Okta Review

The best in identity governance for your business or customer base? This article helps you find out.

Okta is one of the leading platforms in the field of identity management, and their exceptional services extend to include automated user provisioning and de-provisioning, user access control via deployed cloud agents, and password security systems. Additionally, an entire branch of their services is designed exclusively for providing customer-based identity management, with options for extending the authorized login to your bespoke applications and services to include identity governance features.

But what does Okta bring compared to its competitors? And what can you expect to gain from the extensive pricing and licensing options that are available to you? This article goes into comprehensive detail to discuss the various components of the Okta product lineup, with suggestions on how best these services might best suit your exact use cases. In the end, we discuss pricing and draw a helpful conclusion that should assist you in deciding on whether to commit to signing up for Okta.

Integrations

Okta prides itself on the broad availability of possible integrations that you can establish through the system. This foundation of integrations forms the bedrock of their services, allowing you to fully connect your entire network of services into a unified user provisioning and identity management system. Okta provides three distinct avenues of integrations that you can explore to ensure that every aspect of your network is included.

The first is the Okta Integrations Network. This consists of a vast searchable database of out-of-the-box integrations that you can essentially plug into your system and quickly establish user control over the service. The database can be broken down into use cases and is free to navigate without needing to have any account, allowing you to evaluate whether the services you need are covered within their parameters before committing to an account with their services.

Another side of the possible integration system is through the Auth0 Marketplace. This is an equally extensive database of connectable systems, focused on Okta’s Auth0 system—which provides you with better capabilities in customer access control and identity management. The Auth0 Marketplace provides an array of integrations that you can plug directly into your customer-facing apps and services to provide Okta’s proven level of security to your customers. Despite being called the ‘Marketplace’ all the integrations are included in an Auth0 account, meaning you can browse and install at your leisure without being concerned about additional costs.

The third and final avenue for integrations is of course through the APIs. Okta comes equipped with a large variety of APIs for your bespoke integration needs. These include The Apps API for managing apps and their association with users and groups; the Users API for CRUD operations on users; the Sessions API for creating and managing user authentication sessions; the Policy API for creating and managing settings such as a user's session lifetime; the Factors API for enrolling, managing, and verifying factors for multi-factor authentication (MFA); and the Devices API which is for managing device identity and lifecycle.

By combining these three comprehensive methods of integration, you can ensure that your entire network and services are included. Before committing to Okta, evaluate your business's ability to integrate with the available systems. Do you have people on the team who can build bespoke integrations for you through the APIs? If not, are your required services covered through the Okta Integrations Network or Auth0 Marketplace? If they’re not, you might be able to request for Okta to purpose-build these integrations in your stead, but can you afford to wait for these to be built? Consider all of these questions when deciding if Okta is right for you, especially since the broad arrangement of integrations is where Okta excels.

Devices & FastPass

Okta employs a system called Okta Devices to distribute, a cloud-based service that analyzes the devices on your network and accurately report-on and restricts access levels throughout the entirety of your endpoints. The solution is also how the Okta FastPass system is distributed, which is the autofill and passwordless agent that provides convenient logins to users that are registered on your network.

The system is designed to help with a variety of use-case security issues that might be of interest to your business. Namely, by introducing better password control and also providing remote sign-on systems. This component of the service is essentially the ‘agent’ part that handles all the necessary tasks that require direct device access. Because it is cloud focused, this means that all the features brought by Okta Devices can be managed and facilitated remotely, with all the relevant information being forwarded to the central control of your administrators.

The system shines when interacting with your mobile endpoints, since it can provide insight into device access and control access to unmanaged remote devices. You can additionally integrate this system with other endpoint detection and incident response (EDR) systems to deny privileged access in the case of a compromised device. Essentially, any device registered to the Okta system by your end users is automatically registered within the monitoring and user provisioning infrastructure. This means that the Devices and Okta FastPass systems can also work in Bring-Your-Own-Device (BYOD) environments without much oversight on the part of your administrators.

Okta FastPass comes with the same level of comprehensive integrations that come with all other aspects of Okta. It comes with passwordless login to app access on devices that accept biometrics, with no more prompts when accessing Okta-managed apps after logging in with biometrics. This means you can use the solution to secure access to corporate resources and utilize FastPass to reduce end-user friction with phishing-resistant characteristics and adaptive policy checks.

Identity Governance

Okta also provides comprehensive options for Identity Governance that comes in a package of three separate products, each orientated towards supporting different aspects of your user’s lifecycle and access. These three components work separately to perform their overview functions, while also synchronizing to ensure the process of identity governance is easy to manage.

The first of these products is Lifecycle Management, which represents the core of the user provisioning and deprovisioning solution. This system is completely automated, with few demands on your administrators, which means de/provisioning of new users into your network is fast and secured from human error. When it comes to de/provisioning, you want as much automation as possible—not just because it saves on time—but by establishing a set of default parameters for each user, you ensure that all of your users of the same group have equal levels of access without the risk of forgetting something.

The second product is the Access Governance system, which provides the core system that you are probably most interested in: controlling what users can access. This includes managing and automating access requests, and improving your security posture through behavioral analysis systems that can detect and resolve threats (discussed more below). The system provides a streamlined experience for employees, partners, and line-of-business users such as app owners and IT administrators. The system meets employees where they are, giving a much more straightforward user experience by utilizing natural language processing and connecting with ubiquitous technologies such as Slack and Microsoft Teams.

