Access Gateway Security Statement
Okta takes a comprehensive approach to security, spanning hiring, architecture and software development that powers Okta. Our focus also encompasses the data center strategies and operations that enable the company to deliver a world-class service. For more information about Okta’s overall security see okta.com/security.
This paper is intended to describe the security measures in place for Access Gateway, a specific product within Okta’s portfolio. Access Gateway is an on-premises appliance, so it is not officially covered by our SOC 2 Type II and other SaaS-oriented certifications. However, Okta’s comprehensive security absolutely extends to Access Gateway.
Below, we describe which controls, processes, and procedures are in place to ensure that Access Gateway is locked down to thwart attackers to the greatest extent feasible.
The operating system that powers Okta Access Gateway is hardened and secured to ensure that your systems are safe and updated to counter all known threats.
Okta performs a multi-layered vulnerability assessment and risk analysis on every new release of the Access Gateway virtual appliance, including:
- Host-level Vulnerability Scanning and Risk Analysis - at every release the Okta Security team performs an analysis of thousands of system-level documented vulnerabilities tied to specific software packages, versions and patch-levels.
- Application-Level Vulnerability and Risk Analysis - At every release the Okta security team performs a review against common web-application vulnerabilities.
- Library-Level Vulnerability Analysis - Okta tracks all libraries used by Access Gateway evaluating and deploying applicable updates, especially those involving security.
- SSL/TLS (encryption) Configuration Verification and Risk Analysis - The Okta security has done a deep analysis of the SSL/TLS configuration, including enabled/disabled ciphers, certificate strength, digital signature strength, client compatibility of all browsers and mobile devices and an analysis of any known vulnerabilities ties to the configuration in conjunction with any known clients
A completely clean scan and analysis is required for an Access Gateway build to be certified for production use.
In addition, Access Gateway, and the OS behind it, is penetration tested, and all packages are tested against Common Vulnerabilities and Exposures (CVEs) before each release. These tests are also performed on a regular basis to determine if new security updates are required.
Okta pays very close attention to all CVEs to ensure that we rapidly issue patches and prevent any known security issues.
For a general overview of how Okta views security please see the Okta Security White Paper.
To protect traffic proxied by Access Gateway, the following protections are applied:
- All ports are locked with the exception of 443 and 22. In addition, any requests on port 80 are automatically redirected to port 443.
Ports 161 (SNMP) and 162(snmpwalk) may be enabled if required.
- TLS is enforced on all connections.
- Access Gateway does not store any credentials for external applications.
- Sessions exist in RAM only per node with no external access and no session information is persisted to disk.
- Sessions are fingerprinted to negate session hijacking and application session jumping.
In addition, Access Gateway captures user IP address and browser information in sessions. On every request, sessions are validated and changes written to the audit log. Application session integrity checks can be configured to redirect to a session integrity error page or can force IDP re-authentication on change.
Build and source control security ensures a safe environment.
- All builds are scanned for both viruses and malware using best-in-class tools.
- Builds cannot be released without specific authorization.
- Source code access is protected by strict access policies and strong multi-factor authentication is always required.
- All developers must take and maintain security training.
Access Gateway instances may need to occasionally be accessed by Okta to resolve and troubleshoot errors.
- Access is provided via a specialized secure environment using an Access Gateway only VPN.
- Only select Okta engineers and support personal can access instances.
Segregation of duties is enforced on releases to protect against malicious insiders.
- All access to Access Gateway instances is audited.
- Certificates are required on all customer instances.
- Root access to instances is tightly controlled and customers may elect to disable support access completely at anytime.