Interview with Yassir Abousselham, Okta CSO

I spoke to Yassir Abousselham, the CSO for Okta, an identity management cloud security vendor. Before joining Okta this past summer, he worked for SoFi, a fintech company where he built the company’s information security and privacy program. He also held leadership positions at Google, where he built both the corporate security for finance and legal departments and the payments infrastructure security programs, as well as at Ernst & Young, where he held a variety of technical and consultancy roles during his 11-year tenure.

When he first started at E&Y, he worked for an entertainment company that hired them to examine their security issues. He found a misconfigured web server that enabled them to enter the network and compromise systems within the first 30 minutes of testing. This got him started in finding security gaps, and it was when he first realized that security is only as good as your weakest link. “The larger the environment and the more IT infrastructure, the harder it is to maintain these systems.” Luckily they weren’t billing by the hour for that engagement! He went on to produce a very comprehensive look at the company’s security profile, which is what they needed to avoid situations like the one he initially found.

“The worst case is when companies do what I call check mark compliance assessments,” he said, referring to when companies are just implementing security and not really looking closely at what they are doing. “On the other hand, there are a few companies who do take the time to find the right expertise to actually improve their security posture.”

“To be effective, you have to design many security layers and use multiple tools to protect against any threats these days. And you know, the tools and the exploits do change over time. A few years ago, no one heard about ransomware for example.” He recommends looking at security tools that can help automate various processes, to ensure that they are done properly, such as automated patching and automated application testing.

Although he has been at Okta only a few months, the company has yet to experience any ransomware attack. “The first line of defense is educating our employees. No matter how much you do, there is always going to be one user that will open a phished attachment. Hackers will go to great lengths to socially engineer those users.” Okta employs a core security team that has multiple functions, and works closely with other departments that are closer to the actual products to keep things secure. They also make use of their own mobile management tool to secure their employees’ mobile devices. “We allow BYOD but before you can connect to our network, your device has to pass a series of checks, such as not being rooted and having a PIN lock enabled and running the most updated OS version,” he said.

How does securing the Google infrastructure compare to Okta? “They have a much more complex environment, for sure.” That’s an understatement.

Working for an identity vendor like Okta, “I was surprised that single sign-on or SSO is not more universally deployed,” he said. “Many people see the value of SSO but sometimes take more time to actually get to the point where they actually use this technology. Nevertheless, SSO and multi-factor authentication are really becoming must-have technologies these days, just like having a firewall was back 20 years ago. It makes sense from a security standpoint and it makes sense from an economics standpoint too. You have to automate access controls and harden passwords, as well as be able to monitor how accounts are being used and be able to witness account compromises.” He compares not having SSO to putting a telnet server on the public Internet back in the day. “It is only a matter of time before your company will be compromised. Passwords aren’t enough to protect access these days.”


FIR B2B podcast #82: Doing data-driven marketing right

Can data drive a marketing campaign and still keep it creative? Yes, provided you bridge the divide between art and science by benefiting both sides. Paul Gillin and I examine a recent article in Marketoonist that discusses this issue. Blogger Tom Fishburne quotes an agency head who heard a principal from another agency say, “Data drives every piece of creative we put out today.” The agency chief’s reaction: “Boy, your creative must really suck.” When marketers stray from being data-driven to being data-blinded, campaigns fall flat.

One piece worth reviewing about this appeared on one of the Google blogs last year. Google, DoubleClick and an ad agency collaborated to explore how to best do data-driven campaigns, and came up with three suggestions:

  • Know all the sources of data available, and figure out which can fuel smarter creative.
  • Bring in the agency at the start of a project and talk about what data makes the most sense before any creative program is designed.
  • Collaborate and communicate to the extreme.

Fishburne cites an example of a creative video campaign for the state of Tennessee that struck the right balance. Data was used to determine what versions of pre-roll ads to display, with the creative being designed to evoke an emotional response.

Speaking of creative, Amazon has unleashed a slew of actions by various cities around North America in response to its quest to find a site for its second headquarters. Tucson delivered a 21-foot Saguaro cactus, while Kansas City posted creative product ratings on Amazon’s own site to explain its advantages. Some mayors have put together their own wacky YouTube pitch videos. This is every bit a B2B campaign, although not one most marketers can relate to very closely. What we like about it is that Amazon didn’t state the rules too clearly, leaving a lot of room for bidder interpretation. That led to greater creativity. We can’t wait to see who wins (hope it’s St. Louis or Boston).

You can listen to our 16 min. podcast here:

Notable TechWomen, in honor of Ada Lovelace Day

The TechWomen program brings emerging women STEM leaders from around the world to the Bay Area for five weeks of mentoring and career development. Sponsored by the US State Department and run by the Institute of International Education, over the past six years it has brought more than 400 women here.

