Using Okta Adaptive MFA for Protecting AI Datasets

Question

Pulumi · Accepted Answer

To protect AI datasets, you might use different levels of security mechanisms. Okta Adaptive Multi-Factor Authentication (MFA) provides a way to secure access to your datasets by requiring additional verification from users attempting to access sensitive resources.

When integrating Okta Adaptive MFA, you configure policies and factors that suit your security needs. Okta's MFA can challenge a user with different factors based on the context of the access request, such as the location of the user, the network they are on, the device they are using, and the application they are accessing.

Here's a basic rundown of how you would achieve this in Pulumi using Okta:

1. **Set up an Okta provider** to authenticate and manage resources in your Okta organization.
2. **Create an Okta MFA policy** that defines when a user should be prompted for a second factor.
3. **Attach factors to the policy** such as SMS, Okta Verify, or Google Authenticator.
4. **Associate the MFA policy with your applications** to ensure that the policy is enforced when accessing AI dataset resources.

Below is a Python program using Pulumi that sets up an Okta MFA policy and attaches an SMS factor to it. We use the `okta` package for Pulumi to create these resources.

```python
import pulumi
import pulumi_okta as okta

# Initialize the Okta provider
okta_provider = okta.Provider("okta-provider",
  # These values will typically be set through your Pulumi configuration or environment variables.
  org_name="YOUR_ORG_NAME",
  base_url="okta.com",  # or your Okta domain (e.g., "oktapreview.com" for Okta preview accounts)
  api_token="YOUR_OKTA_API_TOKEN"
)

# Create an Okta MFA Policy
mfa_policy = okta.PolicyMfa("mfa-policy",
  name="AI-Dataset-MFA-Policy",
  is_oie=False,
  status="ACTIVE",
  priority=1,
  # Define factors settings here if required,
  # such as factor lifetime, enforcement, etc.
  # For example, to enforce MFA every time a user logs in:
  settings=okta.PolicyMfaSettingsArgs(
      type="MFA_ENROLL",
      mfa_requirement=okta.PolicyMfaSettingsMfaRequirementArgs(
          enforced_every_sign_on=True,
      ),
  ),
  opt=okta.PolicyMfaRuleArgs(
      actions=okta.PolicyMfaRuleActionsArgs(
          mfa=okta.PolicyMfaRuleActionsMfaArgs(
              prompt="ALWAYS",
              factors=okta.PolicyMfaRuleActionsMfaFactorsArgs(
                  okta_sms=okta.PolicyMfaRuleActionsMfaFactorsOktaSmsArgs(
                      settings=okta.PolicyMfaRuleActionsMfaFactorsOktaSmsSettingsArgs(
                          enrolled_optional=True,
                      ),
                  ),
              ),
          ),
      ),
  ),
  opts=pulumi.ResourceOptions(provider=okta_provider),
)

# You can attach more factors such as Okta Verify, Google Authenticator, etc.
# Here is a stub showing how to attach an SMS factor
sms_factor = okta.Authenticator("sms-factor",
  type="sms",
  name="SMS Authentication",
  status="ACTIVE",
  opts=pulumi.ResourceOptions(provider=okta_provider),
)

# Associate the MFA policy with the Okta application (that represents your AI dataset access point)
# Assuming you have an existing Okta application resource
app_mfa_policy = okta.PolicyRule("app-mfa-policy-rule",
  policy_id=mfa_policy.id,
  type="SIGN_ON",
  name="Enforce MFA for AI Dataset app",
  status="ACTIVE",
  priority=1,
  conditions=okta.PolicyRuleSignOnConditionsArgs(
      app=okta.PolicyRuleSignOnConditionsAppArgs(
          include=["YOUR_OKTA_APPLICATION_ID"],  # Replace this with your actual application id
      ),
  ),
  actions=okta.PolicyRuleSignOnActionsArgs(
      sign_on=okta.PolicyRuleSignOnActionsSignOnArgs(
          access="ALLOW",
          require_mfa=True,
      ),
  ),
  opts=pulumi.ResourceOptions(provider=okta_provider),
)

pulumi.export("mfa_policy_id", mfa_policy.id)
pulumi.export("sms_factor_id", sms_factor.id)
```

This program establishes the MFA policy in your Okta environment and attaches an SMS factor to it. The policy is then linked to an existing Okta application, which enforces MFA when accessing the application.

Please note, you'll need to replace `"YOUR_ORG_NAME"`, `"YOUR_OKTA_API_TOKEN"`, and `"YOUR_OKTA_APPLICATION_ID"` with your actual Okta organization details and application ID. Also, the factors such as SMS need to be set up with correct settings according to your requirements.

Download and install the [Pulumi CLI](https://www.pulumi.com/docs/get-started/install/) and configure it with Okta credentials to use this program. The Python script can then be run within a Pulumi project to deploy the described resources.