Okta's comprehensive approach to security

Security at Okta spans hiring practices, software architecture, and data center operations. Our end-to-end security strategy enables us to deliver a world-class service while protecting customer data.

We operate under a shared security responsibility model, which means:

  • We’re responsible for the security of the Okta Identity Cloud service and its underlying infrastructure. We’re also committed to providing you with the security features you need in a predictable and reliable manner.
  • Customers configure and maintain their Okta settings according to their security posture and user activity.

Security controls

Below are some of the major controls we leverage to secure our cloud service infrastructure:

Infrastructure and Physical Security

When we selected an infrastructure provider, we drew on our technical team’s experience in developing and operating market-leading cloud services. This enabled us to build in security and availability at every layer, from physical security through to compute, network, and storage. We complement these measures with well-defined security and access policies, and we prove our security through ongoing third-party audits and certification.

We protect your data at every point in our infrastructure, including compute, storage, and network transmission.

We ensure that all of our service providers meet our data protection standards.

We continuously monitor the health of our service and show customers those metrics via this trust portal.

Secure Personnel

Our security-focused culture starts at the highest level with a chief security officer who reports directly to the CEO on security issues. It extends throughout the company via a security team that trains employees to watch for social engineering attacks like phishing, and tests them regularly to ensure compliance. We also support this culture with a policy that limits the number of employees who have access to production systems.

  • Our security controls govern employees and contractors before, during, and after their time at Okta.
  • Our security team builds security into our culture by promoting security awareness and testing employees to ensure compliance.
  • We reduce risk by limiting production access to those who need it to do their jobs, while continuing to monitor their access.

Secure Development Lifecycle

We begin building security into our software before we write a single line of code. Strict security checkpoints govern every step of our development lifecycle, from design through coding, testing, and deployment. Our internal security team works with independent external security researchers to validate our software security.

Each year, we train our developers in the latest secure programming and code review techniques.

Our software security is regularly reviewed by peers, in-house security researchers, and third-party security assessors.

Our software development lifecycle includes more than 60,000 tests.

Our coding tools automatically assess software security as they build our web applications.

Our internal penetration testing team continually audits source code per OWASP standards to measure source code integrity.

Secure Customer Data

Okta’s data protection meets the highest industry standards, complying with FedRAMP and NIST 800-53, HIPAA, and ISO 27001 requirements. Our state-of-the-art encryption technology protects customer data both at rest and in transit to the user’s browser, leaving no weak spots for attackers.

  • We encrypt all customer data at the data field level, ensuring that we protect all of your sensitive information.
  • We protect every customer individually with several unique encryption keys.
  • We protect those encryption keys using Amazon’s industry-tested key management service.

Security and Penetration Tests

We aggressively hunt for bugs in our software using four concurrent security programs. Our internal tests work in conjunction with third-party security audits, a public bug bounty program, and a highly responsive customer bug reporting program. We also believe in the customer’s right to conduct a penetration test on Okta, so we provide them with test environments to do that.

  • We support multiple security and penetration testing programs in parallel.
  • We provide environments to support customers’ own penetration tests on Okta systems.
  • Our public bug bounty program allows anyone to test our system security and report bugs.

Our people make the difference

Our security experts have worked for the world’s leading SaaS companies. We incorporate their research directly into our products in a cycle of continuous improvement.

I’m really impressed with Okta’s responsiveness. Within an hour or two, we always get a response to acknowledge that a request has gone through. Its technicians own even the trickiest problems and work right through to completion. That’s an important thing for us.

Okta has demonstrated, not just to us, but to industry analysts and security experts, that they take security very seriously, and that it's a service that we'll be able to trust.

Learn more about Okta’s security

Want to dive deeper into Okta’s approach to security? Follow the links below:

  • Okta Security Technical Whitepaper
  • Okta SecOps on Security: Protecting Your Okta Orgs
  • Security Deep-Dive: Adaptive Authentication for Enhanced Security
  • How we work with AWS to improve security
  • How Okta Designed a Comprehensive Approach to Security
  • Hands-on security training: Advanced Security: Protect the Modern Perimeter with Okta