Oktane19: Roadmap Okta Security, the Path to Zero Trust

Captions
Alex: Great, thank you. My name is Alex Bovee. I lead product management at Okta for security and zero trust.

Tom: And I'm Tom Hanlon. I'm on the product team for security and zero trust.

Alex: Great, and we're here to talk to you today about our security roadmap, specifically the road to zero trust. I think we got this out of the way already, but I have to put it up here anyway: basically, a lot of what we're going to talk about today and share with you is roadmap, so expectations can change, all that good stuff.

Before we actually get into talking specifically about our roadmap around zero trust, I'd like to take a little bit of time first to set the table in terms of what we mean when we say zero trust. If you went to RSA this year and talked to the different vendors, you probably got about six different definitions, and it can be incredibly confusing. In terms of Okta's view of zero trust, we have a very access-management-driven view of it, obviously an identity-centric view of it, and I think the reason zero trust is interesting is that it starts with this shift in the traditional security perimeter. The old world, the traditional enterprise of twenty or thirty years ago, you could describe as an M&M, which I think is the analogy typically used: a hard candy outer shell and a soft, chewy inside. The idea was that once you were through that hard shell, which had all these layers of security, IDS/IPS and things like that, you gained some sort of trust. You were inherently trusted once you were on that network, and untrusted if you were outside of it. That's the moat-and-castle approach to security, and there are all sorts of flaws with it that I won't get into, but fundamentally that pattern and paradigm has broken. It's broken because we've taken our traditional workloads around things like collaboration and moved them to the cloud.
We're starting to do public API access, we're starting to use IaaS systems for infrastructure, and your users are all over the place. It's not just your workforce coming into the office, sitting on the network and accessing on-prem resources; now your workforce is distributed. You might have remote people all over the world, you might have contractors who work for your business, you might have consumer users that work for your business, across corporate-owned and BYO devices. It's a total mess of connectivity, and what that's done is break that traditional moat-and-castle approach and make it so you have to rethink how you're going to do security. Fundamentally, and I know this is a little bit of a cliche, we believe that identity is the new perimeter. Part of that is just the forcing function around the surface area where you can get visibility, and how you can actually drive your incident response, investigation and detection capabilities.

Before actually talking about a technical architecture around zero trust and the specific roadmap items, I think it's also salient to point out some of the key differences that are driving these changes and the way that we think about it. Ultimately, zero trust starts with a philosophy. It's a worldview, a very opinionated worldview on the way that things should be done, and given those principles, you apply them to how you're doing access management in your business and how you're managing your users. That's ultimately a zero trust architecture. So what are some examples of that? The old world had privileged users. At Okta we think the concept of privileged users has a finite lifetime, because this idea of someone who's privileged going to some privileged system, checking out a privileged credential that
grants access to this privileged thing and doing it; ultimately, at the end of the day, users are just users. My workforce identity is the same whether I'm accessing a privileged resource or the lunch menu from the corporate network. The difference between those two things is the sensitivity of the resource I'm acting on and the transaction that needs to be authorized, and that's ultimately what the privilege is. It's not me as a user that's privileged; it's what I'm trying to do that's privileged. So we have to start talking about that shift in identity and start moving away, as much as you can, from privileged versus unprivileged users. I know it's not always practical, but I think that's a high-level objective.

Another objective, and we talked a little bit about this today in Todd's keynote around Advanced Server Access: if you just look historically at a lot of the security issues over the past ten years, like 90% of the time it starts with credentials. A credential got checked into GitHub by accident, a credential was shared, a credential was phished, a credential was pulled off a laptop by malware. There's a saying going around in the industry right now that the bad guys aren't breaking in, they're logging in, and I think that's pretty true. How you start to solve that problem is you've got to kill these static, long-lived credentials, the credentials floating around on your machines that can accidentally be shared, that can be emailed, that can be phished. You've got to start solving the problem of the long-lived credential, and moving as much as possible to short-lived keys, to ephemeral keys that are only good for a certain amount of time, is going to get you a better security posture.

Fundamentally, when you think about zero trust, the old world was rooting your trust in the network: I'm on my corporate network, that means I don't have to 2FA; I'm on my corporate network,
that means I can access this server. Assume your network is compromised. Assume that your employees are accessing their resources from the Starbucks Wi-Fi, from their home ISP, from the Southwest Wi-Fi on an airplane, from a cell tower via their mobile phone. We have to get away from taking roots of trust from the network itself.

