The takeaways, in brief
- Never trust the network. Okta treats its offices like a Starbucks — certificate-based auth is one of many signals (identity, hardware, encryption, VPN) stitched together with SIEM and AI.
- The help desk is the front door. Social engineering against IT support is a top vector; Okta layers ID verification, device trust, and many checks before any password reset.
- Kill the password. Short-lived re-auth on every sensitive session, heavy controls on service accounts, and a public push for the IPSIE standard to force SSO, SCIM, and short sessions across SaaS.
Chris Carlson is Director of Infrastructure Engineering at Okta, leading client platform engineering, the network team, cloud operations, and developer productivity and SRE. He joined Databricks’ Kyle Dimmick on the SecureW2 × Myriad 360 customer panel at The Battery in San Francisco, in a live Q&A moderated by SecureW2 co-founder Bert Kashyap. His throughline: defense in depth, and a wireless network he has never trusted.
How are you thinking about the AI frontier and the new threats it brings?
AI is here, and it’s going to be transformational for compute. Internally we’re calling it the next big revolution — there was the internet, the move to SaaS, and now the move into AI. With that comes a lot of new threats, and unfortunately a lot of them are internal: employees improperly using AI, or shipping a bunch of our data off to third parties that most likely should not have it.
There’s a lot of shadow IT, and it actually comes out even from our executive team. We did an AI talk at an all-hands recently, and executives went up and said, ‘oh, I’m using this AI tool and this AI tool’ — and none of them were sanctioned. So we’re trying to empower the workforce by giving them tools we think are safe for Okta, but also letting people explore with guardrails. If we don’t adopt AI, we’re going to get left behind.
Social engineering and deepfakes are hitting the front door. How are you defending the help desk?
A huge attack vector is ultimately your IT help desk — they have a lot of power to reset accounts and passwords, and we’ve seen those vectors hit pretty major corporations. We’re using third-party tools where you take a picture of your ID and it runs you through a database, using things like Apple’s LiDAR sensors to determine it’s not just a photo you’re holding up.
It’s really defense in depth: even if you get someone’s identity and can use Okta Verify, you probably don’t have an Okta laptop that’s been issued a certificate or is running through CrowdStrike for XDR. We’re only as strong as our weakest link, so we push our help desk to go through many checks before resetting passwords. You can get all sorts of data on people — we all publish our start date, title, and what we do to LinkedIn.
Attackers increasingly break in by logging in. How do you handle token theft and session abuse?
Token theft is very important to us — Okta was a victim of it a few years ago. A lot of times folks upload HAR files that have active session tokens in them; with case management like Zendesk or Salesforce, people upload very sensitive things, or attackers get access to endpoints and steal tokens. We attack that with defense in depth — even fairly old-school firewall policies people were trying to get away from in the SaaS revolution. We’ve gone back to things like IP allowlisting, so even if a token is lost, you’re most likely not on our network. But we don’t just trust our network — that’s where we do MDM and device trust, and use things like SecureW2 to get signals from many platforms.
Okta eats its own dog food and drinks its own champagne. Almost every single new session to a sensitive platform goes through a brand-new auth event, so even if somebody steals a token, it’s fairly short-lived.
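The HAR-file problem Carlson describes is one a practitioner can check for before a capture ever leaves the laptop. What follows is an added example, not Okta's or SecureW2's code: it walks a HAR capture and redacts cookies, Authorization headers, token-bearing query parameters and token fields in request and response bodies, and reports what it found so the uploader can see what would otherwise have gone into the support ticket. The header and field names it treats as sensitive, the regexes, and the sample capture are assumptions constructed for the example; every captured value in the sample is made up.

```python
# Added example, not Okta's or SecureW2's code: redact session material from a HAR
# capture before it is attached to a support case. The header names, field names and
# regexes are assumptions about where session state usually hides; extend them as needed.
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Headers whose values carry credentials or session state (compared case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Query-string and body field names that commonly carry tokens or authorization codes.
SENSITIVE_KEYS = {"access_token", "id_token", "refresh_token", "sessiontoken", "token", "code", "client_secret"}
_KEYS = "|".join(sorted(SENSITIVE_KEYS))
# "key": "value" in a JSON body; the lookahead skips values that are already redacted.
JSON_KEY_RE = re.compile(r'"(%s)"(\s*:\s*)"(?!\[REDACTED\]")[^"]*"' % _KEYS, re.IGNORECASE)
# key=value in a form-encoded body.
FORM_KEY_RE = re.compile(r'(^|[&?])(%s)=(?!\[REDACTED\](?:&|$))[^&]*' % _KEYS, re.IGNORECASE)
# A bare JWT anywhere else: three base64url segments, header segment starting with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")

def _redact_headers(headers, findings, where):
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
            findings.append(f"{where}: header {h['name']}")
            h["value"] = REDACTED

def _redact_cookies(cookies, findings, where):
    for c in cookies:  # every cookie value is treated as session state
        if c.get("value") != REDACTED:
            findings.append(f"{where}: cookie {c.get('name')}")
            c["value"] = REDACTED

def _redact_url(url, findings, where):
    parts = urlsplit(url)
    cleaned = []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if k.lower() in SENSITIVE_KEYS and v != REDACTED:
            findings.append(f"{where}: query parameter {k}")
            v = REDACTED
        cleaned.append((k, v))
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))

def _redact_text(text, findings, where):
    if not text:
        return text
    text, n = JSON_KEY_RE.subn(lambda m: f'"{m.group(1)}"{m.group(2)}"{REDACTED}"', text)
    if n:
        findings.append(f"{where}: {n} token field(s) in JSON body")
    text, n = FORM_KEY_RE.subn(lambda m: f"{m.group(1)}{m.group(2)}={REDACTED}", text)
    if n:
        findings.append(f"{where}: {n} token field(s) in form body")
    text, n = JWT_RE.subn(REDACTED, text)
    if n:
        findings.append(f"{where}: {n} bare JWT(s)")
    return text

def scrub_har(har):
    """Return (redacted deep copy, findings); the input dict is left untouched."""
    clean, findings = copy.deepcopy(har), []
    for i, entry in enumerate(clean.get("log", {}).get("entries", [])):
        req, resp = entry.get("request", {}), entry.get("response", {})
        where = f"entry {i} {req.get('method', '?')} {urlsplit(req.get('url', '')).path}"
        _redact_headers(req.get("headers", []), findings, where + " request")
        _redact_cookies(req.get("cookies", []), findings, where + " request")
        if "url" in req:
            req["url"] = _redact_url(req["url"], findings, where + " request")
        if "postData" in req:
            req["postData"]["text"] = _redact_text(req["postData"].get("text", ""), findings, where + " request body")
        _redact_headers(resp.get("headers", []), findings, where + " response")
        _redact_cookies(resp.get("cookies", []), findings, where + " response")
        content = resp.get("content", {})
        if "text" in content:
            content["text"] = _redact_text(content["text"], findings, where + " response body")
    return clean, findings

def scrub_har_json(text):
    """scrub_har for HAR file contents: returns (redacted JSON text, findings)."""
    clean, findings = scrub_har(json.loads(text))
    return json.dumps(clean, indent=1), findings

# Constructed sample capture with made-up values, not a real session.
SAMPLE_HAR_JSON = r"""{"log": {"version": "1.2", "entries": [
 {"request": {"method": "GET", "url": "https://example.okta.test/login/callback?code=AUTHCODE123&state=xyz",
   "headers": [{"name": "Cookie", "value": "sid=SESSION111"}, {"name": "Accept", "value": "text/html"}],
   "cookies": [{"name": "sid", "value": "SESSION111"}]},
  "response": {"status": 302, "headers": [{"name": "Set-Cookie", "value": "DT=DEVTOKEN222; Path=/; Secure"}],
   "cookies": [{"name": "DT", "value": "DEVTOKEN222"}], "content": {"mimeType": "text/html", "text": ""}}},
 {"request": {"method": "POST", "url": "https://example.okta.test/oauth2/v1/token",
   "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"}],
   "cookies": [], "postData": {"mimeType": "application/x-www-form-urlencoded",
   "text": "grant_type=refresh_token&refresh_token=REFRESH333"}},
  "response": {"status": 200, "headers": [], "cookies": [], "content": {"mimeType": "application/json",
   "text": "{\"access_token\": \"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl\", \"token_type\": \"Bearer\"}"}}}
]}}"""

if __name__ == "__main__":
    print("\n".join(scrub_har_json(SAMPLE_HAR_JSON)[1]))
```

Run `scrub_har_json` over the file contents before attaching the capture to a case. The findings list is the audit trail of what was removed, and because already-redacted values are skipped, a second pass over the output returning no findings is a cheap check that nothing the rules know about survived the first.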
The AirSnitch work is a reminder that the network itself can’t be trusted. How does that fit your architecture?
Okta is trying to stay a modern company, and we’ve never trusted our wireless networks. We more or less treat our offices like a Starbucks — we don’t trust anybody who’s there. Even though we use certificate-based authentication to get onto our employee networks, that’s only one of many things we use to trust a device: identity, the actual hardware, encryption to the resources, VPN on top.
Because we’re getting signals from all of these, we stitch them together with log management and SIEM, and layer AI on top so we don’t have humans watching syslog fly by. We always knew Wi-Fi was never secure — we hoped it was, but we never really trusted it.
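To make the layering in the two answers above concrete (IP allowlisting so that a lost token is probably being replayed from off the corporate network, device trust from a certificate plus MDM and EDR, a fresh auth event for each sensitive session, and every decision recorded for the SIEM), here is an added example, not Okta's or SecureW2's code. The allowlisted ranges (TEST-NET placeholders), the risk weights, the session-age limits and the signal names are all assumptions chosen for illustration. The point it shows: a stolen session token replayed from an unmanaged machine fails every other check and is denied, a managed laptop off the corporate network is stepped up rather than denied, and a long-lived session to a sensitive app is pushed through a new auth event.

```python
# Added example, not Okta's or SecureW2's code: decide an access attempt from layered
# signals rather than from the session token alone. Allowlist ranges, weights, limits
# and signal names are assumptions for illustration.
from dataclasses import dataclass, field
import ipaddress

# Corporate egress ranges standing in for IP allowlisting (TEST-NET placeholders, an assumption).
CORP_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
SENSITIVE_MAX_SESSION_S = 15 * 60      # sensitive apps: force a new auth event after this long
DEFAULT_MAX_SESSION_S = 12 * 60 * 60
DENY_THRESHOLD = 5                     # risk score at or above which the token alone buys nothing


@dataclass
class AccessSignals:
    user: str
    app: str
    sensitive: bool
    session_age_s: int
    source_ip: str
    device_cert_valid: bool   # client certificate from a company-issued device
    mdm_enrolled: bool
    edr_reporting: bool
    auth_fresh: bool          # a fresh authentication event happened for this app session


@dataclass
class Decision:
    action: str                                   # "allow", "reauth" or "deny"
    risk: int = 0
    reasons: list = field(default_factory=list)


def on_corp_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def evaluate(s: AccessSignals) -> Decision:
    """Each missing signal adds risk; a token replayed from an unmanaged box off-network fails all of them."""
    risk, reasons = 0, []
    for missing, weight, why in (
        (not on_corp_network(s.source_ip), 2, "source not on corporate network"),
        (not s.device_cert_valid, 3, "no valid device certificate"),
        (not s.mdm_enrolled, 2, "device not MDM-enrolled"),
        (not s.edr_reporting, 1, "EDR agent not reporting"),
    ):
        if missing:
            risk += weight
            reasons.append(why)
    if risk >= DENY_THRESHOLD:
        return Decision("deny", risk, reasons)
    # Device and network look right; now decide whether the session itself is still fresh enough.
    max_age = SENSITIVE_MAX_SESSION_S if s.sensitive else DEFAULT_MAX_SESSION_S
    if s.session_age_s > max_age:
        reasons.append(f"session age {s.session_age_s}s exceeds {max_age}s")
    if s.sensitive and not s.auth_fresh:
        reasons.append("sensitive app requires a fresh auth event")
    return Decision("reauth" if reasons else "allow", risk, reasons)


def siem_event(s: AccessSignals, d: Decision) -> dict:
    """Flat record for the SIEM so the decision and every contributing signal are searchable together."""
    return {"user": s.user, "app": s.app, "src_ip": s.source_ip, "on_corp_network": on_corp_network(s.source_ip),
            "device_cert": s.device_cert_valid, "mdm": s.mdm_enrolled, "edr": s.edr_reporting,
            "session_age_s": s.session_age_s, "action": d.action, "risk": d.risk, "reasons": d.reasons}


if __name__ == "__main__":
    # Constructed scenarios; 192.0.2.10 is an off-network address (TEST-NET-1).
    stolen = AccessSignals("alice", "admin-console", True, 60, "192.0.2.10", False, False, False, True)
    managed_remote = AccessSignals("alice", "admin-console", True, 60, "192.0.2.10", True, True, True, True)
    stale = AccessSignals("alice", "admin-console", True, 3600, "203.0.113.5", True, True, True, True)
    for case in (stolen, managed_remote, stale):
        print(siem_event(case, evaluate(case)))
```

The weights are deliberately arranged so that no single signal is decisive: a missing certificate alone steps the user up, but a missing certificate from off-network is a deny, which is the stolen-token case. Shipping the `siem_event` record for allows as well as denies is what lets the SIEM side correlate a later alert with the exact signals that were present at the time.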
The SecureW2 read
Carlson describes exactly the posture certificate-based identity is built for: the SSID is not a trust boundary, so a per-device certificate becomes one signal among many — identity, hardware, encryption, device trust — that get stitched together and continuously evaluated. SecureW2’s role in that stack is the one Carlson names: feeding device-trust signals from many platforms so that even a stolen token lands somewhere the attacker can’t actually use it.
Quotes are drawn from the SecureW2 × Myriad 360 customer panel at The Battery, San Francisco. Lightly edited for length and clarity. Used here in a design mockup.