The IPSIE standard will improve detection and visibility.
A new identity security standard has been launched by Okta to provide a framework for SaaS companies to enhance the end-to-end security of their products.
Named the Interoperability Profile for Secure Identity in the Enterprise (IPSIE), the open standard will, the company claimed, allow SaaS builders to bring together new and existing technologies like SSO, risk signal sharing and session termination.
As a single identity security framework, IPSIE is intended to streamline development and integration, allowing teams to focus on high-impact tasks. IPSIE will bring together a set of existing and new standards, covering a wide range of proposed use cases, including:
Single sign-on (SSO) to centralize login, policies, and enforcement (OIDC)
Lifecycle management to secure user on/offboarding and prevent security risks like orphaned accounts and shadow directories, avoiding unauthorized access (SCIM)
Entitlements (governance/privileged access) to enforce least privilege access and move toward zero standing privileges (SCIM)
Risk signal sharing to get seamless security insights and share them across the entire security ecosystem (CAEP/SSF)
Session termination and token revocation to immediately terminate all user sessions in response to detected threats
Don't Integrate Well
Speaking in the opening keynote at Okta’s Oktane conference in Las Vegas, CEO Todd McKinnon said the reason identity and security is hard is “because all the applications and all the technology is different, they don't integrate well.”
He said this led to a simple “but profound realization that to solve the identity security challenge that is affecting the world, we need massive standardization.” With no identity security standard that ensures visibility and interoperability across all technologies - and SAML is “far from where it needs to be”
“The time is now to fundamentally re-evaluate how we think about identity security. We need to move to a world where every app, every device, every workload all speak a common language,” McKinnon said.
“Our goal is to standardise identity security across the industry and by doing this, we will help foster an ecosystem that is seamless and efficient to build enterprise technology and use it in an environment that will be secure by default.”
Involves Everyone
Okta has also formed a working group with the OpenID Foundation with the aim of defining, creating and working with the whole ecosystem to evolve the standard.
McKinnon said: “This is open, and it involves everyone including other identity providers: from the biggest to the smallest. We're going broad and wide with this because it only works if it covers everything.
“Today the identity industry can't integrate deeply enough into technology, and the people that are building technology, they don't have a simple and consistent way to allow these connections to happen. They're all reinventing the wheel and IPSIE is meant to codify this connection and in doing so it will dramatically improve identity security.”
McKinnon said by adopting IPSIE, users will get complete visibility into their identity environment and the threat surface, and they can provide access to the right applications at the right time, and take real-time actions in response to threats. “We need to solve these problems as an industry and get back to the main businesses we're all in.”
Written by
Dan Raywood
Senior Editor
SC Media UK