Identity Threat Protection with Okta AI
Identity-based attacks are a growing threat to organizations and their users. These attacks use techniques like phishing, session hijacking, and credential stuffing to compromise sensitive information about the people in your org. Protecting against these attacks requires a comprehensive security strategy.
Identity Threat Protection with Okta AI (ITP) is a continuous identity threat solution that responds to threats as they happen. It combines your current identity security solutions (like ThreatInsight, Behavior Detection, and risk-based authentication) to provide complete identity protection to your org.
Identity Threat Protection continuously evaluates users and their sessions, receiving risk signals through the Okta risk engine and through security events providers. When ITP identifies changes in a user's risk, Network Zone, device, or behavior, it launches automated mitigation and remediation actions that you can configure according to your org's security requirements.
This constant and real-time risk assessment provides a Zero Trust approach to identity management security.
How it works
Without ITP, your configured global session and authentication policy conditions are only evaluated for identity threats when a user signs in to an org. For all subsequent web requests, your authentication policy is evaluated against the app from which the request is received.
With ITP, these policies, along with your Network Zones, risk scoring, Behavior Detection and evaluation, Okta ThreatInsight, and device assurance configurations, are continuously evaluated for identity threats throughout the user's session.
ITP also determines risk for your org using signals from Okta Verify and other security events providers (if configured). Using Okta Verify and your integrated endpoint detection and response (EDR) solutions, ITP gets signals about device context, admin or user-reported risk changes, and IP threats detected by Okta.
Using the Shared Signals Framework (SSF), you can configure a shared signal receiver integration with security events providers to inform your users' entity risk detection settings for the entity risk policy. This allows the security events provider to transmit risk signals to Okta. By receiving risk signals from security events providers, you can uncover more potential identity threats.
A security events provider is a third-party vendor that supports SSF and with whom Okta has partnered to exchange security-related events. You must be a customer of the security events provider to integrate them with Okta.
ITP provides an Entity risk policy that enables you to configure automatic actions in response to identified risks. You can customize this policy for different scenarios based on user group, risk level, and risk detections. If ITP uncovers a risk, your entity risk policy can run a delegated flow or terminate the user's access to apps that are configured for Universal Logout.
There are several ways that you can monitor Identity Threat Protection while it identifies and responds to identity-based security threats:
- The user risk profile displays a risk level of low, medium, or high based on the user's login, session, and entity risk detections. It also displays the login, session, and entity risk detections for that user over the last seven days.
- The Admin Dashboard has widgets for continuous access, entity risk detections, and at-risk users. These widgets provide an overview of your org's ITP events.
- The System Log displays the details of all logged ITP events in your org.
- Detailed reports provide comprehensive information about your org's risk detections.
This diagram shows how ITP works with Okta ThreatInsight to continuously strengthen your org's risk and security ecosystem.
Benefits
Identity Threat Protection provides orgs with these important security features:
- Post auth session and risk evaluation: ITP continuously evaluates your global session, authentication, and entity risk policies to identify risks that occur during an active session, and not just when users sign in. The Shared Signals Framework (SSF) enables continuous access monitoring even when the user isn't interacting with Okta.
- Diverse risk signals: ITP evaluates risk signals that Okta identifies and signals that your security providers identify. Orgs can analyze risk signals from multiple sources to increase their protection against identity threats. By using security providers, you can choose the best options for your unique security needs.
- Automated threat remediation: ITP continuously assesses policy criteria to drive actions like terminating a session or prompting users for MFA. It can also initiate flexible Workflows to impose read-only access based on changes in identity, device context, or entity risk, or launch an incident management process to quarantine the user, device, or app.
- Universal Logout: You can instantly terminate sessions across all supported apps and devices, ensuring comprehensive security during threats or employee lifecycle management.
- User risk insights: Dashboard widgets, entity risk levels, and reports allow you to view your org's overall security landscape at a glance.
Topics
- Identity Threat Protection key concepts
- Get started with Identity Threat Protection
- Universal Logout
- Workflows for Identity Threat Protection
- Entity risk policy
- Post auth session evaluation with Identity Threat Protection
- Configure a shared signal receiver
- Identity Threat Protection reports
- Identity Threat Protection dashboard widgets
- Manual remediation actions for Identity Threat Protection
- System Log events for Identity Threat Protection