drop in to their application with either the APIs, dropping in the JavaScript component into their HTML, or using one of our pre-hosted screens. And the power of this is that not only do we make it easier for the developer to have one of these flows, we're also minimizing the amount of code they have to write. So instead of them having to write all this custom code to manage how the registration screens work and determining if they want to kick off activation flows with an email, they can just point and click, configure how this works. It's fantastic. It really is going to make their lives a lot easier.

Oh, and also as part of this, we're also expanding how we make our existing workflows work. So instead of a developer having to use one of our pre-canned workflows and being stuck to a very rigid set of steps, they can step out of the flows, like a password reset flow, run their own logic in their own code over here, and then call APIs to step back in to that flow. That makes the developer happy because now they can deliver that custom experience that's in the requirements document while still using our pre-built flows and have the custom build everything.

Now, security. Security's big. I mean, at the end of the day, what we're really trying to do here is we're trying to help you and your developers deliver secure customer experiences, and a big piece of that is that we are already security experts and we're already delivering best-in-class security for all of our products. And not only do we want you guys to use that in our IT products, we actually want you to have that same experience in your custom applications. We want you to feel like a modern technology company and a modern security company as you're building your applications. And so to do that, a big part of it is multi-factor authentication. As a threat level in public application search
just continues to go up, we're starting to see more and more multi-factor become a standard in modern applications. Even on my Facebook mobile application I've got MFA turned on. It's a common pattern that's becoming more and more common.

Now here's the thing: there are a lot of different factors out there, and we support all of them, right? So if you've got, you know, security questions or passwords, that's the standard. Everybody's got that. That's the lowest level of assurance, and it's also the easiest. Everybody knows how to use a password, everyone knows how to answer a security question. But if you need a higher level of assurance, then you start moving up along this path and you start moving to SMS messages or one-time passwords, and if you want a higher level of assurance than that, then you start moving into hard tokens or pushes to a mobile application, like the way Facebook works that our mobile application. If you want a higher level of assurance than that, you are going to biometrics, either on the back of your phone or with another device.

The problem with all of these is that as you go up in security, it's typically harder and harder for the customer, right? It's harder for them to understand, harder for them to adopt, and adoption is a really big problem in MFA, especially when you're talking about customer-facing applications. And so that's why we're announcing email as a factor. Now, to be honest, email is not exactly the most secure form of authentication, but, you know, the real trick, the real beauty of email as a factor is that it's ubiquitous. Everybody understands how to click a link in an email, everybody has an email address, everybody can access email from their phones or their computer. And so for some applications where security really matters, with a really broad base of customers, like retail banking or healthcare or government, if you want to provide a more secure experience than just a password but you want to ensure that it gets widely adopted and used, email as a
factor becomes a good option, and perhaps it's in addition to other forms of authentication. So this is powerful for a lot of our customers. We hope you explore it, but if you need a higher level of assurance, we also have all the other factors we talked about earlier.

Now, the problem is that the password is still king. Every application should support password, and while passwords suck, we're trying to make it easier for you. We're trying to make them suck a little bit less, and so we've been doing a lot over the years. And so one of the things we already do is we help you drive password complexity. You want to make sure it has a capital letter, lowercase letter, a number, and name a special symbol, we can enforce and support that for you. But even then, customers can still get around that. They can type password123 with an exclamation point, right, and still have a password that meets your requirements, but that's the password that's easily guessed. And so if you've got a malicious attacker who wants to start brute-forcing users, they can type in password123 exclamation point and have a high probability of hitting one of your users and getting all the way in. And so part of what we're doing is we're gonna be rolling out, you know, common password detection to really protect your end users from themselves. If you want to turn this on, it's optional, so if you need a higher level of assurance, turn this on and it automatically works.

