Okta Breach
Okta security breach disclosed in October 2023
Description
Keeper Security is aware of the recent security breach at Okta, where cybercriminals accessed client files through its support system. As part of its support process and system, Okta’s customers upload HTTP Archive (HAR) files which contain sensitive information from the user's web browser. This information included session tokens that were used to impersonate several Okta customers.
Impact to Keeper
Keeper Security does not use any of Okta’s products internally - for Single Sign-On (SSO) or any other purpose. Therefore, Keeper’s internal business operation was not impacted by the security incident at Okta.
Keeper is a zero-knowledge and zero-trust cybersecurity platform which means that all of the encryption of user data occurs on the user's device, and Keeper does not have the ability to access any customer data. Further, least-privilege, role-based access control and delegated administration permit and restrict access for all users in the system. Keeper's employees utilize the Keeper Enterprise platform for authenticating into websites and applications using strong and unique passwords generated by our software.
Keeper SSO Connect® is a powerful feature of the Keeper platform which provides customers with the ability to authenticate into their Keeper vaults using their preferred SAML 2.0 identity provider - both on-premises and in the cloud. Keeper SSO Connect, when properly configured with Okta SSO, provides enterprise-wide authentication and end-to-end encryption with zero-knowledge and zero-trust security.
For those customers who use Okta with Keeper SSO Connect for accessing their Keeper vaults, please implement the following best practices:
Enforce MFA on the Keeper vault in addition to enforcing MFA at Okta for all privileged users. Keeper is the only Enterprise Password Manager that provides an additional layer of MFA to reduce the risk associated with an identity provider takeover attack.
To prevent users from accessing their work vaults outside of approved locations and networks, administrators should activate IP Address Allowlisting. This is a role-based enforcement setting in the Keeper Admin Console which enforces that users can only access their vaults when their device is on an approved network. This should always be enforced for administrative roles.
Reduce administrator privilege for SSO-enabled accounts. If an administrator uses Okta to authenticate into the Keeper platform, reduce the role privilege so that their administrative responsibility is limited in scope to perform their role with the organization.
Ensure that at least one administrator is able to access the Keeper platform using a Master Password authentication method in case the SSO identity provider is unavailable.
Activate Keeper's event reporting and alerting system into your security operations. Keeper integrates into any popular SIEM solution including Splunk and Datadog. In the Keeper Admin Console, alerts can be configured to notify your security team covering over 200 different event types.
References
Blog Post Regarding IdP Takeover Attacks
Keeper Enterprise Security Recommendations
https://docs.keeper.io/enterprise-guide/recommended-security-settings
Keeper SSO Connect
https://docs.keeper.io/sso-connect-cloud/
Keeper's Security and Encryption Model
https://keepersecurity.com/security.html
If you have any questions please contact security@keepersecurity.com.
Last updated