And then lastly, again illustratively, this isn't completely comprehensive, but point integrations and configurations. In the old world we would apply these policies and access controls either at the point of the resource or potentially through some gateway, and what you started to see is this proliferation of policies and controls across lots of different systems. As much as possible you have to consolidate that down; you have to have central policy and access control so that you can see, from a user and resource perspective, who has access to what, and drive the right workflows around provisioning, deprovisioning and credentialing those users so that you get the right level of access for the right amount of time.

So without further ado, the way that we think about zero trust is really around architectural components, little mini platforms with a lowercase p if you will, and it really rotates around seven things in particular. The first is the IdP. We talked a little bit about the Identity Engine today, and I'll go a little more in-depth on that in a minute, but the IdP is really the backbone of what orchestrates access management within your enterprise. The second is strong authentication: Okta has an MFA product, and strongly authenticating your users is a critical component of a zero trust philosophy. Endpoints and devices: understanding device identity and understanding the security posture of those devices is another critical component. Centralized access policies, real-time authorization, authorization at the speed of the internet, and access gateway components so that you can authenticate traffic.
And the seventh area is around threat detection: understanding what your users are doing, being able to get intelligence around that, and driving identity-specific intelligence. All of this is overlaid, in Okta's mind, by an integration ecosystem. We firmly believe that at the end of the day we want to have components in all these different technology categories and give you an Okta solution so you can have an end-to-end zero trust stack, if you will, on Okta. But we also want to build out a best-of-breed ecosystem across these components. We understand that customers don't necessarily want to use Okta for threat detection; maybe you're using Exabeam, maybe you're using Rapid7, you're using your best-of-breed SIEM, your UEBA product, totally fine. On the EDR side we want to integrate with that from an endpoint perspective. We want to play well with all these ecosystems so that you can wire together the tools and technologies that you want to use in your environment to give you a best-in-class, zero-trust-forward product experience. And then the last little bit is products and experiences. The way we think about this at Okta is in terms of resources, or nouns. Okta is known for SaaS; we're obviously expanding that to additional resource types, and those are delivered through point products that leverage these different architectural components to give you access to resources.

I'd love to go into all seven of them, but we only have 45 minutes for a talk plus demo, so we picked some of the more salient ones and we're going to deep dive into those a little bit. We're going to start with the identity provider. The IdP is the most critical component from an access management perspective; it is the backbone for orchestrating access. When we started thinking about Okta and all the problem statements that our customers are trying to solve across workforce identity and consumer identity, tying together different
applications that have different levels of information in them, across different assurance models required for the users, with customization requirements, it became pretty clear that breaking open some of those fundamental assumptions baked into the IdP pipeline of the past was going to be essential for us to give our customers the ability to achieve completely novel and customized use cases. So with that in mind, we're really excited to announce the Okta Identity Engine. The way to think about the Okta Identity Engine is that it is an orchestration flow that is componentizable, that allows you to plug in things like event hooks and call-outs, do enrollment progressively, do profiling of user attributes progressively, and drive those user experiences how you want based on the resource that's being accessed. It's a critical component because it gives us a solid foundation for starting to build a very tailored access management capability across your different service providers or access layers. If you want to learn more about that, there's a session right after this, I think it's called "Customer Identity Is Hard," with a couple of my colleagues, Wills and John Gronberg. It's a great session; you should go check that out.

