Agents

14 minute read

Agree & Join LinkedIn

By clicking Continue to join or sign in, you agree to LinkedIn’s User Agreement, Privacy Policy, and Cookie Policy.

``````Skip to main content

![3rd party authorizations/oAuth/NHI/Agents](https://media.licdn.com/dms/image/v2/D5612AQF4T8kIHZlmRQ/article-cover_image-shrink_720_1280/B56Zay7gsZGsAI-/0/1746758667457?e=2147483647&v=beta&t=WVVWCoQHiwFUc151g0KNr1rZ0zA0v9h9vBejBAXWH6Q)

Video: [https://youtu.be/xzr\_z\_rx\_Mw](https://youtu.be/xzr_z_rx_Mw)

Overview:

1.    The JPMC CISO Letter as a Catalyst:

- The conversation is framed around a recent letter from the CISO of JPMC, described by Harish Peri as a "bomb in industry."
- The letter validates Okta's existing concerns regarding third-party supplier security and authentication protocols, particularly as digital chains become "more and more expansive."
- The letter highlights a "big problem" related to authentication protocols in third-party supply chains.
- Peri states, "I loved it... because it was great to hear, you know, the CISO of one of the world's largest and probably one of the most complex organizations... really echo back the thing that's been top of mind for us."

2.    Identity as an Integration and Orchestration Issue:

- Identity is fundamentally an integration issue, orchestrating identities across various systems (e.g., Microsoft AD).
- The ideal state involves a "one golden record" for identity that is then orchestrated, avoiding "multiple silos, multiple ids."
- Okta's initial focus on single sign-on (SSO) is described as a form of orchestration, connecting an identity source like AD to a SAS app.
- The current challenge involves orchestrating identities and access between multiple apps ("going from like a SAS to another apps").

3.    The Critical Difference Between OAuth 1.0 and OAuth 2.0 and Associated Risks:

- OAuth 1.0: Designed for human authentication into an app ("basically between a person and a technology"). Simple and focused on user access grants.
- OAuth 2.0: A framework for machine-to-machine authorization ("authorizing another app to access another app or resource on my behalf"). This can also include "AI agents."
- The Problem: The machine-to-machine nature of OAuth 2.0, while enabling seamless integration, can lead to significant security risks:
- Long-lived, unmanaged tokens: These tokens are essentially "the master key to every part of the organization."
- Improper token management: Tokens can be "hardcoded or put into configuration files or something in plain text even that can be accessed."
- Lateral Movement: Attackers seek to gain access, "escalate privilege," and then "laterally mov\[e\] around the organization." Long-lived, unmanaged tokens are a "gold mine" for this.
- The drive for ease of customer experience and rapid innovation in app development has often led to security being overlooked in the implementation of machine-to-machine access.
- The JPMC letter highlights the lack of visibility into "what level of privilege that connection allows," "how long that token is living," and "who has access to it." This bypasses traditional security controls like "access management, identity governance and privilege access."
- Harish Peri states: "That right there is what we believe is probably the biggest security gap in our industry right now."
- He adds: "the security side of it is not being thought of with as much diligence as it should."

4.    The Importance of Authorization and Cross-App Authorization:

- Beyond authentication (logging in), authorization (what you can do) is a significant challenge, particularly in third-party applications.
- Different apps have different controls and authorization models, making it difficult to consistently manage access.
- There is a tendency for authorization logic to be implemented directly within individual SaaS applications.
- Okta's Vision (IPS): Okta is working with the Open ID Foundation and other identity providers on a future standard called IPSIE (Interoperable Profile for Secure Identity in the Enterprise).
- The core idea of IPSIE is that no SaaS application should directly implement authorization or authentication logic. Instead, they should "expos\[e\] capabilities such that a platform like Okta can handle that."
- This is because authorization is a "very specialized function" that most app builders lack the expertise to do comprehensively and securely.
- IPSIE will encapsulate SSO, MFA, exposing entitlements and life cycle management, sharing risk signals, and supporting session termination.
- This standard will provide CISOs with "complete visibility" and the ability to take actions like "terminating the session to prevent lateral movement."
- Cross-App Authorization: A key emerging pattern where authorization logic is outsourced to a centralized identity provider. This provides a "single control plane" to manage access across applications.
- Harish Peri emphasizes: "as a security professional, you have a single control plane to see everything. Who's logging in? How are they logging in? What do they have access to? Is that access happening the right way? Are they breaking authorization patterns?"
- This becomes even more critical with the deployment of "enterprise AI agents."

5.    Timeline and Adoption of IPSIE:

- Okta is actively building tooling for both ISVs (app builders) to adopt the standard and for Okta's platform to consume it.
- For Okta customers, the ability to consume the standard and gain visibility/control across apps is being built into the platform.
