Practical Survival Guide to Okta Lifecycle Management

Hannah Young

January 20, 2023

6 min read

If you’ve searched for this article, chances are you’re already familiar with Okta LCM: Okta Lifecycle Management (and perhaps with Crosswire’s take on why Your Okta Groups Should Be (Mostly) Empty). While you may have followed some initial steps to get started with Okta LCM, there’s no real technical usability guide as it stands.

Introducing Crosswire’s “Practical Survival Guide to Okta Lifecycle Management.”

Figure (image by Okta): the Okta lifecycle drawn as a loop. New employees lead to Provision, Provision to Enforce, Enforce to Update, and Update either returns to Provision or leads to Offboard.

1) New Employees (Onboarding): When setting up lifecycle management, make sure that API keys don’t expire and that they’re regularly rotated

The first step in any new employee's (or user's) lifecycle is onboarding. When setting up Okta LCM, you use API keys to authenticate the calls your integrations make to Okta's APIs and their methods; Okta has a whole blog post on how to obtain and use API keys here. If these keys are set to expire, that translates into broken onboardings (and offboardings), which defeats the purpose of using Okta LCM in the first place.

However, API keys are a risk if exposed, because they can be used by whoever sees them, so regular rotation is part of risk reduction. While many suggest rotating your API keys every 90 days (once a quarter), the right interval depends on the security needs of your company. For example, you should have an established process for rotating these keys whenever you offboard an Okta admin or deprovision someone's access. You know your company best, and we strongly advise finding a rotation timeline that suits your needs.

Image by xkcd
💡 Note: If you do have expirations on your API keys, ensure they don't expire between invocations. If you use the integration frequently, the expiry will become immediately apparent because the integration will break and you will notice (and hopefully fix it). On the other hand, an expired API key can be hard to spot in an infrequently used integration (one invoked less than quarterly), and you may not notice until it is too late. If you must use expirations, enable a periodic test of each integration that sends an alert when the test fails, so that an expiration cannot go unnoticed.

Whether through periodic tests or by eliminating expirations and switching to rotation-based mechanisms, as we suggest above, it's important to prevent an integration from breaking when you most need it. Once you have reduced the risk from your API keys, continue with the other measures that safeguard Okta API integrations, namely securing your profile source and using dedicated system accounts.
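The periodic test recommended above, as an added example that is not Crosswire's or Okta's code: one run makes a cheap authenticated read against the Okta API and also compares the token's age with a rotation window. The org URL, the 90-day window and the fake HTTP backend are assumptions so the script runs offline; in production, pass a real HTTP client as `http_get`.

```python
import datetime as dt
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumptions (not from the article): placeholder org URL and a 90-day rotation
# window, which the article mentions only as a common suggestion.
OKTA_ORG = "https://example.okta.com"
ROTATION_DAYS = 90

# http_get(url, headers) -> HTTP status code; injected so the check can run
# against a real HTTP client in production and a fake one offline.
HttpGet = Callable[[str, Dict[str, str]], int]


@dataclass
class ProbeResult:
    ok: bool
    reason: str


def probe_token(token: str, created_at: dt.datetime, http_get: HttpGet,
                now: Optional[dt.datetime] = None) -> ProbeResult:
    """One run of the periodic integration test: a cheap authenticated read
    call plus an age check against the rotation window."""
    now = now or dt.datetime.now(dt.timezone.utc)
    age_days = (now - created_at).days
    # Okta API tokens are sent as 'Authorization: SSWS <token>'.
    status = http_get(f"{OKTA_ORG}/api/v1/users?limit=1",
                      {"Authorization": f"SSWS {token}"})
    if status == 401:
        return ProbeResult(False, "token rejected (expired or revoked); "
                                  "integration is broken until it is rotated")
    if status != 200:
        return ProbeResult(False, f"unexpected HTTP {status} from Okta")
    if age_days >= ROTATION_DAYS:
        return ProbeResult(False, f"token is {age_days} days old, past the "
                                  f"{ROTATION_DAYS}-day rotation window")
    return ProbeResult(True, f"token accepted, {age_days} days old")


def fake_okta(valid_token: str) -> HttpGet:
    """Constructed stand-in for Okta: 200 for the known token, 401 otherwise."""
    def http_get(url: str, headers: Dict[str, str]) -> int:
        return 200 if headers.get("Authorization") == f"SSWS {valid_token}" else 401
    return http_get


if __name__ == "__main__":
    http_get = fake_okta("good-token")
    created = dt.datetime(2023, 1, 1, tzinfo=dt.timezone.utc)
    for tok, when in [("good-token", dt.datetime(2023, 1, 20, tzinfo=dt.timezone.utc)),
                      ("good-token", dt.datetime(2023, 6, 1, tzinfo=dt.timezone.utc)),
                      ("stale-token", dt.datetime(2023, 1, 20, tzinfo=dt.timezone.utc))]:
        r = probe_token(tok, created, http_get, now=when)
        print("OK   " if r.ok else "ALERT", r.reason)  # route ALERT lines to your pager
```

Schedule the probe more often than the integration itself runs, so a token that has expired or drifted past its rotation date is reported before the next real onboarding or offboarding needs it.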

2) Provision: Make sure your profile source is not Google and use dedicated system accounts

The next step in an employee's lifecycle tends to be provisioning, starting with establishing the profiles you'll need for your new employee(s). In that vein, we at Crosswire recommend that your profile source for these is not Google. The reason is that you want complete control over the source of your profile information, to prevent accidental suspensions that would disrupt your business. With Google, this kind of control is difficult to achieve, because Google may automatically suspend accounts it deems "spammy," and that suspension would propagate downstream and cause the person to be offboarded entirely. For example, if you have a Google admin account that sends numerous recruiting and sales emails, Google may suspend the account for spreading "spam." Suspension can severely inhibit the organization, particularly if that admin is the only admin at your company. There are often numerous hoops to jump through to unsuspend the account, and meanwhile progress has come to a halt. If you want to maintain control over your profiles but still want to use Google Workspace, you can easily use Okta as the profile source and propagate that information to Google!

In addition to securing your profile source, using dedicated system accounts for all Okta API integrations is paramount. Regular/personal user accounts are risky for a few reasons. For one, personal accounts, as the name suggests, are linked to a person. So, if that person leaves your company, you may lose access to the integration, or the integration may break. Likewise, that person likely uses their regular account for day-to-day work. Thus, the account has a higher risk of being phished or otherwise compromised, and a compromise extends to every integration the account is used for (including your organization's). The security risks involved in profile creation make it vital to safeguard your employees' user profiles and to extend this security to any third-party companies that have access to your company's profile source or Okta (including MSPs).

3) Enforce: If you are working with an MSP, ask about their security practices to make sure your organization is safe

After safeguarding your user profiles through sound API practices and account creation, you should constantly enforce your access needs and security measures. These measures include continually implementing every user’s access needs (perhaps through an identity tool like Crosswire) and securing third-party companies that have access to your Okta instance — like MSPs.

Often, when a company has limited in-house IT capacity, it will hire an MSP (Managed Service Provider) to manage its IT infrastructure remotely. When working with an MSP, your company takes on the same risks your MSP does, since it will usually have admin access to your Okta instance. For example, suppose your MSP isn't taking adequate security measures and a staff account is compromised on their end. In that case, the compromise may extend to your company through the Okta accounts that the staff account can access. Hence, you should be comfortable with whatever steps they take to prevent this kind of account takeover. Ask your MSP about their general security practices, the measures taken to safeguard staff accounts, and their plan in case of a compromise. By enforcing these security measures, you can be confident in your organization's infosec posture, even when you must update your users' access needs over their tenure.

4) Update: Ensure the failsafe Import Safeguard option is checked (so you don’t accidentally deprovision the entire company)

While enforcing your original security plans is necessary, your user and company access needs will inevitably change later on. Whether it’s due to a user changing positions, leaving a project, joining/leaving a group, or taking leave, the access you provisioned at the beginning may need to be updated or deprovisioned at some point. You can deprovision a user through your AD (Active Directory) or directly within Okta, but when you do, it’s crucial to make sure that the failsafe “Import Safeguard” option is activated.

Screenshot of the “Import Safeguard” option in the Okta Admin Console

Without this checked, an error in your lifecycle rules or a misconfiguration of your profile source could deprovision your entire company in a single import, with no way to "Ctrl+Z." Enabling the failsafe option mitigates that risk and helps protect your organization's information and productivity.

💡 You can follow these step-by-step instructions from Okta for more guidance on enabling this feature for yourself!
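To make the "whole company deprovisioned by one bad import" failure mode concrete, here is an added dry-run simulation that is not Okta's implementation of Import Safeguard and not Crosswire's code. Users present in Okta but missing from the incoming feed are the ones an import would deactivate; the safeguard halts the import when that share exceeds a ceiling. The 20% ceiling and the sample user sets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Set

# Assumption (not from the article): a 20% ceiling on the share of existing users
# one import may deactivate. Tune it to your own churn; the point is that any
# ceiling stops a bad feed before it reaches the whole company.
MAX_DEACTIVATION_RATIO = 0.20


@dataclass
class ImportPlan:
    to_create: Set[str]
    to_deactivate: Set[str]
    deactivation_ratio: float
    halted: bool
    reason: str = ""


def plan_import(existing: Set[str], incoming: Set[str], safeguard: bool = True,
                max_ratio: float = MAX_DEACTIVATION_RATIO) -> ImportPlan:
    """Dry run of one profile-source import. Users in Okta but absent from the
    feed would be deactivated; with the safeguard on, the whole import is halted
    when that share is too large, which is what an empty or truncated feed looks like."""
    to_create = incoming - existing
    to_deactivate = existing - incoming
    ratio = len(to_deactivate) / len(existing) if existing else 0.0
    if safeguard and ratio > max_ratio:
        return ImportPlan(set(), set(), ratio, True,
                          f"{len(to_deactivate)} of {len(existing)} users ({ratio:.0%}) "
                          f"would be deactivated; limit is {max_ratio:.0%}")
    return ImportPlan(to_create, to_deactivate, ratio, False)


if __name__ == "__main__":
    # Constructed sample: 50 current employees, two leavers and one new hire,
    # versus a misconfigured source that returns nobody at all.
    okta_users = {f"user{i}@example.com" for i in range(50)}
    healthy_feed = (okta_users - {"user3@example.com", "user7@example.com"}) | {"newhire@example.com"}
    broken_feed: Set[str] = set()

    for name, feed in [("healthy", healthy_feed), ("broken", broken_feed)]:
        for safeguard in (True, False):
            p = plan_import(okta_users, feed, safeguard=safeguard)
            action = ("HALTED: " + p.reason if p.halted
                      else f"deactivate {len(p.to_deactivate)}, create {len(p.to_create)}")
            print(f"{name:8} safeguard={safeguard!s:5} -> {action}")
```

The run with `safeguard=False` against the broken feed is the scenario the article warns about: every one of the 50 accounts is queued for deactivation.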

These updates are critical, especially when deprovisioning access for users that no longer need it but continue to be a part of your organization. However, if you’re deprovisioning access because a user is no longer a part of your organization, you should go beyond just deprovisioning access and move into true offboarding.

5) Offboarding: Do more than deprovision, release licenses!

Offboarding is the final step in an employee's lifecycle, when they leave your organization. This process will look different for every company, but it's important to remember that deprovisioning access alone is often insufficient. For instance, when integrated with Google Workspace, deprovisioning only suspends the account and does not release its license by default. Therefore, you must make sure you have a mechanism in place to actually release the license, either by deleting the account or by manually switching it to one of the Archived User license types.

“When an assignment is removed (deprovisioned) from a user in Okta, Okta does not delete the user’s account. The account is put into a deactivated state in the external application and the user’s access to the app integration is removed from Okta. Some external applications may support deleting the user’s account in the external application.” -Okta Provisioning Guide

From onboarding new employees to offboarding them, Okta's automated LCM is a great tool once you get a solid grasp on the best ways to use it. In addition to the advice offered in this article, another way to make the most of your Okta LCM is through Crosswire, where users are automatically granted the correct permissions without overcomplicating management systems. For further guidance on securing your organization, reach out to us! You can stay up to date with Crosswire, or join us, below.