So in addition to security, we're also expanding our API access management product. Again, this product's already out, it's already got tremendous traction, now we're just expanding what it can do. So let's go back to that solar retailer we talked about. This means they're building mobile applications for their salespeople and their customers, right? This is great, they're really happy, but now with their success an energy utility decides that they want to partner with them, right? And that energy utility wants to build their own mobile application that is not only
providing the end user all their utility statements, but maybe they want to also show or consume some of that solar data that the solar retailer has. In order to do that, that electric utility has to talk to the solar retailer's APIs, their users API, so potentially they erm. Now, a best practice is not just to give that solar retailer full access of the user data. The best practice is to allow the end user to know that this is happening and give the end user the option of saying yes or no, because it's their data, it's their privacy data. And so what's a common pattern here is giving the end user a pop-up screen, either in a mobile application or a web application, that gives them consent, that says, you know what, here are the things that PG&E wants to see, right? Are you comfortable with them seeing this information? Hit yes or no. And we've all seen this before, right? If you've ever logged in to Airbnb with Facebook, you've logged into any other kind of application with Facebook, you've seen this screen. We're now enabling all of our customers to support that same thing as Facebook and allow all their partners to access their customer data in a way that ensures the customers have control over their privacy. So those are things that we were announcing here at Oktane.

Now, there's a lot that's coming down the pipe, and so let's talk about the things that we're looking to do in the next 12 months. The next 12 months, a big focus for us is going to be around driving extensibility, and what that means is: how can we make it easier for developers to wire in more custom logic or other systems into the pre-built flows that we already have, to hook into our event systems, to hook into any kind of mutations on data? And so there's a few things we're gonna do. The first thing we're already doing is that we are committing to open protocols, right? Whether it's OpenID Connect, SCIM or FIDO, we're committed to these. And the open protocols are important because that means if they want to hook in
any other security system, we can communicate on a common protocol very easily. Whether it's another type of multi-factor tool or they want to hook into an existing, you know, IdP for SAML, whatever it is, we can support those if we're on a common standard.

But not everything you want to hook in to Okta is gonna operate on a common standard, and so the next thing we're focusing on is really supporting events, right, or as we refer to them, asynchronous webhooks. And so if something's happening in the Okta product, we can then kick off events off to other systems, whether it's your own code or some other service you're pointing us to. This is really important because you might want to push customer events, changes are happening, or customer activity to your CRM. You might want to push things that are happening to your data warehouse for analytics later on, or you might want to create tickets in, you know, your service management system like ServiceNow.

We're also building out flow extensibility, and what that means for technical people is we're building out synchronous hooks. And so that means that as one of our pre-built workflows executing a query or service, we're inserting breakpoints in that registration where that flow stops, calls out to some other logic that you dictate, and we wait until that comes back as success before we continue the flow. All of these are really powerful because it allows for things like progressive migration: as users authenticating, we put a breakpoint, pull in from another system, pull their data into our databases, now they've been migrated into Okta live without having to go through a forklift migration, and all hidden from the end user. It also means if you're trying to do account linking, maybe across social information or other information, more than IDP, we can put those account links as part of a registration service or an authentication service. And if you need higher level of assurance, where you want to make sure the
person who's registering is who they say they are, we can put a breakpoint and call out to Experian or some other proofing system, wait till it's complete and then finish the flow.

So to give you an example of how this would work, I want to walk you through the registration as a service and our vision for what we can do with extensibility. So a user lands on your registration screen and they initiate registration. Well, the first thing you're always going to want to do is you're going to want to kick off an event to Google Analytics so that Google knows that they've now achieved this milestone, so your marketing team can then continue optimizing and tweaking, you know, their onboarding flows or their marketing flows or their funnel flows. That's great. That's an asynchronous hook out to your Google event system.

Now, throughout this process, as they start to put in their personal information, they hit enter, they're then kicked over in a synchronous flow to Experian for identity proofing to make sure they are who they say they are. And after that flow is complete, there's a callback to the Okta service and we continue towards completion of this registration flow. And so the user has now put in all the information, they've proved that they are who they say they are. In that process we're going to create a synchronous hook out to Salesforce to create that user record, and we need to do that synchronously because we don't want to get out of sync, right? We want to make sure that that push to Salesforce to create that account record is successful before we complete registration.

Now, on an asynchronous side, we're gonna kick off an event to the data warehouse with all the information we collected somewhere else, so that your analytics team can do some follow-on work in the coming months or weeks or years. And as we complete the registration, once everything's done and the customer gets this success screen and this welcome screen, we might kick off another asynchronous event to your
marketing system to kick off an email nurture flow, so that as they start to experience your product they're getting all the drip emails you want them to get, so they become a more engaged customer.