Uniting all of these systems together in a structured methodology is the third product that is part of the Identity Governance package: Workflows. This solution provides a fully integrative system that allows you to build structured systems that automate the identity governance pipeline in a customizable way. By pulling information through Okta, all of your connected integrations can be supported, meaning it can immediately process all of your user de/provisioning demands or access changes. This system is also code-free and is run entirely through GUI-based scripting, which means the process is also excessively easy to configure and manage.

Secure Protection

Identity governance demands a proportionally high level of protection to prevent a number of both accidental and intentional security breaches. Okta matches this high level of security and goes above and beyond to ensure your user data is protected with absolute certainty. As discussed above, one of the ways this solution can drastically improve the security of your network is through the Okta FastPass system. This system allows you to reduce password management risk by centralizing identification with a single sign-on. This allows you to utilize the strongest passwords possible without relying on human-driven password management, which inevitably leads to some of your users taking shortcuts with their passwords for the sake of convenience.

The product also increases identity assurance by using a range of multi-factor authentication (MFA) systems, such as one-time passwords, soft or physical tokens, or numerous biometrics options. You can apply and manage these policies to all applications to safeguard your data, regardless of where or how it is accessed. Support for RADIUS, RDP, ADFS, and LDAP expands coverage to on-premises applications, while the ‘MFA Everywhere' option provides you with the capabilities to expand this system to include the Okta Integration Network's vast number of out-of-the-box connections.

Okta detects and evaluates user behavior patterns and uses this information to construct profiles that characterize usual patterns based on previous activity. This information allows you to create sign-on policy rules that account for changes in user behavior—for example, if a user signs in from a new location or uses a new device, you can establish a policy to demand multifactor authentication. Unlike many other products, Okta doesn’t use behavioral analysis as the primary means of detecting unauthorized access, but it does provide it as an additional layer of both convenience and reporting.

Customer Identity Governance

So far, we’ve focused mainly on the user (or ‘workforce’) identity governance, meaning identity governance for those working within your organization. However, as discussed in the Integrations section, Okta also provides services for managing customer identities. This system provides the same level of security, control, and integrations, but for the development of customer-facing services/applications that your organization is building or has in service.

This service connects your app with any of the available integrations—either acquired from the previously discussed Auth0 Marketplace or built yourself using the numerous APIs. This system allows users to authenticate using their preferred, existing social login credentials, which provides a way for a simple and quick authentication process, and by including authentication solutions that are frictionless and versatile, you can allow people to interact with your systems in the way that most suits them.

Account hacking threats through customer identity governance are mitigated by seamless and secure authentication via a central authorization server. This means that your customers can use a single set of login credentials for all of your systems, which allows you to orchestrate an unbroken authentication experience across various applications. The product also comes equipped with full role-based access control—this system means you can examine your users' demands and assign them to roles based on shared duties. Then, for each user, you assign one or more roles and one or more permissions to each role. Because users no longer need to be controlled individually but instead have rights that conform to the permissions provided to their role, the user-role, and role-permissions connections make it straightforward to perform user assignments.

The platform itself is run through Auth0, which is a drop-in authentication service built around providing customer-based identity governance. The solution is GDPR compliant and fulfills several other compliance demands including ISO27001, ISO27018, SOC 2 Type II, and HIPAA BAA. This ensures that your implementation of the service will up your security posture, and increase customer confidence in your products. Additionally, Auth0's Secure Systems Development Life Cycle (SSDLC) ensures that security is implemented from the start of a new project and is maintained throughout the system's life. The security of services and apps is critical for maintaining the dependability and integrity of data under Auth0's management.

Trials & Pricing

There is a free trial available for the Workforce Identity Cloud solution. The trial lasts for 30 days, plenty of time to familiarize yourself with the services, and also check out the integrations. However, as mentioned previously, it’s worth noting that you can browse the full extent of the Okta Integrations Network without even needing to sign up for a trial account. The trial includes full access to the available APIs in case you need to set up your own bespoke integrations.

The Okta Customer Identity Cloud is transitioning towards its newer Auth0 system, both of which come with a free plan that includes extensive support and features available without paying for anything. The Auth0 solution is free for up to 7,000 active users, after which the costs scale to either $23/mo or $240/mo depending on the level of subscription you find most applicable to your resource and feature demands.

The Workforce Identity services are divided into the individual components of the solution, meaning you can pick and choose exactly what services you need from the product and make your licensing choices based on the available options. The components are Single Sign-on; Multi-factor Authentication; Universal Directory; Lifecycle Management; API Access Management; Advanced Server Access; Access Gateway; Workflows; and Identity Governance. These components are all individually priced from between $2 to around $11 per user per month, meaning the costs can climb substantially as you begin to outfit your business with licensing choices.

Conclusion

Okta easily provides one of the best identity management services on the market today, but that level of service comes at a premium. Overall, the ability to browse through what is likely the largest selection of out-of-the-box integrations available, accompanied by the comprehensively documented APIs, means Okta almost certainly has your needs already covered. Additionally, the breakdown of services by monthly per-user subscriptions facilitates a modular approach to licensing, which makes the service more enticing.

However, it is worth noting the increased costs of the product when compared to other, similar services. The individual cost listing for some of the modular components can increase your licensing fee quite dramatically, especially when some of the modular services are offered as standard by other competitors. Despite this, you get what you pay for with Okta on all levels: features, compatibility, scope, and support all come at a top-tier level of service.

Essentially, it boils down to how much identity management matters to your business. If it is one of the core focuses of your business, application, or services, then you cannot go wrong with the investment—even if the investment itself is a pricey one. The best thing to do is always going to be: to try it out first. Set up a trial account and take full advantage of the service for the entire 30 days, dedicate time to learning the features, and get your fellow administrators onboard.