Okta’s McKinnon on Identity Security Resiliency

Mandeep from Bloomberg Intelligence hosts Todd McKennan, CEO of Okta, on Tech Disruptors to discuss the evolving identity security landscape. Todd highlights Okta’s role in enabling cloud access and its critical importance in cybersecurity, especially post the CrowdStrike outage. He emphasizes the shift from identity as a mere enabler to a central security priority, protecting against billions of threats monthly. Todd also discusses Okta's resilience, competition with Microsoft, and the impact of generative AI on security. He underscores the importance of a strong, independent identity platform in a multi-cloud environment and the ongoing need for improved integration and innovation in cybersecurity.

• Identity security has transitioned from enabling access to the cloud to becoming a critical cybersecurity priority.
• Initially, identity security was about facilitating access to cloud services as companies migrated from on-premise systems.
• Over time, the focus shifted to protecting against cyber threats, particularly for administrator accounts.
• Okta now serves almost 20,000 customers, including major companies like FedEx and Wyndham Hotels, emphasizing the importance of identity security.

"In the early days, identity was more about enabling access to the cloud. It was about making it super easy for companies at the time that were moving from a world where everything was on their own network or in their own data center to a world where they were migrating toward cloud services."

• Identity security was initially focused on cloud migration and ease of access.

"As the threats and the cyber risks grew, identity and getting access to these accounts, particularly administrator accounts, became a very, very important cyber priority."

• The growing cyber threats shifted the focus of identity security to protecting critical accounts.

• Cybersecurity incidents, such as the CrowdStrike outage, have heightened the focus on resiliency and backup plans.
• Customers are increasingly concerned about the robustness and reliability of their cybersecurity providers.
• Okta processes 10 billion requests a month, with about 2 billion involving some form of malicious intent.

"After something like this, the conversations are much more about, okay, we know that you're protecting us. How do we make sure it's really rock solid and never going to go down, and what's the backup plan?"

• Post-incident, the focus shifts to ensuring the reliability and robustness of cybersecurity measures.

"We help protect our customers from 10 billion threats a month or ten. We process 10 billion requests a month, and about 2 billion of those have some kind of fraud or some kind of malicious intent behind them."

• Okta's scale of operation and the volume of threats they handle underline the importance of robust cybersecurity.

• Okta has faced its own cybersecurity challenges, including breaches in customer support systems.
• Managing such incidents involves extensive customer communication and reassurance.
• The focus is on maintaining the reliability and security of core products and infrastructure.

"The attackers were clever enough to use that breach to actually get email addresses of many of our customer users. And actually, which, you know, obviously it's not our core product, but it's something that we can, you know, it's very, customers are very, as they should be, expect us to protect that as if it was our production, as if it was our products."

• Attacks on non-core systems can still significantly impact customer trust and require robust management.

"The first part of the conversation is, Okta, do you realize how critical you are to what we're trying to do? And they want to make sure you understand the risks and the focus and what we have to mitigate."

• Customer conversations often start with emphasizing the critical role of Okta in their operations.

• The threat environment is escalating due to the increasing amount of data and systems online.
• Common attack vectors include exploiting supply chains and lateral movements within compromised networks.
• The secular trend indicates a rise in attacks driven by the potential for disruption, ransom leverage, and data theft.

"The threat environment is escalating, and it's escalating for the simple reason, just a secular reason, which is there's more and more online and there's more and more in these systems, and there's more and more potential for disruption, potential for ransom leverage, potential for stealing information."

• The growth of online systems and data increases the potential for various types of cyber attacks.

"Inevitably find there is some sort of commonality between these attacks. Like there is either a supply chain that is exposed that doesn't have a good security system and they are the weak link, and then it leads to a lateral moment."

• Common attack patterns often involve exploiting weak links in supply chains and moving laterally within networks.

• Compromised identity is a major vector for attacks:
  • 86% of attacks involve some form of compromised identity.
  • Common methods include phishing emails that lead to identity theft and lateral movement to escalate privileges.

"86% of attacks involve some kind of compromised identity. So it's either, you know, there was a phishing email that went to an employee, that they took over that employee's identity and then, as you said, moved laterally to escalate the privilege to an administrator account."

• Importance of a strong identity posture:
  • A robust identity management system is crucial for overall security.
  • Companies must have a comprehensive set of systems and processes to secure identities.

"If you don't have a strong identity posture in your company and a platform and a set of systems and processes, keep your identity secure, you can't be secure."

• Eliminating the weakest link:
  • Security strategies should focus on shoring up the weakest links rather than just strengthening the strongest ones.
  • Example: Even a support center user account can be a weak link that needs to be secured.

"It's really a game of eliminating all the weakest links. You don't have to make your strongest link stronger; you have to have comprehensive coverage and make your weakest link less weak."

• Innovation vs. consolidation:
  • The technology market cycles between innovation (with many new entrants and point solutions) and consolidation (where industries mature and solutions converge).

"In the technology market, there's innovation, which means lots of new entrants and lots of startups and lots of point solutions, and then there's industries that mature and naturally things kind of consolidate."