- The longer-term challenge is getting ISVs to adopt the standard, which is an "industry transformation" requiring "behavior change" and "code change."
- Okta is pursuing a "two-pronged approach": pushing the open standard (IPSIE) and working with major SAS ISVs to have "secure identity integrations pre-built into their applications." This aims to provide an "adrenaline boost to the whole ecosystem."
- This echoes Okta's efforts in driving industry adoption of SAML 15 years ago.
- Okta is actively working to convince SAS builders (e.g., at events like SaaStr) that adopting identity security standards is essential for their long-term viability.

6.    Addressing Current State Issues (Visibility and Control):

## Recommended by LinkedIn

[![How to Leverage Microsoft Purview Data Loss Prevention for Improved Compliance ](https://media.licdn.com/dms/image/v2/D5612AQFeiJE1gUixuQ/article-cover_image-shrink_720_1280/B56ZZzR0fqHsAI-/0/1745690776645?e=2147483647&v=beta&t=AVWg8l97KA6AEqaDykilNjrW2ASt3B_8jFQkx8vAmHM)\\
How to Leverage Microsoft Purview Data Loss Prevention…\\
\\
Kanerika Inc\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
2 months ago](https://www.linkedin.com/pulse/how-leverage-microsoft-purview-data-loss-prevention-improved-gdk4c)

[![Why JPMorgan Chase's CISOs Warning Demands Industry-Wide Action](https://media.licdn.com/dms/image/v2/D4E12AQFCgsT1aRRD3w/article-cover_image-shrink_720_1280/B4EZai634dHoAM-/0/1746490067156?e=2147483647&v=beta&t=8a5I4_0izewCdnasxDVFjb4k3A0j7LS8DKeAPpAe4-E)\\
Why JPMorgan Chase's CISOs Warning Demands…\\
\\
Dr. Erdal Ozkaya\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
2 months ago](https://www.linkedin.com/pulse/why-jpmorgan-chases-cisos-warning-demands-action-dr-erdal-ozkaya-hurke)

[![An Introduction to Keycloak: Simplifying Authentication & Identity Management](https://media.licdn.com/dms/image/v2/D4D12AQFgyUYCYwBgwg/article-cover_image-shrink_720_1280/B4DZVdNrURHwAI-/0/1741025621714?e=2147483647&v=beta&t=meUaoyRcp48-ZgNRdWEfltuQAeMHgAqS8bimUpPxFN0)\\
An Introduction to Keycloak: Simplifying…\\
\\
Ricardo M.\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
\\
4 months ago](https://www.linkedin.com/pulse/introduction-keycloak-simplifying-authentication-identity-morales-h9rif)

- Even in the absence of widespread IPSIE adoption, Okta offers capabilities for visibility and management.
- Using the example of Calendly accessing Google Calendar, Harish Peri notes that while a future state should involve centralized authorization, current capabilities exist.
- Okta's platform, with its deep integrations across thousands of applications, can detect "misconfigured accounts, overprivileged accounts, excessive authorization."
- Okta's ISPM (Identity Security Posture Management) product provides visibility into "all of your risks in one place."
- ISPM is integrated with governance and privilege management capabilities, allowing for "remediative actions all in one place."
- Okta's approach is summarized as "see it, control it and then ongoing manage it from a governance perspective." This includes detecting and managing "overprivileged misconfigured accounts orphan accounts... non-human service accounts, keys."

7.    Activity Monitoring and Blind Spots:

- Pramod Gosavi raises the issue of monitoring app-to-app activity and potential blind spots (e.g., a third-party app misbehaving or being compromised and performing malicious actions on behalf of a user).
- Harish Peri states that monitoring granular activity and taking action requires "depth of integration into the application to be able to see the fine grain entitlements."
- Okta has had "fine grain entitlements for about a year now" allowing visibility into authorization details.
- The ability to "write into that and take action in case there is overprivileged" is also powered by Okta's integration depth.
- He reiterates the need for integrations "almost into that config screen that's saying like what authorizations I have."

8.    Non-Human Identity (Machine-to-Machine) and Privilege Access Management (PAM):

- Machine-to-machine identity is acknowledged as a distinct challenge.
- Vendors are emerging focusing on visibility or separate orchestration for machine identities.
- Harish Peri connects this to the issue of AI agents, which will "exacerbate" bad behavior around service accounts, tokens, and keys.
- The core issue is "discipline" in development practices to avoid exposing tokens (e.g., hardcoding, plain text in config files).
- He highlights the risk of AI-generated code inadvertently introducing exposed tokens.
- Machine-to-machine access patterns often relate to privileged access.
- It's acceptable for tokens to be long-lived or have excessive privilege if they are properly managed.