We're going to switch to authentication now. From an auth perspective, how many folks here know FIDO2? Hopefully everybody. Okay, quite a few. What I find super interesting about FIDO2 is that it's commoditizing the authenticator experience. When you look at the evolution of authenticators there are lots of different form factors and types, knowledge-based, crypto-based, all this great stuff, but what we're seeing with FIDO2 is that it's driving consistent user experiences across platforms: what are called platform authenticators, or on-device authenticators like Windows Hello or Mac Touch ID, external security key experiences, and leveraging cryptographic
devices like Okta Verify. All of these are phishing resistant if not phishing proof, interoperable across service providers because the WebAuthn interface allows you to abstract it all, and backed by a cryptographic signing operation. So from a service provider perspective, those all have very similar traits to us as the consuming service driving the authentication of the user: we can assume that's a high-assurance authentication experience for the user logging in. That's an awesome world, because if you can solve the broad-based phishing and credential attack problems for your customers, that's a world where we don't have to deal with a lot of identity compromise problems and things like that. But the reality is that it's changing the problem statements. In the evolution of authenticators over time, we started with knowledge-based authenticators like passwords and security questions. Those were great from the perspective that they were generally what's called recallable, they're easy to remember and easy to implement, so the cost was not particularly high in that scenario, but things like phishing and deployability would potentially be issues. Deployability is more impacted by things like hardware-based OTP tokens. With web authentication, what we're seeing is that the problem statements are going to shift; it's going to be about interoperability. So okay, great, you support WebAuthn with device authenticators, but half of my workforce uses, I don't know, machines that were made in 2008 running Windows 7 or something like that. We're starting to get into these interoperability issues across browsers, OS types, machines and hardware, and it's going to change some of the problem statements that we have to focus on to help get customers to that next level. This is just illustrative, kind of calling that out.
The great thing about WebAuthn and FIDO2 is that out of the gate most of the major web browsers supported it, so you had Edge, Chrome and Firefox support on day one, actually prior to day one, because the W3C only just officially approved it. But what we're starting to see is that across the different browser experiences there's different compatibility with different operations and different user experiences that are driven from the browser, and so we've also shifted the problem a little bit to a UX problem. Now it's a consistency issue across different browsers, and from a service provider perspective, how do you get that good user experience that's consistent across browsers and users and is also interoperable? If you register a platform authenticator on one device and then you go to another device, can we actually tell whether or not you're on a device that supports it? Those are the types of problem statements.

With that context in mind, I think it's going to be very interesting to see how authentication changes in the future, and in particular the attack surface area of authentication. In the past it was the authentication layer itself that was the weakest link, so it was very easy for attackers to go do broad-based phishing campaigns, or to go grab a list of usernames and passwords that were compromised from some third-party service on the dark web and then go try to beat up different service providers to see if they could get one of those to unstick and work. When you move to WebAuthn, that's just not a problem, because it's a public/private key operation, it's registered directly for that credential, and you can't phish it. So it changes that issue, and what it means is attackers are not going to be going after the authentication layer in the future; they're going to be going after enrollment and recovery. That is, they're going to be trying to socially engineer your help desk to get them to put
your user's identity, your user's credential, in a reset state; they're going to try to bootstrap that enrollment somehow. And so from Okta's perspective, our roadmap is really focused on starting to solve those problems as well. Three big investment areas from a roadmap standpoint on authentication. One is supporting multiple credentials. This is critical, particularly with web authentication: as you use different devices, your mobile device, your corporate device, your BYO device, we need to support multiple registrations, particularly for platform authenticators, across those devices so you're always using the most secure experience to log in to Okta. That really drives into the second point, which is adaptive enrollment. We want to understand when a user is on a new machine and drive a secure enrollment experience from something like a bootstrap credential, whether that's a mobile device or an external security key, to get you that strong registration, identity proofed at some level by that credential, on the actual device itself, so that you can have a streamlined user experience logging in from then on for that device. And then the third area is enrollment and recovery. We've already made a lot of investments here; we've built out some platform capabilities that allow you to plug in IdPs as authenticators in Okta, and that functionality is coming to EA in a few months, but we're starting to integrate those flows into our enrollment and recovery experiences so you can drive a secure, identity-proofed experience for an enrollment flow or for a recovery flow. So we're going to hit the enrollment experience to drive adoption, we're going to hit strong authentication with WebAuthn, and then we're going to tie up the loose ends of the daisy chain by allowing you to solve identity proofing for enrollment and recovery flows. I firmly believe that this is going to get us to a better world from an authentication standpoint.

Let's
switch gears a little bit and talk about devices. Device identity is a critical part of the zero trust strategy. It's worth calling out that device is really hard, and the reason it's hard is that you have this proliferation of different device types, form factors and OSes across Mac and Windows, all using different browser experiences or native application experiences to access your resources. So consistently being able to bind to a device identity and to understand that device is actually a really challenging problem, particularly if you want to deliver a good user experience across it. The way that we're thinking about device identity is really from a platform-first perspective, that is, at the Okta layer, having the primitives that allow you to do device-based registration using things like token exchange services and device-level binding and attestation at the different web flows and layers of the product. That allows you to build out an ecosystem of applications and experiences that can do those operations with Okta to provide that device identity. So whether that's coming from a browser plug-in or a desktop agent or some custom, home-rolled agent, we want you to be able to attest to that device identity during an authentication experience or a transaction, so we can, with high assurance, detect and understand that device and then use that as part of the transaction verification. Furthermore, all those experiences are going to be supported by your favorite MDM vendors in terms of being able to deploy and get those experiences out to users for device identity.

