I am thrilled to announce that today, at Oktane18, BeyondTrust and Okta will introduce a new integration of our solutions to address a long-standing challenge in security: the seamless integration of multi-factor authentication with single sign-on and privileged access.
With 80% of data breaches involving privileged accounts, and the use of stolen credentials through hacking as the number-one tactic used in data breaches in 2017, it has never been more important to apply stringent security controls over access to critical systems and data. The challenge, however, is that static authentication approaches limited to a username and a password are insufficient in dynamic IT environments. And, when single sign-on is deployed, passwords must be protected and managed to avoid misuse.
Integrated, Adaptive MFA, SSO, and PAM is the answer
Okta® and BeyondTrust have integrated their leading multi-factor authentication (MFA), single sign-on (SSO), and privileged access management (PAM) solutions to deliver secure and adaptive authentication security to privileged applications. This integration provides a seamless experience for users, enabling organizations to maintain their productivity while ensuring tight access controls.
Key Use Cases
Through our integration efforts, we’ve identified several common use cases brought to us by customers. Here are a few of them.
Utilizing federation for privileged accounts, when passwords aren’t always practical
PowerBroker Password Safe leverages Okta to enable users to SSO into the central BeyondTrust web console, BeyondInsight™. Okta Desktop Single Sign-On and integrated Windows authentication enables users already authenticated to the Active Directory domain to then seamlessly access Password Safe, enabling Okta to provision new accounts in Password Safe and BeyondInsight. Finally, BeyondTrust and Okta can leverage federation and SSO for managed privileged accounts that allow access to protected web applications and consoles, including Google Cloud and AWS. Credentials are neither exposed to the users, nor required to be sent on the wire – regardless of whether the applications reside on-premise or in the cloud. See the PowerBroker screenshot below for how we provide secure storage and rotation of single sign-on passwords in a way that is fully transparent to the end user.
Supporting MFA via Radius for PowerBroker PAM solutions
For organizations that have integrated Okta and PowerBroker, standard users can elevate to applications that require administrator privileges seamlessly using an Okta challenge. Through a simple three-step process, the user enters his/her credentials and selects the method (e.g., push), approves it on his/her mobile device, and the application starts. Command-line options are also available for Unix and Linux environments.
When users need to establish a privileged remote session to a server or network device, they can leverage the desktop or session management tool of their choice, such as Terminal or PuTTY. If step-up authentication via Okta is enabled, a push notification is sent to a device of choice and, when the request is approved, it starts the remote desktop session. This level of integration ensures that users requesting access to privileged accounts and systems are properly authenticated and authorized through adaptive MFA. See the screenshot below for a representation of the ease of creating rules in PowerBroker.
PowerBroker PAM solutions are available in the Okta Integration Network
BeyondInsight, the central console for PowerBroker administrators and users, is now an Okta Verified app. Using the Okta dashboard, customers can quickly add and configure the SAML integration so users can SSO into BeyondInsight and Password Safe. Also, just-in-time provisioning via SAML can be leveraged for users and privileged accounts connecting to web applications, such as Amazon AWS. Centralizing authentication to BeyondTrust PowerBroker PAM solutions via the Okta Integration Network simplifies access and improves administrator productivity. See the screenshot below for a representation of this.
Benefits of this integration
The integration between key Okta and PowerBroker solutions enables:
- Secure access to privileged passwords, sessions, applications, and commands through dynamic factors
- Tighter security by prompting users for additional authentication on one or more context-aware indicators, including username, group membership, hostname, day, time, command, operating system, and many more.
- Flexibility by supporting multiple second factors – from SMS, voice and email, to one-time passwords (OTPs), and third-party solutions with RADIUS support for all devices
We’re excited to announce this integration! Watch for more – including use case demos and more.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
