When an Okta administrator has set up password syncing to a downstream system.

Suppose I have figured out how to obtain working credentials for the Okta administrator at Big Corp. At 0815 on Friday morning I use those credentials, and as the administrator I tell Okta to synchronise passwords for Big Corp to
As each Big Corp employee signs in with Okta that morning, Okta "correctly" sends over their password to for me.

How easy is it for them to find out about my password stealing operation? How quickly do Big Corp figure out there's a problem? Once they realise that I have their Okta administrator's credentials, can they shut me out while they investigate, or do they need Okta to help them?

When you trust Okta to keep passwords safe, they can (and here do) fuck that up. Does Okta offer a product where they can't make things worse? Note that a product where there's a config setting "Make things worse", even behind six "Are you really sure?" dialogs, is worthless for this purpose; the actual product that your customer bought needs to irrevocably be better than nothing.

This reminds me of the situation with private keys for certificates in the Web PKI ("SSL certificates"). So long as you do this correctly you cannot get into trouble. But once you try to fudge things, maybe because it seems easier, and now a private key is (even briefly) in the possession of another party, it's game over for security.

Getting working credentials for an Okta administrator is not unlike getting working credentials for the "root" user on a UNIX system. Note that, as with getting root, this edge case isn't the only way that an attacker could compromise the security of an Okta tenant. Similar attack vectors might include: setting up an AD or LDAP directory with delegated authentication, or adding a password webhook.

The way that you mitigate these sorts of issues is very similar to how you'd mitigate the risk of a bad actor getting root access:
1. Log everything, check the logs frequently
2. Require that all administrators use multiple factors to log in (Yubikey, WebAuthn, etc.)
3. Limit the permissions to only what a person needs

I'm not trying to downplay the scenario that you present, it is serious.
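The reply's first two mitigations (log everything and check the logs; require MFA for administrators) can be turned into a concrete detection for exactly the scenario the thread describes: an administrator session that goes on to enable password sync to a downstream application. The script below is an added example, not code from the thread or from Okta. Its event records are constructed and only loosely shaped like Okta System Log entries; the `application.lifecycle.update` event name, the `setting` field, the `push_password_updates` / `sync_password` values and the flat `mfa_used` flag are assumptions standing in for whatever your tenant actually emits, so confirm the real names in your own System Log before using the rule.

```python
"""Flag risky Okta-admin activity in a System-Log-style event feed (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed: which accounts hold Okta administrator roles in this tenant.
ADMINS = {"admin@bigcorp.example"}

# ASSUMED placeholder names for the setting that turns on password push to a
# downstream app; confirm the real event/setting names in your own System Log.
PASSWORD_SYNC_SETTINGS = {"push_password_updates", "sync_password"}

# How long after a weak (no-MFA) admin sign-in a config change is still tied to it.
WINDOW = timedelta(hours=1)

# Constructed sample events, loosely shaped like Okta System Log entries:
# an admin signs in without a second factor and, five minutes later, turns on
# password sync for an app; an ordinary user then signs in normally.
SAMPLE_EVENTS = [
    {"published": "2023-06-02T08:10:00Z", "eventType": "user.session.start",
     "actor": "admin@bigcorp.example", "mfa_used": False, "target": []},
    {"published": "2023-06-02T08:15:00Z",
     "eventType": "application.lifecycle.update",       # ASSUMED event name
     "actor": "admin@bigcorp.example", "mfa_used": False,
     "setting": "push_password_updates",                 # ASSUMED field name
     "target": [{"type": "AppInstance", "displayName": "Downstream HR app"}]},
    {"published": "2023-06-02T09:00:00Z", "eventType": "user.session.start",
     "actor": "alice@bigcorp.example", "mfa_used": True, "target": []},
]


def parse_ts(stamp):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def admin_logins_without_mfa(events, admins=ADMINS):
    """Mitigation 2 in the thread: every administrator session should carry a second factor."""
    return [e for e in events
            if e["eventType"] == "user.session.start"
            and e["actor"] in admins
            and not e.get("mfa_used", False)]


def password_sync_changes(events):
    """Mitigation 1: surface every change that enables password push to a downstream app."""
    return [e for e in events
            if e["eventType"] == "application.lifecycle.update"
            and e.get("setting") in PASSWORD_SYNC_SETTINGS
            and any(t.get("type") == "AppInstance" for t in e.get("target", []))]


def findings(events, admins=ADMINS, window=WINDOW):
    """Rate each password-sync change: 'high' if the same actor signed in without
    MFA within `window` before the change, else 'medium' (still worth a review,
    because the change itself is what exposes passwords to the downstream system)."""
    weak_logins = admin_logins_without_mfa(events, admins)
    out = []
    for change in password_sync_changes(events):
        t_change = parse_ts(change["published"])
        from_weak_session = any(
            login["actor"] == change["actor"]
            and timedelta(0) <= t_change - parse_ts(login["published"]) <= window
            for login in weak_logins)
        app = next(t for t in change["target"] if t.get("type") == "AppInstance")
        out.append({"severity": "high" if from_weak_session else "medium",
                    "actor": change["actor"],
                    "app": app.get("displayName", "?"),
                    "when": change["published"]})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['when']} {f['actor']} "
              f"enabled password sync to {f['app']}")
```

Every password-sync change is reported regardless of how the session was authenticated, since the change itself is the exposure; the no-MFA correlation only raises the severity. The same structure extends to the other vectors the reply names (a new delegated-authentication directory, a new password webhook) by adding their event names to the filter in `password_sync_changes`.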