• Choosing the right layers to consolidate:
  • Companies must decide which layers to consolidate and where to adopt a platform approach.
  • Identity is a crucial layer that benefits from consolidation into a comprehensive identity platform.

"Companies have to pick what layers to consolidate and where to do a platform approach, because you can't do one vendor or one platform for everything."

• Value of an independent identity platform:
  • An independent and neutral identity platform can cover all identity use cases, from privileged access management to identity governance.
  • Over-consolidation can limit choices in other areas like cloud infrastructure or email.

"We believe in this independent, neutral identity layer, consolidating the identity landscape, but not over-consolidating or over-platforming and doing identity as part of another distinct part."

• Shared responsibility among vendors:
  • Despite the complexity, all vendors should take some accountability when a customer faces a breach.
  • A single-vendor approach is unrealistic and could hinder innovation and adaptability to emerging threats.

"Every vendor of that customer takes some amount of accountability. I guess in a perfect world, you could really truly have one throat to choke and have one vendor for everything. But I just think that's unrealistic."

• Importance of diversity in the security landscape:
  • Having multiple vendors encourages innovation and helps protect against emerging threats.
  • The security industry is adversarial, and consolidation around one vendor could expose weaknesses.

"Having diversity in the security landscape is, I think, a good thing and having competition and having people emerging there."

• Microsoft's historical dominance in identity:
  • Microsoft dominated the identity space in the 1990s and 2000s with Active Directory, leveraging its high market share in desktop devices, email, and server compute.

"Microsoft in the nineties and two thousands had the world's leading identity product. It was called Active Directory, and it worked and it was successful because Microsoft had a 90% share in desktop devices on the network."

• Shift in the market landscape:
  • The market has evolved with the advent of cloud computing and numerous SaaS applications, providing opportunities for companies like Okta.

"In the late 2009 when we were founded, the world was much different and the world was there's much more innovation, there was the cloud happening, there was different email systems, different collaboration systems, thousands and thousands of SaaS applications customers could use."

These notes provide a comprehensive overview of the key ideas discussed in the transcript, formatted to highlight each theme and supported by relevant quotes and explanations.

• The company developed an advanced identity system designed for the open ecosystem of cloud and SaaS.
• Microsoft replicated this approach and now offers a competing product, tailored primarily for Microsoft-centric environments.
• The company excels in environments where non-Microsoft technologies are in use, such as Mac computers, iPhones, Android devices, Zoom, Teams, and Slack.
• The company's strength lies in managing and securing a diverse technological ecosystem.

"So we basically built the successor to Active Directory. It was this identity system for the open ecosystem of cloud and SaaS."

• The company created an innovative identity system surpassing traditional Active Directory, aimed at modern cloud and SaaS environments.

"Our customers see the value, and the reason we win and are so successful is because when it's not Microsoft... our capabilities in terms of connecting to those technologies and keeping them secure and keeping this heterogeneous world manageable and secure is where we really shine."

• Customers appreciate the company's ability to manage and secure diverse technological environments, which sets it apart from Microsoft-centric solutions.

"It's all predicated on it being a very different world than it was in 2000, where Microsoft was a monopoly and they had such control over everything. And now it's a very different world."

• The current technological landscape is more diverse and less monopolized by Microsoft, making the company's solutions more relevant.

• Generative AI brings a new wave of tools and applications that deliver unique and compelling value.
• Business applications are being reimagined to generate content rather than just store it.
• Identity management becomes increasingly important with the rise of generative AI applications.
• Generative AI also poses new security threats, such as deepfakes and enhanced phishing attacks.
• The company leverages generative AI to improve defense mechanisms and product resilience.

"The first level is that there's a whole new wave of tools and apps and services that are being built and that can deliver unique value and compelling value because of these breakthroughs in AI."

• Generative AI introduces new tools and services that offer significant value.

"All of those experiences need identity. So a secular trend of more apps, more users needing more identity is very powerful, and it's a big driver of our business."

• The increasing number of applications and users necessitates robust identity management, driving business growth.

"The next wave of technology is going to be used to try to be exploited, whether it's deepfakes or better phishing attacks... But the good news is that there's also ways we can use generative AI to defend our customers better."

• While generative AI introduces new security threats, it also provides opportunities to enhance defense mechanisms.

• The company has expanded from core workforce identity to customer identity and privilege access management.
• Generative AI presents early-stage opportunities, and the company remains open-minded about its evolution.
• The company currently utilizes models built by others rather than developing its own infrastructure.
• The security industry is exploring ways to augment existing models effectively and cost-efficiently.
• AI agents represent a new area of interest, requiring secure identity management for system-to-system integration and task execution.

"One of the exciting things about generative AI is that it's still so early, and we try to keep an open mind on how it's going to evolve."

• Generative AI is in its early stages, and the company is open to its potential developments.

"We're using the models other people are building. Yeah, we're waiting for what's going to come out of the models."

• The company relies on existing generative AI models rather than developing its own.

"What that agent has to do is that agent has to log in a lot of different places... We have multi-factor authentication, but we don't really have a good way to do it for agents."