That then layers into the directory: now that I can actually identify devices and securely enroll them, how do I get visibility across those devices? One of our big investment areas this year is extending our Universal Directory product to support device as a first-class citizen, giving you the ability to have visibility across your devices that are registered,
cataloging, inventory, all those great capabilities, as well as starting to add some basic lifecycle management capabilities to the devices themselves, supporting things like suspend operations. Where this gets us: one of the other challenges from a zero trust perspective is how do you start to bridge the OS login experience to a secure single sign-on experience with Okta? That's a super interesting problem for us. We're looking at how we support that across Mac and Windows devices, Android and iOS devices, being able to understand that device identity, attest to the login experience and the credential that was used for that authentication experience, and then drive that single sign-on experience into Okta in a zero trust way, not taking a dependency on the network, so not having to be on the network with an IWA agent or something like that to actually do your single sign-on experience into Okta.

Just to wrap it up from an integrated device and authentication perspective, where this is going to drive to in the future is smarter and passwordless experiences: using things like our factor sequencing with web authentication to deliver a seamless UX; integrating that with the OS login experience across Mac, Windows, iOS and Android to drive to a single sign-on experience into Okta; and Okta risk-based access control, using the risk, anomaly detection and machine learning capability that Okta has been building to actually inform the transactional risk of authenticating the user and potentially driving step-up or some other remediation activity. And then lastly, we've also changed the way that we do authentication to address issues like lockouts. We were seeing lockouts caused by evaluating the credential before the conditional policy that drives lockout, so we've actually changed that fundamentally. We're also making some other changes, with things like not locking the user out if they're using WebAuthn
tokens, because you can't brute-force them and there's no reason to lock the user out with that. I'm going to kick it over to Tom for a demo.

Tom: Thanks, Alex. Cool, so we're really excited about what Okta has been building in the last few months, and I want to show you some of the experiences here. Let's start with the authentication experience. Right now you see a login page on the screen, but what you might notice is there's no password field. This is probably really different from what you're used to, and it's because we've enabled for this org a couple of the new features that Alex has been talking about. First of all, we're using risk-based authentication in this org, so what credentials I enter really depends on the context of my login. Secondly, you'll notice I'm using Chrome; this is a MacBook and it has Touch ID enabled. We've integrated WebAuthn, so I can just log in with my fingerprint. And finally, we've integrated factor sequencing, so password isn't my primary credential; I'm going to use a strong factor instead. Let's see what this looks like. I enter my username, and you'll see that a pop-up from Chrome has appeared on my screen asking me to use Touch ID to authenticate. I can use my thumb, I put it here, and I'm in. Super easy. I think this is what we've been looking for for a really long time. I mean, the iPhone has had fingerprint for a while, I don't use my password to log in to my bank anymore, but now it's on desktop, so that's really cool. Like I said, I'm using a MacBook, but that's not all we've tried this on: we've tried it on Chrome browsers, we've tried it on Edge browsers, Firefox, we've tried it on MacBooks, Surface Pro, Android devices. That last one, Chrome browsers on Android devices, should reach over a billion people in the world, so let's see where that goes.

Switching over to the admin side a little bit, what does it take to configure these features? I go here to my admin panel, Authentication, Sign On Policies, and you'll
see here that I've configured a risk score policy. This policy has three rules: one for high-risk logins, one for medium, and one for low-risk logins. Starting with low-risk logins, which is the one I just triggered, you'll see that this rule is really just based on the risk of the login. Okta on the back end is looking at all the attributes of your login: what device you're coming from, the network, the location, and user behavior in general. Since this is my laptop and I've logged in many times from this device, my login risk was low, so I was able to choose one of two ways to log in: I could have logged in with Okta Verify push or with WebAuthn, and that's it, single factor and I'm in. Now what happens if I was traveling? Say I'm in Mexico City, I'm in a hotel, and for some reason I have to log in to Splunk. That's a new location and a new device, because I'm using a hotel computer and a new network, so that will probably be a high-risk login. If it was evaluated as high risk, I have a different authentication chain: again I have to log in with one strong factor, either WebAuthn or Okta Verify push, but then I'm stepped up with password, so I have to present a knowledge-based factor just in case, say, my device is stolen and compromised. You'll notice that this is not any different from how you do MFA today; we've just flipped the factors around and made the experience completely different.

