Cybersecurity your users can love
Barrier for nonprofits: Lack of technical resources
Nonprofits uphold missions that make lasting impacts. Their services may be as critical as helping families access emergency shelter or as life-changing as providing a much-needed career opportunity. While focus areas may vary from organization to organization, they all share a commonality — nonprofits aim to do good for communities.
In addition to providing a service to program participants, nonprofits also employ individuals who seek to advance causes they care about. And for mission-driven workers to drive impact, they need access to many of the same business tools and technologies as for-profit organizations. Identity and Access Management (IAM) is no exception.
Nonprofits differ from their for-profit counterparts in that they often face much larger resource constraints. Their budgets are typically directed towards programs that directly impact program participants and, as a result, other budgeting needs lose priority. Deploying new technology and staffing teams with tech-savvy individuals to manage these systems becomes secondary.
To address the barrier that nonprofits face in accessing business technology, corporate social responsibility (CSR) efforts have widely focused on providing donated and discount tech products to nonprofits. Such has been the case at Okta, a proven leader in IAM.
Okta for Good, Okta’s social impact arm, was created out of Okta’s pledge to leverage its people, product, and dollars to support communities. Through Okta for Good, Okta donates and discounts its security products to qualified nonprofits, making it easier for these organizations to secure the identities of their employees, volunteers, and program participants.
Okta’s nonprofit product offering is one example of how tech companies facilitate nonprofit access to technology, but what about services? Helping nonprofits access tech products is one thing; enabling them to successfully use and sustain new technology, however, requires the support of individuals with unique implementation expertise.
How Okta approaches solutions
For years, Okta has recognized the importance of offering more than just free and discounted licenses and been intentional about helping nonprofits access services. Programs like Pro Bono Professional Services allow nonprofits to partner directly with an Okta technical team to successfully deploy their Okta tenants. Participating nonprofits sometimes staff teams of IT professionals experienced in serving as administrators, who can successfully learn from Okta Professional Services and sustain the work long after their projects are over.
At other times, organizations may not have a dedicated IT professional on staff or the budget for one, as in the case of one participating organization of less than 10 employees. Seeking to configure a few applications and a review of their security policy setup, this small organization’s project goals were common enough. But without a dedicated IT staff member to work with Okta Professional Services and understand the work enough to maintain it afterward, the project came to an unfortunate halt.
A separate and more recent program made multi-factor authentication (MFA) support sessions available to nonprofit customers. Because it’s one of the simplest ways to prevent credential-based attacks and secure users, Okta for Good built a program to help nonprofits effectively roll out MFA. Nonprofit customers could schedule time with an Okta for Good Social Impact Solutions Architect to review their security policies and choice of authentication factors and receive guidance on adjustments that might better suit their security needs.
IAM best practices
These MFA support sessions allowed us to better grasp the hurdles many nonprofits hit when implementing one of the more basic elements of Identity. Security policies and general Okta setup will inevitably vary from one organization to another. What remained consistent across our conversations was the request for IAM best practices.
In alignment with Okta for Good’s goal of making cybersecurity easier for nonprofits, here’s what we recommend.
SSO vs. direct login. A single sign-on (SSO) system like Okta provides a single pane of glass for your workforce to access all the critical business applications they need to do their jobs. Without it, your workforce will have to remember how to access your systems, and they’ll have to manage multiple passwords to log in to your business systems directly. This is hard for your employees to manage and poses a security risk for the organization, because they will likely reuse passwords to make it easier for themselves. Help your employees, contractors, and volunteers be good digital citizens and increase security by integrating your critical business apps to a Single Sign On system.
Password and MFA policies. An SSO system redirects the login process away from the business apps’ native features and, instead, uses the SSO systems features that allow you to configure global password and MFA policies for all of your business apps. This means you can design easy-to-use login experiences that increase security. If you pair your password policy with strong MFA factors you can avoid annoying policies requiring really long passwords and eliminate password expiration processes as well. We recommend 12-15 character passwords.
Weak MFA factors such as SMS/Text, email, and security questions provide additional login security, but they are more easily hacked than strong factors. SMS/Text messages are delivered to mobile devices via their SIM cards; a social engineering hacker can convince a telecommunications provider to change the SIM card associated with a target’s device to another device owned by the hacker. There are also automated text messaging systems that can hijack your messages. Email is also easy to hack,and security questions are easy for bad actors to guess.
Strong MFA factors such as Okta Verify, Yubikey, and biometrics are the most secure authenticators because they provide additional security against social engineering attacks. Okta Verify is an app that can be installed on a mobile device or company managed laptop. When installed on a mobile phone, it is not associated with the SIM card so it can’t be SIM-jacked like a text message can. Yubikey’s are physical devices that are plugged into the laptops USB port and they are also not vulnerable to social engineering attacks because you have to possess the physical device. Finally, biometrics such as a fingerprint or face print positively confirm that you are who you say you are and can’t be hacked via social engineering.
User account provisioning is the process of creating and updating user accounts from Okta to your business systems. In Okta, you can automate user account provisioning based on specific attributes in the user’s profile. Automating this process into downstream systems assures that your users’ names and other attributes are correct, which is good for the user experience. Automating user account provisioning also means business application access can be automatically applied and removed when people leave your organization, improving your cybersecurity posture.
Least privileged access. Take the time to plan out which user types get access to specific systems and design your automation to enable this plan. Be selective about who is a super admin for critical systems like Okta, email/calendar, HR, and finance. Make sure super users are trained on the system before granting access.
Automation. In Okta, assigning users to applications via specific groups rather than assigning apps to individuals helps automate access. Using app groups, you can automate most app assignments with group rules. For instance, all employees get access to certain apps, contractors get a more limited set of apps, and volunteers get access to a few specific apps. Group rules are great for other simple automations, like segmenting users and applying MFA rules. For multi-step automations, like the kind you might write a PowerShell or Python script for, Okta Workflows is a powerful no-code tool. It can drive processes in Okta and in other apps that you have connected to Okta, like Google Workspace, Slack, Zendesk, or Microsoft Teams.
Continuing our IAM for nonprofit journey
Our IAM best practices are the outcome of time spent directly with Okta nonprofit customers, helping them address their security needs. As we continue to build and scale our programs, enabling nonprofits to safely connect their users to mission-critical technologies will remain our focus. In the next phase in our journey to help nonprofits employ security best practices with Okta, Okta for Good will be rolling out MFA Health Checks – one-on-one sessions that existing Okta nonprofit customers will be able to schedule directly from the Okta admin dashboard. During these sessions, our nonprofit customers will meet with an Okta Social Impact Solutions Architect to review their MFA policies and receive guidance on optimizing MFA’s role in securing their users and organization.
Reach out to see how Okta can help your organization with Identity management https://www.okta.com/contact-sales-okta-for-good/.