ID vendor Okta adds API access, policy smarts, Google cred

Phil Wainewright, August 30, 2016
Opening its annual conference in Las Vegas today, ID vendor Okta launched API access management, added intelligent policy features and a Google alliance

Diane Greene and Todd McKinnon at Oktane16

Okta seriously expanded its reach as a cloud-based identity and access management provider to the enterprise today, unveiling significant new product capabilities and a closer partnership with Google. Opening the company's Oktane16 annual conference in Las Vegas, the four headline announcements were:

  • API Access Management — a new departure for Okta that brings its services down to the API layer, applying the same identity and access management capabilities that it currently brings to applications. Based on the OAuth 2.0 specification and partnering with API management leaders MuleSoft and Apigee, this new product is designed to make it easier for enterprises to open up API access to applications and resources while reducing the risk of creating unmanaged security vulnerabilities. Early release customer Pitney Bowes explained how it has used the product as the "identity layer" in a platform that exposes 200 different APIs that partners and customers can connect to with their own applications.
  • Lifecycle Management — a new name for the existing provisioning product, which adds new workflow capabilities and audit reporting as well as lifecycle policies for users, devices and resources. The lifecycle concept recognizes that provisioning isn't simply an on-off switch — for example, a contractor during the lifetime of a project might need their rights enabled, then paused, re-enabled again and finally deleted. This proved the most audience-pleasing of the day's announcements, drawing applause for its ease-of-use when deprovisioning users or adding resources.
  • Contextual Access Management — enhancements to the existing single sign-on product set that allow administrators to set policies that automatically adjust the level of sign-on security required, according to the user's location or device. So for example a user may only be asked for 2-factor authentication if they're in an unfamiliar location or using a personal device. Or certain applications can be set as inaccessible from IP addresses that Okta flags as untrustworthy.
  • Expanded Google alliance — Okta's status as a preferred Google partner for large enterprise, which dates back to last November, is strengthened today with a commitment to "jointly deliver a flexible, multi-cloud reference architecture" for migrating from legacy to the cloud, as well as providing training, tools and support to partner SIs, resellers and ISVs.

Former VMware co-founder and CEO Diane Greene, who last year joined Google as senior vice president of its cloud businesses, took time off today from courting PayPal's cloud business to add her endorsement for Okta's enterprise clout, telling CEO Todd McKinnon:

Google Apps truly digitally transforms our customers ... I started calling you up saying, 'Let's go into those customers together.'

That started working and that led to this partnership.

System of record for identity

Greene's mission at Google is to lift the enterprise penetration of its cloud offering. Partnering with Okta (similar to its partnership with Ping Identity) allows the cloud giant to become the system of record for identity in Google Apps accounts, as it spelt out in a blog post today:

The Google-Okta reference architecture will enable a secure identity and access management solution for large enterprise customers by using Google as an authentication master and by using Okta as an identity bridge to address complex and advanced identity requirements.

Though it's worth noting that Okta also works with a growing ecosystem of HR vendors as systems of record for identity, today adding NetSuite, SuccessFactors and Salesforce to a list that started out last year with Workday, UltiPro and BambooHR. For Okta CEO McKinnon, this is all about differentiating his company from its more established partner-cum-rival Microsoft:

The difference is choice. We don't have a horse in the race.

An identity provider in the cloud needs to be neutral and not lock you in.

API economy

But McKinnon's main theme today was readiness for change and Okta's potential to help CIOs "narrow the innovation gap" by making it easier to adopt technology while staying on top of security. That theme culminated with the announcement of the API access management product, which McKinnon positioned as a way of helping established enterprises find new ways of delivering their wares by 'mashing up' APIs from their own IT estate and from third parties.

Innovation is no longer reserved for tech companies and disruption is no longer reserved for startups. Now every company can be a technology company ...

Welcome to the API economy.

James Fairweather, SVP of technology at Pitney Bowes, described how the 96-year-old postage metering company had built its Commerce Cloud technology platform, which customers and partners can digitally connect into. He said that Okta's API access management product had been an enabler across every aspect of the project.

Through API integrations our largest clients can deeply embed our technology into their workflow.

When you think about identity, the most obvious place is authentication. But across all those other areas, whether it's API enablement, exposing data to analytics services, or connecting back-office systems, it's central to the thesis of the Commerce Cloud.

Building a digital business

Ed Sawma, director of product marketing at Okta, told me that taking care of API access management greatly simplifies this aspect of building an API infrastructure.

The alternative companies have are, build something themselves or on-prem access management tools — but they're very costly to manage and configure.

We're innovating around the developer and admin experience so it's very easy to set up the different resources.

The partnerships with API management vendors MuleSoft and Apigee are important for providing the core of the API infrastructure while Okta focuses on access management, he says.

Partners have the whole API lifecycle management capabilities that allow you to build a digital business, and we're providing the access layer.

One other announcement worth noting — Okta has signed up for the 1% pledge, offering non-profits free use of its platform as well as committing staff volunteering and funding for good works.

My take

The move into API access management is a smart move by Okta as this is a market that's set to expand rapidly over the next few years, and it will be important to offer enterprises a single identity management console that covers everything from applications to APIs.

The other product announcements are also significant, as they demonstrate an ability to keep pace with the state-of-the-art in Okta's chosen field.

Aligning with Google is good for catching headlines but is probably less impactful on Okta's bread-and-butter business, which still largely revolves around Microsoft's customer base even though the vendor competes against as well as partnering with Okta. However if Google is (finally) now getting serious about its enterprise cloud ambitions, the timing is propitious.

Overall then a useful set of announcements from Okta that helps position the vendor on the cusp of important rising trends in enterprise identity and cloud adoption.
