There are people who know computers, and people who know computers. Telling the difference between these two groups can be easier than you think. The former group can talk a good game, is fully buzzword compliant, and likely wants your money. The latter group, those who really know computers... and don't ask me why... can most often be seen with untucked shirts.
The technology industry is no stranger to capitalist ambition: that's what industry is. But as the cybersecurity field continues to expand, it's most troubling to see this particular area become tainted by the lies of snake oil salesmen: the area of trust. Computer security is founded on trust relationships between systems. But trust is a profoundly difficult thing to maintain, be it between computers or humans. Digital security obeys the laws of espionage, and adversaries are everywhere. Friend and enemy blur.
Your worst enemy in cybersecurity is not the attacker looking to infiltrate your network on that zero-day exploit. That enemy is a known concern, from whom you have already revoked trust. Your worst enemy is the pretend-friend, the software and appliance vendor selling you additional infrastructure. Trust us, they say... we've got your best interests... and your credentials... well in hand.
The fundamental problem is that the more "hands" through which credentials pass, the less secure your network is. This is a law that can never be escaped, no matter how many value-add features are bundled. If you take point-to-point authentication from one server to another and add additional servers between the original two, you have greatly increased the attack surface of that authentication. Not only have you introduced additional hosts, but also additional software handoffs for your precious credentials to pass through, hoping to encounter no frenemies on their now-longer journey. This is the legacy of commercial Single Sign-On.
But it's even worse than that. As cybersecurity "solutions" grow in complexity, it's not just the system attack surface that grows. The human attack surface grows as well. That's exactly what's happened to Okta, and by extension, their technology partner BeyondTrust. Hilariously, but completely on brand for a company called BeyondTrust, they take full credit for exposing the breach. We're not supposed to notice that they detected the breach precisely because Okta is part of their infrastructure, an expansion of the credential-handling footprint that is the very anti-pattern we are calling out.
What's the lesson? Ask yourself: who do I really trust? Who wants my money? Who in my circle will really tell me the truth...
Keep your circle small. And check their shirts.
UPDATE 10/27: Now 1Password admits to being part of this ever expanding attack surface. Also, this message: