Increasing integration of identity-management frameworks at the API level will push human error out of the security equation and produce a cloud-security foundation that is “many times more secure than a password could ever be”, the local head of fast-growing Okta has predicted on the back of surging customer adoption that he says points to the rapid maturation of Australian companies' cloud philosophy.
Despite recently announcing high-profile local customers like REA Group, Baker's Delight, Cricket Australia and others, Okta – which secured $US75 million in venture-capital funding in September – is “only scratching the surface” of the fast-growing identity and access management (IAM) market, APAC vice president Graham Pearson told CSO Australia.
“There is not one set vertical buying our technology,” he said. “That just says to me that Australian organisations are adopting the cloud and they can see that security is a fundamental piece of that. Employers want their employees to be able to do their jobs easily, efficiently, and securely – and that's definitely a message that's resonating here in Australia.”
Strong mobile usage had compounded Australia's early-adopter advantage in Okta's core market space, where a climate of ongoing security breaches had heightened executive appreciation of the need to wrap mobile adoption into a flexible and enterprise-wide management infrastructure.
“That's our vision,” Pearson said, highlighting the company's security credentials as a cloud-only provider of IAM services. “It's essentially to enable any company out there to use any technology they want to, however they want to do it, and make it secure. And organisations in the cloud take security and uptime more seriously than someone who is wearing a pager in an organisation.”
The ongoing stampede to the cloud is being empowered by growing recognition that identity is a common thread for organisations of all types and sizes – and this was reflected in the growing usage of APIs to build secure inter-application exchanges that would become increasingly important as IAM usage matured next year and beyond.
By using APIs to exchange credentials, applications could enjoy non-repudiable authentication and communication that would prove even more useful in securing remote access than existing user ID-and-password combinations.
“As new pieces of software come out they're all being built at the API layer,” Pearson said. “Once you get that, the handshake between Okta and an application is so encrypted that you can do without a password. The handshakes that Okta does in the background are so many times more secure than a password will ever be – and the technology will get to the point where it's all API driven.”
The desire to build broader authentication is driving Okta to work closely with implementation partners: Okta's Australian arm, for example, recently forged an alliance with NSW-based cloud specialist VMtech and Qubit Consulting as well as Queensland's Cloud Strategic Services and Victoria's Identity Solutions.
Okta's Australian arm – which opened a little over a year ago – is expected to grow strongly in coming months with new staff hired to support these partnerships and accommodate growing demand.
A key part of the customer engagement was to make sure that the IAM architecture was well-developed enough that the system saw strong adoption over time: REA Group, for example, wrapped a cloud-based corporate reinvention around Okta and was able to move 98 percent of its systems to the cloud as a result.
“A huge part of our business is customer success,” Pearson explained, noting that in the past many such purchases ended up as 'shelfware' when implementation became too hard or resources were too hard to find.
Taking IAM as a service using the cloud model forced Okta and other providers to work much harder to continue generating customer value, Pearson said – marking “a big backflip on how the world used to be. We have to have customers not only buy it, but use it – because if they're not using it they can turn it off next year.”