Finally, you'll see that to make this work I had to have WebAuthn, I had to have Okta Verify push, I had to have my password, maybe even SMS, and that's a lot of factors that you have to enroll. We've heard from customers that this is a big pain point: you start on your first day of work and you have to bring your phone, you have to get a laptop, you have to be given a YubiKey, and then there are all the forms you have to fill out. So to make this a little bit easier we're introducing factor enrollment grace periods, giving users more time to enroll the required factors. In my org, everyone is required to
have Okta Verify and WebAuthn enrolled, but they have three months to enroll, starting from today. If they don't enroll the required factors, every time they log in, once a day, they will be reminded to enroll the additional factors. This should make life a lot easier for users and for admins rolling out additional credentials. And with that, passing it back to Alex.

Alex: Cool, thanks, Tom. Okay, awesome, let's talk about threats. This is maybe my favorite section. One of the bits of feedback that was pretty clear from our customer base this year is that as customers move their identities to the cloud, you're losing that traditional perimeter set of controls, and we really need to start giving customers more control at the edge. There are some big investments we're making there, but the way to net it out is that we really want to give you more policy controls, in particular across those unauthenticated endpoints: being able to drive adaptive rate-limiting experiences, potentially CAPTCHA on modern authentication protocol endpoints, and then frankly also just denying access if something doesn't make sense or something looks malicious from the user.

That leads into Okta ThreatInsight. Okta ThreatInsight was a feature that we announced last year at Oktane; it's a month or two away from EA, and it'll be available to all customers. It's one of my favorite and most exciting features because it really starts to change the security game for our customers. The reason that we went and invested in ThreatInsight is that we recognized we had a massive amount of data and contextual understanding of what was happening across the edge of our service. We had a unique advantage in that we could see across all these different orgs, thousands and thousands of customers, billions of authentications a day, and we were more adept at being able to identify those attacks than most people are. We've got a group of people who are super
focused on that effort, and we're also able to do things like introspect the credential: by being able to look at the credential that's being used and look at the signature of the request, we can start to proactively identify attacks that are happening. So instead of potentially days for a customer to respond, pulling that data from their SIEM, trying to make sense of it and driving a blacklist experience, we're looking at literally minutes, an order of magnitude of minutes, to detect some of these attacks. There's an immediate response capability using a coarse-grained blacklist-and-deny control with it, and initial data analysis suggests that we're also capturing about 90% of at least what we see and identify internally. That's not to say this is the end-all, be-all; this is a journey for Okta, but we're really excited to give our customers a little bit more control.

The reason that's important is that I think at the end of the day cyber attacks are asymmetric warfare. That is, the people that are attacking you, attacking your identity, attacking your company, your network, your perimeter, are fundamentally using a different set of controls and capabilities than you are. It might take you a thousand calories to identify an attack, respond to an attack, remediate and recover from an attack, and it takes an attacker ten calories to change their signature in terms of how they're actually going after you as an organization. That's a little bit unfair, because you're not playing on the same playing field. So we have to find ways to shift the balance of power, to make it easier for you as an organization to respond to those attacks and to cut out the 80/20, so that you can focus your effort on a narrower set of attacks and a narrower set of alerts. That really leads me into my next point, which is that fundamentally your SOC isn't scaling. We hear from a lot of customers that
they've got alert fatigue, they've got chair swivel across consoles, there have been all these incremental technologies that you're adding on top of other technologies, and you're trying to play this catch-up game over and over again. We need to reorient towards outcomes, and I think part of the strategy there is: let's go solve that 80/20 problem. Let's solve it with strong authentication, with device identity, with proactive threat detection and remediation at the edge, and then that allows you to take the people that are really good at their jobs around incident response, investigation and detection and let them focus on the targeted attacks. They can focus on the whaling, they can focus on the more sophisticated attacks that are pursuing your organization, so they're not spending all their time on the things that should just be cleared out of the way.

