馬克解讀金融科技

馬克解讀金融科技 | MarkReadFintech https://www.instagram.com/markreadfintech/ TransferHelper (轉帳幫) co-founder & CEO. Explaining fintech in simple terms, so that everyone can enjoy the convenience and efficiency it brings.

Digital identity and access management as information security protection: Okta

After the COVID-19 outbreak, some companies moved to remote work as a precaution. Employees now connect to work from more devices, networks and applications, which has pushed companies to update their software and adopt more flexible security tools. Not only ordinary companies but also the financial industry, which handles assets and places great importance on information security, is moving toward passwordless and multi-factor authentication login as the technology matures. As corporate security awareness has improved, identity and access management software has become widely known and widely adopted. Let us look at the relevant practical applications and how they are used in the financial industry.


Digital Identity and Access Management

1. A brief introduction to IAM

Identity and Access Management (IAM) is the gatekeeper of a company's information security. It governs how users' digital identities are assigned, how those identities are verified, and what permissions each identity is granted. Think of it as the security guard at the door of an important facility, holding a list of who may enter, who may not, and who may enter the VIP areas.

2. Key concepts of identity verification

In real life, identity is usually verified with an ID card or passport. Although not every fact about a person is recorded on it, it contains enough personal characteristics to compare quickly against the holder. In computer systems these characteristics are called "authentication factors", of which there are three common types:

  1. Something the user knows: knowledge that only that user should possess, for example a username and password combination.
  2. Something the user has: a physical token issued to an authorized user. Think of it as a house key: only someone who owns, rents, or is otherwise permitted to hold the key can open the door. A common example is a one-time code sent by text message or email at login; entering the code shows the user holds something nobody else has, namely that personal smartphone.
  3. Something the user is: a physical characteristic of the user's body, such as Face ID or fingerprint scanning.

In real life, identity is a mixture of personal characteristics, history, location and so on; in the digital world, a user's identity consists of "authentication factors", which are stored in an identity database and checked at login, so that identities are always verified and impostors are kept out.

3. Access management

Access management is the process of controlling and tracking access rights. Each user has different rights: a junior employee, for example, can access company email and administrative documents, but not payroll records or confidential files.

4. The importance of IAM to cloud computing

Users can access data over the network regardless of location or device. During the pandemic, with remote work becoming normal, identity has become the core criterion for controlling access rights: it determines whether a user may access cloud data, and which data.

In terms of information security, a cybercriminal who wanted to steal company information in the past mainly attacked the network perimeter, getting through the firewalls protecting the company network, or bribed an insider to physically access a server. With the shift to cloud-based operations, what cybercriminals most need in order to reach files is an employee's login credentials (such as username and password). Adopting IAM strengthens the protection of access rights and prevents data leakage through identity theft, which is especially important for cloud computing and for managing remote teams.

About Okta

1. Introduction

Okta is one of the world's leading information security service providers. Its Okta Identity Cloud performs identity authentication and access management, and currently serves more than 10,000 customers across industries, including large enterprises, SMEs, schools, non-profit organizations and government bodies. Revenue comes mainly from subscriptions.

It was founded in 2009, went public in 2017, and in July 2021 completed the acquisition of Auth0, a startup that also offers IAM services. Headquarters are in San Francisco, USA, with offices in Canada, the United Kingdom, Australia, Singapore, Japan and other regions.

2. Service focus

a. Single sign-on (SSO): the user authenticates once with their account and is then authorized to use resources through single sign-on, so employees avoid repeated logins. More than 6,000 SaaS applications, such as Adobe, Salesforce and Zoom, have adopted it.

b. Zero trust: the "zero" in zero trust does not mean openness; it means "trust nothing by default", so every step of a login is verified and the user is admitted only after all checks pass. Under today's remote work, it gives companies that grant employees broader permissions a more complete information security architecture.

3. Profit

Revenue is mainly divided into subscription revenue, and professional services and other revenue.

a. Subscriptions are the main income. Okta provides SaaS services; income comes mainly from subscription fees paid by customers using its cloud software, plus renewals and add-on purchases by existing customers.
In Q3 2021, about 95% of Okta's total revenue came from subscriptions, totaling $206.74 million, a 43% increase from $144.52 million in Q3 2020. The increase was mainly due to new customers, growth in users, and additional product sales to existing customers.

b. Professional services and other revenue come from helping customers implement and optimize Okta products, including training, application configuration, solving customer needs, customization services and so on.

In Q3 2021, only 5% of Okta's total revenue came from professional services and other revenue, reaching $10.64 million, up 25% year over year from $8.52 million in Q3 2020. The increase was mainly due to new customers, which in turn raised demand for other services.

Acquisition of Auth0 to expand services

1. Introduction to Auth0

Eugenio Pace and a co-founder, a former Microsoft colleague, founded Auth0 in 2013. With Auth0 WebAuthn Passwordless there is no need to enter a username and password; login uses biometrics such as facial recognition or a fingerprint. The focus is on security and convenience: end users get a smooth experience and enterprises are spared the huge cost of password management.

Instead of a centralized portal, users can register one authenticator at a time and flexibly use a variety of passwordless authentication methods, helping the transition from passwords to passwordless go faster, which benefits both users and organizations.

(Note: Verizon's 2021 Data Breach Investigations Report shows that 84% of data breaches are caused by compromised passwords; passwordless authentication reduces these problems.) https://www.businesswire.com/news/home/20210615005345/zh-HK/

2. Background and motivation

Both Okta and Auth0 provide IAM services. In March 2021, Okta announced it would acquire Auth0, itself a startup, for $6.5 billion in stock, with the deal to be completed by the end of July of the same year.

The difference between the two is that Okta provides IAM for a wide range of software services, such as Gmail, Slack and Salesforce, while Auth0 is a developer tool that lets developers customize the authentication flow through APIs and embed it in their own applications.

In the past, Okta's business mainly served end users. With the addition of Auth0, front-end software customers were brought into scope, integrating front-end and back-end services.

3. How the two companies view the acquisition

"Okta and Auth0 are complementary, and this acquisition enriches Okta's existing offerings, including developer collaboration and CRM," said Todd McKinnon, Okta co-founder and CEO.

Eugenio Pace, co-founder of Auth0, was optimistic that the combination with Okta could meet the needs of users, enterprises and employees, and provide simple, convenient and highly secure services.

Practical applications of Okta: FedEx and Broadcom

1. FedEx

When the pandemic began to spread in 2020, FedEx adopted Okta's identity cloud software and moved more than 1,000 applications, such as Salesforce, Zoom and Office 365, onto Okta, benefiting more than 85,000 employees worldwide, simplifying the login process and securing internal information.

2. Chip maker Broadcom

Broadcom is known for acquiring large companies, completing one or two mergers and acquisitions a year on average. Okta quickly provisions identities for new members, letting new employees get started quickly and allowing the company to expand or restructure its internal systems flexibly.

Recent developments at information security software companies

1. Okta information leakage incident

In the last week of March this year, three major technology companies, Microsoft, Okta and HubSpot, disclosed data breaches; the LAPSUS$ hacker group was the attacker in the Okta and Microsoft cases. Okta had outsourced some services to Sitel. On January 21, Okta received an alert that the computer of a Sitel engineer had been compromised by LAPSUS$. Because the engineer's access rights were limited and he could not edit the database, the scope of the attack was contained.

Although there were no serious losses, the incident also taught Okta three lessons:

  1. Security from the device to the SaaS: protection cannot be limited to the SaaS environment that shields the company and its software. If the computer equipment users work from is not secured, data can leak at any time.
  2. Multi-factor authentication (MFA): combining username and password with a one-time code, Touch ID login and so on. MFA improves the chance of blocking a data leak.
  3. Incident monitoring: when security staff see unusual behavior, such as an MFA factor change, a password reset, or a login from an unknown address, they should act immediately and review such events every day.
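As an added example (not from the original post or from Okta), the following Python flags the three event kinds the list above calls out when run over constructed Okta-style system log lines and groups them for the daily review; the event type names, the JSON field layout and the "known" address ranges are assumptions for this example.

```python
import ipaddress
import json
from collections import Counter

# Constructed Okta-style System Log records (eventType / actor / client / outcome
# layout is an assumption; every user, address and timestamp below is made up).
SAMPLE_LOG = """
{"eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"10.1.2.3"},"outcome":{"result":"SUCCESS"},"published":"2022-03-20T09:01:00Z"}
{"eventType":"user.mfa.factor.deactivate","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"10.1.2.3"},"outcome":{"result":"SUCCESS"},"published":"2022-03-20T09:02:00Z"}
{"eventType":"user.account.reset_password","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"},"published":"2022-03-20T09:05:00Z"}
{"eventType":"user.session.start","actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"198.51.100.9"},"outcome":{"result":"SUCCESS"},"published":"2022-03-20T09:07:00Z"}
{"eventType":"user.session.start","actor":{"alternateId":"dave@example.com"},"client":{},"outcome":{"result":"FAILURE"},"published":"2022-03-20T09:08:00Z"}
"""

# Corporate ranges treated as "known" addresses (assumption for this example).
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Event types standing in for the three behaviours the post singles out (assumed names).
MFA_CHANGE_EVENTS = {"user.mfa.factor.activate", "user.mfa.factor.deactivate", "user.mfa.factor.reset_all"}
PASSWORD_RESET_EVENTS = {"user.account.reset_password", "user.account.update_password"}
LOGIN_EVENTS = {"user.session.start"}


def is_known_address(ip):
    """True only if the address falls inside a corporate range; a missing address is unknown."""
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def triage(raw_log):
    """Return one finding per event that matches a watched behaviour, tagged with the reason."""
    findings = []
    for line in raw_log.strip().splitlines():
        ev = json.loads(line)
        etype = ev.get("eventType", "")
        ip = ev.get("client", {}).get("ipAddress")
        reason = None
        if etype in MFA_CHANGE_EVENTS:
            reason = "mfa-factor-change"
        elif etype in PASSWORD_RESET_EVENTS:
            reason = "password-reset"
        elif etype in LOGIN_EVENTS and not is_known_address(ip):
            reason = "login-from-unknown-address"
        if reason:
            findings.append({"user": ev["actor"]["alternateId"], "ip": ip or "none", "eventType": etype,
                             "result": ev["outcome"]["result"], "published": ev["published"], "reason": reason})
    return findings


def summarize(findings):
    """Count findings per reason: the short table a daily review would start from."""
    return dict(Counter(f["reason"] for f in findings))
```

Successful logins from known corporate ranges are deliberately not reported, so the summary stays small enough to be read every day.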

Summary: As information security develops, so do the attacks, and many novel ones keep appearing. Strong passwords and single sign-on alone cannot prevent them. Only by continuously paying attention to SaaS security and adopting automated management instead of manual protection can teams improve both security and efficiency.

2. The FIDO standard is gradually being adopted

In May this year, the FIDO Alliance, Apple, Google and Microsoft jointly announced that they will expand support for passwordless login technology so that users can sign in to online services more safely and conveniently.

FIDO is a technology for online identity authentication. The alliance was founded in 2012, and its members include industry leaders such as Google, Microsoft, Apple, Visa and Aegis. Users authenticate to the linked application and network, performing multi-factor authentication by one-time code, fingerprint or facial recognition, which balances convenience and security; the standard is widely used across industries.

In recent years, financial institutions such as CTBC, Cathay and Taishin have successively introduced FIDO technology into their products. The digital banking apps commonly used by the public also include FIDO features, identifying users faster and more safely through biometric verification.

FIDO is the benchmark for information security in the financial industry. Remote work and biometric identification during the pandemic have brought many opportunities and benefits to identity software companies such as Okta, and laid an important foundation for security and its maintenance.

Mark's thoughts

Due to the pandemic, more online services have been provided to the public, and the Taiwanese financial industry's awareness of information security has increased markedly in recent years. First, in 2020 the Financial Supervisory Commission required financial institutions and pure online banks to appoint chief information security officers, to encourage every enterprise to value a security culture and cultivate security awareness from the top down. Recently it has also focused on the security risks of the software supply chain, and supply-chain security management regulations are expected to be published by the end of 2022.

Facing increasingly diverse demands for digital finance, many core systems in the financial industry have been upgraded and transformed. Each institution has a different design and offers quite different features and functions. Under such conditions it is very difficult to build an impenetrable system, so it is equally important to respond quickly when an incident occurs, or to apply new technology to prevent one. The security risks facing financial institutions will bring more challenges in the future, and these challenges can push financial institutions to carry out digital transformation faster and shape the next generation of financial services.

CC BY-NC-ND 2.0
