Transcription
NIST Zero Trust 800-207Mapping for Okta
Identity as the Foundation for Zero TrustThehave theto thein thethat isrightpeopleright level uslyLeast Friction Possible Okta and/or its affiliates. All rights reserved. Okta Confidential2
Zero Trust Reference ArchitectureIDENTITYRisk Score UserRESOURCESACCESSSAML, ppsOn-PremPolicyOAuthAPIsAuthZ EngineSSH/RDPInfrastructureCONTEXTUserDeviceTHIRD cationNetworkAppANALYTICS & ORCHESTRATION
Okta Mapping to NIST 800-207 GuidanceOkta as PolicyEnforcement PointOkta as PolicyAdministratorOkta as Policy Engine Okta as IdP is directly an PEP thatenforces access to the application Okta provides direct and delegatedadmin to policies for zero trust access Okta as IdP to SP of App model (wherego to app first) supported andenforcement occur at app Okta API Server and Authenticationpolicy issues tokens and cookies forOIDC/OAuth2 and/or SAML access Okta provides Policy Engineexecution through AdaptivePolicies and API Policies Okta as IdP of OIDC redirect supported4and ID token at app is enforced by app Okta and/or its affiliates. All rights reserved. Okta Confidential Okta API Server determinesscopes and claims. Okta Access Gateway translates to app Okta Adaptive Policy implementsZTA Trust Algorithm (TA)where legacy protocols required
Okta NIST 800-207 Resource Model DeploymentDeployment models (though are notdirect application access model) asdescribed in 3.1.1 and 3.1.2 can besupported with Okta partners suchas Palo Alto, ZScaler and CASBs orwith Okta Advanced Server Access.Okta out of box focus is on directapplication access model that doesnot depend on agents on clients.To this end the out of boxdeployment model is the ResourcePortal-Based Deployment model.Sample on right is from Figure 5 page11 and overlaid are the Oktacomponents fulfilling that capability. Okta and/or its affiliates. All rights reserved. Okta Confidential5AdaptivePoliciesSSO, LCM,APIAM and MFAUserDashboardAccessGateway5
Okta NIST 800-207 Microperimeter DeploymentOkta does support 3.1.2 usingOkta Advanced Server Accessfor purposes of accessingserver resources.Okta provides identity functionsfrom Okta Identity Cloud forPE and PA and uses OktaAdvanced Server Access forPEP function access to serverresources.Sample on right is from Figure 4page 10 and overlaid are theOkta components fulfilling thatcapability. Okta and/or its affiliates. All rights reserved. Okta Confidential6AdaptivePoliciesSSO, LCM,APIAM and MFAClientAdvancedServer Access(ASA)Agent6
Q A Okta and/or its affiliates. All rights reserved. Okta Confidential7
Thank You
Data Insights into Federal Adoption Okta and/or its affiliates. All rights reserved. Okta Confidential9
Cloud, Mobile Have Dissolved the Network oud appsOn Prem ServersAPIsOn Prem AppsPublicSoftware-Defined PerimeterEmployeesPrivileged UsersContractorsIDENTITIES Okta and/or its affiliates. All rights reserved. Okta Confidential10PartnersCustomersPrivate
Advanced Server Access – Zero Trust for Infrastructure1Request session4Client2AuthN& AuthZ3Issue credentialConnect viaSSH or RDPServer5Audit eventEliminates the use of static credentials by minting short-lived, tightly scoped client certificates forevery independent request only once fully authenticated and authorized Okta and/or its affiliates. All rights reserved. Okta Confidential11
Okta Confidential 4 Okta Mapping to NIST 800-207 Guidance Okta as Policy Enforcement Point Okta as Policy Administrator Okta as Policy Engine Okta as IdP is directly an PEP that enforces access to the application Okta as IdP to SP of App model (where go to app first) supported and
