Super-Charge Okta security with Terraform and Mondoo

Businesses increasingly rely on cloud-based services like Okta to manage their identities and access controls. While this shift provides robust capabilities to manage user access and authentication across various technologies, it also brings about the challenges of the shared responsibility model introduced by public cloud services like AWS, Microsoft Azure, and Google Cloud. As a result, ensuring the security of these systems becomes not just crucial, but also complex.

This article explores how organizations can bolster their Okta security using two powerful methodologies: Infrastructure as Code (IaC) and Policy as Code (PaC).

Understanding Infrastructure as Code

Infrastructure as Code is a practice that enables businesses to define and manage infrastructure resources in a declarative manner using code. Instead of manually configuring infrastructure components, IaC allows organizations to automate the provisioning and management of resources. When adopting IaC practices for Okta organizations, businesses achieve several security advantages:

  1. Consistency and repeatability: IaC ensures consistent application of infrastructure setup across environments, minimizing configuration errors that may introduce risk.
  2. Version control and auditing: Storing infrastructure code in version control systems allows a complete audit trail of changes, enhancing security monitoring and making it easier to identify potential security gaps.
  3. Rapid disaster recovery: In the event of a security breach or infrastructure failure, IaC allows swift and accurate rebuilding of Okta environments.

When it comes to IaC tooling, there is a myriad of choices. Which IaC tool to select often depends on the use case, and opinions often fall prey to what looks like a religious war. That being said, it is hard to debate which IaC tool is the most widely adopted. For that, the clear winner is HashiCorp Terraform.

Securing Okta with Terraform

Terraform Registry

HashiCorp Terraform, a globally adopted open-source IaC framework, hosts a registry of providers for various cloud platforms. While the official providers for cloud platforms such as AWS, Microsoft Azure, and Google Cloud, maintained by HashiCorp, continue to see the largest adoption, there has also been a rise in partner providers for other technologies such as data management, networking, container orchestration, and more. The growth in partner providers shows that organizations see the value in creating IaC solutions for their customers and that users are looking for those solutions to help them automate a wider range of technologies.

The Okta provider, built and maintained by Okta, provides resources for configuring Okta, applying recommended security configurations, and reducing onboarding time for new applications. Since its release in 2019, the Okta provider has steadily gained adoption and has seen almost 20 million downloads.

The resources provided by the Okta provider cover most of the configurations for an Okta organization, many of which directly affect the security posture of Okta. These resources go a long way toward ensuring business-critical infrastructure is configured securely, but is the adoption of IaC enough to ensure security?

Is IaC security testing enough?

Running security tests against IaC code is not a new concept. There are various tools on the market, many of which are open source, that are designed specifically to scan IaC for security misconfigurations. These tools help teams shift security left to catch misconfigurations that put businesses at risk before they are deployed to runtime environments. The teams most often implementing these tools are not always the security teams, but rather the infrastructure engineers, platform engineers, and DevOps teams tasked with automating environments. Testing IaC for security issues is a good pattern that should be adopted, but does it go far enough?

It is easy to over-rely on IaC as the source of truth for what infrastructure is running and how that infrastructure is configured. The challenge with IaC scanners is that they are designed to test just the code rather than the running infrastructure. This gap has profound implications for the security teams accountable for the security of the environments and for the platform engineering, DevOps, and SRE teams responsible for managing them. While IaC testing is critical for finding issues before they are deployed, organizations must also continuously scan runtime environments for misconfigurations and vulnerabilities.

What happens is that organizations buy one solution for SaaS security and another for IaC security. These solutions are not designed to work together. Changes to runtime checks are not propagated to the IaC scanning without human intervention. This gap causes misalignment, which creates more noise and adds to the friction between security and development teams. The result is increased operational costs, increased friction to innovation, and lower morale.

To truly tackle the challenge of creating an end-to-end workflow that meets the needs of both security and engineering teams, you need a solution designed to work across both development and runtime domains.

Leveraging Policy as Code for SaaS Technology

Policy as Code (PaC) allows businesses to define and codify security best practices and organizational policies as executable code. Integrating PaC in the Software Development Lifecycle (SDLC) yields numerous benefits:

  1. Automated policy enforcement: PaC allows businesses to automate the enforcement of security policies across their Okta environments, reducing the risk of human error.
  2. Continuous compliance monitoring: Incorporating PaC into the workflow enables continuous compliance monitoring. Policies can be defined to check for compliance against industry regulations, internal security standards, and best practices, providing proactive identification and mitigation of security vulnerabilities.
  3. Enhanced collaboration and accountability: PaC promotes collaboration between security teams, developers, and other stakeholders. It enables transparent discussions about policies and facilitates accountability by tracking changes to policies over time.

The Combined Power of IaC and PaC

The combination of IaC and PaC practices creates a robust security framework. Here's how these methodologies complement each other:

  1. Automated policy enforcement: Infrastructure code can be augmented with PaC rules to automatically enforce security policies during the deployment and management of Okta resources.
  2. Policy testing and validation: IaC tools can incorporate policy testing capabilities, ensuring that security policies are implemented and functional from build to release.
  3. Compliance-as-Code: Businesses can define compliance requirements as code, integrating them into their IaC and PaC practices. This approach reduces the risk of configuration drift and enhances overall security posture.

Mondoo has been at the forefront of the PaC movement since its beginning. Mondoo’s technology supports scanning IaC for security issues and additionally supports scanning various runtime environments including public and private cloud, Kubernetes, containers, servers and endpoints, SaaS, IoT, and even networking equipment. This unmatched capability allows teams to implement Mondoo Policy as Code practices in an IaC workflow from development through runtime.

Building end-to-end secure workflows for Okta

Okta Help Center

Securing infrastructure should start by applying the recommended secure configurations. Okta’s HealthInsight audits an org's security settings and suggests tasks that improve security posture. Each new Okta organization provides the HealthInsight dashboard to show which recommendations have been successfully implemented, and which are outstanding.

Mondoo Console - Okta Organization Security

Mondoo Platform comes with the Okta Organization security policy out of the box, covering all of the HealthInsight recommendations. Mondoo Platform makes it easy to integrate your Okta organization to provide continuous security posture management against Okta HealthInsight checks. What makes Mondoo’s policy unique from the Okta dashboard is that it supports both runtime scanning of Okta and scanning of Terraform code that leverages the Okta provider for Terraform. Mondoo’s policy goes even further by working across all of the defined stages of a Terraform run including the pre-plan, post-plan, and the post-apply stage. Each stage provides an opportunity to take action if the security scan does not meet your security requirements.

Okta provisioning

Mondoo policies are easily customizable. Checks can be disabled if they are not required for your environment, and the default values for checks such as the number of super admins allowed in Okta or the minimum password length can be overridden to meet your needs. Changes to policies take effect immediately across the release process, affecting both runtime checks and Terraform IaC checks. This avoids misalignment due to inconsistent data between teams stuck using different tools for security scanning in development vs. runtime.
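To make the "one policy, both stages" idea concrete, here is an added example (not Mondoo's or Okta's code) of a single check set with overridable defaults that is evaluated against a Terraform plan in the post-plan stage and against a runtime snapshot of the same org. The Okta provider resource and attribute names (`okta_policy_password.password_min_length`, `okta_user_admin_roles.admin_roles`) are assumed, the plan excerpt and the runtime snapshot are constructed, and the snapshot shape is this example's own rather than the Okta API's.

```python
"""Added example: the same policy checks run on a Terraform plan and on runtime."""
import json

# Policy defaults; a tuned policy overrides these without touching the checks.
DEFAULTS = {"max_super_admins": 3, "min_password_length": 12}

# Constructed excerpt of `terraform show -json tfplan` output (post-plan stage).
# Resource/attribute names follow the Okta Terraform provider as assumed here.
PLAN_JSON = json.dumps({"planned_values": {"root_module": {"resources": [
    {"type": "okta_policy_password", "name": "default",
     "values": {"password_min_length": 8}},
    {"type": "okta_user_admin_roles", "name": "alice",
     "values": {"user_id": "u1", "admin_roles": ["SUPER_ADMIN"]}},
    {"type": "okta_user_admin_roles", "name": "bob",
     "values": {"user_id": "u2", "admin_roles": ["SUPER_ADMIN"]}},
]}}})

# Constructed runtime snapshot (shape chosen for this example, not the Okta API).
RUNTIME = {"password_min_length": 14, "super_admins": ["u1", "u2", "u3", "u4"]}


def from_plan(plan_json):
    """Normalize a Terraform plan into the shape the runtime check consumes."""
    res = json.loads(plan_json)["planned_values"]["root_module"]["resources"]
    min_len = min((r["values"]["password_min_length"] for r in res
                   if r["type"] == "okta_policy_password"), default=None)
    admins = [r["values"]["user_id"] for r in res
              if r["type"] == "okta_user_admin_roles"
              and "SUPER_ADMIN" in r["values"]["admin_roles"]]
    return {"password_min_length": min_len, "super_admins": admins}


def evaluate(state, overrides=None):
    """Run every check against a normalized state; return a list of findings."""
    cfg = {**DEFAULTS, **(overrides or {})}
    findings = []
    n = len(state["super_admins"])
    if n > cfg["max_super_admins"]:
        findings.append(f"super admins: {n} > {cfg['max_super_admins']}")
    ml = state["password_min_length"]
    # A plan that defines no password policy fails the check as well.
    if ml is None or ml < cfg["min_password_length"]:
        findings.append(f"password min length: {ml} < {cfg['min_password_length']}")
    return findings


if __name__ == "__main__":
    print("plan:   ", evaluate(from_plan(PLAN_JSON)))
    print("runtime:", evaluate(RUNTIME))
    print("tuned:  ", evaluate(RUNTIME, {"max_super_admins": 5}))
```

Because both stages feed the same `evaluate`, raising `max_super_admins` once changes the verdict for the pipeline and for the running org at the same time.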

Mondoo policies integrate into CI/CD platforms

Mondoo policies can be easily integrated into any CI/CD platform. Results from CI/CD scans appear in the pipeline and are also returned to Mondoo Platform, giving developers the data they need to ensure they are passing security checks, and security teams the data they need to ensure all changes are running the required security checks.

Okta HealthInsight

The end result of implementing Mondoo and Terraform together is that your Okta organization is configured with all of the HealthInsight security recommendations using an automated workflow. Any change to the IaC is audited to ensure your Okta organization remains compliant with the policy.

Ensure Okta organizations are compliant with policy

Monitor your infrastructure for security misconfigurations and map those checks automatically to top compliance frameworks.


As data breaches and security incidents continue to pose significant risks, businesses must proactively secure their Okta organizations. Infrastructure as Code and Policy as Code offer a proven pattern to enhance security, automate compliance checks (including evidence gathering for auditors, which we will delve into more deeply in a future blog post), and maintain a clear audit trail of changes.

Mondoo provides comprehensive policies for Okta that work seamlessly from development to release into production. By embracing these methodologies, businesses can protect their Okta environments against potential threats and safeguard critical business data.

Start Your Security Transformation Today

You've seen the power of blending Infrastructure as Code and Policy as Code. You understand how Mondoo and Terraform can propel your Okta security to new heights. Now, it's time to take that step forward.

Our team of experts is eager to help you navigate this journey, ensuring your security workflow is seamless and robust. No need to do this alone; we're here to guide and customize solutions that match your unique needs.

So why wait? Your secure future begins now. We can't wait to embark on this exciting journey with you!

Scott Ford

Scott Ford is a DevOps practitioner. In his current role as Principal Architect at Mondoo, he is focused on helping businesses automate security without adding friction to innovation. Prior to joining Mondoo, Scott held positions as Principal Architect of Lacework, and Distinguished Architect at Chef Software helping companies around the world transform the way they build their products through collaboration and automation.
