
I found the recent information that Okta released about their latest breach to be interesting. According to the report, the employee accidentally saved a service account password to his personal email, and then his personal email may have been compromised, which gave the attackers access inside Okta.

First, don’t we think that it is a stroke of luck that the attacker managed to find the one user who saved a password incorrectly, and then managed to compromise that account? Food for thought.

In my CISO experience, we do need controls around personal email and other SaaS services. It’s a data exfiltration method that we need to be concerned about. It doesn’t mean that they have to be blocked per se, but there should be a process in place to monitor for services used on a device and data that leaves. Blocking strictly can cause problems: 1 - users get really, really mad and tend to find workarounds, and 2 - it gets tough considering so many companies use services like Google that have both an enterprise and a personal brand.

Secondly, this is where I think more zero-trust solutions can help. Even if an attacker manages to steal credentials, if that attacker’s laptop isn’t authenticated with the zero-trust platform, it doesn’t get into the service. I think this is where the industry will eventually go. Micro network segmentation doesn’t work. But device-based zero-trust scenarios can. Thoughts?