The other part of that strategy, the other leg of the stool if you will, is giving users more visibility into their security. I'm a firm believer in this one. At the end of the day your SOC can only do so much, your security team can only do so much, but you have to start empowering users to have a little bit more visibility and control over their own security, and you don't have to do that in an intrusive way. You can do that in a passive way: hey, it looks like you have suspicious activity on your account; hey, did you recently log in from this location; hey, did you recently reset your password; a push notification to Okta Verify. So starting to give more visibility to end users, and then allowing them to drive self-remediation workflows from it. Being able to tie some of those end-user experiences, from a workflow perspective, to some sort of automated response gets you a much quicker incident response and remediation capability, where the user can actually recover their account and can bump it to the right people if they need to from an investigation standpoint.
so we're super excited about what this means in the future and with that we'll do another demo all right before I start my demo I just wanted to put a little plug in the web authentic and we hope to make it EA in production as soon as next week's release so be excited for that switching over to my demo let me start by putting on my end user hat I'm gonna play the end user right now and as an end user every day I go I start I check my email today I see that there's some strange new emails from octa my MFA factor has been reset and then enrolled again I've been standing here listening to Alex talk so it's clearly not me going into here I see information and not me so I can report suspicious activity again I can review the details of the attack and if I don't recognize this activity and go forward with confirming this report some actions will be taken in my org my octa administrator will be notified so they can respond as needed and I will also be signed out of all devices and put in Password Reset mode so this allows me to have peace of mind that whoever got into my account they're kicked out and they can't get back in cuz the button super simple and that's the way we want it to be for the end user if they see something wrong press the button and then the admin and octa will take care of the rest so taking off my end-user hat and switching back over to my admin role I go to the admin email account here I see that yes the end user has reported suspicious activity I can click on review security event and be taken to the syslog where I can see the details about what happened what actually triggered that this event that octa had to notify the end user where did it happen what happened see a map view of it what you should note here is an end user reported suspicious activity is a distinct event in the octa syslog that means that you can send that event to spunk or to your sim tool and connect it to your incident response systems now you'll also recall that I the octave 
didn't just notify the admin there were some additional actions taken and those actions were coordinated by octaves automations feature so here you'll see that I've actually created an automation for user reported suspicious activities when a user report suspicious activity I will run these three actions are shown on the screen now of course these actions might not be right for your org and it's you know best so you can always change the actions say you don't want to clear the sessions and you don't want to reset the users password delete it activate it and you're good to go and these are just the actions that are in octa so automations are powering actions in an octa but like I said before this is a distinct event that you can subscribe to using an octa event hook so when this happens you can downstream actions in Splunk and Twilio and slack like you saw in the keynote today so with that before I pass it back to Alex I do want to say that this is only the tip of the sphere for automations I've showed you the security aspect of it but there's a lot more you can do so there's a talk about that tomorrow call it eliminating tedious tasks with automations so go see that if you want to learn more thanks [Applause] Donna mentioned a really great point that I didn't touch on in threats but I think is very salient which is all of this all the things that acht is doing around threat intelligence whether that's threat insight or risk based can risk-based assessment or account compromised detection notification can all be consumed through our system log and pushed out to your sim and used as a way to prioritize alerts and to drive additional context for your team that's responding to those threats the last area we're gonna deep dive into is resources that is to say nouns so traditionally acht has been known for SAS applications and API is across the API access management but it's very interesting to us to be that platform where you can actually provide contextual access 
across all of the things if you will and the two other things that are particularly interesting in legacy applications and infrastructure and so we're really excited to announce the launch of the octa advanced server access product octave and server access is a zero trust way all those philosophies that I mentioned earlier of driving access to critical business infrastructure so it's keyless access so it mints ephemeral certificates that are used to do SSH and RDP based login all driven can through contextual access with an octa it's multi cloud so it supports AWS and GCP and it provides a fully automated tool kit for your DevOps tooling and what's so great about this is it eliminates those static credentials so we talked earlier about just-in-time access killing static keys and credentials server access hits that right on the head for your infrastructure and so where we want to go with server access from a roadmap perspective is obviously we you know play well with all of your is today and including we can work with your private cloud environment but we're also looking at taking the product further we want to integrate with all of your DevOps tooling so if you're using Amazon CLI to do automation or to do you know configuration and/or management of those servers we want to integrate with that from a server access standpoint across all the different CLI tooling we want to integrate with terraform and and be able to use that tooling to automate provisioning of servers and up and spin-down actions and then lastly we want to look at doing you know meeting customers up where they are from an infrastructure perspective in their environment so whether you're doing a DJ machines or you need more fine-grained permission management on the machine those are all capabilities that we're delivering in the future on our server access product to help you get to a more secure security posture across your infrastructure so just to recap server access you know from a call out 
