Okta's new Security Technical Implementation Guide (STIG)

Rob Gil and Naveed Mirza and Brandon Iske

In cybersecurity, identity is the first line of defense. As the number of applications and systems grows, so does the workload on the security workforce. Exacerbating this is the burden placed on customers to create secure configuration baselines for products where none exist.

Securing Baselines

To provide such baselines, organizations like the Defense Information Systems Agency (DISA) publish guidance in the form of Security Technical Implementation Guides (STIGs). STIGs and Security Requirements Guides (SRGs) for Department of Defense (DOD) information technology systems are mandated by DODI 8500.01, and they benefit organizations well beyond the DOD. STIGs bridge the gap between the control catalog in National Institute of Standards and Technology (NIST) Special Publication 800-53, as applied through the Risk Management Framework (RMF), and the concrete, product-specific settings needed to satisfy those controls. Applying them measurably improves IT system security, compliance and resilience.

Okta and DISA

Okta recently announced our partnership with DISA, which has resulted in the release of the Okta Identity as a Service (IDaaS) Security Technical Implementation Guide (STIG). While this STIG is specific to the Okta platform, the integration and hardening guidance is standards-based and can be applied to other identity platforms.

As an industry leader in Identity and Access Management (IAM), Okta interoperates with a wide range of identity platforms and applications, which makes the Okta STIG a practical reference when hardening similar products.

As the first identity vendor to provide this level of configuration guidance, we look forward to continuing our relationship with DISA. By raising the bar for the industry, we are helping create the strongest and most secure guidance possible for securing not only the Okta platform, but everything it connects to.

Call to Action

With the release of this guidance, we encourage all of our customers to evaluate their Okta orgs against the STIG. Some checks, such as the DOD logon banner notification, may not apply to commercial entities, but the remaining checks describe the most secure supported configuration of the Okta platform.

The Okta Identity as a Service (IDaaS) Security Technical Implementation Guide (STIG) is available for download at https://public.cyber.mil/stigs/downloads/ (search for "Okta"). If you have feedback on the STIG, please contact fedramp@okta.com.

Rob Gil
Sr. Director, Federal Architecture

Rob Gil is a Sr. Director, Federal Architecture at Okta and is responsible for leading the Public Sector technology initiatives for FedRAMP, DoD Impact Levels, and StateRAMP. Prior to Okta, Rob worked on the JEDI project for the DoD Cloud Computing Program Office and led the Cloud SecOps team at Elastic. At Elastic, Rob helped lay the foundations for the Elastic SIEM as an initial core contributor to the Elastic Common Schema and to the first version of the Elastic SIEM. Before Elastic, Rob led operations and engineering teams at Salesforce and a variety of financial institutions. When not working, Rob enjoys the quiet life on his homestead and dabbling with tech.

Naveed Mirza
Senior Solutions Architect

Naveed is a Senior Solutions Architect at Okta, focusing on the DoD and Federal customer base. He has worked in cybersecurity since leaving the US Navy in the late 1990s. Before coming to Okta, Naveed was a consultant for several DoD customers, and he continues to offer advice through active participation in the DoD community. He grew up in Stafford, Virginia, and upon returning from active duty, took up residence there once more. In his free time, he enjoys beer brewing, gaming, and the occasional date night with his wife.

Brandon Iske
Principal Solutions Architect

Brandon Iske is a Principal Solutions Architect focused on enabling Federal Government and strategic accounts at Okta. He is passionate about strengthening our nation’s cybersecurity and user experience through Identity-focused IT modernization and cyber best practices. Before joining Okta, Brandon worked for over a decade in government public service to deliver and secure joint Department of Defense enterprise capabilities in endpoint security, mobile management, identity and access management, and Zero Trust architecture at the Defense Information Systems Agency. He earned a Bachelor’s Degree in Computer Science from the University of Nebraska at Omaha. He is also a National Science Foundation CyberCorps Scholarship for Service Alumnus and an Okta Certified Professional.