Okta Technical Flashcards

1
Q

Universal Directory?

A

Customize, organize and manage any set of user attributes from multiple identity sources with this flexible, cloud-based user store.

2
Q

Single Sign-On

A

Free your people from the chains of multiple passwords. A single set of credentials gives them access to enterprise apps in the cloud, on-prem and on mobile devices.

3
Q

Lifecycle Management

A

Automate user onboarding and offboarding by ensuring seamless communication between directories such as Active Directory and LDAP, and cloud applications such as Workday, SuccessFactors, Office 365 and RingCentral.

4
Q

Adaptive Multi-Factor Authentication

A

Secure your apps and VPN with a robust policy framework, a comprehensive set of modern verification factors, and adaptive, risk-based authentication that integrates with all of your apps and infrastructure.

5
Q

Workforce Identity

A

Workforce Identity products are geared toward IT and security leaders. At a very high level, they simplify the way people connect to enterprise technology, while increasing efficiency and helping keep IT environments secure.

6
Q

Identities connect to…

A

N.A.D.A.
Networks
Applications
Devices
APIs
7
Q

Authentication (Definition)

A

Authentication is the process of verifying that a user is who they say they are, and is typically done before the user is given access to the resource they have requested.

8
Q

MFA (Definition)

A

Multi-factor authentication (MFA), for example, looks at a combination of factors in different categories (something you know, something you have, and something you are) to verify identity. So a user may be challenged for a password – a something you know factor – and a software token – a something you have factor – in order to log in.
(Know, Have, Are)

9
Q

Context (Definition)

A

Context can mean any of several things about a login including user context (who is trying to access), application context (what is the user trying to access), network and location context (where are they accessing from), and device context (from what device is access being requested).
Who, What (Application/Device), Where (Network/Location)

10
Q

Risk-based Authentication (Definition)

A

Risk-based authentication typically takes into account relative risk by calculating a risk score for every login request. The higher the score, the riskier the login, and the higher the chance it’s a malicious login attempt.

11
Q

What are the two dynamics that an organization has to balance?

A

Security and usability

12
Q

What is the weakest point in a company’s security?

A

Their people

13
Q

81% of all breaches used either…

A

stolen or weak passwords

14
Q

Name 3 common attacks

A

Credential phishing, password spraying, and brute force attacks

15
Q

Name 3 context signals

A

Location, device, network

16
Q

What is a good use case for Zero Trust?

A

Infrastructure access should be the first Zero Trust use case implemented. Because it applies to a subset of technical users who are capable of handling the architectural and procedural changes, our customers have found great success when they narrow their focus to this one initiative.

17
Q

Shift Left (Definition)

A

Shift-left testing is an approach to software testing and system testing in which testing is performed earlier in the lifecycle. It is the first half of the maxim “Test early and often.” It was coined by Larry Smith in 2001.

18
Q

LDAP (Definition)

A

The Lightweight Directory Access Protocol (LDAP /ˈɛldæp/) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.[1] Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network.[2] As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

19
Q

Which PAM module is used for LDAP authentication?

A

The pam_ldap module is a Pluggable Authentication Module (PAM) which provides for authentication, authorization and password changing against LDAP servers.

These interfaces are a headache to build and operate, and break down quickly at scale. It can very quickly turn into a distributed systems challenge, with little guarantee of consistency.

20
Q

Bastion Host (Definition)

A

A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of a firewall or in a demilitarized zone (DMZ) and usually involves access from untrusted networks or computers.

21
Q

SSH (Definition)

A

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.[1] Typical applications include remote command-line, login, and remote command execution, but any network service can be secured with SSH.

22
Q

SIEM (Definition)

A

In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware.

Vendors sell SIEM as software, as appliances, or as managed services; these products are also used to log security data and generate reports for compliance purposes.[1]

The term and the initialism SIEM were coined by Mark Nicolett and Amrit Williams of Gartner in 2005.

