Your Okta Groups Should Be (Mostly) Empty


Yep, you heard that right: we at Crosswire believe that your Okta groups should be as empty as possible. In fact, we think most of them should be empty most of the time. Every Okta group represents risk, and that risk scales with the number of people sitting in it. Your Okta groups are the gateways to the applications and infrastructure of your company. For your organization's safety, your Okta groups should be (mostly) empty.
Security risk is the likelihood of someone compromising your enterprise's data, tools, or applications, and that risk grows with every additional person who holds access to every additional system. Of course, people need access to these things to do their jobs, so you can't just remove all that access. Or can you? People need access to do their work, but they don't need that access all the time.
For example, take a look at your local DevOps wizard. Most likely, they permanently reside in the ACL_AWS_SuperAdmin Okta group. However, do they need to be there when they're not setting up or maintaining infrastructure? To go deeper, they definitely don't need to be in that group while sleeping, and yet they are. So if their account is compromised outside of working hours, or after they have rolled off the relevant project, your organization suffers because of access that person didn't even need at the time.
While it is relatively uncontroversial to suggest that few people need all of their access all the time, standing access persists because access is hard to obtain in the first place, so removing it and requesting it again later is a hassle. Getting access securely and conveniently is a real problem; if it were easy to get access only when needed, then, of course, you would already be doing this.
All of this is possible in Crosswire.
Not only is it possible, but you can also configure different types of access with approval chains, automation, and eligibility rules. Nevertheless, it's still operationally challenging to remember to revoke access once it has been granted, and it makes sense to worry that your Okta groups may gradually bloat with random junky permissions over time. However, Crosswire helps with that too! You can set TTLs on access so that sensitive access never lives longer than necessary. With Crosswire's automation, access can be provisioned when a person qualifies for it and automatically deprovisioned when they no longer do.
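The TTL and eligibility model above boils down to a reconciliation loop: a group's membership should equal the set of people who currently hold a live grant, and everyone else gets removed. The script below is an added illustration of that loop (it is not Crosswire's or Okta's code); the `Grant` structure, the group name reuse and all sample users are constructed for the example.

```python
# Added example (not Crosswire's or Okta's code): reconcile an Okta group's
# membership against time-bound grants so that access exists only while a
# grant is active and its holder is still eligible. Sample data is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    user: str              # Okta login of the grantee
    group: str             # Okta group the grant applies to
    granted_at: datetime   # when the access was approved
    ttl: timedelta         # how long the access may live
    eligible: bool = True  # e.g. still assigned to the relevant project

    def active(self, now: datetime) -> bool:
        return self.eligible and now < self.granted_at + self.ttl

def reconcile(group: str, current_members: set[str], grants: list[Grant], now: datetime):
    """Return (to_add, to_remove) so that membership == users with an active grant.
    Anyone in the group without an active grant is removed, including members who
    were added by hand and never had a grant at all."""
    desired = {g.user for g in grants if g.group == group and g.active(now)}
    return sorted(desired - current_members), sorted(current_members - desired)

# Constructed snapshot taken at 03:00 UTC, i.e. outside working hours.
NOW = datetime(2024, 6, 1, 3, 0, tzinfo=timezone.utc)
GRANTS = [
    # alice: approved an hour ago with a 4h TTL -> still live
    Grant("alice@example.com", "ACL_AWS_SuperAdmin", NOW - timedelta(hours=1), timedelta(hours=4)),
    # bob: approved two days ago with an 8h TTL -> expired
    Grant("bob@example.com", "ACL_AWS_SuperAdmin", NOW - timedelta(days=2), timedelta(hours=8)),
    # carol: TTL not yet up, but she rolled off the project -> no longer eligible
    Grant("carol@example.com", "ACL_AWS_SuperAdmin", NOW - timedelta(minutes=30),
          timedelta(hours=4), eligible=False),
]
# dave is a standing member with no grant on record at all.
MEMBERS = {"bob@example.com", "carol@example.com", "dave@example.com"}

if __name__ == "__main__":
    add, remove = reconcile("ACL_AWS_SuperAdmin", MEMBERS, GRANTS, NOW)
    print("add:", add)        # ['alice@example.com']
    print("remove:", remove)  # ['bob@example.com', 'carol@example.com', 'dave@example.com']
```

In a real deployment each entry in `remove` maps to Okta's `DELETE /api/v1/groups/{groupId}/users/{userId}` call and each entry in `add` to the matching `PUT`, run on a schedule so that a group is never left holding an expired grant.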
Crosswire's philosophy is that you can meaningfully reduce your organization's security risk by emptying your Okta groups, and we can help you do it. Your organization is more secure when your Okta groups are as empty as they can be, for as much of the time as they can be. So, please, empty your Okta groups, and stay up to date with (or join) Crosswire.