Not only is it important for customer identity, and not only is it important for flows like registration and authentication, extensibility for us is going to be a critical piece of how we evolve the entire Okta product set beyond just our API products. It can any big for all our products recommence over the coming years, it's me huge investment, so stay tuned.

Social: if you're building consumer application, there's a high probability that you need to have a Facebook login screen or you need to have a button that says "Log in with Google". And increasingly for B2B applications you're starting to see these too, in particular for things like Google and G Suite. We support all the major ones: Google and Facebook, which makes up the vast majority of this market, but also LinkedIn and Microsoft. Over the next 12 months we're gonna add support for Twitter, because people still need that. But there's a long list of other social providers that you might need depending on the context of your application, depending on the industry you're working in. And so while we can't support everything directly and natively, what we can do is we can build a generic OpenID or a generic OAuth integration so that you can self-service and plug anything in that supports the standard protocols, and that gives you a near limitless list of integrations you can make for any social login.

And so I'll give you an example. If you're building an application that's going to be focused on other developers, you might want them to log in with GitHub, right? With this generic integration you can plug GitHub in. Or maybe you're building an application that you're focusing on the Chinese market. Well, you're gonna want to hook in a Chinese social provider that's maybe not Google or Facebook, and you want to do that through
the standard OpenID or OAuth integration. Or maybe you're a retailer and you want to let people log in with their Amazon credentials instead of Facebook or Google. Again, you plug them into the generic integration, that can all work. We're really excited about this as we expand into customer identity.

You know, again, back to security. We talked about multi-factor authentication and how, you know, we can really support a variety of factors to make your application secure and also, you know, allow you to go up and down depending on the experience you want to deliver. But the problem is that developers are increasingly being asked to do more around security than just passwords. You know, maybe the business unit saw how cool the Slack magic link is and they decide that they want that in their application. And so there's this new model coming up that's gaining popularity called passwordless, right? How do you authenticate your user without having to have them remember a password? For some applications, especially applications that you don't really interact with that often, passwordless is popular. But how do you make it secure? Well, the way you make passwordless secure is you need to create policies that link together any number of these different factors other than the password, to not just deliver the user experience you want but also the security that you need in the application. And so over the next 12 months we're going to be focusing on allowing you to create these secure policies to deliver a good, secure passwordless experience, not just a quick link to email to make it work.

OK, so that's what's happening in the next 12 months. Let's talk about what we're thinking about beyond the next 12 months. Now, I'm going to talk about it at a higher level because these are really goal posts for us. These are really the guiding lights as we think about the future of not just developer but also customer. So the
way we're thinking about it is first around customer experiences. Most of these custom applications that developers are building are for customer-facing applications, and so as we think about how do we improve, how do we help developers and their organizations improve on the customer experiences they're developing, you know, we're thinking about things like progressive profiling, right? When a user self-registers, instead of putting a registration screen that's got 15 different fields on it and increasing the risk of that consumer or that business user from just giving up and bouncing out, how do we make it so you can just ask for something really basic, like a phone number and email address, and then over that user's life cycle in your application slowly and steadily start prompting them for more information? So you still get those 15 fields, but instead of getting them all in one shot and risking the user experience, maybe you get it over the course of a few days or a few weeks or a few months, but ensuring that the customer sells a good experience.

Another important piece that we're thinking about is impersonation. If you're building a customer-facing application, again, chances are they're ultimately gonna call your helpdesk, because they're ultimately going to have some sort of issue in the application, and we want to make that support experience a little bit better. So instead of the support agent trying to really understand what's happening and trying to think about how to recreate, you know, that experience in a different context, functionality like impersonation, where the help desk admin can log into the application as if they were that user, is important, because then it can ensure for the higher likelihood that they can see that bug, that error, that missing data, that incorrect data in the way that the customer is experiencing, and take that guesswork out and make that help desk experience smoother and cleaner for the end user.

the office are focusing is run developer agility.
When we talk about customer experience, we're not just talking about developer love, we're also talking about developers being able to deliver what you're asking to deliver much faster. And so as we think about developer agility, there's a few things we're thinking about. One of them is bringing your own directory to Okta. That's important because you might already have a database or some other system that has user data in it, and you might not want to migrate that to Okta, right? There might be a number of other systems that are already hooked into that database. You need to preserve that system. How do we allow you to hook into that while still experiencing all the value that we're building across the Okta platform, above and beyond just our directory product?