perspective you know it's killing the manual operations that you had previously from an infrastructure standpoint killing your static keys killing your shared accounts your directory interfaces is all moving to local provisioning and de-provisioning experience so we saw the demo earlier today where you know a deep provisioning action whether that's driven from an HR system or an octa directly immediately revokes access instead of doing you know session recording looking at its structured log aggregation for the product this is an exciting time for us in terms of just investing and launching a new product that provides that that new category of access for our customers leveraging again a central policy capability with Octus contextual access capabilities so final thoughts I think I really love this quote from a customer it was probably four or five months ago because I think it's really salient to a lot of the other customers that I talked to and they said basically we were talking to him about zero trust and how we're thinking about it and their program and they basically said look you know well beyond Corp is kind of a reference architecture from Google but basically said hey Google's got this you know there's a roomful of propellerhead or saury and a company full of propellerheads and we just have the people in this room and what they meant by that is they were really inspired to get better security outcomes they were really inspired to push their organizations forward but they don't have you know the ten thousand engineers to go build a server access product on their own or to drive you know creating a custom device identity experience and so for us at octa we want to really be your trusted partner for that zero trust and modernization journey across all of your different capabilities as you're modernizing access you're taking your you know collaboration tools and you're moving into the cloud best-of-breed adoption integration in your ecosystem adopting high as 
or lifting and shifting server resources out to public cloud infrastructure octo wants to be that partner and we want to give you the sets of tools and capabilities to help you really achieve that journey and to get those those good security outcomes and so with that questions Hey so the the web authentically cool but do you guys have any EA customers like say in China where Hoth bushes have been kind of a challenge sorry it was hard to hear you can you repeat it the web often feature yeah you guys have any EA customers in the asia-pac region where push notification or anything like that has been a challenge so for web authentication there shouldn't be specifically I'm trying to think if there would be any specific issues with those regions explicitly and I don't think there are I know what push notifications the main issue around areas like China is that Google Play services are not turned on by default and so you can still use your OTP experiences you just can't use your push experiences but web often as a standard still supports external security keys or on device authenticators and so you'll still get that secure experience with with web off end so we've seen some great stuff here today around bringing in visibility to the users to bring that zero trust security aspect so my question is on the impact that it brings from a privacy standpoint so you showed some really cool things on how we get visibility into the various devices that the user users know you can manage them from within octa but given that there are more stringent privacy laws that's coming up all over the world are there levers in in in this architecture that provides the customers to kind of tune them to various jurisdiction requirements yeah sure makes sense so the question is specifically around device identity and device level attributes and sort of the privacy implications of that I think it's important to fork that conversation at the highest level across consumer and workforce users so your 
consumer users privacy is is obviously much more of a concern the way that we drive device identity primarily today from a consumer standpoint is just a lightweight fingerprint that fingerprint is you know a hash of attributes we don't actually collect any of the data it's very opaque to us so it's request level signatures around the user agent paired with a paired with a fingerprint from a workforce perspective I think the way that we view that problem is that that's a device enrollment problem first and foremost where the user is is driven to an enrollment experience that enrollment experience can be pushed from MDM or it can be a self-service flow the way to incentivize that self-service flow is the carrot right so doing things like using device identity at octa sign-on to reduce a a sign-on requirement or to make it so you don't have to MFA as often is a that's kind of a best practice that we've seen with customers where it can drive adoption and enrollment of these device the device registration experiences where they are then opting into it particularly for BYO devices so you kind of have to follow that tree down I think if it's if it's MDM managed the reality is MDM has a lot more than off there's gonna have if it's you know workforce but BYO you you know you drive that through through an enrollment policy but allow people to opt in to and then on the consumer side obviously privacy is more more of a concern there
Info
Channel: Okta
Views: 1,183
Rating: 5 out of 5
Keywords: oktane19, security
Id: Jj-xOdN2_n4
Length: 44min 46sec (2686 seconds)
Published: Wed Apr 03 2019