Saturday, October 24, 2020

Okta, the identity provider discussed in this post, runs an identity cloud that hosts a single system capable of authenticating and authorizing users from Virtual Private Networks, on-premise applications and AD/LDAP. It can connect multiple untrusted Active Directory domains or forests to a single Office 365 tenant, which lets large enterprises going through mergers and acquisitions add all users without changing their directory architecture.

One of the primary benefits of cloud computing is the concept of a shared, common infrastructure serving numerous customers simultaneously, leading to economies of scale. This concept is called multi-tenancy. Microsoft Office 365 and Okta both provide identity clouds that support enterprise-level security, confidentiality, privacy, integrity and availability standards. Microsoft Office 365 is hardened with Trustworthy Computing and Security Development Lifecycle principles, under which tenants are assumed to be hostile to one another and the actions of one must not affect another.

This isolation rests on Azure AD-based authorization and role-based access control, storage-level data isolation in SharePoint Online, rigorous physical security and background screening, and a multi-layered encryption strategy that protects the confidentiality and integrity of customer content: server-side technologies encrypt customer content at rest and in transit, including BitLocker, per-file encryption, TLS and IPsec. Together these logical isolation controls provide threat protection and mitigation on par with physical isolation.

In addition, Microsoft monitors and tests for weaknesses across tenant boundaries, including intrusion, permission-violation attempts and resource starvation, and self-healing processes are built into the system.

Okta's tenant isolation structure is driven by several variables, such as customer data access, data separation and user experience. Each Okta tenant is separated by its own data, network performance and feature set. Okta's use cases treat workforce, customer and partner identity as separate. Workforce identity is supported by product features such as Universal Directory, Single Sign-On, Lifecycle Management and Adaptive Multi-Factor Authentication. With workforce identity, IT gets one central place for policy-based management and employees get single sign-on.

Customer Identity products deliver the customer-facing user experience through Okta APIs and widgets: identity integration via APIs, scripts to modify user data, and APIs that handle authentication, authorization and user management.

Okta's approach to security has two parts, a shared-responsibility split: Okta manages the security of the cloud, and its customers (called partners here) manage security in the cloud. Okta provides the identity service and access control lists. Partners provide the tenant and service settings and their own applications and content. Partners are therefore responsible for using the identity cloud's features to grant the correct permissions to their users, disabling inactive accounts, properly configuring and monitoring the policies required to protect the data, reviewing activity in the System Log, and monitoring their Okta tenants for attacks such as password spraying and phishing.
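The last of those responsibilities, watching the System Log for password spraying, can be automated against exported log events. What follows is an added example written for this post, not Okta's code: a small Go detector run over a constructed extract of Okta-style System Log events. The field names follow Okta's public System Log schema (eventType, published, outcome.result, actor.alternateId, client.ipAddress); the IP addresses, usernames, timestamps, the five-minute window and the five-account threshold are all assumptions made for the example. A spray is a few attempts against each of many accounts from one source, so the detector counts distinct usernames per source IP inside a sliding window rather than attempts per username.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is the subset of an Okta System Log entry the detector reads; the
// field names follow Okta's public System Log schema.
type Event struct {
	EventType string    `json:"eventType"`
	Published time.Time `json:"published"`
	Outcome   struct {
		Result string `json:"result"` // "SUCCESS" or "FAILURE"
	} `json:"outcome"`
	Actor struct {
		AlternateID string `json:"alternateId"` // login name the attempt used
	} `json:"actor"`
	Client struct {
		IPAddress string `json:"ipAddress"`
	} `json:"client"`
}

// SampleLog is a constructed extract (one JSON event per line), not real
// data: 203.0.113.7 tries five accounts in ninety seconds (a spray) while
// 198.51.100.4 fails once on one account and then succeeds (a typo).
const SampleLog = `
{"eventType":"user.session.start","published":"2020-10-24T10:00:05.000Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.7"}}
{"eventType":"user.session.start","published":"2020-10-24T10:00:21.000Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.7"}}
{"eventType":"user.session.start","published":"2020-10-24T10:00:40.000Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.7"}}
{"eventType":"user.session.start","published":"2020-10-24T10:01:02.000Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"dave@example.com"},"client":{"ipAddress":"203.0.113.7"}}
{"eventType":"user.session.start","published":"2020-10-24T10:01:30.000Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"eve@example.com"},"client":{"ipAddress":"203.0.113.7"}}
{"eventType":"user.session.start","published":"2020-10-24T10:00:10.000Z","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.4"}}
{"eventType":"user.session.start","published":"2020-10-24T10:00:25.000Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.4"}}
`

// LoadEvents decodes a stream of JSON events separated by whitespace.
func LoadEvents(jsonl string) ([]Event, error) {
	var events []Event
	dec := json.NewDecoder(strings.NewReader(jsonl))
	for dec.More() {
		var e Event
		if err := dec.Decode(&e); err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return events, nil
}

// SprayAlert names a source IP that failed logins against at least
// threshold distinct accounts inside one window beginning at Start.
type SprayAlert struct {
	IP    string
	Users map[string]bool // the distinct accounts tried
	Start time.Time
}

// DetectPasswordSpray groups failed user.session.start events by source IP
// and slides a window over each IP's failures. The signal is distinct
// usernames per source, not attempts per username (that is brute force,
// which the tenant's lockout policy handles separately).
func DetectPasswordSpray(events []Event, window time.Duration, threshold int) []SprayAlert {
	failures := map[string][]Event{}
	for _, e := range events {
		if e.EventType == "user.session.start" && e.Outcome.Result == "FAILURE" {
			failures[e.Client.IPAddress] = append(failures[e.Client.IPAddress], e)
		}
	}
	var alerts []SprayAlert
	for ip, evs := range failures {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Published.Before(evs[j].Published) })
		for i, first := range evs {
			users := map[string]bool{}
			for _, e := range evs[i:] {
				if e.Published.Sub(first.Published) > window {
					break
				}
				users[e.Actor.AlternateID] = true
			}
			if len(users) >= threshold {
				alerts = append(alerts, SprayAlert{IP: ip, Users: users, Start: first.Published})
				break // one alert per source IP is enough
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].IP < alerts[j].IP })
	return alerts
}

func main() {
	events, _ := LoadEvents(SampleLog)
	for _, a := range DetectPasswordSpray(events, 5*time.Minute, 5) {
		fmt.Printf("password spray from %s: %d accounts from %s\n", a.IP, len(a.Users), a.Start.Format(time.RFC3339))
	}
}
```

Sprays that rotate source addresses to stay under a per-IP threshold will slip past this as written; in practice you would also key on user agent or network block, and tune the window and threshold to the tenant's normal failure rate before alerting on it.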

Tenant keys are stored in a tenant-exclusive keystore comprising 256-bit AES symmetric keys and 2048-bit RSA asymmetric keys. Okta uses the asymmetric keys to sign and encrypt SAML and WS-Fed single sign-on assertions and to sign OpenID Connect and OAuth API tokens. Okta uses the symmetric keys to encrypt the tenant's confidential data in the database. Because the key pairs are per tenant, compromise of a single org's keys does not put other tenants' SSO at risk, and tenants can rotate their keys.

Symmetric keys ensure data segregation and confidentiality for the tenant. Both types of keys are stored in a tenant-exclusive keystore that can be opened only with a tenant-exclusive master key. Because each keystore is unique to its tenant and keystores are held in separate databases, the damage from a single tenant compromise is contained. Tenant keys are cached in memory only briefly and never written to disk. No single person can decrypt customer data without a detailed audit trail and a security response.
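To make the key hierarchy in the two paragraphs above concrete, here is an added example in Go, written for this post and not Okta's implementation. It models one tenant's keystore as a single blob holding a random AES-256 data key and an RSA-2048 signing key, sealed under that tenant's 32-byte master key; the data key encrypts the tenant's records, the RSA key signs assertions, and the unwrapped keys exist only in a TenantKeys value that Open builds on demand. AES-GCM as the wrapping mode, PKCS#1 DER for the RSA key, RSA-PSS for the signature, the master keys and the record contents are all assumptions of the example (the post does not say how Okta wraps or serialises its keys). The point it demonstrates is the isolation claim: tenant B's master key cannot open tenant A's keystore, B's data key cannot decrypt A's records, and an assertion signed by A does not verify under B's public key.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Keystore is a tenant's stored key material: one AES-GCM blob holding
// the data key and the RSA key, usable only with the tenant's master key.
type Keystore struct {
	Wrapped []byte
}

// TenantKeys is the unwrapped, in-memory form that Open builds on demand.
type TenantKeys struct {
	DataKey    []byte          // AES-256 key for the tenant's records
	SigningKey *rsa.PrivateKey // RSA-2048 key for the tenant's SSO assertions
}

// seal encrypts with AES-256-GCM and prefixes the random 12-byte nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; a wrong key fails GCM authentication, not silently.
func unseal(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("unseal: ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// NewKeystore generates a tenant's AES-256 data key and RSA-2048 signing
// key and seals both (data key || PKCS#1 DER) under the 32-byte master key.
func NewKeystore(master []byte) (*Keystore, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(master, append(dataKey, x509.MarshalPKCS1PrivateKey(priv)...))
	if err != nil {
		return nil, err
	}
	return &Keystore{Wrapped: wrapped}, nil
}

// Open unwraps the keystore with the tenant's master key; drop the result when done.
func (ks *Keystore) Open(master []byte) (*TenantKeys, error) {
	plain, err := unseal(master, ks.Wrapped)
	if err != nil {
		return nil, err
	}
	priv, err := x509.ParsePKCS1PrivateKey(plain[32:])
	if err != nil {
		return nil, err
	}
	return &TenantKeys{DataKey: plain[:32], SigningKey: priv}, nil
}

// EncryptRecord and DecryptRecord protect the tenant's confidential data with its own symmetric key.
func (tk *TenantKeys) EncryptRecord(p []byte) ([]byte, error) { return seal(tk.DataKey, p) }
func (tk *TenantKeys) DecryptRecord(c []byte) ([]byte, error) { return unseal(tk.DataKey, c) }

// SignAssertion signs an SSO assertion or token with the tenant's RSA key
// (RSA-PSS over SHA-256 here; real SAML signing is XML-DSig over the canonicalised XML).
func (tk *TenantKeys) SignAssertion(assertion []byte) ([]byte, error) {
	d := sha256.Sum256(assertion)
	return rsa.SignPSS(rand.Reader, tk.SigningKey, crypto.SHA256, d[:], nil)
}

// VerifyAssertion reports whether sig over assertion was made with the key behind pub.
func VerifyAssertion(pub *rsa.PublicKey, assertion, sig []byte) bool {
	d := sha256.Sum256(assertion)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil) == nil
}

func main() {
	master := make([]byte, 32)
	rand.Read(master)
	ks, _ := NewKeystore(master)
	_, err := ks.Open(make([]byte, 32)) // another tenant's (wrong) master key
	fmt.Println("opened with the wrong master key:", err == nil) // false
}
```

The TenantKeys value returned by Open is the short-lived in-memory cache the post describes; in a real service the master key would never be handed to application code at all, and Open would be a call to a key-management service that logs who asked, which is where the audit trail comes from.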