• AI agents require secure identity management for effective system-to-system integration, a developing area of interest.

• The company's moat lies in its technical integration with a wide range of systems.
• Single sign-on (SSO) is valuable based on the breadth and depth of integrations.
• The company has more integrations than competitors, both simple and complex.
• The company's independence from any single cloud infrastructure or collaboration app enhances its competitive position.
• The cultural and philosophical differences between the company and competitors like Microsoft contribute to its unique strengths.

"The mote is the technical integration to every other system. So single sign on is only as valuable as the number of things you can go to."

• The company's competitive advantage is its extensive technical integration with various systems, enhancing the value of its SSO.

"We have more integrations than the competition and they're more capable. So it's not just there's simple integrations and there's complex integrations. We have more of both."

• The company leads in both the number and capability of integrations compared to competitors.

"We're not beholden to one cloud infrastructure or we're not beholden to one set of collaboration apps."

• The company's independence from any single cloud or app ecosystem strengthens its market position.

"Imagine being the product manager or the developer at Microsoft... you're going to have an awesome integration to Amazon Web Services. You're just not going to, you probably get fired, right?"

• The company's flexibility and independence contrast with competitors like Microsoft, who may face internal constraints.

• Enterprises typically adopt a multi-cloud, heterogeneous architecture.
• They consolidate various functions like ERP, CRM, collaboration, infrastructure, and network.
• Identity should be a primary point of consolidation, providing capabilities like privileged access.

"We live in a world where there's a multi-cloud, heterogeneous architecture for most enterprises."

• Modern enterprises use multiple cloud services and diverse systems.

"Our basic position in the market is that one of those things that the points of consolidation should be identity, and then we're going to provide all of the capabilities on that platform, privilege, access."

• Identity is crucial for consolidation, offering comprehensive capabilities on a unified platform.

• Identity is essential for achieving zero trust security.
• Basic identity solutions are insufficient for robust zero trust security.
• Advanced identity solutions are necessary to prevent data breaches, which often stem from stolen identities.

"Everyone knows you have to have your identity story strong and you have to have a great identity solution to achieve zero trust."

• Strong identity solutions are fundamental to zero trust security.

"87% of data breaches are a stolen identity. And so you need a rock-solid identity story that is flexible, integrates to everything, it defends itself against these attacks."

• The majority of data breaches involve stolen identities, emphasizing the need for advanced identity solutions.

• Okta benefits from being an independent, neutral leader in the security ecosystem.
• Integration with various security solutions like CrowdStrike, Zscaler, Netscope, and Palo Alto Networks is a strategic advantage.
• Microsoft’s all-encompassing approach is not widely resonated in the industry.

"We're the independent, neutral leader for the rest of the ecosystem. CrowdStrike, Zscaler, Netscope, Palo Alto networks on and on and on."

• Okta's independence and integration with multiple security solutions are key strengths.

"Microsoft is different. They think that they're everything from Microsoft network and identity and endpoint and everything. Their whole thing is their worldview is get everything in Microsoft, we got you covered."

• Microsoft's approach is to offer a comprehensive suite, but it is not the preferred strategy in the industry.

• Okta’s seat-based model aligns well with its user-driven nature.
• The shift towards consumption models in the industry does not significantly impact Okta.
• The economic environment has affected employee growth, which was previously a tailwind for Okta.

"The seat model works very well for us because it's inherently tied to people."

• Okta’s pricing model is effective because it is closely linked to user count.

"The employee growth that was a tailwind for many, many years for our business. That's not the case anymore."

• Economic changes have affected the growth dynamics that previously benefited Okta.

• Elevated cybersecurity spending is expected to last indefinitely.
• The primary concern is investing in the wrong company strategies.
• Excitement about integrating every piece of the ecosystem more comprehensively.
• The most important metric for success is new bookings growth.
• Expectation of 50 large language models (LLMs) in the next five years.
• The Biden executive order on cybersecurity has increased awareness of basic security measures.
• No supply constraints on the compute side for Okta.
• Biggest risk is someone building a better-integrated identity system.
• Anticipation of increased M&A activity in cybersecurity over the next two years.
• Misconception: People underestimate the impact of identity on companies.

"How long will the elevated cybersecurity spending cycle last? Forever."

• Cybersecurity spending is expected to remain high indefinitely.

"What keeps you up at night? Investing in the wrong things from the company strategy."

• The main concern is making incorrect strategic investments.

"Getting every piece of the ecosystem more integrated. It's not integrated enough."

• There is a focus on achieving greater integration within the ecosystem.

"New bookings, growth."

• Success is measured by the growth in new bookings.

"Yes, it made people more aware of the basics."

• The Biden executive order has increased awareness of fundamental cybersecurity measures.

"That someone can build an identity system integrated to a big platform in a way that could be better integrating than an independent identity platform."

• The biggest risk is the potential development of a superior integrated identity system.

"I think the biggest misconception is people don't understand how impactful identity is to companies."

• There is a common misunderstanding about the significant impact of identity on company operations.