ETR Insights recently hosted a panel discussion with four veteran IT executives, focusing on Okta’s most recent security breach and the evolving identity and access management landscape. The panel raised questions about Okta's monitoring and alerting response and introduced lingering doubt as to the company’s previously recognized status as the best-of-breed leader within the Identity & Access Management (IAM) market. ETR Insights subscribers can watch the full webinar, read the summary, or review the transcript on our research platform. If you are not yet a subscriber, you can start a free trial and gain access today. In the meantime, a brief synopsis of the panel summary follows below.
In this panel discussion, the ITDM group discusses competitors like BeyondTrust, Saviynt, JumpCloud, and more (each with innovative solutions posing a substantial challenge to Okta), the resurgence of older authenticator technologies, and the potential expansion of well-established security players like Fortinet and Palo Alto Networks into identity authentication solutions. Our panelists observe companies like SailPoint and SpecterOps leveraging generative AI for policy construction and note a growing market for more sophisticated solutions catering to complex enterprise needs. The full panel transcript and summary also examine JumpCloud’s unified approach to managing user identities; Microsoft Entra’s security feature bundles; and why Okta’s claim over large enterprises may not be as secure as present data suggests following yet another breach and bungled public response.
Vendors Mentioned: Apple / Auth0 / BeyondTrust / Bitrise / Cisco / CyberArk / Fortinet / GitHub / Google / JumpCloud / Juniper / Microsoft / Okta / Palo Alto Networks / Ping / RSA Security / SailPoint / Saviynt / Secret Double Octopus / SpecterOps / Talon / Twilio
Panel Overview
Our panelists are current users of Okta and Auth0 for identity and access management and multi-factor authentication. All raised significant concerns about Okta's response to its most recent security breach, where malicious actors gained access through a rogue IP and compromised session cookies, session tokens, and HAR files. One veteran Director of IT, whose firm was already considering alternate solutions, was shocked by how long the intrusion lasted. “It’s less about the time it took them to notify their customers, and more about the amount of time that the bad actor was actually in the environment. 14 full days is a little mind-boggling to me.” Okta’s breach not only affected their internal operations but also put the security of their clients at risk. Another executive found Okta’s subsequent communication borderline deceptive, a “bait & switch,” likening it to Target’s 2013 breach where the retailer was slow to disclose the full extent of users affected. “I think what we're seeing is a trend in cybersecurity; they’ll announce something, make it seem smaller up front, and then after the dust settles a little bit come back around and disclose what's really going on.” A third CISO was particularly troubled by what they perceived as inadequate monitoring and alerting measures; for them, contract renewal with Okta is now in doubt. “For an organization of that size and complexity, whose value proposition is all about furthering security hygiene, posture, and awareness, I found their response and forensic accounting lackluster and surface level, especially when they started talking about adjusting how they're going to monitor and react.”
Our panel made it very clear that there are alternatives to the vendor once widely viewed as best-of-breed, with competition coming from both old and new rivals. BeyondTrust, Saviynt, and JumpCloud are strong players challenging Okta in the IAM security space. “I think that now they've put themselves in a landscape where not only could they be left, but there's enough other competitors out there that are hungry for business and still innovating.” JumpCloud offers functionality that integrates directory services, device management, and identity governance; this unified approach is particularly appealing to organizations looking for a single solution to manage user identities across various systems and devices. One IT Director shared an experience where he successfully replaced Okta with JumpCloud in a previous role and organization and said the transition was quite seamless.
Microsoft Entra, formerly Azure Active Directory, is also gaining traction, bundling various IAM features such as privileged access management, MFA, SSO, and identity protection. Okta should be mindful of both small and large defections. “For a company as large as the one that I work for—we employ 90,000 globally—to take that business and move it to somebody else is going to be really significant for somebody like Okta.” Another panelist highlighted evolving SOC 2 compliance and a shift towards more sophisticated MFA, for which Okta may be unprepared. “The entire model of identity and access management is going towards future state MFA—and once AI gets involved, forget about it. That is not going to bode well for Okta at all.” Okta must continue to innovate to fend off the competition and keep pace with industry advancements, even more so following their latest mishaps.
Established and well-entrenched companies like Fortinet and Palo Alto Networks remain key security players with significant potential to expand their roles in their client base, particularly around authentication solutions. “I would love to see somebody like Fortinet or Palo Alto jumping into this space for authentication tools that are cross-platform. Integrations with Microsoft or the other big players could be something really advantageous for them. I'm not saying that they don't have that now, but people think of Palo Alto as a frontline for authentication for SSL.”
One panelist predicts a shift away from traditional IAM towards more innovative solutions, such as those offered by SailPoint and SpecterOps, which use generative AI to enhance policy construction and implementation. “They were founded by Red Teamers that are looking for common attack paths with identity and access management, to take whatever you're using and help you better construct policy and use what you have. I think that's going to be the future, leveraging the open-source community.” Microsoft’s bundled security services will remain dominant among SMBs. “If you are under a quarter of a billion dollars in revenue, there's almost no reason to not at least look at Microsoft. Their licensing makes it easy. But when you start getting large and sophisticated enough and that you have specialized use cases, your needs are naturally going to push you in the direction to evaluate a more catered solution.”
![](https://s3.amazonaws.com/prod-etr/uploads/images/oktatimeseriesoct23.png)
ETR Data: Okta's most recent spending intentions data was collected during ETR’s OCT23 TSIS, PRIOR to news of the most recent security breach being released. Although the vendor’s overall Net Score (blue line above) within that survey hit all-time lows, the spending intentions among the world’s largest organizations (as represented by Global 2000 and Fortune 500 customers) remained healthy. Meanwhile, the company's Pervasion metric (yellow line above) continues to climb higher. In fact, Okta had the 6th highest Pervasion metric among all information security vendors during this survey period. We anxiously await the JAN24 TSIS data to track any impact this latest security breach may have on the vendor’s forward-looking spending.
If you would like to watch the full panel replay or read the entire transcript and summary, please log in to the ETR research platform. And stay tuned for the January 2024 Technology Spending Intentions data coming soon. That survey is currently in the field, and the fresh spending intentions data for the calendar year 2024 will begin pulling into our research platform next week. NOW is the time to start your own free trial and see the data for yourself.