- The solution lies in introducing "discipline" through PAM practices: "access control around privilege, timebound checkouts, rotations, vaulting."
- "There's nothing inherently wrong with the tokens. It's the discipline around that."

9.    AI Agents and the Future of Identity:

- AI agents will amplify existing security problems.
- The complexity increases with autonomous agents and MCP (Multi-Component Systems) servers that can dynamically assemble tools and connect to systems in real-time.
- Okta's approach to "Author NAI" (Authoring AI) involves four principles dictating the discipline needed to build AI securely.
- Key principles include:
- Agent should not directly access API keys (should be vaulted).
- Fine-grained authorization must be baked in to act on behalf of the user (relationship-based access control).
- Following SSO/MFA protocols.
- The concept of cross-app authorization extends to AI agents: agents should not have direct access but be brokered through a standard identity platform.
- The need is to "outsource the authorization authentication logic to someone who knows what they're doing like us."
- Okta is working on an identity spec for agents, viewing it as an evolution of IPSIE.
- The vision is a "Lego plate" metaphor: a standard connecting every "Lego" (app, agent, resource) to a "unified identity security platform" for visibility and control.
- The standard acts as a "manifesto" ensuring adherence to core identity security principles ("Do not hard code anything. Make sure you're exposing yourself to a central platform.").

10.    Orchestration, Scalability, and Reliability:

- Orchestration of identities across dynamic, short-lived agents (like microservices) is a challenge.
- Harish Peri argues that with standards and discipline, the central platform can orchestrate actions based on policy violations or anomalous activity (e.g., universal logout).
- Orchestration is "a byproduct of having everything built to a standard sitting on top of a single platform."
- Okta emphasizes its existing high availability and scalability, stating they are "mission critical" and already have the infrastructure to handle high demands ("99... four five times up time").

1.    Okta's Response and Future Focus:

- Okta is actively promoting the adoption of identity security standards among SAS builders.
- They are preparing to release information on cross-app capabilities and updated standards/specs in the June-July timeframe (relative to the recording date).
- The JPMC letter has provided "more fuel to the fire" for these existing initiatives.
- Okta's goal is to create a "utopia" for CISOs where they have visibility and control over their entire application ecosystem, ensuring no direct app-to-app access bypasses identity controls.

Key Quotes:

- Harish Peri: "this letter was sort of a bomb in industry. I loved it... because it was great to hear, you know, the CISO of one of the world's largest and probably one of the most complex organizations... really echo back the thing that's been top of mind for us."
- Harish Peri: "identity at its core is the integration issue."
- Harish Peri: "with O 2.0 is it's really a framework to say I'm authorizing another app to access another app or resource on my behalf."
- Harish Peri: "you end up with essentially a token that is long lived, that is not proper managed that sometimes can get hardcoded or put into configuration files or something in plain text even that can be accessed. And that right there is what we believe is probably the biggest security gap in our industry right now."
- Harish Peri: "Every hacker is trying to do one thing. They're trying to get in get escalate privilege... And once they do that, they can start laterally moving around the organization."
- Harish Peri: "the security side of it is not being thought of with as much diligence as it should."
- Harish Peri: "we imagine a world where no SAS application is directly implementing authorization or authentication logic. What it's doing is it's exposing capabilities such that a platform like Okta can handle that."
- Harish Peri: "as a security professional, you have a single control plane to to see everything. Who's logging in? How are they logging in? What do they have access to? Is that access happening the right way? Are they breaking authorization patterns?"
- Harish Peri: "IPSIE, which it's a very long name for those that don't know. It's interoperable. profile for secure identity in the enterprise."
- Harish Peri: "see it, control it and then ongoing manage it from a governance perspective."

Comment

- Copy
- LinkedIn
- Facebook
- Twitter

Share

100 `` 14 Comments

Brendan Booth

AI SOC Analyst

2mo

Report this comment

Pramod Gosavi What are your thoughts on using a solution like vorlon.io to solve this problem? Do you think there is demand for this before there is a real standard like IPSIE rolled out and adopted by the market?

Like Reply 1 Reaction

Nico Popp

2mo

Report this comment

I especially like session termination. FInally a real ‘R’ in ITDR…After device containment, identity containment.

Like Reply 1 Reaction 2 Reactions

Harish Peri

SVP Product Marketing, Okta

2mo

Report this comment

Okta 👆🏽

Like Reply 2 Reactions 3 Reactions

Harish Peri

SVP Product Marketing, Okta

2mo

Report this comment

Arnab Bose 👆🏽

Like Reply 2 Reactions 3 Reactions

Lokesh Koli

Vectoredge’s AI Powered Data Security platform mitigates AI Data Security risks by enhancing protection measures, enabling secure data sharing, and reducing costs and processing time.