Okta's new Security Technical Implementation Guide (STIG)
In cybersecurity, identity is the first line of defense. As the number of applications and systems an organization runs grows, so does the burden on its security workforce. Exacerbating this is the responsibility that falls on customers to create secure configuration baselines for platforms where none exist.
Securing Baselines
To provide such baselines, organizations like the Defense Information Systems Agency (DISA) publish guidance in the form of Security Technical Implementation Guides (STIGs). STIGs and Security Requirements Guides (SRGs) for Department of Defense (DOD) information technology systems are mandated by DODI 8500.01, and they benefit organizations well beyond the DOD. This guidance bridges the gap between the controls in National Institute of Standards and Technology (NIST) Special Publication 800-53 and the Risk Management Framework (RMF) on one side and the concrete configuration settings of a specific product on the other. STIGs offer significant benefits for improving IT system security, compliance and resilience.
Okta and DISA
Okta recently announced our partnership with DISA, which has resulted in the release of the Okta Identity as a Service (IDaaS) Security Technical Implementation Guide (STIG). While this STIG is specific to Okta platforms, the integration and hardening guidance it contains is standards-based and can be applied to any identity platform.
As an industry leader in Identity and Access Management (IAM), Okta interoperates with a wide range of identity platforms and applications, which makes the Okta STIG a practical reference when hardening similar products in today's technology marketplace.
As the first identity vendor to provide this level of configuration guidance, we look forward to continuing our relationship with DISA. By raising the bar for the industry, we're helping create the strongest and most secure guidance possible for securing not only the Okta platforms — but everything they connect to.
Call to Action
With the release of this guidance, we encourage all of our customers to evaluate their Okta orgs against the STIG. Some checks, such as the DOD "banner notification" (consent banner) requirement, may not apply to commercial entities; the remaining checks are recommendations for the most hardened configuration of the Okta platforms. When a check does not apply to your environment, record it as not applicable rather than skipping it, so that your assessment remains complete and reviewable.
The Okta Identity as a Service (IDaaS) Security Technical Implementation Guide (STIG) is available for download at https://public.cyber.mil/stigs/downloads/ (search for "Okta"). If you have feedback on the STIG, please contact fedramp@okta.com.