Organizations are shifting towards centrally managed Identity Providers (IdPs) to implement strong authentication and IAM controls with single sign-on (SSO), SAML, and multi-factor authentication (MFA). Therefore, IdPs are becoming a critical service for organizations, since they control the organizations access policy and have the keys to kingdom to provision users and privileges in the most critical business applications. As a pioneer in the IdP space, Okta is considered an industry leader and is enjoying massive adoption by customers that go through digital transformation processes. To improve the out of the box abilities of Okta, admins can configure integrations to Okta using API Tokens and OAuth App, which can allow to streamline business processes such as employee onboarding/offboarding which requires integration with HR systems, security incident response which requires integrations with SOAR platforms, etc. In addition, Okta enables out-of-the-box automation using Okta Workflows, where users can automate the identity processes without the need to write code, leveraging the pre-built connectors catalog.
While Okta is inherently secure, third-party vendors who have access to it through these methods can be a weak link. Inherently risky or over-privileged OAuth tokens, etc. can be exploited to gain the keys to the kingdom, placing Okta customers at risk of data breaches and account exposure. Supply chain access attacks against Okta are not properly covered by existing security approaches such as IdP, Cloud Access Security Brokers (CASB) and SaaS Security Posture Management (SSPM) solutions that focus on human-to-SaaS access controls and neglect the critical growing non-human SaaS-to-SaaS third-party integration layer.
Okta holds the keys to the kingdom, since it’s granted privileges to control the most critical business applications. Therefore, with more than 14,000 customers, Okta is a high-profile target for attackers that are seeking to leverage such access to implement lateral movement techniques and spread within an organization.
That said, attackers don’t necessarily need to try to breach Okta or your organization directly in order to gain access to your organization’s employees and access management policies. Instead, they can target a different third-party vendor that you configured to integrate with your Okta instance and has access to manage the tenant.
Another option for attackers is to gain access to one of Okta’s third party vendors, same as done in the recent known LAPSUS$ compromise. In this case, the attackers compromised the workstation of a Sitel engineer, a third-party vendor connected to Okta’s infrastructure. Potentially impacting hundreds of Okta customers, the attackers used the workstation which was logged into Okta’s customer support infrastructure in order to access Okta’s SuperUser application, used to configure Okta customer tenants - although, according to Okta, they were unsuccessful in implementing any configuration changes during this attack. The compromise caused panic in the entire security industry that tried to minimize the potential impact of such a high privilege vendor being breached.
Valence seamlessly integrates with your Okta environment and helps you discover your SaaS mesh attack surface and manage the risks associated with it: