While many of the tried-and-true security hygiene best practices remain, we’ll face new and complex business challenges related to how we work, the systems we use, and the threats and compliance issues we face. Although often overlooked, a strong identity governance strategy can address these hurdles and should be a foundational part of every IT and security initiative.
With that in mind, here’s where the identity and security space may be headed this year:
Cloud and remote work growing pains will continue
Most workers don’t want to go back to the office full time. As a result, most companies are extending flexible or hybrid working protocols and the accompanying cloud infrastructure to support them. This requires the use of more business applications and systems. While it’s great for morale and employee satisfaction, this creates a much larger attack surface to secure. Add to this contract and gig workers from varying departments and positions with different levels of access and entitlements, and you can see how things get complicated.
Attackers know this, which means that we can expect identity-based attacks. Beyond external threats, it’s also important to consider more common sources of compromise, such as negligence or inactive accounts of past employees. Insider threats are on the rise and are costing the enterprise millions. It’s likely this will get worse before it gets better, but in the meantime, the best defense is having strong identity controls in place.
Cross-functional teams will become commonplace
Expanding cross-functional teams will become a necessity to manage IT across a business. Security should be present where technology is being used, and not be off in its own silo. This means certain tech skills and capabilities must be present everywhere. For example, an HR person who is tasked with on- and off-boarding employees should be able to grant or rescind access to certain tools and systems on their behalf. Fortunately, low- and no-code tech solutions are finally starting to catch up to this need, allowing domain experts to improve security.
While this will enable functional areas to perform more efficiently, tech/IT competency and risk awareness will be paramount for success. Give too much access and you make your organization vulnerable to risk. On the other hand, too little access will cause frustration among employees who don’t have what they need to perform their jobs. It’s a fine line, but businesses need to start looking at the whole organization when it comes to technology, security, and user experience.
Vendor consolidation will persist
Today, even organizations with the most modern IT frameworks are looking for a way to orchestrate identity management across hybrid-cloud environments. Leaders are increasingly aware that many independent solutions are not equipped to protect today’s complex, distributed workforces. Unified identity promises to centralize the management of identities and access in a single platform, and the industry is taking notice. And we can understand why: a platform approach is not only more secure, but also helps streamline workflows and increase productivity, thus lifting revenue in the process.
Microsoft recently announced the launch of Entra, a new product family of identity and access management solutions. This includes existing tools like Azure Active Directory (AD), and two new product categories: Cloud Infrastructure Entitlement Management (CIEM) and Decentralized Identity. Thoma Bravo acquired identity and access management powerhouses SailPoint, Ping Identity, and ForgeRock. Expect to see more vendor consolidation as organizations start to realize the value of a platform approach.
It’s still early days for a passwordless world
We all know passwords are not the most secure way to protect our information. But what’s the best alternative? We’ve talked about the death of the password for years, but this shift requires major infrastructure changes that many enterprises simply aren’t ready for and can’t afford. With engineering, websites, and products that will need to be rewritten entirely, it’s not as easy a fix as some might assume. While products like Apple Passkeys are easy to integrate and use, it’s unrealistic to believe 2023 is the year we’ll say goodbye to passwords for good. In the meantime, there are steps users can take to protect themselves.
Leverage apps that include biometrics for authentication. For example, rather than use a web client to access your bank, use the phone app, which integrates with the facial recognition capabilities of your mobile device.
Use unique, strong passwords for each website that requires authentication and let the browser store the password. Most browsers synchronize the data between your laptop and your phone, so once you start doing this, your need to remember passwords diminishes and you can create as complex a password as you want. It’s not the sexiest option, but it’s the most practical, for now. Alternatively, you can use a password manager.
Despite the challenges that lie ahead for identity, we’ve reached an inflection point. We can continue chasing the new, shiny, best-of-breed solutions, or we can start thinking about the big picture, with a platform approach to identity, security, and beyond. We can leave IT and security in their own silo, or we can get more folks involved to better secure the enterprise.