This article contains information on integrating Okta Evidence Based Controls with Mimecast to enhance security by identifying and managing risky internal users, through email threat detection and group management within Okta. It is intended for Administrators.
Okta Evidence Based Controls integration makes it possible to identify, alert on, and manage risky internal users. Whether the intention is malicious or benign, propagating malicious attachments, URLs, or restricted information outside of the organization can damage reputation and compromise business partners. Mimecast provides an additional layer of essential security against malicious activity and, coupled with Okta’s identity management capabilities, gives mutual customers an increased security posture.
Overview
Outbound emails are received by Mimecast and are analyzed by the Mimecast inspection funnel, where a series of advanced security scanning techniques is applied to ensure emails are safe before they are delivered to the recipient. If the email has been scanned and threats are detected by Mimecast Targeted Threat Protection, the sending user's group membership within the Okta platform is updated as per the integration’s configuration. The Okta Groups contain internal senders implicated in one or more enabled event types; appropriate measures should be in place and applied to the Okta Groups to mitigate the risk posed by internal senders.
Benefits
Okta Evidence Based Controls integration provides the following benefits:
- The additional layer of security provided by Mimecast protects your organization from email-based threats sent from internal users.
- Enhances email threat detection efficacy, with Mimecast Email Security Cloud Gateway sharing risky internal users with Okta.
- Exposes internal threats and risks within your organization.
Prerequisites
Before you attempt to configure Okta Evidence Based Controls, ensure the following prerequisite tasks are met:
- A Mimecast tenant with active subscriptions to the following product features:
- Attachment Protection with the pre-emptive sandbox or sandbox on demand options selected. See the Configuring Attachment Protection Definitions page for more information.
- URL Protection. See the Configuring URL Protect page for more information.
- Content Examination. See the Configuring Content Examination page for more information.
For more information on false positives, see:
- Content Examination - Definitions, Word Phrase Match List Parameter Details, and Configuring a Content Examination Definition step 8, Fuzzy Hash Setting.
- Content Examination - Validators
- Content Examination - Entity Groups
The action set in the Content Examination definition is not considered by the integration. For example, if the action is set to Delete or Bounce, the integration will still trigger the Okta Group membership update. Content Examination should be tested with the integration using a narrow scope (small group of test users) to identify any false positives that should be addressed before widening the scope of the integration to include non-test users.
- An Okta organization:
- User logins should match the user's primary email address.
- An Okta app created for the integration using the Okta App Integration Wizard. See the Create custom app integrations page from Okta for more information.
Okta Administration Console
The Administrator running this task must have at least one of the following roles:
- Super admin for the Okta org.
- App admin for the Okta org.
Create App integration
You can create an App integration within the Okta Admin Console, by using the following steps:
- In the Admin Console, navigate to Applications | Applications.
- Using the action buttons on this page, click on Create App Integration.
- Select the API Services radio button.
- Set a name for the new App integration.
- Click on the Edit link.
- Set the Client authentication setting within the Client Credentials section to the Public key / Private key option.
- Click on Add Key within the Public Keys section, followed by the Generate new key link that appears in the Add a public key dialog box.
- Click on the Copy to clipboard link that appears above the private key.
- Save the Private Key in a safe and secure location. The Private Key is required to update the integration's configuration within the Mimecast Administration Console.
Okta Admin Console Integrations – Important Steps
Please ensure the following actions are completed in your Okta Admin Console when configuring integrations:
- Disable the DPoP Option: If the DPoP (Demonstrating Proof-of-Possession) option is enabled for your integration, please disable it.
- Assign Administrator Roles to the Application: Make sure to assign the appropriate administrator roles to your application to ensure proper access and management.
Note: These steps are essential for maintaining secure and effective integrations.
To prevent unauthorized changes to the configuration, access to the Private Key should be restricted to Okta Super Admins or highly trusted System Administrators, or your security team should be the custodian of the Private Key.
- Click on Done.
- Click on Save.
- Confirm the action within the dialog box, by clicking on Save.
- The Okta app for the integration should now be created successfully.
- Copy the Client ID and save it to a safe and secure location, as it will be required to configure the integration via the Mimecast Administration Console.
- Finally, click on the Okta API Scopes tab and grant the below API scopes:
- okta.groups.manage
- okta.groups.read
- okta.users.read
- The Okta app configuration is now complete. The next step requires both the Client ID and Private Key to be available to begin configuring the integration in the Mimecast Administration Console.
Mimecast Administration Console
Configure Okta Evidence Based Controls Integration
You can configure Okta Evidence Based Controls Integration within the Mimecast Administration Console, by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Integrations | API and Platform Integrations.
- Click on the Your Platform Integrations tab, and click on Create an Integration.
- Select Okta Evidence Based Controls from the list of available Platform Integrations, followed by clicking on Next.
- Step 1: Activation: Paste the Client ID and Private Key obtained for the Okta App created earlier into the respective fields. The Base URL should be set to your Okta domain URL, as described in Find your Okta domain.
- Once all fields are populated, click on Authorize. An alert will appear in the top-right corner briefly to indicate whether the authorization was successful. In addition to the alert appearing for a successful authorization, Next will become enabled. Click on Next to proceed to the next step in the wizard.
- Step 2: User Groups: Click on Select Groups (max. 5) to open the group selection side panel and select groups containing users that you want to be acted on by the integration. Click on Next once groups have been selected.
- Step 3: Events and Okta Groups: Enable the event type that should be monitored for internal users.
The integration checks only for outbound events where the sender is an internal user.
- Type the first 3 letters or more of the name of an Okta Group and click on Search. Okta Groups that match the search input will be displayed.
- Select the Okta Group for that specific event type. Users will be made a member of this group when involved in the associated event type.
- Click on Next.
Removing users from the designated Okta group is a manual effort. This is by design.
- Step 4: Notifications: Select from either Directory or Profile Groups for notifications related to the integration. Notifications are sent when the integration attempts to take an action on a user involved in event types being monitored by the integration.
- Step 5: Summary: A summary of your configuration is displayed. Enable the integration by changing the status option from Disabled to Enabled.
- Finally, click on Create Integration, to finalize the integration.
Edit Okta Evidence Based Controls Integration
You can edit Okta Evidence Based Controls Integration within the Mimecast Administration Console, by using the following steps:
Before editing the integration, ensure you have the Private Key.
- Log in to the Mimecast Administration Console.
- Navigate to Integrations | API and Platform Integrations
- Click on the Your Platform Integrations tab and click on the entry for Okta Evidence Based Controls.
- Click on Edit, on the slide-out panel that appears.
- Paste in the Private Key and click on Authorize.
- Click on Next to progress through the wizard and make changes as required.