Okta, Inc. (OKTA) Earnings Call Transcript & Summary

April 21, 2026

NASDAQ US Information Technology IT Services conference_presentation 24 min

Earnings Call Speaker Segments

Operator

operator
#1

Please welcome Okta's Vice President of Federal, Amy Johanek.

Amy Johanek

executive
#2

Hello. Welcome to Okta Gov Identity Summit. Thank you for joining us today. This is our fifth year hosting the summit, but this year marks a deeper milestone. For the past decade, Okta has partnered with you to secure federal identities, evolving alongside the government's highest security standards. That's a decade of building together and a decade of earning your trust. What that decade has taught us is simple. The safest missions don't choose between being modern and being resilient. Modernization and cyber resiliency are deeply intertwined and the common thread is identity. From advanced governance and threat detection to moving to the highest national security workloads, we are extending the identity security fabric to where your mission lives. You'll see these innovations in action throughout the day. And more importantly, you'll hear from government leaders and strategic partners on what identity-first security looks like in practice. Before we look at the agenda, I want to recognize the sponsors who made today possible. Thank you so much. Now let's look at our day. We'll kick things off with Okta's Deputy Chief Security Officer, Charlotte Wylie. She'll detail how we are elevating your mission requirements into a truly secure operating model. Following that, I'll be hosting several conversations focused on reframing identity in Zero Trust posture as the foundation of mission agility. Later today, Okta's Director of Defense Intelligence program, Sabrina Lea, will explore identity and distributed environments. Then we'll have Okta's Senior Vice President and General Manager for Okta for AI Agents, Harish Peri, take a look at the future of agentic identity. And to close our day, former Commander of U.S. Cyber Command and former Director of the National Security Agency, General Paul Nakasone, will lead a deep dive into the wave of change driven by AI and other emerging technologies. It's a full day designed to give you actionable insights. 
So to kick us off with a vision behind today's summit, please join me in welcoming to the stage, Charlotte Wylie.

Charlotte Wylie

executive
#3

Thank you, Amy. What a tremendous commitment to agencies' modernization journey. In those 10 years, we've watched you expand across every identity, every use case and every resource. So whether you walked in today from a digital transformation office or fraud investigation unit or a cutting-edge lab, we've all been operating under the same principle. Identity is security. But here's the question that we now need to ask ourselves. How does your strategy hold now that your digital workers have shown up? For decades, identity was straightforward. You logged in, you had permissions, you did your job. Identity determined who accesses what, when and why. The control and visibility required were universally understood by the teams managing it. Never trust, always verify. One entity permission enabled thousands of citizens to receive their benefits. One role certification meant that entire agencies could operate with confidence. Every mission-critical function was built around it, every decision, action and outcome traced back to identity. Then your new coworkers arrived. The access being requested isn't for a person. It's for AI agents with pervasive intentions. The permissions needed are no longer tied to a role but a purpose, unconstrained by title or department. The governance applied through periodic reviews can't be applied to unknown or known agents whose identities, access and privileges are inherently unmanaged. Managing agentic identity demands a blueprint. I'll come back to this in a minute. Many of you in this room have been building towards this exact moment, applying Zero Trust principles, prioritizing phishing-resistant MFA and tightening data sharing controls. That work is the foundation. We're here to talk about what goes on top of it. As an identity company, Okta's concern starts before deployment. We see how agentic AI extends the attack surface, accelerating the buildup of identity debt. 
Every agent connected without governance, every unmanaged token, every over-permissioned bot, it all compounds the risk. But we're not asking you to chart this journey from scratch. And we see this reflected in your own directives. The latest guidance on accelerating the federal use of AI rightly encourages agencies to scale the tools you already have for AI governance. All while organizations lean into agile acquisition to ensure secure cutting-edge tech reaches our war fighters faster than ever. We believe the identity security fabric already securing your human identities, workloads and applications is the single control plane that can also be used for agentic identities. You get a unified approach while strengthening protection, the end-to-end security needed to safely leverage AI across every use case and resource. But let's be honest about where most organizations are right now. Instead of relying on enterprise-grade methods for securing AI agents, most organizations are using authentication protocols that expose highly privileged secrets. It's like using a residential lock on a federal building. It works, but it's not fit for the job. These legacy approaches fail to provide standard centralized policy control, compromising the auditability and oversight required for enterprise security. And what makes it harder is agents don't just log in. They appear everywhere. They connect to everything and they act on their own. Which means that the strategy that you've relied on for identity doesn't hold. So you have to ask, where are my agents? What can they connect to and what can they do? Those 3 questions deserve a real answer. And this is a blueprint for a secure agentic enterprise. Instead of building a bespoke plugin or a one-off manifest, imagine a single standardized way for agents to connect to any system. 
So developers, the ones that are automating multi-step government service transactions for citizens or detecting payroll anomalies, helping workers process controlled and classified information, they spend their time building capabilities, not plumbing integrations. Instead of building a new physical key for every door, imagine a universal key system, one that every agent can use, every system can trust, and every admin can control. That's the principle behind a centralized approach to agent security, leveraging vaulted credentials to help ensure that an agent's identity is not exposed even whilst it's in use. Even before we reach peak agentic, where all software is inherently AI, we've already moved past that binary choice of whether to connect. The key question is control. When an agent is taking action, is it operating within its mission parameters? Or is it stepping beyond what it's been explicitly permitted to do? The consensus that we're hearing from you is that agents can't be fully autonomous. And this is where the governance kicks in. You want to treat agencies like first-class identities, not just connections. You need an automated kill switch that stops rogue agents in their tracks. And CISOs need the control and visibility that we are duty bound to protect. There's a lot within a single unified control plane, and you'll get a deeper dive on this later today. In this era of escalating threats, the security provider that you choose must be as unshakable as the mission itself. You need to know that the fabric connecting your force is built around the same rigor that you expect of your own systems. And that difference matters because federal technology leaders and security innovators share the same mandate: impact at scale, sustained hardening, battle-tested. That's nonnegotiable. That is the duty that we have. 
The relentless pursuit of secure, scalable identity is exactly what we have been working towards for the last 2.5 years, the Okta Secure Identity Commitment. The Okta Secure Identity Commitment is our pledge to secure identity in the age of AI and whatever comes next. It's built on 4 pillars: secure products, hardened infrastructure, customer best practices and industry leadership. This is our long-term promise to secure our enterprise and build secure products for you as AI reshapes the digital landscape. We've been solely dedicated to securing identity for almost 2 decades. And with your most critical use cases in mind, I want to zero in on how this promise mirrors how your missions operate. It is anchored on accountability because we believe security is an operational commitment. Our security is your security, and we can prove it. We hold our internal people, processes and technology to the same rigorous cyber threat profile as our customer-facing environment, holistic inside-out security. Operational resiliency is the backbone of all of this, building corporate infrastructure that actually holds up to the pressure. Our Zero Trust approach to security is identity-first security. As Customer Zero, we secure our own global infrastructure with the same products that we deliver to you, from passwordless rollouts to self-service governance. Think about it as our own OIG audit. We stress test our solutions and find and close gaps, ensuring that the hardened result is what you receive. This isn't about just a testing ground for our products. It's forming a framework for your own Zero Trust implementation. We've updated our Security Technical Information Guide to include specific hardened guidance for nonperson entities, providing a standardized framework to secure automated identities and deny adversaries a foothold in your network. We've launched our threat intelligence capability to produce advisory and in-depth research for the world's largest threat schemes. 
From exposing nation-state facilitators using AI-enhanced tools to place operatives in engineering roles, to identifying illicit earnings that are flowing back to hostile regimes. And this is where it converges. The cost lever, preventing incidents before they happen, and the risk lever, reducing the attack surface systematically. These aren't just security metrics. They merge into a single truth. Agencies that deliver identity-first security protect missions, and they accelerate them. But accelerating mission surfaces the real challenge that you're facing. It's not lack of innovation. Your teams are innovating at scale. The real pressure is interoperability, the friction of pulling autonomous systems, legacy infrastructure and compliance into a coherent operating model without slowing down. That's the power of flexible SaaS. Flexible SaaS means identity adapts to your mission, not the other way around. It's one identity fabric governing everything: humans, agents and legacy systems, without forcing you to rearchitect how you work or sacrifice security for speed. Flexible doesn't mean loose. It means configurable. It means a civilian benefits agency and a defense logistics command can both deploy the same identity fabric, but tuned to their specific classification level, their compliance framework and their mission tempo. One configuration for citizen-facing passkeys and scoped agent tokens, the other for CAC-based authentication and air-gapped workflows. Same platform, same security commitment, different mission expressions. This flexibility is what allows your defense to evolve as quickly as the threat landscape. That's identity-first security and it's the vision that we're building together. An identity fabric as resilient, battle-tested and mission-focused as the agencies we serve. I asked Okta's Federal Chief Security Officer, Sean Frazier, to join us and bring some of this to life. 
What you're about to see is a tool that can defend your Okta tenant from bad actors. We're talking about an adversary-in-the-middle phishing campaign, the kind likely targeting your admins today. Sean, the floor is yours.

Sean Frazier

executive
#4

Thank you, Charlotte. Good morning, good morning. As you can see, I'm going to tell you something you don't already know. As you can see, identity attacks are on the rise, both from the perspective of being more sophisticated as well as being higher volume. Attackers are using AI the same way we're using AI to drive down cost and to increase capabilities. When Charlotte talked about the Okta Secure Identity Commitment, one of the core pillars of that was to help our customers with their security journey. And to that end, we've created a tool for our customers to navigate through this called the Threat Exposure Assessment, or TEA, because who doesn't love a good acronym. The Threat Exposure Assessment is a security-focused health check that analyzes a tenant configuration, from password policies to network controls, to help ensure the customers are optimally protected against future attacks. Here are some examples of configurations that the Okta Identity Defense team has observed during real-world incidents to highlight some of the issues identified in the TEA report. Let's look at the demo. We grouped this example configuration into 3 phases of the authentication pipeline: before the login, during the login itself and after the login. Our TEA report recommends a defense-in-depth approach across this entire life cycle. For before the login, in this scenario, ThreatInsight was enabled but stuck in audit mode. The admins wanted to observe the logs before putting it into enforcing mode, but it fell off the priority list as things tend to do. On the networking side, they're only blocking some IP address ranges for attackers' networks that they know of because they saw them in the course of an event. They're not using some of the advanced features like geolocation. For the login itself, the user base was familiar with SMS OTP, one-time passwords. So they enabled those initially, but these low assurance factors are easily phished. 
We often hear from Okta admins during an incident that they have a backlog or a road map item to migrate to phishing-resistant factors, but life got in the way and they just were never able to do it. For after the login, in the name of good user experience, the tenant had a long global session policy configured for token issuance. To make matters worse, they never enabled end user notifications for when end users would discover that something was going on with their account. So the end users were never able to let the Okta admins or the security team know that something was going on, and they're your first line of defense. For tenants configured in this manner, there are multiple identity attacks that could cause headaches at a minimum or at a maximum lead to a security incident. There was a 61% increase in brute force attacks last year based on data that we've gotten from the Okta Threat Intelligence team. With these low assurance factors like SMS or e-mail OTP, and when they're not enabled, there are a variety of attacks that can manifest themselves, things like account takeovers, credential harvesting, those types of attacks. It doesn't take a really sophisticated actor to launch a brute force password attack or a password guessing attack or credential stuffing attack. And more advanced attacks, such as an adversary-in-the-middle, can be used to bypass the low assurance factors like SMS and e-mail one-time passcodes. In the adversary-in-the-middle attack, a proxy server intercepts a password and the OTP in real time to authenticate with the legitimate site. By stealing the resulting session cookie, the attacker bypasses all the MFA requirements to hijack the account. This has become a lot cheaper for attackers to implement. With phishing infrastructure, a threat actor can take over an account and change the password or reset the MFA factors, and they can block the legitimate user from access to their own account. 
Let's look at what the TEA report might recommend for the previous list of misconfigurations we discussed in order to mitigate these potential threats. Again, back to the 3 examples of the authentication pipeline. The TEA report creates and provides a lot of guidance and a lot of information for you, but I'm going to only focus on a few of those today. Before the login, TEA would recommend putting ThreatInsight into blocking mode. On the network zone side, anonymizing proxies should be blocked, and the combination of these 2 controls will help mitigate against credential stuffing attacks. For the login itself, TEA would advocate for phishing-resistant factors such as Okta FastPass, WebAuthn biometrics or YubiKeys. This helps protect the end user from phishing and adversary-in-the-middle attacks. For after the login, TEA recommends setting up a global session policy expiration that aligns with NIST standards. Notifications should be enabled so that end users can report suspicious activity directly to their Okta admin and their security team right from the phishing e-mail. And Identity Threat Protection, or ITP, session protection and detection should be enabled. With ITP, you get Universal Logout. Universal Logout can automatically be triggered to terminate sessions and revoke tokens for various cases, such as an end user reporting suspicious activity on their account. Threat actors are evolving. They're evolving their techniques and their tactics, frequently changing them to avoid detection. But the good news is that Okta has released a number of features like ITP, Identity Threat Protection, that will help protect against these kinds of attacks. And the TEA report will help protect against these kinds of attacks and let you know exactly what to do in your configured tenant. So the call to action today, reach out to your customer success manager, ask for a TEA report. You can also request this directly from your support ticket by opening up in your tenant. 
As Charlotte mentioned, we also released the updated version of our STIG 1.1, which includes nonhuman entities. So please make sure, if you haven't downloaded that and applied that to your tenant, do that now. Be aware of the set-it-and-forget-it pitfall. Take advantage of cutting-edge features, and security features specifically, that we release in the Okta product all the time. And don't wait until you're dealing with a security incident, be proactive and start today. Thank you very much.
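The three-phase walkthrough in Sean's segment (before, during and after the login) reads naturally as a checklist that can be run over a tenant configuration snapshot. The script below is an added example written for this page; it is not Okta's Threat Exposure Assessment, not Okta's API, and not code from the talk. The snapshot schema (`threat_insight`, `network_zones`, `authenticators`, `global_session_policy`, `end_user_notifications`, `identity_threat_protection`) and its field names are assumptions of this example, constructed to mirror the settings the talk names, and the 12-hour session ceiling is this example's own threshold. The two embedded snapshots are constructed: one reproduces the misconfigured demo tenant, the other the same tenant after the recommendations are applied.

```python
"""Tenant configuration health check in the spirit of the TEA walkthrough above.

Added example, not Okta's Threat Exposure Assessment or its API. The snapshot
schema is a constructed, simplified representation of the settings the talk
names; every field name here is an assumption of this example, not an Okta
API field. Thresholds are this example's own.
"""
from collections import Counter
from dataclasses import dataclass

PHISHING_RESISTANT = {"okta_fastpass", "webauthn", "yubikey"}
LOW_ASSURANCE = {"sms_otp", "email_otp"}
# Assumed ceiling for a global session, taken from the 12-hour
# reauthentication interval NIST SP 800-63B sets for AAL2.
MAX_SESSION_HOURS = 12


@dataclass(frozen=True)
class Finding:
    phase: str            # "before", "during" or "after" the login
    control: str
    observed: str
    recommendation: str


def assess_tenant(cfg: dict) -> list[Finding]:
    """Return one Finding per gap, grouped by the three phases in the talk."""
    findings: list[Finding] = []

    # Before the login: are bad sources stopped at the door?
    mode = cfg["threat_insight"]["mode"]
    if mode != "block":
        findings.append(Finding("before", "ThreatInsight", f"mode={mode}",
                                "Move ThreatInsight from audit to blocking mode"))
    if not cfg["network_zones"].get("block_anonymizing_proxies", False):
        findings.append(Finding("before", "Network zones",
                                "anonymizing proxies not blocked",
                                "Block anonymizing proxies, not only known attacker IP ranges"))

    # During the login: which enabled factors can be phished or proxied?
    auth = cfg["authenticators"]
    enabled = set(auth["enabled"])
    if not enabled & PHISHING_RESISTANT:
        findings.append(Finding("during", "Phishing-resistant factors",
                                "none enabled",
                                "Enable Okta FastPass, WebAuthn or YubiKeys"))
    weak = enabled & LOW_ASSURANCE
    if weak and not auth.get("require_phishing_resistant", False):
        findings.append(Finding("during", "Low-assurance factors",
                                "allowed: " + ", ".join(sorted(weak)),
                                "Require a phishing-resistant factor; retire SMS/e-mail OTP"))

    # After the login: how long does a stolen session live, and who notices?
    hours = cfg["global_session_policy"]["max_lifetime_hours"]
    if hours > MAX_SESSION_HOURS:
        findings.append(Finding("after", "Session lifetime", f"{hours}h",
                                f"Cap global session lifetime at {MAX_SESSION_HOURS}h"))
    if not cfg["end_user_notifications"].get("suspicious_activity_reporting", False):
        findings.append(Finding("after", "End-user notifications", "disabled",
                                "Enable notifications so users can report suspicious activity"))
    if not cfg.get("identity_threat_protection", {}).get("universal_logout_on_report", False):
        findings.append(Finding("after", "Universal Logout", "not wired to reports",
                                "Trigger Universal Logout when a user reports suspicious activity"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per phase, e.g. {'before': 2, 'during': 2, 'after': 3}."""
    return dict(Counter(f.phase for f in findings))


# Constructed snapshot mirroring the misconfigured tenant in the demo.
WEAK_TENANT = {
    "threat_insight": {"mode": "audit"},
    "network_zones": {"blocked_ip_ranges": ["198.51.100.0/24"],   # one range seen in an incident
                      "block_anonymizing_proxies": False},
    "authenticators": {"enabled": ["password", "sms_otp", "email_otp"],
                       "require_phishing_resistant": False},
    "global_session_policy": {"max_lifetime_hours": 720},          # 30 days, for "good UX"
    "end_user_notifications": {"suspicious_activity_reporting": False},
    "identity_threat_protection": {"universal_logout_on_report": False},
}

# Constructed snapshot after the recommendations are applied.
HARDENED_TENANT = {
    "threat_insight": {"mode": "block"},
    "network_zones": {"blocked_ip_ranges": ["198.51.100.0/24"],
                      "block_anonymizing_proxies": True},
    "authenticators": {"enabled": ["okta_fastpass", "webauthn"],
                       "require_phishing_resistant": True},
    "global_session_policy": {"max_lifetime_hours": 12},
    "end_user_notifications": {"suspicious_activity_reporting": True},
    "identity_threat_protection": {"universal_logout_on_report": True},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        found = assess_tenant(cfg)
        print(f"{name}: {summarize(found)}")
        for f in found:
            print(f"  [{f.phase}] {f.control}: {f.observed} -> {f.recommendation}")
```

Running it prints seven findings for the weak snapshot, two per phase before and during the login and three after it, and none for the hardened one. The per-phase grouping is the point: a long session lifetime and disabled user notifications do not look dangerous on their own, but together they are what lets a session cookie taken by an adversary-in-the-middle proxy stay useful for days without anyone being in a position to report it.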