23
Q

Does Okta use APIs?

A

Everything about Okta is exposed as an API. Enrollment, provisioning, and configuration can all be fully automated, making it incredibly easy to use.
(The Eight Principles of Modern Infrastructure Access)

24
Q

PKI

A

Public Key Infrastructure (PKI) is a technology for authenticating users and devices in the digital world. The basic idea is to have one or more trusted parties digitally sign documents certifying that a particular cryptographic key belongs to a particular user or device. The key can then be used as an identity for the user in digital networks.

The users and devices that have keys are often just called entities. In general, anything can be associated with a key that it can use as its identity. Besides a user or device, it could be a program, process, manufacturer, component, or something else. The purpose of a PKI is to securely associate a key with an entity.

The trusted party signing the document associating the key with the device is called a certificate authority (CA). The certificate authority also has a cryptographic key that it uses for signing these documents. These documents are called certificates.

In the real world, there are many certificate authorities, and most computers and web browsers trust a hundred or so certificate authorities by default.

A public key infrastructure relies on digital signature technology, which uses public key cryptography. The basic idea is that the secret key of each entity is only known by that entity and is used for signing. This key is called the private key. There is another key derived from it, called the public key, which is used for verifying signatures but cannot be used to sign. This public key is made available to anyone, and is typically included in the certificate document.

25
Q

RDP

A

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. … RDP servers are built into Windows operating systems; an RDP server for Unix and OS X also exists.

26
Q

GDPR

A

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.

27
Q

FedRAMP

A

The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.[1] In 2011, the Office of Management and Budget (OMB) released a memorandum[2] establishing the Federal Risk and Authorization Program (FedRAMP) “to provide a cost-effective, risk-based approach for the adoption and use of cloud services to Executive departments and agencies”. The General Services Administration (GSA) established the FedRAMP Program Management Office (PMO) in June 2012. The FedRAMP PMO mission is to promote the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment.[3] Per the OMB memorandum,[4] any cloud services that hold federal data must be FedRAMP Authorized. FedRAMP prescribes the security requirements and process cloud service providers must follow in order for the government to use their service.

28
Q

NIST 800-53

A

NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost effective programs to protect their information and information systems.

29
Q

ISO/IEC 27001

A

ISO/IEC 27001 is an information security standard, part of the ISO/IEC 27000 family of standards, of which the last version was published in 2013, with a few minor updates since then.[1] It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.[2]

ISO/IEC 27001 specifies a management system that is intended to bring information security under management control and gives specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.

30
Q

How many credentials are stolen each month at Allergan?

A

Allergan is the second most targeted pharma company from a threat perspective because Botox, which is owned by Allergan, is highly targeted. We see brute force attacks, phishing, etc. Allergan intelligence estimates 150 credentials are stolen per month.

31
Q

CASB (Definition)

A

A cloud access security broker (CASB) (sometimes pronounced cas-bee) is on-premises or cloud-based software that sits between cloud service users and cloud applications, and monitors all activity and enforces security policies.[1] A CASB can offer a variety of services such as monitoring user activity, warning administrators about potentially hazardous actions, enforcing security policy compliance, and automatically preventing malware. Vendors include Netskope, McAfee, Symantec, Microsoft and Bitglass.

32
Q

PII (Definition)

A

Personally identifiable information, or PII, is any data that could potentially be used to identify a particular person. Examples include a full name, Social Security number, driver’s license number, bank account number, passport number, and email address.

33
Q

How do you leverage AD?

A

A best-of-breed cloud-based IAM solution should provide centralized, out-of-the-box integration into your central Active Directory or LDAP directory so you can seamlessly leverage and extend that investment to these new applications—without on-premises appliances or firewall modifications required. As you add or remove users from that directory, access to cloud-based applications should be modified automatically, via industry standards like SSL, without any network or security configuration changes. Just set and forget.