Also, we're on mobile support. Mobile is big. Everybody is moving more and more towards mobile applications. The problem with mobile application development is not just that it's hard, and it's not just that there are all these security patterns that are difficult for developers. The thing that's really hard about it is there just aren't enough developers that have experience in mobile application development. If any of you have tried to hire an Android developer who has experience as any good, it's hard. It's very difficult, and in some regions nearly impossible. And so we're trying to lower that bar for you to not just deliver a great customer experience but also a secure experience in mobile, by seeing how much more mobile tooling can we get, so maybe a more junior mobile developer or maybe a non-mobile developer can still deliver that great experience with less work.

And also, as we focus on giving developers what they need, we also need to be really cognizant of what's happening there little in the developer community. A lot of innovation is happening in the developer community, and they're really consistently pushing the envelope, and some of the big trends turn into, you know, standards, and some of them
ultimately fall by the wayside. We're trying to make sure that we're part of all of it, so that we're an early supporter of new patterns and new paradigms. One that we're looking at actively is this notion of functions as a service. And so I don't know how much you know about this. If you are around later today, there's a session on this with Amazon and our team. But as developers start thinking about new ways of building applications beyond just building monolithic applications in Java or Ruby or Python, you know, we're trying to see how can we be a better partner as they move to things like functions as a service.

And then back to security. At the end of the day, what we're trying to do with everything we're doing is: how do we let developers deliver the best security by default, even if they don't know anything about security? Because most developers don't. How do we make it really easy for them to deliver best-in-class security because it's the easiest thing to do? And so there's a lot of things we're thinking about, and it's not just about security, it's also about privacy, because in customer-facing applications that's an increasing set of requirements, both in the US and international.

So around security, we're trying to take a lot of the advancements we're making in our core products around adaptive behavioral security, where we're looking at more than just passwords. We're looking at their activity, we're looking at their IP addresses, we're looking at a broader pattern of what's happening in the application and what's happening with that user to detect where there might be a higher-risk end user, right? How do we expose all of that awesome logic to the developer so they can have that same functionality in your applications, and so that you can then determine if you wanted to step up, or maybe you want to block somebody, or you want to do some other workflow to secure your application?

On the privacy side, how do we help you deliver the privacy experiences that
you're increasingly being required to deliver in places like Europe? Now these are becoming laws, and so how do we give you the workflows to drive consent and privacy flows that make your customers safe and secure and private while adhering to local regulation?

And then one of the things that's made us really successful, and hopefully you've heard a lot about it over the course of the day, is our commitment to partnering in our core IT product segments. You know, all the products that have made us successful, has gotten to where we are, we have built an enormous ecosystem of partners, over 5,000 partner integrations, to do a variety of things for IT, employee-based workflows. How do we extend that success into customer identity and developer products? We're starting to think about that a lot, and so there's a few things we're thinking about.

How do we partner up with CRM vendors so that our registration flows, all of our activity flows, automatically hook into the CRM and start funneling that information to your single pane of what's happening at a field level, at a marketing level, at a sales level with the end users that are in your application? Same thing with marketing analytics: how do we push all these events to those systems so that your teams can quickly run whatever reports they want and have those reports be informed by the data that we're seeing and we're collecting? And also, if you've ever done any work with payments, payment and subscription information and those systems like Stripe and Braintree and PayPal, they are tightly linked to the user's identity. So how do we make that integration seamless, so that your developers want the monkey code to make Stripe work with an energy system? And then lastly, for applications that need that higher level of assurance of who the user is, how do we better partner with proofing solutions like Experian and others to make sure that when you're building out your registration flows or any other kind of
flow, you can easily hook in one of these partners, you just have it automatically work, minimising the integration work your developers, your systems integrators have to do?

