Entity authentication is one of the fundamental security requirements for a safe cyberspace, but we all know what a pain it can be to have to re-authenticate ourselves everytime we login to a system - different systems, different passwords, different tokens and so on. Part of the solution to the hassle is authentication services that serve multiple systems. If you're so minded, you can login to Google, to authenticate yourselves to other systems that its authenticator supports. Another variant is the "single sign on", which is increasingly common in the workplace: you login once in the morning, then you can use the company's full range of apps without needing to repeat the process each time you seek access.
There are many other varieties that we might discuss, but the point I'm making is about the importance of authentication in a connected world. It has to work properly. It has to be trusted.
Let's try and put this need for trust on a reference scale, to help conceptualise the magnitude of trust in authentication. This might require a bit of a jump, but here we go:
Sometimes you read about cases in the news of doctors having relationships with their patients, or teachers having relationships with their pupils, or CEOs having relationships with their juniors, or TV presenters having relationships with their fans, or Presidents having relationships with their interns (actually, I can only think of one example for the latter). These stories often blow up in the media. Some of them are outrageous, particularly where children are involved, but central to them all is the issue of breach of trust. We see a special trust relationship in all of these situations, some more acute than others, and the breach of trust involves an abuse of power.
In a cybersecurity sense, authentication services occupy a similar level of importance, in a trust sense. Trust is acutely important and is a matter of power. We're talking about mega trust.
Thus, if things go wrong with an authentication service, the outrage can be acute, due to the sense of breach of trust and abuse of power. Imagine how you'd feel if you used a specific, single authentication service for all of your most sensitive online activities, including banking, insurance, healthcare, document storage and so on, only to discover that the service is insecure. You'd be entitled to be worried, distressed, anxious, outraged even. Trust would be damaged, if not permanently destroyed.
Unfortunately, this is a situation that Okta is now dealing with. Okta is an authentication service that sits in the background of the cyberspace. It provides authentication services to other businesses, some of which themselves provide critical security services to others. Thus, Okta is foundational to many aspects of security. Like any important foundations, they need to be made of concrete, not sand. Okta knows this, of course. As it says on its website, "everything starts with identity". It's strapline is "we've got your back, no matter your stack".
Last week, Okta reported a security breach and while it wouldn't be right to say that its share price is in free fall, the picture isn't pretty, as the charts show. Where it will land, nobody knows, but when the markets lose confidence, you're dealing with a completely different level of crisis to a "mere" security breach. It's a crisis on top of a crisis and investors will instinctively recognise the challenges that they lie ahead of Okta, which include commercial B2B contractual problems, regulatory investigations, litigation and perhaps flight of talent: this doesn't auger well for market confidence and share price.
But on the other hand, perhaps market track record will be with Okta? For many years now, there's been a widespread feeling that the market isn't working properly insofar as security breaches are concerned. Customers rarely vote with their feet and share price backlash to cases of insecurity is rarely substantial and prolonged, so Okta's NASDAQ graphs might return to a more favourable position in the relatively near future. Whatever happens, this could be a litmus test of the market's ability to regulate security. And if the market doesn't take up the challenge, all that does is fuel the growth of new regulatory law, to cure the market's imperfections.
Back to the story. So what happened? Obviously, it's too soon in the process to be able to definitely explain the nature of the breach, but according to other reports, it seems that an Okta customer service centre was compromised, which gave the threat actor access to the tokens and session cookies that enable Otka's help desk to access its client's systems for troubleshooting purposes. This suggests the potential for the threat actor to move laterally between Otka and its clients' systems. If that's true then we're talking about a potential supply chain attack on a trust epicentre of the cyberspace.
Another theme of the story - again, it's hazy - is that the potential compromise was discovered by some of Otka's clients and they notified Otka of their concerns. That suggests a problem with either incident detection or incident response at Otka's side, or perhaps both.
As you tour through the reports, you'll find another theme, which is that Otka was associated with a prior security incident in its supply chain, which raises the classic issue of needing to be on heightened alert. Thus, questions may arise as to whether the incidents were connected in anyway, or whether the first incident should have triggered actions that would have reduced the risk of the current one and, if so, whether necessary actions were taken.
This is a sorry tale, but to summarise my perspectives about the issues that it raises:
Trust services - is the regulatory scheme adequate? I have no doubt that Okta will be held to account by the US legal system, but is regulation optimised to reduce the risk (to the lowest level possible) of these situations happening in the first place ?
Company leadership and ownership responsibility - as part of the regulatory question, do we have the right model for ensuring accountability of company leaders and owners? If Okta's share price fall proves to be a blip, that might stand as evidence of imperfection in the market, meaning that investors aren't owning the problem.
Supply chains - how is assurance achieved in complex supply chains? What is the right thing to do if the assurance is lacking? All the companies that provide security services to others based on Otka's technologies surely have questions to answer.
Incident response - are the lessons of prior incidents learned and properly acted on? Also, remember that when the narrative is lost, its gone for good and when that happens you can become a case study.
