Okta has targeted enterprise needs for identity and access management (IAM) for over a decade, as it has transitioned from a fledgling startup to become a leading enterprise IT security provider.
Auth0, also an IAM provider, has channeled more of its efforts into meeting what is seen as an increasingly urgent need among developers for a viable API authentication platform. Auth0’s IAM package has also become wildly popular in the developer community.
In this era of “shift-left” security, Auth0’s authentication tools for developers are increasingly in demand. Okta evidently saw the need to close this gap in its offerings, agreeing to pay $6.5 billion for Auth0 rather than continuing to compete against it. While the capabilities of Okta’s and Auth0’s tools can overlap, the combined company will give organizations a single provider for very specific and often separate IAM capabilities and services.
“Both Auth0 and Okta see identity as fundamental in solving these security challenges — whether we’re talking about securing APIs, open-source security, or security automation and implementation — we just tackle the problem differently,” Todd McKinnon, CEO and co-founder of Okta, told The New Stack in emailed responses to questions. “Auth0 is focusing on meeting the needs of developers and Okta is building products deeply rooted in Zero Trust and automation.”
Indeed, Okta is the leading provider of modern enterprise single sign-on capabilities for SaaS applications, Omri Gazitt, CEO and co-founder of Aserto, a provider of APIs for authentication, told The New Stack. But while Okta “has tried to make inroads into the developer community, their success with that audience has been dwarfed by Auth0,” Gazitt said.
“Auth0 has quickly become the go-to developer API for authentication,” Gazitt said. “Okta needs to become more relevant for developers, and integrating Auth0 is the fastest way for them to achieve that goal.”
While Auth0 has been seeking to move upmarket into the enterprise space, the merger will make it easier to take advantage of “Okta’s existing top-down enterprise and go-to-market prowess in accelerating that growth,” Gazitt said. “At the same time, Auth0 will become part of an organization that is an order-of-magnitude larger, and based on my experience with similar transactions, a full integration will be lengthy and take 12-18 months to complete,” Gazitt said. “At the end of that process, Auth0 may find itself feeling less like the startup that it is today.”
More specifically, for the developer, this merger will allow DevOps teams to directly benefit from their organization’s investment in their IAM platform, Torsten Volk, an analyst for Enterprise Management Associates (EMA), told The New Stack.
The main benefit of Okta and Auth0’s combined offering of their respective tools is that DevOps teams will have “more straightforward access to the developer tools they require for simplified authentication — without having to explain to management why they need their own IAM platform for backend development,” Volk said.
Over the last 12 years, Okta has been helping “some of the world’s largest companies solve complex IT challenges,” McKinnon said. While the company has become well-known for its ability to manage employee logins and identities, he noted, an even bigger challenge organizations “are facing right now is building secure customer experiences.”
“The key to [improving customer experiences] successfully starts with developers,” McKinnon said. “Auth0 has always been focused on enabling developers, providing them with an easy, customizable platform to build secure login and authentication.”
Both vendors offer enterprise single sign-on for software-as-a-service (SaaS) applications, while Okta has been able “to capitalize on the lack of a satisfactory IT solution just as the enterprise SaaS market was exploding, leading to a much larger total addressable market, and culminating in a business roughly an order of magnitude larger than Auth0,” Gazitt said.
“With that said, Auth0 is the leading enterprise SSO solution for developers, growing very rapidly and moving up-market,” Gazitt said. “Competition between these two was inevitable.”
DevOps and DevSecOps Considerations
McKinnon also sees the merger as a way to support DevSecOps, especially since, as mentioned above, it is now widely accepted in the IT community that security processes must be applied to code development for applications at the very beginning of production cycles.
“The concept of DevSecOps is identical to DevOps, and is where security ‘shifts left’ in the development lifecycle,” McKinnon said. “DevOps requires security that moves as fast as rapidly-evolving development environments. To do DevOps well today is to do DevSecOps — Okta and Auth0 bring expertise in both disciplines.”
In this context, the focus on security is becoming “more important than ever,” McKinnon said. Since attack vectors and surfaces continue to change, “every layer of the modern technology stack — from APIs and applications to cloud infrastructure — all needs to be secure,” he said.
“For cloud security to work, it also requires speed and trust,” McKinnon said. “Security teams need to move at the same pace as cloud native development teams, and they need to evaluate trust at every point of entry, including source code.”
This merger could even “provide significant benefit in closing some of the gaps when trying to implement a DevSecOps strategy,” Brandon Hoffman, chief information security officer at Netenrich, a provider of security operations and services, said.
“By combining technology aimed at traditional IT-related identity with development-related identity this gap could possibly be eliminated,” Hoffman said. “If these two firms effectively merge their platforms and succeed in keeping the best of both they will emerge with a holistic solution that addresses one of the biggest challenges in any organization: access and identity.”
DevOps teams that need to integrate both Okta’s and Auth0’s developer APIs should expect to see these converge into one platform over time, the obvious implication being “a reduced need to duplicate efforts,” Gazitt said.
However, “the merger doesn’t change the fact that there are at least a dozen important cloud identity providers for enterprise SaaS applications, and the problem of enterprise single sign-on — both from an IT and developer perspective — is still a big pain point for DevOps teams,” Gazitt said.
Ultimately, making APIs more secure, adapting security culture for cloud native environments, shifting towards open source security and implementing automation, including machine learning, are all seen as the key cloud native security challenges of the day. Mature DevOps teams must therefore stress integration and automation over manual activities, while organizations are also increasingly shifting to cloud-hosted environments and making use of cloud native technology, said Michael Isbitski, technical evangelist at Salt Security, an API security services provider.
“This fusion of DevOps practices and cloud adoption can accelerate delivery of new functionality, but it also increases security risk for organizations wrestling with so much new technology,” Isbitski said. “Ideally, security processes and tooling need to work seamlessly as part of DevOps workflows and toolchains. This has been a focus for Okta/Auth0 in the foundational area of IAM.”
The API Challenge
The need to fill the security holes that APIs represent also accounts for the urgency among organizations to adopt viable IAM platforms. But while IAM remains a “foundational component” of all technology stacks to power authentication and authorization, implementing authentication can add layers of complexity to manage, Isbitski said.
“Standards such as OAuth2 and OIDC may appear simple at first glance, while deploying them in real-world application architectures is anything but,” Isbitski said. “The more that tooling can be automated with relevant subject matter expertise baked in” from a combined Okta and Auth0 IAM offering, “the better off that development, operations and security teams will be in delivering functional and secure applications.”
On a business level, the Okta and Auth0 merger is also “a confirmation that the IAM industry is one of the hottest industries and fastest-growing technologies,” Joseph Carson, chief security scientist and advisory chief information security officer at Thycotic, said. “As more and more companies move to a hybrid cloud model, the need to manage identities and secure access is needed more than ever,” he said.
Okta is a sponsor of The New Stack.