Todd McKinnon founded Okta in 2009 on the outrageous notion that business user identity could be managed in the cloud. In an in-depth 2013 interview on InfoWorld, McKinnon, the former VP of engineering for Salesforce, argued that mass migration to the public cloud was unstoppable. As predicted, the number and variety of cloud applications exploded, and Okta played an increasingly important role in cloud identity and access management (IAM). A wildly successful 2017 IPO followed. Today, Okta positions itself as a cloud service to manage customer IAM as much as enterprise user IAM, with an integration platform that enables Okta to gatekeep for thousands of applications. The company is also venturing into machine-to-machine IAM, a key part of the zero trust model.

In this edited interview, McKinnon talks frankly about Okta’s roadmap and offers opinions on several key security issues of the day. The conversation began with a brief discussion about our current work-from-home world, in which adoption of cloud applications has accelerated, particularly collaboration and video conferencing services—presenting yet more opportunities for Okta. As McKinnon puts it, “it’s great for us, even though it feels crappy to say that because of the pandemic.” The interview then moved to the most damaging APT ever discovered.

CSO: What’s your take on the SolarWinds attack and its implications?

McKinnon: SolarWinds highlights a couple of things. The first is that on-prem is not necessarily more secure than the cloud. The second thing, I think, is a massive, concrete reinforcement of the concept of zero trust.

Purportedly, Google did zero trust because the Chinese tried to hack into Google. So, Google was smart and redid its whole infrastructure to not trust anything in the network, inside as well as outside. An average company can’t spend money and time like Google could, so they started from the edge in with remote access. Like, “we’re not going to make everything in the world zero trust, but we can at least take the laptops that are at people’s houses and run those in zero trust.”

But what SolarWinds highlights is that you can’t stop; you have to go all the way to the backend. One server can’t trust another server on the network. The reason people are running around is because that’s hard. It’s one thing to get some laptops connected into zero trust, but it’s a whole other thing to take your whole software and infrastructure internally and have no server trusting the other server. So that means there’s going to be a bigger requirement for machine identity.

CSO: That sounds like a big opportunity for IAM.

McKinnon: Yeah. We have this product called Advanced Server Access, which is really good at authenticating admins to machines, and you can use the same principles to authenticate machine to machine.

CSO: Another big issue is multicloud security. The big three clouds have different security models, different security controls and features. That makes it easy to make a configuration mistake and leave the door open. How can you help with that?

McKinnon: The vision for Advanced Server Access is to be that security layer for the clouds.

CSO: A meta-layer of security for the clouds?

McKinnon: Yeah, exactly, like the common security layer. Basically, you authenticate your admins, you log in to the cloud through Okta, so that you don’t have to tightly couple your security and your processes and your governance and so forth to one platform’s toolchain.

CSO: Is it on your roadmap to extend beyond identity with that?

McKinnon: You’d have to, yeah. It’s a little bit of a nuanced answer because you will see us extend beyond identity, but it’s in directions that are benefited by having identity, if that makes sense. You won’t see us do anything that’s not integrated at all with identity.

CSO: The big three clouds are not at all static in what they introduce. Just keeping up with the flow of new features and figuring out what needs to be locked down doesn’t sound easy.

McKinnon: Yeah, it’s a challenge. And I don’t mean we need to solve all of this. Our strategy is to connect to everything and then let the customer have a consistent policy layer around everything. We’re pretty good, but we can do more. Like we can connect beyond just servers, we can connect to different services, specific services inside these clouds. There’s a lot of cloud-specific APIs that we are still building integrations to.

CSO: Are there emerging standards that you’re backing or that you see as promising that could be part of this multicloud security meta-layer?

McKinnon: One of the concepts that’s important in zero trust is continuous authentication. Basically, you can do that in two ways. You can be in the network path, like a proxy, and then once you’ve detected malware, you can stop the network path so the compromised device can’t connect to anything. That’s one way.

The other way is that we and the industry are working on a standard that lets applications and devices share that continuous authentication state and then kill the session when that compromise happens. So instead of being in the network path and shutting down your network connections and your email when your device is compromised, there would be a lightweight way to check every time that authentication is still good. That can be done scalably and with not too much overhead.

CSO: Do you have an opinion on self-sovereign identity?

McKinnon: I do. I think that it’s the future. We’ve got to get it done. The problem is: How does it get bootstrapped? How does it get useful in enough places so that enough people use it to make it useful? Where is it going to come from? Is it going to come from a big social media company? Is it going to come from a big IT vendor? Or should it come from an independent identity provider like Okta?

CSO: It could come from the crypto folks, right?

McKinnon: Yeah, it could. Payment is a pretty important application for identity; you need to know who people are to pay people. So, it’s possible. The problem is that in crypto, there are standards, but there’s also a lot of enabling infrastructure that’s not built into the standards. So, the challenge is like … why does Coinbase exist? There wasn’t a part of the crypto standard that kind of defined how you got sovereign currency in and out of it. There’s no part of the standard that specifies how you get identity in and out of it, either.

CSO: Is self-sovereign identity something that you’re looking at championing?

McKinnon: We are. We’re looking at it. Honestly, though, we’re trying some new things and thinking about a few things, but it’s not clear how we solve the bootstrap problem. We have a lot of assets, too—we have tons of customers and tons of users. But we’re still working on how we get from here to there.