Okta Champions New Identity Security Standards and Unveils AI-Driven Tools
Okta touts the OpenID Foundation’s new IPSIE working group that aims to create a framework to simplify security management for developers of enterprise SaaS applications.
November 1, 2024
The cybersecurity landscape continues to evolve and change. One segment I’ve been watching is the identity space, as it’s become a cornerstone of security due to the need for robust authentication and access management in an increasingly interconnected digital world. As organizations rely more on digital platforms, ensuring that only authorized users can access sensitive data and systems is critical.
While zero trust, segmentation, and other advanced tools can help, they don’t solve the challenges around phishing, identity theft, and credential stuffing. Organizations can significantly reduce the risk of unauthorized access and data breaches by implementing stringent identity verification processes, multi-factor authentication, and real-time monitoring.
The recent announcement of the OpenID Foundation's working group devoted to developing new identity security standards, together with Okta's integrations and AI-driven tools, can enhance security and reduce enterprise operational complexity. At the recent Oktane event, the company’s identity conference, Todd McKinnon, CEO and Co-founder of Okta, discussed the announcement and started by looking at the evolving importance of identity in security.
“Identity is who you are,” he said. “It’s your reflection in the world, both personally and professionally. It’s the entry point for the digital world—it determines what and when you can access it. It’s something that can make organizations more productive. It can make every interaction with technology faster, smarter, and more secure.”
He then said there was something more substantial. “While identity can be a powerful force for good, identity is also under attack,” he said. “Over 80% of security breaches involve some kind of compromised identity, whether it’s the initial compromise or how the threat moves laterally.”
This is the challenge security professionals have dealt with for years. While there have been many good identity tools, a lack of standardization has left big holes in threat protection, and this is the challenge Okta is attempting to solve.
A new acronym for standardizing enterprise SaaS security protocols
With that in mind, one of the critical elements of Okta’s latest announcement is the introduction of a new standard being created by the OpenID Foundation's IPSIE working group. “The working group is called the Interoperability Profiling for Secure Identity in the Enterprise working group, or IPSIE,” he said.
IPSIE is a working group devoted to developing an open industry standard. Okta, along with others in the industry, proposed the formation of the working group. The working group includes professionals from major players like Microsoft, Ping Identity, SGNL, and Beyond Identity. The aim is to create an industry-standard framework for enterprise SaaS applications that simplifies security management for developers while enhancing end-to-end security in enterprise environments.
IPSIE encompasses protocols such as OpenID Connect, System for Cross-domain Identity Management, and Continuous Access Evaluation Protocol. Okta hopes to streamline SSO, lifecycle management, privileged access, and security information sharing across SaaS platforms by unifying these standards.
In addition to IPSIE, Okta announced 125 new pre-built SaaS integrations, enhanced privileged access management capabilities, and new governance tools powered by AI. These tools aim to mitigate risks from orphaned accounts, shadow IT, and other identity-related vulnerabilities, positioning Okta as a leader in addressing “identity debt”—the accumulated security risks resulting from outdated and fragmented identity management practices.
Market and industry implications
Okta’s plans are ambitious. However, I think assessing the broader implications for the identity and access management (IAM) market and the industry at large is crucial. I see several issues at play.
Standardization and fragmentation in the identity security space: The formation of the IPSIE working group reflects a growing recognition of fragmentation in the identity security landscape. Many organizations struggle with inconsistent security policies across multiple SaaS platforms, leading to vulnerabilities and integration challenges.
IPSIE is up against some precedents. Historically, attempts to standardize security protocols across disparate platforms have encountered resistance due to differing business models, priorities, and levels of market power among vendors. Okta’s willingness to work with an ecosystem likely slowed its development but will lead to a better customer outcome. Okta has a good chance of success as it is a significant player and seems to have the cooperation of SaaS providers, given the 125 integrations supporting aspects of this future standard.
Challenges in adoption: Okta’s efforts to simplify security through pre-built integrations and governance tools are targeted at enterprises seeking to reduce operational overhead. However, achieving widespread adoption of these tools may be challenging. Many organizations are heavily invested in their existing identity management infrastructure, making it difficult to justify the cost and effort of migrating to a new system, even if it offers potential security benefits.
Although the promise of reducing “identity debt” is attractive, organizations may be reluctant to rely solely on Okta’s solutions, especially given the increasing demand for flexibility in managing multi-cloud and hybrid environments. Success for Okta is the growth of the ecosystem. It’s off to a running start, but time will tell.
Competition and vendor lock-in concerns: In the security space, vendor lock-in has been the norm for decades, and customers could perceive the same in Okta's IPSIE standard. Organizations may hesitate to fully commit to Okta's ecosystem if they perceive it as a potential barrier to adopting future innovations or integrating with other identity platforms. This is where the company needs to continue to push the freedom-of-choice messaging and enable customers to bring in a broad ecosystem of partners, even if they are competitors. When vendors interoperate, it creates a rising tide, and that's good for everyone.
AI-driven governance and risk management: Okta’s introduction of AI-powered governance tools, which analyze identity risks and provide remediation recommendations, signals the growing importance of AI in cybersecurity. While Okta positions these tools as a significant improvement in risk management, there is room for skepticism regarding their efficacy in practice.
AI-based solutions have incredible potential, but they have limitations. They rely heavily on the quality of the underlying data, and in environments where identity data is fragmented or incomplete, AI-driven tools may struggle to deliver accurate or actionable insights. Organizations adopting these tools should test the solutions in their own environments, as that's the only true way of measuring efficacy.
Some final thoughts
The announcements at Oktane 2024 reflect Okta’s ambition to lead the identity security market by addressing critical challenges like identity fragmentation, operational overhead, and emerging threats. However, the market implications of these innovations are complex. While Okta’s leadership in standardizing identity security protocols could help reduce fragmentation, the success of IPSIE and other initiatives will depend on broader industry cooperation and market adoption.
The good news is that Okta appears to be “all in” with being open—the company currently has more than 7,000 integrations that allow companies to pick their own tech stack and have identity services across the hundreds of vendors they use. This is in stark contrast to Microsoft, where the E5 license tier is designed to lock you into everything Microsoft. One could argue that approach works because Microsoft is a "de facto" standard, but that's not the same as being an industry standard. The latter takes more work but has a better long-term upside for customers.
Zeus Kerravala is the founder and principal analyst with ZK Research. Read his other Network Computing articles here.