Keeping hackers at bay: A Q&A With Okta’s Frederic Kerrest
Co-founder of identity management company talks passwords, spyware, and mobile security
November 2, 2015
Frederic Kerrest, MBA '09
With identity and mobility management firm Okta, employees gain access to their company’s apps on the Internet and mobile using a dashboard unlocked with one username and password—no more fumbling for several logins. The company’s clients include Adobe Systems, LinkedIn, and 20th Century Fox. It has raised $230 million from investors including Andreessen Horowitz, Greylock Partners, and Sequoia Capital. Co-founder Frederic Kerrest, MBA ’09, explains why identity streamlining is essential for security.
What does the word “identity” mean in this context?
Put simply, “identity management” is connecting people to technology securely. “Identity” refers to the information about a person needed to securely connect them to technology.
Why is identity management important to the current professional landscape?
At work, your identity—often in the form of a username and password—is what gives access to the apps, services, and devices that you need to be productive. You likely access dozens of apps, services, and devices on a given day. It’s up to businesses to ensure that your personal work information and sensitive data is kept secure and private, while also giving you the right access to the right information, anytime and anywhere. An identity management solution helps organizations manage varying needs of access, while enabling employees, partners, and customers to get their work done simply and securely.
An identity management solution can include a single sign-on (or SSO)—one secure dashboard requiring strong authentication—where you can access all of your accounts, apps, services, and devices with more secure tokens or assertions. This negates password fatigue from time spent re-entering passwords and password re-use. In addition, when you’re traveling out of the office, an identity management solution can help make sure that you are who you say you are, by requesting multiple factors to enable your access, like an SMS or push notification on your phone. If someone across the globe tries to access your account, they won’t be able to get in without additional proof.
What are the potential pitfalls of not using such a system?
You’ve likely heard about many of the corporate breaches that have happened in the past few years. Both sensitive data and personally identifiable information can be put at risk without an identity solution. It’s untenable for people to remember dozens of usernames and passwords, so people often use the same—and weak—credentials for many accounts. A set of captured credentials for a low security social application can make it easy for attackers to hack into corporate accounts.
When has improper management of security gone awry with devastating results?
FinFisher [also known as FinSpy] is a commercial spyware-for-hire tool distributed by a British company. Between 2011 and 2014, multiple discoveries were made indicating that the software was used to spy on journalists, lawyers, and activists. FinFisher targeted Android, iOS, and BlackBerries in addition to PCs, and was designed to spy on people through their mobile phones, tracking location, reading text messages and monitoring apps, emails, texts, and calls. In the past few years, the spyware has been found in 25 countries. It was particularly devastating due to the amount of personal information it was able to collect and relay to a third party.
What should the average employee know about how the identity management business might affect their working life?
Consumer features that people love—such as using a fingerprint to access your mobile phone—will start to make it to the enterprise. Mobile devices are playing a massive role in our work lives today, so you’ll see products that enable the mobile experience as well, making it easier to enter credentials on apps and services on mobile devices. Right now, everyone hates entering usernames and passwords on mobile devices, so there’s huge potential for improvement.
Any tips for customers and employees who want greater mobile security?
Keep your phone OS and apps up to date. Device manufacturers and app developers often put out updates to fix security issues. To benefit from these fixes, you have to keep your apps and OS updated with new software.
And be cautious with public Wi-Fi. Security on those networks may be scarce. Only connect to Wi-Fi networks that you trust and know. On an unsecure Wi-Fi network, data like passwords for accounts could be intercepted. Stick to window-shopping and browsing, and don’t access secure information.