Thank you for your interest in Obsidian! Please enter your information in the form and we will contact you shortly to schedule a demo.
The Okta breach disclosed earlier this month served as another reminder of the devastating impact of a session token compromise. This technique is nothing new—it’s something we’ve been discussing for years in our content and with a dedicated blog series.
Nevertheless, we continue to see session token compromise leveraged in security incidents at several leading enterprises to grant adversaries access that is often discreet and extremely persistent.
We have already discussed the importance of robust SaaS threat detections in minimizing attacker dwell time and enabling rapid response to token compromise. The purpose of this blog is to explore proactive security measures that bolster Okta environments against this technique. These same principles can be applied to other identity providers (IdPs) to help combat session token compromise in any environment.
We can delineate the security challenges surrounding identity providers and single sign-on (SSO) solutions into four focus areas, which we can consider the four pillars of a robust security posture. At a high level, they are:
1. Strengthen Authentication Policies: User authentication policies are critical to the security of the IdP/SSO environment. Rigorous and consistent application of multi-factor authentication (MFA) coupled with constrained session lifetimes will serve as a strong first line of defense against unauthorized access.
2. Fortify Self-Recovery: Self-recovery mechanisms are indispensable, especially when users are inadvertently locked out. However, poorly configured self-recovery mechanisms can serve as open doors for attackers. Employing the strongest possible MFA within trusted network ranges helps ensure a secure self-recovery process.
3. Weaponize End Users: By enabling new device and suspicious activity notifications for end users and ensuring their active status, you effectively transform users into vigilant sentinels. This proactive measure significantly improves the likelihood and speed of threat detection and response.
4. Limit Privileged Access: An often overlooked—but crucial—measure is the management of privileged access within the IdP/SSO environment. Stringent control of privileged users is imperative considering that they have the potential to undermine every aforementioned security measure.
Authentication policies form the crux of security in your Okta environment, providing a structured framework to manage user access. These should be meticulously reviewed and strengthened to ensure they align with your organization’s security requirements.
Authentication policies are orchestrated in a priority sequence that you define. They are applied based on specific conditions for users accessing the platform. The intricacy arises from the interplay between these policies, user groups, and various risk indicators. The objective is to enforce more stringent or frequent MFA in high-risk scenarios while allowing leniency in safer or mitigated risk situations—for example, differentiating between accesses from a corporate IP range and an organization proxy on another continent.
Disentangling authentication policies can be challenging, meaning that misconfigurations are all too common. Here are some frequently observed configuration issues and recommendations on how to rectify them.
Poorly configured account recovery mechanisms invite abuse by adversaries—we’ve even covered a similar topic as it relates to Azure AD. Because this is a relatively infrequent user operation, teams can enforce more stringent security measures without significantly impacting user convenience.
Okta recommends executing account recovery within a secured network zone—again, typically a corporate IP range or VPN—and requiring strong user authentication. These two measures together substantially mitigate the risk otherwise associated with this process.
Misconfigurations in account recovery can inadvertently diminish the security threshold, opening up your environment to unauthorized access. Here are some frequently observed configuration issues and recommendations on how to rectify them.
When you enable security notifications, you empower your user base and improve the overall security posture of your Okta environment. These notification emails enable users to more promptly identify and report suspicious activities associated with their accounts. It’s an approach that dovetails with the broader cultural paradigm shift towards a mentality where “everyone is in security,” fostering a collaborative effort to maintain a secure digital ecosystem.
Misconfigured notification policies ultimately lead to missed opportunities in the earliest stages of potential threat detection. Here are some frequently observed configuration issues and recommendations on how to rectify them.
The overprovisioning of highly privileged accounts is a pervasive issue across SaaS platforms which introduces a tremendous amount of security risks. Managing and constraining this privilege is always important, but especially so for the organizational identity provider. Super administrative access demands extremely stringent control as the pinnacle of user privilege within Okta.
Align administrative permissions closely with the functional roles of individuals in an effort to uphold the principle of least privilege and bolster your security.
Poor management of privilege in Okta has the potential to undermine every other proactive security measure put in place. Here are some frequently observed configuration issues and recommendations on how to rectify them.
The purpose of the four pillars is to serve as a foundation for a stronger Okta security posture, limiting the likelihood and potential impact of a cyber-attack. The initiative to fortify these proactive defenses should be supported with continuous verification that these configurations remain strong, and that gaps don’t reappear discreetly later on. Moreover, these measures should be complemented with robust threat detections because, despite every proactive effort, sophisticated adversaries will continue to look for a way to bypass them.
The Obsidian Security platform helps organizations with both sides of this equation. SaaS governance and risk management capabilities enable security teams to enforce every secure configuration highlighted in this blog and more while simultaneously monitoring to ensure these secure settings don’t drift over time. Our team provides posture recommendations out of the box informed by our expert research, industry benchmarks, and leading compliance frameworks.
At the same time, we complement these proactive capabilities with cutting-edge threat detections designed for SaaS. Only Obsidian can detect session token compromise in a matter of minutes, preventing attackers from dwelling in your SaaS environment and executing more damaging long-term campaigns.