I spoke to two of the women who are taking part in the program; both are 32 and from different parts of Africa. Martine Mumararungu runs the core traffic engineering for a Rwanda ISP and has a BS in CS. She was one of seven women in her classes. “Most girls in Rwanda think STEM is just for men,” she told me. Luckily, she had an older brother and sister who were interested in science, and that sparked her own interest. She started out in programming, taking classes in C++ and Java, and got more interested in networking technology. She eventually earned her CCNA and CCNP certifications and has found them very much in demand in Rwanda and very valuable for her job at the ISP. She is using the program to learn more about IT security and how she can beef up her ISP’s profile in that area.

Umu Kamara hails from Sierra Leone where she is the assistant IT manager for a private shipping company. She got her BS in Physics and also got several Microsoft certifications. She switched to IT because she was always interested in systems and databases. She started out wanting to become a medical doctor but wasn’t accepted into the program because of low English grades. Now she is glad she didn’t go that route and likes being in IT. Her father (who died when she was four) was a mechanical engineer, and that motivated her to get interested in science at an early age. She is using the program to learn more about cloud technologies and data center security. She may try to switch her EDR products to more cloud-based ones. When I asked her about the relative bandwidth that she has in the States versus at home, she just laughed, agreeing with me that yes, here it is “a bit faster.” She also agreed that the Internet is here to stay no matter where you live, and even if you have just a marketing company you still need an online presence. “You can’t do without it.”

She experienced a data breach at her company; unfortunately, it was just after her boss left town for a seminar so she had to handle the situation. It was caused by an infected cell phone that was connected to the corporate network, and used malware-infused PDF and Word documents. She had to work long days to reinstall her servers and updates. “It was a good experience but I wouldn’t want to do it again.” The company was offline for several days and the revenue impact was huge, since ships couldn’t unload without the appropriate systems operating.

Remembering AIM

AOL is eliminating its AIM service after a 20-year run. It is sort of an ignominious end to the once-popular IM platform. Many of us were teens (or parents thereof) when AIM was in its heyday, and I was a big user back in the early 2000s when I worked at CMP, using it to communicate with our far-flung staff (and even the folks sitting a few feet away from me too). That brings up how IM can bring together work teams to collaborate, and how IM has been an essential tool in many of my jobs since then. Just this morning I was using IM to “talk” to my editor in Pittsburgh and another researcher in Europe for my Inside Security newsletter. Like many of you, I take these conversations for granted, and like many tech companies, I have standardized on Slack; indeed I participate in numerous other Slack groups now.

More than ten years ago, I wrote this story for the NY Times, The I.M. Generation Is Changing the Way Business Talks. In it, I describe the opportunities and challenges that IM faced in the modern business. To me, the timing of this article points out that there still were plenty of businesses that hadn’t even considered any IM tools. IBM was quoted in the piece as using its own IM tool for sending millions of messages daily, and eliminating voice mail tag. In my article, I called IM “the new black,” meaning it was trendy back then.

Today my phone rarely rings — to the point that I haven’t had a “desk” office phone in so long that I can’t even remember. Between IM and emails, there really isn’t any need to “talk” to anyone anymore.

One of the reasons why businesses loved IM is that their own workers literally grew up on the service. “AIM was a domain parents didn’t understand, giving it a feeling of clandestine cool.” This is from TechCrunch, which has this tribute. In that link is a clip with a reminder of its pernicious sound effects. Boy does that bring back memories. One of my favorites was when my daughter was a pre-teen, deeply steeped in using AIM to communicate with 100 of her closest friends. I had trouble getting her to sign off when it was bed time, and so told her that she was going to get kicked off the system promptly at 10 pm. I had set up a firewall rule on our home router to block access to IP port 5190 at that time. She didn’t think I could do that, and after a few warnings I remember her realizing that I meant business when the hour struck. Being a parent back in that era was a lot easier than today, to be sure.

Speaking of pre-teens, I found this awkward story about making dating decisions using AIM. Again, a typical use case from back in that era.

But while AIM set the standard for IM, it didn’t keep up with the times. Ironically, as more users became mobile, they migrated to other IM tools because AOL’s mobile clients were late to the party and under-powered. They were slow to provide APIs, something Slack does in spades and one of the reasons you can find Slack “bots” for all sorts of add-on applications. And as users migrated to other IM services, AOL itself stopped using the service for its own internal communications, at one point using Slack itself. That is bad news when your own tool isn’t capable enough for your own people.

AIM was also a victim of SMS services and smartphones. As more people used both, the use cases blurred further between personal and corporate messaging. My daughter, who is now in her late 20s, told me that she hasn’t used AIM in years. Now she uses WhatsApp for both business and personal reasons, and that can be an issue when she is trying to get her work done and can’t easily find a conversation.