So these are the things we've built, these are things that we're planning on delivering. We're really excited, hopefully you guys are excited as well. And so my ask is that if you are excited, that you learn more, and there's a lot of resources here. So one, we have the new developer site. So if you are interested in learning more about API products, I ask you to please come to our developer page, learn more about it, sign up for the service, play around, build an application, see how easy it is. Also, if it's not that easy, give us feedback, we'll make it easier. Also, you know, we're also making a big investment in developer relations. We have a great developer relations team. They're generating a lot of high-quality content to really build thought leadership and awareness in the developer community. Follow us, we're very active on Twitter, and this is all brand new, so, you know, you guys can get on the ground floor early. And if you guys do have a project and you're interested in how we can help you, contact sales, contact our sales people, contact our support people, contact us at info at Okta and engage us, and let us show you how great of a partner we can be.

And so with that, before I open up the questions, I want to recommend a few sessions. So if you like what we're building and you want to learn a lot more while you're still here at Oktane, there's three sessions I'll recommend. The first is really around how to build RESTful API in the right way, and that's going to be presented by my co-founder from Stormpath, Les Hazlewood, I think immediately after me. That's awesome, I recommend that session if you're technical. Also, if you want to learn more about how to build APIs and secure APIs, and if you want to learn a little bit more about functions as a service, there's going to be a session later
on with Amazon that's going to be hosted by somebody from Okta, somebody from Amazon, talking about these modern architectures around APIs. And if you are a developer and you really want to get into the code and really see how we can build an application together, how we can take a Spring Boot, you know, back-end and wire it up with APIs and deliver an Angular, and we're gonna have a session at the end by Matt Raible, who is one of our developer evangelists and very popular in the Java community. So with that, I hope you attend more, and we'll take the minutes that are left and answer any questions.

Never mind, no questions? If you have any questions... Oh, is one. We're gonna get one, one before we get the hook. Yeah.

But the new developer experience, is that only if they sign up for their own developer instance, or is there a way of bringing that for existing organizations' instances?

Yeah, that's a great question. So the question was: is developer experience exclusive to the new developer orgs, or can we turn that on for any existing Okta implementation? The answer is you can turn it on for any existing Okta applications. So again, the beautiful secret of what we're talking about when we talk about our API products is that they are basically the Okta products. So if you've already got an Okta implemented and you want to write some custom code against it, all of our SDKs, all of our documentation, all of our libraries, all of that goodness will perfectly work. All of it will work. Now, if you want the developer dashboard, if you want that native visual experience for developers, there my recommendation is contact support, and what they'll do is they'll turn on what's called the feature flag, and when they turn that on you'll get that new dashboard. Oh, there are many feature flags, but for the developer experience that's probably the one that I can recommend. Yeah, the reason we haven't turned it on for all the orgs is that we don't want to
suddenly brute-force everybody into a new experience and ruin their day as they're trying to do some work.

Hi. Yeah, so by the way, last question, excited, we're getting the hook. OK.

Yeah, so sorry, really good. Um, so we have a situation where we... this is more of like a kind of roadmap slash API question, but we have preview instances, and we demo a lot of stuff and make sure that we have everything tuned up, and yep, this looks good, and then we have to go replicate everything over in our prod instance. Do you guys have any sort of plans for, you know, either migrating configuration over or exporting configuration, stuff like that?

That's a great question. The question was: how do I migrate from my dev instance to my production instance to minimize my work? Yeah, we're thinking about it. We're absolutely thinking about it. You're not the only customer that's having this problem. I don't yet have an answer for you, so my recommendation, my strong recommendation, is if you know you're going to be using Okta, or you're with high probability going to use Okta, my recommendation is you work with your account team to set up a dev organization in the production cell, so that once you get your POC working, that can turn into your production instance, and then you can keep a separate sandbox for any work you're doing on an ongoing basis to make sure your code is working.

Awesome. Well, thank you very much for your attendance. If you have any questions, you want to talk to me afterwards, I'll be right outside. [Applause]
Info
Channel: Okta
Views: 439
Rating: 4.1999998 out of 5
Keywords: Oktane17, Okta, Stormpath, API products
Id: 2vao69fQufo
Length: 49min 4sec (2944 seconds)
Published: Tue Sep 05 2017