The Okta Breach: Time for schadenfreude or important SaaS security lessons? | HCLTech

April 27, 2022

Okta’s announcement that as many as 366 of its customers were potentially affected by the Lapsus$ security breach is still being digested by the SaaS market. Competing SaaS vendors might be tempted to capitalize on the breach by raising the anxiety level of Okta customers and needling them to switch providers. Few, if any, vendors are immune to attack, so instead of treating the Lapsus$ breach as an occasion for schadenfreude, SaaS providers and customers alike should treat it as a learning moment. Customers of any SaaS vendor have important cybersecurity lessons to draw from this incident.

Companies pressured by SaaS vendors capitalizing on the Lapsus$ breach should read these security lessons first.

The impact of the Lapsus$ breach continues to unfold, but it is not too early to apply the security suggestions and lessons below.

Okta is primarily a gatekeeper: it provides cloud-based authentication and single sign-on to its customers. Once the identity provider is compromised, every application that trusts it for authentication is exposed, and the attacker’s options multiply. The fact that affected Okta customers and the market were informed roughly two months after the intrusion (January 2022 activity, disclosed in March 2022) is cause for concern. All Okta customers should have been informed immediately so that they could take protective actions.

Service to customers may not have been interrupted, but that may be pure luck. Precious time for detection and response was lost, and as with many such intrusions, only time will tell whether lingering or residual compromises have been contained and localized.

These are key recommendations for SaaS customers to consider: 

  • Understand the shared responsibility model for your organization. Even though this compromise occurred on Okta's side, customers should have an active threat protection and monitoring solution for all of their cloud and on-premises services. Collate logs from your on-premises systems and your SaaS vendors (for Okta, the System Log) and review them for events such as: 
    • Creation of new administrative accounts or grants of administrative privilege: for this you need a traceable identity security management system that handles all provisioning, including privileged accounts.
    • Users assigned to new applications: for this you need to monitor and periodically certify which users have been granted access to which applications. 
    • Previously unauthorized users gaining new access roles: for this you need a periodic access governance, review and certification process tied to your identity security management system. 
    • Any other suspicious access activity, such as administrator console access from an unfamiliar network or by third-party support staff: for this you need a log management and security information and event management (SIEM) system with active monitoring and an event taxonomy that supports alerting on these cases. 
  • Implement a properly designed privileged access management system to govern all cloud and on-premises environments. Such a system can limit the blast radius of a compromised third-party support account, which is how the Okta intrusion began. Once Lapsus$ controlled a support engineer's account, it could reach Okta's internal Slack and Jira applications and the back-end administrative panel used to support customers.  
  • Put a credible back-up provider or on-premises solution on standby. Relying solely on paper SLAs and contractual language is insufficient and tempts fate. After all, the cloud is someone else’s data center, so you have little control over it. 
  • Insist on an audit review of your cloud provider based on the Cloud Security Alliance’s Cloud Controls Matrix, privileged access management standards, and OWASP Top 10 protection mechanisms. 
  • Last but not least, guard against vendor reticence, which can cost you precious time, by contractually requiring immediate notification of security incidents and enforcing commensurate penalties when that obligation is breached. 
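As an added example (not code from this article, from HCLTech or from Okta), the script below applies the log-review items from the list above to a handful of Okta-style System Log records. The records are constructed for the demonstration; only their field layout (eventType, actor, target, client, outcome, published) follows the Okta System Log format, and the eventType strings used as rules should be checked against Okta's current event catalogue before use. The organization domain `example.com` and the trusted network `203.0.113.0/24` are assumptions.

```python
"""Triage Okta-style System Log records for the review items above.

Constructed example: records, domain and trusted networks are assumptions.
"""
import ipaddress
import json

# Constructed sample log (JSON Lines), modelled on Okta System Log fields. Not real traffic.
SAMPLE_LOG = """
{"published":"2022-01-16T10:00:00Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com","type":"User"},"client":{"ipAddress":"203.0.113.10"},"target":[]}
{"published":"2022-01-16T10:05:00Z","eventType":"user.account.privilege.grant","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"support-eng@contractor.example","type":"User"},"client":{"ipAddress":"198.51.100.77"},"target":[{"type":"User","alternateId":"bob@example.com"},{"type":"Role","displayName":"Super Administrator"}]}
{"published":"2022-01-16T10:06:00Z","eventType":"application.user_membership.add","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"support-eng@contractor.example","type":"User"},"client":{"ipAddress":"198.51.100.77"},"target":[{"type":"AppUser","alternateId":"bob@example.com"},{"type":"AppInstance","displayName":"AWS Account (SAML)"}]}
{"published":"2022-01-16T10:07:00Z","eventType":"group.user_membership.add","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com","type":"User"},"client":{"ipAddress":"203.0.113.12"},"target":[{"type":"User","alternateId":"dave@example.com"},{"type":"UserGroup","displayName":"Finance-Admins"}]}
{"published":"2022-01-16T10:08:00Z","eventType":"user.session.access_admin_app","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"support-eng@contractor.example","type":"User"},"client":{"ipAddress":"198.51.100.77"},"target":[]}
{"published":"2022-01-16T10:09:00Z","eventType":"user.session.access_admin_app","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com","type":"User"},"client":{"ipAddress":"203.0.113.12"},"target":[]}
{"published":"2022-01-16T10:10:00Z","eventType":"user.mfa.factor.deactivate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"support-eng@contractor.example","type":"User"},"client":{"ipAddress":"198.51.100.77"},"target":[{"type":"User","alternateId":"bob@example.com"}]}
"""

ORG_DOMAIN = "example.com"                                 # assumed: the customer's own identity domain
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]    # assumed: corporate egress ranges

# Review items from the recommendations, keyed by eventType (assumed names; verify against Okta's catalogue).
PRIVILEGE_EVENTS = {"user.account.privilege.grant": "administrative privilege granted"}
APP_EVENTS = {"application.user_membership.add": "user assigned to application"}
ROLE_EVENTS = {"group.user_membership.add": "user added to privileged group"}
SENSITIVE_EVENTS = {
    "user.session.access_admin_app": "admin console opened",
    "user.mfa.factor.deactivate": "MFA factor removed",
}


def parse_log(text):
    """Parse JSON Lines into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_trusted_ip(ip):
    """True if the client address falls inside a known corporate network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:            # missing or malformed address is never trusted
        return False
    return any(addr in net for net in TRUSTED_NETS)


def target_names(event, kind):
    """displayName of every target entry of the given Okta target type."""
    return [t.get("displayName", "") for t in event.get("target", []) if t.get("type") == kind]


def detect(events):
    """Return the events a reviewer should look at, each with a reason and severity."""
    findings = []
    for ev in events:
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue                                  # failed attempts belong in a separate queue
        et = ev.get("eventType", "")
        actor = ev.get("actor", {}).get("alternateId", "")
        ip = ev.get("client", {}).get("ipAddress", "")
        # Third-party support staff or an unknown source network raise severity.
        risky = not actor.endswith("@" + ORG_DOMAIN) or not is_trusted_ip(ip)
        reason = None
        if et in PRIVILEGE_EVENTS:                    # every new admin right gets reviewed
            reason = PRIVILEGE_EVENTS[et] + ": " + ", ".join(target_names(ev, "Role"))
        elif et in APP_EVENTS:                        # every new app assignment gets certified
            reason = APP_EVENTS[et] + ": " + ", ".join(target_names(ev, "AppInstance"))
        elif et in ROLE_EVENTS:                       # only privileged-looking groups are flagged
            groups = [g for g in target_names(ev, "UserGroup") if "admin" in g.lower()]
            if groups:
                reason = ROLE_EVENTS[et] + ": " + ", ".join(groups)
        elif et in SENSITIVE_EVENTS and risky:        # routine for staff, suspicious otherwise
            reason = SENSITIVE_EVENTS[et] + " by external actor or from untrusted network"
        if reason:
            findings.append({
                "published": ev.get("published"),
                "eventType": et,
                "actor": actor,
                "ip": ip,
                "severity": "high" if risky else "medium",
                "reason": reason,
            })
    return findings


def actors_by_findings(findings):
    """Count findings per actor so one busy account (e.g. a support login) stands out."""
    counts = {}
    for f in findings:
        counts[f["actor"]] = counts.get(f["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f['published']} {f['severity']:<6} {f['actor']:<32} {f['reason']}")
```

On the sample, four of the five findings are attributed to the contractor account acting from outside the trusted range, which is the pattern a SIEM rule should surface regardless of whether each individual event is "normal" for a support engineer. In production, replace the embedded sample with a System Log export or API pull, keep the trusted-network and domain lists in configuration, and route failed outcomes to a separate brute-force rule rather than dropping them.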

Common vulnerabilities and exposures (CVEs) are published continually, and ransomware attacks and data breaches continue to increase. The lesson of the Lapsus$ breach is that while we are constantly under threat from cyberattacks, we can reduce the risk and contain the damage by following the steps above. That’s better than schadenfreude any day. 

About Enterprise Studio

Enterprise Studio provides IT solutions and services to thousands of customers across many industries. We specialize in helping organizations address the challenges of optimizing their technology and transformations.

We use a blend of deep technical skills, advisory and consulting expertise to help you navigate the complexities that come with competing in an inter-connected world. By addressing IT challenges while enabling business and cultural transformation, your IT and business teams can achieve better, more predictable outcomes with long-lasting benefits.

Our global team across North America, Europe, Latin America, India, Australia, and Asia has a relentless focus on customer centricity. Our team’s expertise, built upon decades of experience across digital advisory consulting, IT business management (ITBM), cybersecurity, and AIOps, can help you move quickly from idea to value as you build, integrate and adopt resilient enterprise solutions.
