As identity-based attacks skyrocket, Okta CEO and cofounder Todd McKinnon shares his vision for standardizing identity security for today’s Software-as-a-Service applications.
The rapid adoption of cloud computing, the rise of Software-as-a-Service (SaaS), and the growing prevalence of remote work have eroded IT’s once well-defined frontier. As a result, attackers have had to adapt their strategies. Rather than trying to breach a network or an endpoint with malware, they now seek to gain access by exploiting a more expansive target: identity.
Identity-based attacks have quickly become the go-to tactic for cybercriminals. By commandeering the credentials or logged-in sessions of legitimate users—employees, partners, or customers—bad actors can bypass traditional defenses and gain a foothold inside an organization’s network.
Over the past year, identity-related incidents have skyrocketed by 180%—and compromised credentials are now a factor in 80% of all data breaches. In 2023 alone, malware stole 340 million identities, contributing to a wave of identity-driven financial crime that cost organizations approximately $212 billion.
These numbers tell a clear story: Identity has become the new perimeter, and securing it is paramount for any company looking to protect its assets, revenue, and reputation. As Todd McKinnon, CEO and cofounder of Okta, the leading identity and access management (IAM) company, says, “Identity is the gateway to all types of technology environments—cloud, on-premises, mobile—you name it. This makes it a perfect target for bad actors looking to break in and cause harm.”
The need for deep integration
Combating the growing threat of identity attacks is at the heart of Okta’s mission. The company, founded in 2009, has been at the vanguard of the IAM revolution, advocating for a highly integrated, identity-centric approach to security. “A neutral and independent identity solution such as Okta works so only the right people have access to the right resources at the right time,” says McKinnon. “We’re continuously innovating to meet the current threat landscape.”
However, determined attackers will seek out any point of weakness, and that’s where identity intersects with the broader IT ecosystem. Fragmented deployment of identity across other applications and security tools creates exploitable weaknesses for organizations.
The challenge is that most IT stacks are far from integrated. They’re a patchwork of cloud, on-premises, and a mix of legacy and cutting-edge technology. Stitching these disparate components into a cohesive identity fabric can seem like an insurmountable task, but it’s one that Okta has been tackling head-on. “We’ve been in the trenches with our customers, seeing firsthand the complexity and the pain points,” says McKinnon. “And that’s what drove us to launch the Okta Identity Security Commitment—our pledge to provide the industry’s most comprehensive, end-to-end approach to securing identity. It’s about building a web of security with identity at the center.”
The push for a universal identity standard
For more than a decade, Okta has been at the forefront of efforts to develop and promote open standards for cloud software providers. But as the threat environment has rapidly evolved over the past two years, the security standards that govern how cloud applications are built have not kept up.
The current identity security space is fragmented, with tens of thousands of cloud applications lacking built-in secure identity capabilities. This absence of a unified structure for making apps discoverable, governable, and supportive of core identity functions—such as single sign-on (SSO), System for Cross-domain Identity Management (SCIM), and continuous authentication—has become one of the biggest challenges to effective cybersecurity.
To address this gap, Okta has spearheaded the formation of an OpenID Foundation working group to establish a new, open-source identity security standard, the Interoperability Profile for Secure Identity in the Enterprise. Known as IPSIE, the initiative has a clear goal: to provide a framework for SaaS companies to enhance the end-to-end security of their products across every touchpoint of their technology stacks.
“Our ambition with IPSIE is to standardize identity security and help foster an open ecosystem where building and using enterprise applications that are secure by default is easy for everyone,” says McKinnon.
Harmonizing identity security capabilities
IPSIE brings together a set of new and existing standards, including SSO for centralized access control, lifecycle management for secure user onboarding and offboarding, entitlement management for enforcing least privilege access, risk signal sharing for real-time threat intelligence, and session termination for swift response to detected threats. By advancing and harmonizing these key identity security capabilities, IPSIE aims to help organizations gain a unified view of their identity risk postures, streamline the development of secure applications, and ensure consistent, adaptable protection across their entire SaaS portfolios.
“With IPSIE, we’re saying every app, every service, every piece of infrastructure should be identity-aware and identity-secure,” says McKinnon. “It’s about making that level of integration and protection the rule, not the exception.”
Achieving this lofty goal requires an industry-spanning effort. Accordingly, Okta is working with partners, customers, and even competitors to build consensus and drive adoption. “Identity standards only work if everyone rallies around them,” stresses McKinnon. “It’s not about any one company. It’s about raising the bar for everyone.”
The open-source nature of IPSIE further promotes this sense of collaboration and industry-wide innovation. By bringing together identity providers, independent software vendors, and public and private sector organizations, the standard ensures that identity security best practices are shared, refined, and widely implemented—essential for staying ahead of the constantly shifting threat landscape.
To encourage adoption of IPSIE, Okta is launching more than 125 deep integrations with some of the biggest SaaS providers, including Google, Microsoft Office 365, Slack, and Atlassian. McKinnon’s team is also working to simplify the process of publishing customer identity cloud apps into the Okta Integration Network, helping ensure that these applications, and others, come prebuilt with IPSIE integrations.
A foundation of trust
At its core, a modern identity security strategy is about more than just defending against cyberattacks. It’s about empowering organizations to embrace the full potential of their software stacks. This means adopting new technologies, exploring new ways of working, and reaching new customers and markets without sacrificing security or user experience. It’s about building a foundation of trust that enables innovation, agility, and growth.
For McKinnon, achieving this vision hinges on a crucial shift in mindset, not just among security professionals but also among the developers and vendors who build the applications that power the digital world. It’s why the company introduced the Okta Identity Security Commitment—a security initiative that encompasses everything from product innovation to company culture—and why it hopes to push the technology industry forward with IPSIE.
“My big dream is that the people building applications will understand the environment they’re plugging into,” says McKinnon. “That they’ll recognize the need for a standard way of doing things. Because when more of the technology connecting into identity is standardized, that’s when we’ll really start to see a more secure and seamless digital future take shape.”