2023 IAM Trends & Identity System Security Lessons from 2022

Before we go into the top 2023 IAM trends, let’s summarize what enterprises experienced in 2022. Upheaval has characterized the majority of 2022, permeating across virtually all aspects of personal life and business. The cybersecurity and access management sectors are among the chief industries observing the state of the constant shakeup, bearing witness to emergent technologies, paradigm shifts, and high-profile breach events.

Now that turbulent 2022 gives way to the new year, business and enterprise leaders are eager to predict the new challenges awaiting them in 2023. However, lacking expertise and experience with modern management systems can prove disastrous, as uninformed decisions can miss vital information and result in erroneous judgment calls.

The best way to avoid such hazards is to enlist the wisdom of those with their ears to the ground of the IAM (Identity and Access Management) landscape. Simeio’s extensive teams of identity and security experts deal with emergent issues every day, making us your ideal source of informed predictions on the biggest ongoing and upcoming trends facing you in 2023.

The Biggest Breaches and Other Events in 2022

2022 was a watershed year for high-profile cyber-attacks, encompassing some of the most daring and costly breaches in data history, with many of these breaches being identity- and credential-based. Most notable among these were the Uber breach (despite MFA protections) due to unencrypted admin privileges and the Okta attack through a third-party identity compromise.

In both cases, the protections in place could not account for human error and the lack of comprehensive security across all identity surfaces. The pattern that emerged was a concerted targeting of identities and identity systems by malicious actors. Without comprehensive defenses across the IAM apparatus, its gaps will remain large enough for hackers to squeeze inside.

The IAM industry has already begun shifting in response to these emergent challenges. Early signs of consolidation emerged in 2021, with AM companies investing in IGA (Identity Governance and Administration) and PAM (Privileged Access Management) capabilities. At the same time, dedicated PAM service providers successfully acquired a multitude of smaller AM vendors.

This trend continued into 2022, with IAM and SaaS (Software as a Service) providers moving towards holistic Identity solutions and a market need for scalable systems. Overarching paradigm shifts, such as the FIDO Alliance’s push for Passwordless authentication, should translate to more frictionless verification processes in the coming year.

2023 Identity System Trends

1. Passwordless Authentication

The digital acceleration brought on by the pandemic drove countless users to off-site machines, greatly expanding the attack surfaces of spread-out systems. Traditional passwords have become the most common attack vector for data breaches. Passwordless authentication sought to remedy this issue in 2022 and is poised to expand significantly as a 2023 IAM trend.

Vikram Subramanian, Vice President at Simeio, believes that Passwordless verification should be implemented as soon as possible. “It is the beginning of the end of the password,” reports Subramanian. “The cost of a password reset is the driving force, and since SSO (Single Sign-On) did not deliver, a new solution is needed.”

Asif Savvas, Simeio’s Chief Product Officer, echoes this sentiment. “With the credential at the root of a number of breaches, we expect enterprises to further focus on reducing the friction in the authentication experience,” said Savvas. “This is usually achieved by adding a biometric authentication process that Passwordless solutions deliver.”

2. Access Solutions for Machine Identities

Passwordless security is hardly the only 2023 IAM trend worthy of attention. Many machine identities have begun interacting with various business processes and data in vital realms. While PAM solutions are building out capabilities to secure these devices, some machines will fall out of the scope of current PAM; new solutions will emerge to address this need.

3. Focus on Identity Threat Detection and Remediation by IAM service providers

Identity Management as an industry has evolved over the years, from a solution rolled out for efficiency and compliance to a foundational security pillar. With this evolution, Identity management vendors focused on data and information protection are likely to start building out their capabilities in identity threat detection and remediation.

In a remote world with increasing privacy regulations, companies need robust user protection and identity functionality. Recent acquisitions of identity companies, including ForgeRock, Ping Identity, and SailPoint, harken back to the early 2000s when disparate data solutions were consolidated into a comprehensive apparatus.

Telltales of a Vulnerable Identity System

If you’re having difficulty deciding if your enterprise should follow suit, take a moment to consider the following telltales of a vulnerable identity system.

Do you:

  1. Rely on traditional password-based systems?
  2. Trust that a VPN is sufficient encryption for your sensitive data?
  3. Not employ MFA sign-on?
  4. Use unintegrated, unsupported, or outdated software?
  5. Take more than 4 hours to hire, fire, or modify the access of a user?
  6. Not have the ability to flag and trace your privileged access authorization?

If you answered yes to any of these questions, then your IAM solution is woefully underequipped to deal with the realities of 2023. Any one of these criteria marks your systems as easy prey, ripe for breaching by a determined hacker.
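Two of the telltales above (access changes that take longer than 4 hours, and privileged access that cannot be flagged and traced) are measurable against an identity event log. The following Python script is an added example and not Simeio's code or any product's API: it audits a small constructed log for leaver deprovisioning that exceeded the 4-hour window and for privileged grants with no approval reference. The event field names (`ts`, `type`, `user`, `role`, `approval`) and the event types are assumptions made for this example.

```python
"""Added example (not Simeio's code): audit a constructed identity event log
for two telltales of a vulnerable identity system -- leaver access changes
that took longer than 4 hours, and privileged grants with no traceable
approval. The log format and field names are assumptions for this example."""
from datetime import datetime, timedelta

# Constructed sample log: one dict per identity event, in ISO-8601 time.
SAMPLE_EVENTS = [
    # alice: HR termination at 09:00, access revoked 2 hours later -> within SLA
    {"ts": "2023-01-09T09:00:00", "type": "hr_leaver", "user": "alice"},
    {"ts": "2023-01-09T11:00:00", "type": "access_revoked", "user": "alice"},
    # bob: terminated at 09:30, revoked the next morning -> SLA breach
    {"ts": "2023-01-09T09:30:00", "type": "hr_leaver", "user": "bob"},
    {"ts": "2023-01-10T08:00:00", "type": "access_revoked", "user": "bob"},
    # carol: terminated, never revoked -> still open at audit time
    {"ts": "2023-01-09T12:00:00", "type": "hr_leaver", "user": "carol"},
    # privileged grants: dave's carries a change ticket, erin's does not
    {"ts": "2023-01-09T10:00:00", "type": "priv_grant", "user": "dave",
     "role": "domain_admin", "approval": "CHG-1042"},   # constructed ticket id
    {"ts": "2023-01-09T10:05:00", "type": "priv_grant", "user": "erin",
     "role": "domain_admin", "approval": None},
]

# The 4-hour window from the checklist above.
LEAVER_SLA = timedelta(hours=4)


def _parse(ts):
    return datetime.fromisoformat(ts)


def leaver_sla_breaches(events, audit_time, sla=LEAVER_SLA):
    """Return {user: hours_open} for every leaver whose access revocation took
    longer than `sla`, or has not happened at all by `audit_time`."""
    leaver_at, revoked_at = {}, {}
    for e in events:
        if e["type"] == "hr_leaver":
            leaver_at[e["user"]] = _parse(e["ts"])
        elif e["type"] == "access_revoked":
            # Only the first revocation after termination counts.
            revoked_at.setdefault(e["user"], _parse(e["ts"]))
    breaches = {}
    for user, start in leaver_at.items():
        end = revoked_at.get(user, audit_time)  # still open -> measure to now
        elapsed = end - start
        if elapsed > sla:
            breaches[user] = round(elapsed.total_seconds() / 3600, 1)
    return breaches


def untraceable_privileged_grants(events):
    """Return the users who received a privileged role without an approval
    reference, i.e. grants that cannot be traced back to an authorization."""
    return sorted(e["user"] for e in events
                  if e["type"] == "priv_grant" and not e.get("approval"))


if __name__ == "__main__":
    now = datetime.fromisoformat("2023-01-10T09:00:00")  # constructed audit time
    print("leaver SLA breaches (hours open):", leaver_sla_breaches(SAMPLE_EVENTS, now))
    print("untraceable privileged grants:", untraceable_privileged_grants(SAMPLE_EVENTS))
```

Run against a real export, the same two functions give a CISO two concrete numbers: how many leavers stayed provisioned past the window, and how many privileged grants have no approval trail. Both are the kind of KPI the maturity map below asks you to measure.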

Cyber-attacks, attempted and successful, are underway every hour of the day, and without Primary Controls and a proactive cybersecurity strategy, you’ll find yourself at the mercy of your attacker.

The best way to overcome your enterprise’s weak points and modernize for the current year is to draft and develop your business’s identity maturity map. Measure the current state of your IAM solution against what you want to see. Include your Identity Governance, Privileged Access Management, Access Management and CIEM (Cloud Infrastructure Entitlement Management).

This maturity map needs to outline the processes as well as the controls in place to protect the enterprise assets, providing guidance on where the investment needs to occur. A low level of maturity in areas of high risk is often an indication that the processes and tools in place are not effective and need focus.

Take the long view on IAM investments most likely to boost your business in the coming years. Measure every dollar spent on expert development and implementation as a dollar saved, with dividends paid out in greater efficiency and better protection against costly data breaches.

Avoiding the Top 10 Common IAM Mistakes

IAM (identity and access management) is the information technology security framework of policies and technologies that ensures the right users (whether employees, customers, partners, or otherwise) have the right level of access to the technology resources they need, including applications, servers, and data. It’s not something that companies have, but rather what they do. Managing the lifecycle of your users’ identities, governing their access, and properly monitoring the use of identities and their credentials through identity analytics is what comprises IAM. IAM also ensures proper controls are in place around the ability of users to interact with critical systems for which they require what’s called “privileged” access.

Avoid the Biggest IAM Mistakes You can Make

Simeio’s research indicates that most companies lack comprehensive identity and access management governance when implementing an identity and access management program. This gap stems from a lack of strategic vision when it comes to IAM. Additionally, the inevitable silos that arise between the systems and owners of identities, the IT systems they need to connect to the organization, and the business owners of the applications most necessary to do their jobs also make it challenging to implement a transparent governance process. But if I could name only one mistake that most companies make when rolling out IAM, it would be the lack of support, visibility, and sponsorship from the company’s executive leadership team: everyone (CEO, CFO, COO, etc., and not just the CISO or CIO) needs to share the same strategic vision around IAM, and they all need to drive it within the organization for it to be successful.

And then avoid the top 10 other common IAM mistakes!

  1. No IAM governance: a lack of a comprehensive strategy, roadmap, and policies.
  2. No executive leadership team “buy-in” or guidance.
  3. Lack of skilled resources: IAM engineers, architects, and managers.
  4. Poor or partial IAM implementations that make you complacent (and thus vulnerable).
  5. Multiple unreconciled sources of identity authority (i.e., identities are distributed and duplicated throughout numerous systems of record).
  6. Political infighting over data and application ownership/responsibility.
  7. Lack of institutional change management processes.
  8. Institutional “analysis paralysis” that results in a distaste for reducing complexity and a fear of automation because “manually is the way we’ve always done it.”
  9. Uncleaned data lifted and shifted into new IAM systems.
  10. Unrealistic IAM roll-out approaches that don’t work for your sponsors and users.

Is your IAM strategy working for you?

The first step in fixing any IAM problem is to understand it. It’s easy to tell if your IAM strategy isn’t working – ask your users, be they employees, customers, or partners. They’d be happy to tell you all the IAM issues that impact the everyday experience of interacting with your IT systems, applications, and services. I would recommend a comprehensive IAM assessment: it will diagnose what you’re doing well, where you need to improve, and what you need to do in the future to achieve the IAM maturity necessary to protect yourself from the potential for breaches and ransomware so prevalent today.

For one client, we identified redundant IAM tools (some of which were still shelf-ware) that could be decommissioned, which enabled a 20% yearly saving in license costs. For another, we identified and implemented unified IAM KPIs that enabled the CISO to demonstrate the success of IAM, gain additional funding for resources, and keep their company’s name out of the newspaper. For all clients, we provide specific recommendations to close their existing IAM gaps in the form of actionable project charters detailing the steps they need to execute to attain the next level of IAM maturity. The cost of a failed IAM strategy can be in the millions of dollars, whereas the cost of a Simeio IAM assessment strategy will be very reasonable.

– Dr. James Quick, Director, Solutions Advisory, Simeio

Why Proactive Cybersecurity Strategies Should be in the Top 3 Priorities for Organizations

In less than a month, two cyberattacks shook the United States and other nations, impacting people’s daily lives. It’s ironic that the countries where these attacks happened are developed nations, where information security is expected to be top-notch, but the reality is far from it. Organizations that take proactive steps to counter cyberattacks are likely to curb the numbers.

Consider this: We are only in the middle of 2021, and there have been 10 major cyberattacks. Two recent attacks – Colonial Pipeline and JBS Foods – involved multiple sectors. The industries most affected were media and entertainment, educational institutions, financial services, oil and gas, utility, information technology and security, aerospace and aviation, and food processing and telecom, to name a few.

The Colonial Pipeline cyberattack resulted in the shutdown of 5,500 miles of pipeline that led to a scarcity of gas, panic buying, high gas prices and tens of millions of dollars spent to restore systems. As impact details are still coming in on the JBS cyberattack (JBS being one of the largest food processing organizations), we already know that a meat supply-chain crisis would be one of the biggest impacts, even if temporary. Add to that the cost a company incurs dealing with the attack: the average cost of a cyberattack is $4 million and could be much more depending on the size, industry and many other factors.

So, why are we witnessing these attacks year after year, without being able to minimize the impact? Do we not have enough information security technologies to curb the attacks? While there may not be a shortage of technologies to curb cyberattacks, the lack of cybersecurity talent is much discussed. Close to 70% of cybersecurity professionals acknowledge there is an impact on the organization because of the skills shortage. But should that stop the leadership from taking proactive measures?

The fact is that proactive and tactical security measures are the only ways to minimize cyberattacks, whether that means utilizing the best tools for physical security or for access management. Security teams that aren’t considering proactive cybersecurity measures are simply leaving the door open for a hacker and waiting for an attack. Organizations that already have a strategy in place need proactive audits to ensure their tools and platforms are configured to close the gaps that enabled the most recent attacks.

Proactively investing in systems, software and people to ensure a best-in-class defense against hackers is no longer merely a technical need; it is a business need of every organization that wants to minimize impacts on costs, operations and brand equity. The current administration’s executive order, although late, at least acknowledges the need and sets up a roadmap for developing proactive strategies around securing data and citizens from the burden of the impact.

Developing a proactive approach towards architecting and implementing a robust cybersecurity action plan should be one of the top three priorities for decision makers. What are some proactive steps to minimize cybersecurity attacks?

Review IT Assets

Not assessing the hardware and software in your IT systems is detrimental to security management. Ensuring complete visibility and timely upgrades is not only relevant for successful IT systems management; it also plays a major role in endpoint security. With detailed reporting on your IT asset inventory, you can identify applications that need to be whitelisted or blacklisted, which minimizes and prevents security lapses.

Recognize the Relevance of IAM

Increasingly, the role of IAM in cybersecurity is being recognized as a top priority. The major focus on IAM is being driven by “customer-facing interactions on digital channels” and the pandemic leading to a rapid increase in the remote workforce (Gartner, 2021). In a study by Hitachi ID (2020), 43% of CIOs plan to invest in IAM, compared to 34% who plan to invest in endpoint security to achieve their security and remote enablement goals. From access management of devices, networks and servers, to password management, to identity and access governance, these all play a crucial role in securing infrastructure. Consequently, leaders are realizing the role of IAM in ensuring robust cybersecurity practices, and that a proactive IAM strategy could prove extremely beneficial in preventing attacks.

Educate Stakeholders

Be it employees or customers, organizations need to educate their stakeholders about possible threats and best practices to safeguard access to critical data, information, access and identity. Educating stakeholders periodically is one of the best proactive measures, and it doesn’t require a huge investment or a ton of resources.

Set up Policies and Regular Audits to Keep up with Compliance

As much as implementing the best tools to safeguard systems is important, the foundation of a secured infrastructure starts by developing robust security practices and policies. Once the policies related to key aspects of information security have been determined, regular audits to keep them updated based on industry security incidents and compliance requirements should be an uncompromised practice.

When 80% of senior IT and IT security leaders believe their organization lacks sufficient protection against cyberattacks, despite an increase in budget, it means there is a considerable gap in the approach. Organizations are dealing with massive environments, digital transformation, lack of talent and other regulations.