34
Q

IDaaS (Definition)

A

IDaaS is an acronym for Identity-as-a-Service, and it refers to identity and access management services that are offered through the cloud or SaaS (software-as-a-service) on a subscription basis.

35
Q

Kerberos

A

Kerberos (/ˈkɜːrbərɒs/) is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. The protocol was named after the character Kerberos (or Cerberus) from Greek mythology, the ferocious three-headed guard dog of Hades. Its designers aimed it primarily at a client–server model and it provides mutual authentication—both the user and the server verify each other’s identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication.[1] Kerberos uses UDP port 88 by default.

36
Q

SAML

A

Security Assertion Markup Language (SAML, pronounced SAM-el[1]) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions). SAML is also:

A set of XML-based protocol messages
A set of protocol message bindings
A set of profiles (utilizing all of the above)

The single most important use case that SAML addresses is web-browser single sign-on (SSO). Single sign-on is relatively easy to accomplish within a security domain (using cookies, for example) but extending SSO across security domains is more difficult and resulted in the proliferation of non-interoperable proprietary technologies. The SAML Web Browser SSO profile was specified and standardized to promote interoperability.[2] (For comparison, the more recent OpenID Connect protocol[3] is an alternative approach to web browser SSO.)

37
Q

OAuth (Definition)

A

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.[1] This mechanism is used by companies such as Amazon,[2] Google, Facebook, Microsoft and Twitter to permit the users to share information about their accounts with third party applications or websites.

Generally, OAuth provides to clients a “secure delegated access” to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.[3]

OAuth is a service that is complementary to and distinct from OpenID. OAuth is unrelated to OATH, which is a reference architecture for authentication, not a standard for authorization. However, OAuth is directly related to OpenID Connect (OIDC) since OIDC is an authentication layer built on top of OAuth 2.0. OAuth is also unrelated to XACML, which is an authorization policy standard. OAuth can be used in conjunction with XACML where OAuth is used for ownership consent and access delegation whereas XACML is used to define the authorization policies (e.g. managers can view documents in their region).

38
Q

OIDC (Definition)

A

OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner. In technical terms, OpenID Connect specifies a RESTful HTTP API, using JSON as a data format.

OpenID Connect allows a range of clients, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, supporting optional features such as encryption of identity data, discovery of OpenID Providers, and session management.[1]

39
Q

REST (Definition)

A

Representational state transfer (REST) is a software architectural style that defines a set of constraints to be used for creating Web services. Web services that conform to the REST architectural style, called RESTful Web services, provide interoperability between computer systems on the Internet. RESTful Web services allow the requesting systems to access and manipulate textual representations of Web resources by using a uniform and predefined set of stateless operations. Other kinds of Web services, such as SOAP Web services, expose their own arbitrary sets of operations.

40
Q

ESR

A

Employee System of Record
Every organization has taken advantage of those expected fields in AD (such as phone, address and title) that provide needed details about users and made AD a usable directory beyond its authentication function. But, because on-premises AD will no longer be the focal point of your identity, there needs to be a central employee system of record (ESR) that exists outside of AD. In fact, in a proper identity-centric implementation, the ESR isn’t even updating AD directly; it’s instead updating your identity platform, which, in turn, updates AD (among the other directories that may exist).
The most appropriate choice for an ESR is your Human Resources Management System (HRMS). It’s constantly updated with the most current employee information (such as role, title, department, location and phone) that can be utilized by an identity platform and/or individual directories.

41
Q

HRMS

A

Human Resources Management System

42
Q

Long Polling

A

Web applications were originally developed around a client/server model, where the Web client is always the initiator of transactions, requesting data from the server. Thus, there was no mechanism for the server to independently send, or push, data to the client without the client first making a request.

