
Amid rising data breaches, Okta announces new security standards for SaaS

Software as a Service (SaaS) security breaches are on the rise. Earlier this year, compromised user credentials affected numerous companies using Snowflake’s cloud data platform.

Those intrusions exposed sensitive personal and financial information. Other organizations breached this year include Microsoft, UnitedHealth, Caesars, MGM and Clorox.

According to an AppOmni report, 31% of organizations encountered a SaaS data breach in 2024, up from 26% in 2023. Notably, most of these attacks were identity-based.

To address this issue, Okta, the San Francisco-based identity and access management company, unveiled a new comprehensive identity security standard during its flagship event, Oktane, held in Las Vegas.

The standard is called the Interoperability Profile for Secure Identity in the Enterprise, or IPSIE for short. The vision behind the new open standard is a framework that lets SaaS vendors improve the end-to-end security of their products, with the aim of securing every identity-related interaction across the enterprise technology stack.

“We’ve seen that many attacks by malicious actors against enterprises and their applications and infrastructure tend to be identity-based attacks,” Shiv Ramji, president of customer identity at Okta, told AIM on the sidelines of Oktane 2024.

What is IPSIE?

Developed in collaboration with the OpenID Foundation and companies such as Microsoft, Google, Ping Identity, Beyond Identity and SGNL, IPSIE aims to build on existing security controls while introducing new requirements that benefit the SaaS community.

These include enforcing single sign-on for centralized authentication; lifecycle management for secure user onboarding and offboarding, which mitigates the risk of orphaned accounts and shadow directories; and entitlement management that enforces least-privilege access and moves toward zero standing privileges.

(Shiv Ramji speaking at Oktane 2024)

In addition, IPSIE facilitates the exchange of risk signals, so that security information flows across the whole ecosystem rather than staying inside one vendor's product. It also specifies session termination, so that every session of a user can be ended immediately when a threat is detected.

According to Okta, applications built to these standards will automatically achieve a higher baseline of security through governance, entitlement management, multi-factor authentication (MFA), posture management and real-time universal logout.
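The risk-signal exchange and universal logout described above, as an added example (not Okta's code and not the IPSIE specification, which the article does not detail): an identity provider mints a signed security event and a SaaS application consumes it, verifying signature, issuer, audience and freshness, deduplicating by event id, then terminating every session of the named user on every device. The compact token layout follows the Security Event Token format (RFC 8417); the event type URIs, the shared HMAC secret and the in-memory session store are hypothetical stand-ins.

```python
"""Hypothetical risk-signal receiver for a SaaS application.

Added example, not the IPSIE profile itself.  The token layout mirrors a
Security Event Token (RFC 8417); event type URIs, the shared secret and the
session store are constructed for this demo.
"""
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the demo.  A real receiver would verify an
# asymmetric signature against the IdP's published JWKS instead.
IDP_SECRET = b"demo-shared-secret-not-for-production"
IDP_ISSUER = "https://idp.example"
APP_AUDIENCE = "https://app.example"
# Hypothetical event type URIs; the article does not name IPSIE's identifiers.
EV_SESSION_REVOKED = "urn:example:event:session-revoked"
EV_CREDENTIAL_COMPROMISE = "urn:example:event:credential-compromise"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_event(user: str, event_type: str, jti: str, now: int) -> str:
    """IdP side: emit a compact HS256-signed token carrying one event."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    claims = {
        "iss": IDP_ISSUER, "aud": APP_AUDIENCE, "iat": now, "jti": jti,
        "events": {event_type: {"subject": {"format": "email", "email": user}}},
    }
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class SessionStore:
    """Application side: live sessions plus the state needed to act on events."""

    def __init__(self):
        self.sessions = {}        # session id -> user email
        self.seen_jti = set()     # replay protection for delivered events
        self.locked_users = set() # users blocked from new logins

    def login(self, sid: str, user: str) -> None:
        if user in self.locked_users:
            raise PermissionError(f"{user} is locked pending re-credentialing")
        self.sessions[sid] = user

    def active_sessions(self, user: str) -> list:
        return sorted(s for s, u in self.sessions.items() if u == user)

    def receive_event(self, token: str, now: int, max_age: int = 300) -> int:
        """Validate one signed event and return how many sessions were revoked."""
        header_b64, claims_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(IDP_SECRET, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(claims_b64))
        if claims.get("iss") != IDP_ISSUER or claims.get("aud") != APP_AUDIENCE:
            raise ValueError("wrong issuer or audience")
        if not (now - max_age <= claims["iat"] <= now + 60):
            raise ValueError("stale or future-dated event")
        if claims["jti"] in self.seen_jti:
            return 0  # duplicate delivery: already acted on, stay idempotent
        self.seen_jti.add(claims["jti"])
        revoked = 0
        for ev_type, payload in claims["events"].items():
            user = payload["subject"]["email"]
            if ev_type in (EV_SESSION_REVOKED, EV_CREDENTIAL_COMPROMISE):
                # Universal logout: every session of this user, on every device.
                for sid in self.active_sessions(user):
                    del self.sessions[sid]
                    revoked += 1
            if ev_type == EV_CREDENTIAL_COMPROMISE:
                # A stolen credential also has to stop new logins, not just old sessions.
                self.locked_users.add(user)
        return revoked


if __name__ == "__main__":
    store = SessionStore()
    store.login("s1", "alice@example.com")
    store.login("s2", "alice@example.com")
    now = 1_700_000_000
    print(store.receive_event(mint_event("alice@example.com", EV_SESSION_REVOKED, "jti-1", now), now))
```

The checks before any session is touched are the point: an unsigned or mis-addressed "log everyone out" message would otherwise be a denial-of-service primitive against the application, and the `jti` set keeps retried deliveries from being reported as fresh revocations.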

“Today’s lack of standardization is a major barrier to effective security. When applications in your ecosystem don’t communicate using a common language or are developed independently, it’s up to you to assess your vulnerabilities, which often results in a lack of visibility. That’s why we’re introducing a central standard for identity security, to help reduce the fragmentation seen in SaaS applications and create a more cohesive security framework,” Ramji said.

During the event, the company also announced a program to help businesses reduce their identity-related security debt to zero. Called Secure Identity Assessment (SIA), it is intended to help companies identify weaknesses such as admin sprawl, improve their identity infrastructure, and continuously maintain the strongest possible security posture.

(Okta CEO Todd McKinnon addressing the keynote session at Oktane 2024)

Standardization remains a challenge

While it’s encouraging to see Okta taking the lead in setting security standards for SaaS and advocating for standardization, widespread industry adoption of these standards remains to be seen.

Many SaaS companies have built their own identity integrations and internal standards. Adopting IPSIE would mean replacing or reworking them.

According to Ramji, Okta is already implementing these standards, which will greatly help with adoption.

“Many B2B SaaS companies use our customer identity cloud. By building on our platform, they inherently adopt and implement all of these standards,” said Ramji.

Also at Oktane, Okta CEO Todd McKinnon encouraged customers to ensure their SaaS providers have adopted these security standards to ensure strong protection against identity threats and to facilitate a safer and more compatible digital environment.

Okta also plans to hold global events aimed at educating customers about the importance of standardization.

“It’s a journey, and our goal is to educate the entire ecosystem about security visibility gaps. We’ve gained valuable insights and are actively encouraging the industry to develop and ultimately adopt these standards,” said Ramji.

Speaking to reporters on the sidelines of Oktane, Brett Winterford, Okta's Regional Head of Security for APAC, said some of the major SaaS breaches seen this year could have been avoided had these standards been in place.

He noted that Okta's own security breach in 2023 is another example of an incident that such standards could have prevented, as is the Snowflake case.

“Several attacks on Snowflake clients a few months ago illustrated vulnerabilities not caused by Snowflake itself. Attackers exploited weaknesses in back-end applications, bypassing identity providers due to factors such as information theft and malware that extracted passwords from unmanaged devices. But I can clearly see that the root of many of these problems comes from the way application and service providers integrate with identity providers,” Winterford said.

Why is Okta leading the charge?

Okta is a leading identity management platform that provides secure single sign-on, multi-factor authentication, and lifecycle management solutions. It enables organizations to protect user identities and streamline access to cloud applications.

According to Winterford, about 80% of all attacks that businesses typically witness are identity-driven. “In all my discussions with large SaaS companies, everyone agrees that it’s a problem that needs to be solved, but they’ve been waiting for someone to take the lead and suggest a framework. Interoperability profile specifications will definitely be an issue of ongoing debate; however, it is clear to everyone in the ecosystem that there is a viable path forward,” he told AIM.

Backing from Microsoft, Google and SGNL signals that the industry sees this as a shared problem that needs attention.