Well before Facebook-stalking was a thing, AIM profile stalking became slang for many users. This Ars writer recalls he had his “first taste of how the Internet could enable asynchronous self-expression and personal broadcasting amid a tight-knit social group.” That was before blogs, before MySpace even. So while I haven’t used AIM in a long time, I am sad that it is actually getting turned off soon.

iBoss blog: Implementing Better Email Authentication Systems

To provide better spam and phishing protection, a number of ways to improve email message authentication have been available for years and are being steadily implemented. However, making these methods work is a difficult path. Part of the problem is that there are multiple standards and, sadly, you need to understand how these different standards interact and complement each other. Ultimately, you are going to need to deploy all of them.

You can read my latest blog for iBoss here to find out more.

Protecting your Windows endpoints with VIPRE Endpoint Security Cloud

VIPRE offers a nice package for small and medium-sized businesses that is easy to use and manage with a wide array of protective features.

We tested VIPRE on a series of different Windows clients during September 2017. It supports all versions of Windows desktop since v7 and servers since v2008R2. It currently protects more than six million endpoints and finds more than a million daily malware infections. VIPRE also sells an on-premises endpoint solution that also includes patch management features.

Pricing starts from $30/yr/seat with significant volume discounts. VIPRE offers free phone based US support during business hours.

Software shouldn’t waste my time

One of my favorite tech execs here in St. Louis is Bryan Doerr, who runs a company called Observable Networks that was recently acquired by Cisco. (Here is his presentation of how the company got started.) One of the things he frequently says is that if a piece of software asks for your attention to understand a security alert, it shouldn’t waste your time. (He phrases it a bit differently.) I think that is a fine maxim to remember, both for user interface designers and for most of us who use computers in our daily lives.

As a product reviewer, I often find time-wasting moments. Certainly with security products, they seem to be designed this way on purpose: the more alerts the better! That way a vendor can justify its higher price tag. That approach is doomed.

Instead, only put something on the screen that you really need to know. At that moment in time. For your particular role. For the particular device. Let’s break this apart.

The precise moment of time is critical. If I am bringing up your software in the morning, there are things that I have to know at the start of my day. For example, when I bring up my calendar, am I about to miss an important meeting? Or even an unimportant meeting? Get that info to me first and fast. Is there something that happened during the night that I should jump on? Very few pieces of software care about this sort of timing of its own usage, which is too bad.

Part of this timing element is also how you deal with bugs and what happens when they occur. Yes, all software has bugs. But do you tell your user what a particular bug means? Sometimes you do, sometimes you put up some random error message that just annoys your users.

Roles are also critical. A database administrator has a very different focus from a “normal” user. Screens should be designed differently for these different roles. And the level of granularity is also important: if you have just two or three roles, that is usually not enough. If you have 17, that is probably too many. Access roles are usually the last thing to be baked into software, and it shows: by then the engineers are already tired of their code and don’t want to mess around with things. Like anything else in software engineering, do this from the first line of code you write if you want success.

Finally, there is understanding the type of device that is looking at your data. As more of us use mobile devices, we want less info on the screen so we can read it without squinting at tiny type. In the past, this was usually called responsive design, meaning that a web interface designer would build an app to respond to the size of the screen, and automatically rearrange stuff so that it would make sense, whether it was viewed on a big sized desktop monitor or a tiny phone. If your website or app isn’t responsive, you need to fix this post-haste. It is 2017 people.

iBoss blog: What Is WAP Billing and How Can It Be Exploited?

An old scam to separate people from their money has been gaining more popularity. It uses a cellphone protocol called WAP billing to steal your money. You have a hint from its name that it has something to do with wireless network protocols, but the idea is to save folks some time when they want to pay for something online by having the charges go directly on the user’s phone bill. I explain the exploit and how it is being used in my latest blog post for iBoss here. One infection point is a “battery optimizer” app that conceals the WAP billing trojan.

HPE blog: What developers can learn from the best museum designers about UX

Inspiration on how to improve user experience can come from many places. Here’s how some top museum high-tech exhibits explain data, using interesting visualizations or a combination of senses. I look at examples from the St. Louis City Museum, the Lincoln Museum in Springfield, Ill. and the Chopin Museum in Warsaw (shown here).

You can read my article in HPE’s Enterprise.Nxt blog here.

iBoss blog: Understanding the Differences Between Anonymity and Privacy

Balancing anonymity and privacy isn’t an either/or situation. There are many shades of gray, and it is more of an art than a science. Making sure your users understand the distinction between the two terms, and setting their appropriate expectations of both, should be a critical part of any job managing IT security.

Most users, when they say they want anonymity, are really saying that they don’t want anyone, whether it is the government or an IT department, to keep track of their web searches and conversations.

However, controlling our privacy is complex. Take a look at the typical controls offered by Twitter. (See the screencap at right.) How can any normal person figure these out? This post for the iBoss blog discusses these and other issues.