To overcome this deficiency, Web app developers can implement a technique called HTTP long polling, where the client polls the server requesting new information. The server holds the request open until new data is available. Once available, the server responds and sends the new information. When the client receives the new information, it immediately sends another request, and the operation is repeated. This effectively emulates a server push feature. A simple diagram below:

For a technical, in-depth look at HTTP long polling and implementations for Python, Ruby and JavaScript, check out our article on WebSockets and Long Polling in JavaScript, Ruby and Python.

43
Q

Certificate Pinning

A

Securing your mobile applications ensures that you and your customers are safe. And unfortunately, just using SSL and HTTPS doesn’t fully protect your data. Instead, certificate pinning currently tops the list of ways to make your application traffic secure.

Today we’ll look at what certificate pinning is and how it secures your application from man-in-the-middle attacks. We’ll compare certificate and public key pinning. And lastly, we’ll look at why leaving certificate pinning as a build flag makes your app flexible for man-in-the-middle testing.

Background
Before we get into specifics, let’s take a look at the life of a request from your mobile app to its back-end server using HTTPS. Without looking into things, we only know that our client sends a request and the server sends a response. However, more subtlety exists in this exchange than many realize.

Before the client and server exchange application data, a figurative handshake occurs to confirm the client is talking to the right server. This handshake follows these five steps:

1) The client initiates a handshake with the server and specifies a Transport Layer Security (TLS) version.
2) The server responds with a certificate and public key.
3) Then, the client verifies the certificate or public key and sends back a shared key. This shared key is based on the public key from the server.
4) Next, the server confirms receipt of the shared key.
5) And finally, data flows between the client and the server. Both the client and the server encrypt data using the new shared key.

In this example, we didn’t use certificate pinning. The client does some basic validation on the cert but doesn’t verify that the cert matches any known cert. It checks to see if the cert’s root came from a trusted certificate authority and that the server in the cert matches the server that the client connects to.

Although HTTPS results in much better security than using HTTP, the “bad guys” trying to listen in on your network traffic could still succeed if the trusted certificate provider gets compromised due to a security vulnerability.

So, what do we do to secure our data transmission even more? We pin specific certs that we trust to our client application.

What Is Certificate Pinning?
Certificate pinning forces your client app to validate the server’s certificate against a known copy. After pinning your server’s certificate inside your client app, your client should check the basic validity of the cert as in No. 3 from the list above, as well as verify that the server’s certificate matches the pinned certificate.

To verify we have a match, the client can validate against the entire cert or against the public key. However, instead of a direct copy of the cert or key, we instead use a fingerprint. A fingerprint is a hashed version of either the entire cert or the public key. If the fingerprints between the server and the client side cert match, the connection is valid. If they don’t match, the app should reject the connection.

Another fun fact—pinning can be preloaded into the application, or it can automatically pin whatever certificate the server sends during the first client-to-server call. Preloading gives the application more protection, as an attacker might be able to pin their own certificate upon the first call.

44
Q

AD Agent (roles)

A

1) Authentication
2) User imports
3) Real time synchronization

45
Q

Number of Customers?

A

7400+ (as of 12/5/19)

46
Q

Application Integrations?

A

6500+ (as of 12/5/19)

47
Q

Network Effect

A

A network effect (also called network externality or demand-side economies of scale) is the effect described in economics and business that an additional user of goods or services has on the value of that product to others. When a network effect is present, the value of a product or service increases according to the number of others using it.

48
Q

Customers >$100k ACV

A

1,325

49
Q

Zero Trust (definition)

A

Zero Trust is an information security framework which states that organizations should not trust any entity inside or outside of their perimeter at any time. It provides the visibility and IT controls needed to secure, manage and monitor every device, user, app and network being used to access business data.

50
Q

Daily Active Users?

A

7M+

51
Q

Jobs Per Month?

A

100M+

52
Q

App Authentications Per Month?

A

2.1B+

53
Q

81% of data breaches involve…

A

stolen/weak credentials

54
Q

91% of phishing attacks target…

A

credentials

55
Q

73% of passwords are…

A

duplicates