Todd McKinnon (Okta)
Todd McKinnon founded Okta in 2009 on the outrageous notion that business user identity could be managed in the cloud. In an in-depth 2013 interview on InfoWorld, McKinnon, the former vice president of engineering for Salesforce, argued that mass migration to the public cloud was unstoppable.
As predicted, the number and variety of cloud applications exploded, and Okta played an increasingly important role in cloud identity and access management (IAM).
A wildly successful 2017 IPO followed. Today, Okta positions itself as a cloud service to manage customer IAM as much as enterprise user IAM, with an integration platform that enables Okta to gatekeep for thousands of applications. The company is also venturing into machine-to-machine IAM, a key part of the zero-trust model.
In this edited interview, McKinnon talks frankly about Okta’s roadmap and offers opinions on several key security issues of the day. The conversation began with a brief discussion about our current work-from-home world, in which adoption of cloud applications has accelerated, particularly collaboration and video conferencing services—presenting yet more opportunities for Okta.
As McKinnon puts it, “it’s great for us, even though it feels crappy to say that because of the pandemic.” The interview then moved to the most damaging APT ever discovered.
CSO: What’s your take on the SolarWinds attack and its implications?
McKinnon: SolarWinds highlights a couple of things. The first is that on-prem is not necessarily more secure than the cloud. The second thing, I think, is a massive, concrete reinforcement of the concept of zero trust.
Purportedly, Google did zero trust because the Chinese tried to hack into Google. So, Google was smart and redid its whole infrastructure to not trust anything in the network, inside as well as outside. An average company can’t spend money and time like Google could, so they started from the edge in with remote access. Like, “we’re not going to make everything in the world zero trust, but we can at least take the laptops that are at people’s houses and run those in zero trust.”
But what SolarWinds highlights is that you can’t stop, you have to go all the way to the backend. One server can’t trust another server on the network. The reason people are running around is because that’s hard. It’s one thing to get some laptops connected into zero trust, but it’s a whole other thing to take your whole software and infrastructure internally and have no server trusting the other server. So that means there’s going to be a bigger requirement for machine identity.
CSO: That sounds like a big opportunity for IAM.
McKinnon: Yeah. We have this product called Advanced Server Access, which is really good at authenticating admins to machines, and you can use the same principles to authenticate machine to machine.
CSO: Another big issue is multi-cloud security. The big three clouds have different security models, different security controls and features. That makes it easy to make a configuration mistake and leave the door open. How can you help with that?
McKinnon: The vision for Advanced Server Access is to be that security layer for the clouds.
CSO: A meta-layer of security for the clouds?
McKinnon: Yeah, exactly, like the common security layer. Basically, you authenticate your admins, you log-in to the cloud through Okta, so that you don’t have to tightly couple your security and your processes and your governance and so forth to one platforms’ toolchain.
CSO: Is it on your roadmap to extend beyond identity with that?
McKinnon: You’d have to, yeah. It’s a little bit of a nuanced answer because you will see us extend beyond identity, but it’s in directions that are benefitted by having identity, if that makes sense. You won’t see us do anything that’s not integrated at all with identity.
CSO: The big three clouds are not at all static in what they introduce. Just keeping up with the flow of new features and figuring out what needs to be locked down doesn’t sound easy.
McKinnon: Yeah, it’s a challenge. And I don’t mean we need to solve all of this. Our strategy is to connect to everything and then let the customer have a consistent policy layer around everything. We’re pretty good, but we can do more. Like we can connect beyond just servers, we can connect to different services, specific services inside these clouds. There’s a lot of cloud-specific APIs that we are still building integrations to.
CSO: Are there emerging standards that you’re backing or that you see as promising that could be part of this multi-cloud security meta-layer?
McKinnon: One of the concepts that’s important in zero trust is continuous authentication. Basically, you can do that in two ways. You can be in the network path, like a proxy, and then once that you’ve detected malware, you can stop the network path so the compromised device can’t connect to anything. That’s one way.
The other way is that we and the industry are working on a standard that lets applications and devices share that continuous authentication state and then kill the session when that compromise happens. So instead of being in the network path and shutting down your network connections and your email, when your device is compromised, there would be a lightweight way to check every time that authentication is still good. That can be done scalably and with not too much overhead.
CSO: Do you have an opinion on self-sovereign identity?
McKinnon: I do. I think that it’s the future. We’ve got to get it done. The problem is: How does it get bootstrapped? How does it get useful in enough places so that enough people use it to make it useful? Where is it going to come from? Is it going to come from a big social media company? Is it going to come from a big IT vendor? Or should it come from an independent identify provider like Okta?
CSO: It could come from the crypto folks, right?
McKinnon: Yeah, it could. Payment is a pretty important application for identity; you need to know who people are to pay people. So, it’s possible. The problem is that in crypto, there are standards, but there’s also a lot of enabling infrastructure that’s not built into the standards.
So, the challenge is like … why does Coinbase exist? There wasn’t a part of the crypto standard that kind of defined how you got sovereign currency in and out of it. There’s no part of the standard that specifies how you get identity in and out of it, either.
CSO: Is self-sovereign identity something that you’re looking at championing?
McKinnon: We are. We’re looking at it. Honestly, though, we’re trying some new things and thinking about a few things, but it’s not clear how we solve the bootstrap problem. We have a lot of assets, too—we have tons of customers and tons of users. But we’re still working on how we get from here to there.
