On Monday, March 21, 2022, news broke that Okta was breached through one of their outsourcing partners, Sitel Group. Since then, a lot of mud has been slung at these groups in what feels like a public shaming. A lot of the anger directed at Okta has been about their public comms, and even Okta admits that they could have done better. But, putting these organizations in the public crosshairs and attacking them is not the way this should be handled.
I have spent the last 7 years leading a team that’s innovating in the identity security space. We’ve worked closely with Okta’s Tech and Product teams to build out integrations and collaborate on building better digital identity. Recently we’ve focused on solving problems for Business Process Outsourcers (BPOs, companies like Sitel). All this is to say that I know Okta’s industry and I know Okta, I know Sitel’s industry and I know Sitel.
Both Okta and Sitel are best in class when it comes to Information Security. Both of these organizations have some of the industry's top security talent, best security procedures, and best technology…and were still breached. If we’re hurling invective at them, we should all realize that we’re going to get the same treatment back one day. Why? Because even the security of the best-in-class wasn’t enough here to prevent the breach.
A single endpoint was compromised with an open session, and the attacker used the authorized user’s access to do what the authorized user did every day - fiddle with other users’ MFA. For those claiming that Zero Trust would have prevented this, ZT is almost always implemented with device trust, which was compromised, in combination with MFA checks, which were passed by the authorized user. What should they have done, implemented step-up MFA checks every 5 minutes across hundreds of thousands of employees? Is that what the rest of us are doing that entitles us to throw stones? No, we’re all living in the same glass house: the paradigm of periodic challenge-response MFA transactions for securing identity failed them, and the rest of the world is operating on the same paradigm.
This paradigm didn’t work for Okta and Sitel, but that does not make the rest of us better than them, or give us the right to tear them apart publicly. This is not their fault. The problem is that the paradigm of authentication doesn’t match the problem we’re all trying to solve. MFA is a square peg trying to prevent the compromise of humans, which is a round hole. Rather than shaming whoever suffered the breach-of-the-day, why not be supportive and collaborate in solving the big, big problems that make it impossible for even best-in-class security to protect itself?
I, and the whole team at Twosense, are trying to solve this problem, so come collaborate with us on fixing things, rather than spending energy putting down the poor teams who lost a game of Russian Roulette that we’re all playing together.