Okta & SafeLogic Partnered to Complete Pair of FIPS 140-2 Validations

It’s not every day that you encounter a unicorn.

“It’s a term that has certainly become overused. You might even say that it ‘jumped the shark’,” said SafeLogic CEO Ray Potter with a smile. “But every once in a while, you encounter an organization that isn’t a myth at all. Okta is very impressive, from their product line to their professionalism, and it was a real pleasure to align our efforts together.”

Okta, like many other cutting-edge companies, selected SafeLogic as their partner to complete FIPS 140-2 validation. Faced with a traditional timeline of at least twelve months, Okta recognized the value in SafeLogic’s tandem solution, combining CryptoComply software with the RapidCert service to compress the validation into mere weeks. In this case, Okta selected two flavors of CryptoComply, Mobile and Java, to maximize coverage of their customers’ platforms and form factors. Validation certificate #3344 was posted by the Cryptographic Module Validation Program (CMVP) at the National Institute of Standards and Technology (NIST) on December 17, 2018 for the Okta Cryptographic Module for Mobile, while certification #3353 was posted on January 29, 2019 for the Okta Cryptographic Module for Java, after being held in limbo during the U.S. government shutdown.

Chris Niggel, Okta’s Director of Security and Compliance

“We’re very excited to bring FIPS 140-2 capabilities to our customers. We know they will benefit from the security and ease-of-use of Okta Verify, particularly those with compliance requirements governed by NIST,” said Chris Niggel, Okta’s Director of Security and Compliance. “By partnering with an established expert like SafeLogic, we were able to strategically shift our engineering efforts to user needs, while reaping the benefits of an accelerated schedule and simplification of the FIPS 140-2 process. We didn’t need to hire any specialists or devote any engineering hours to familiarize with FIPS 140-2 or the challenges therein.”

As a Cloud vendor, Okta pays particular attention to strategic planning for FedRAMP, so when the Project Management Office (FedRAMP PMO) updated the controls in November 2017 to require FIPS 140-2 Level 1 Multi-Factor Authentication for privileged users (control IA-2(11)), Okta recognized that the options to cloud providers for strong authentication were extremely limited.  After completing certification in partnership with SafeLogic, Okta Verify simplifies compliance for FedRAMP-authorized applications, and can be used to protect privileged users, as well as unprivileged (normal) users.

“This was a natural next step for us,” added Niggel. “By completing our FIPS validation, Okta customers deploy NIST-benchmarked authentication, allowing them to focus on creating innovative solutions for government customers.”

The innovation doesn’t stop there. Okta leveraged their FIPS 140-2 validation to provide MFA integration with Epic Systems, one of the leading Electronic Health Record (EHR) vendors in the multibillion dollar healthcare industry. This allows doctors to be able to use Epic’s Electronic Prescriptions of Controlled Substances (EPCS) functionality with Okta Verify while complying with U.S. Drug Enforcement Administration (DEA) and Health Insurance Portability and Accountability Act (HIPAA) regulations, and in partnership with vendors like F5, Citrix, and VMware. I recommend reading more about this use case for more information.

"I'm excited that Okta chose SafeLogic for its FIPS 140-2 validated crypto," Potter commented. “The use of MFA is proliferating fast, and rightfully so. Personally, I can’t wait to see what they do next!”