Identity and Access Management (IAM) is a central part of securing the modern enterprise. And while enhancing security is the most pressing issue, the strongest IAM solutions will ensure the user experience (UX) is as smooth and seamless as possible. The concept is simple. But in practice, it’s tricky to strike the balance between protecting your valuable data and systems, while also creating a productive work environment. Add factors like a highly-distributed workforce, advances in artificial intelligence (AI), cloud proliferation, and persistent threats, and you’ve got your work cut out. At Clear Skye, we’re on the ground floor of the fast-evolving world of identity. As such, we’re consistently rethinking best practices, new threats, and what’s ahead. With that in mind, it’s our humble opinion that the following IAM trends will have a big impact this year and years to come.
Enterprises can no longer rely on a single factor, such as location or a device ID, to enable authentication. Today’s workforce is increasingly mobile, working across apps like Slack and Teams, from home or co-working spaces to coffee shops and airports. It’s the latest iteration of the most difficult challenge IT leaders face—ensuring security mechanisms are active at the location of work—wherever that location may be. With remote and hybrid working becoming the norm for many, the shift to securing identity from anywhere is simply the latest flavor of an age-old problem. The industry lived through the move from mainframes to Client Server, and again from LAN- to SaaS-delivered applications. Historically, with new compute models come new attack surfaces. As a result, implementing a strong IAM strategy across your IT environment is crucial to promoting a culture of flexibility, efficiency, while still guarding the gates.
IAM is about ensuring the right people are granted the right access to the right resources at the right time for the right reason. We do this because the vast majority of breaches happen via social engineering or phishing emails—in other words, people. This means the best protection against the next breach or ransomware attack is to focus on identity management, which includes ensuring that employees only have access to the entitlements they need to do their jobs. On the flip side, it’s equally important to create a productive working environment for your teams. As a result, smart organizations will start to treat security as a business problem, not just an IT problem. Expanding these responsibilities to cross-functional teams will become more common, operationalizing technology and security where it’s being used—not off in its own silo.
Security and UX uniting are a good lead-in to our next trend: platform proliferation. Just as IT and functional leaders shouldn’t strictly operate in their own worlds, neither should your IAM solution and the rest of your company’s tech stack. CISOs have reached the limits of effectiveness associated with managing multiple new solutions for every possible threat. The ultimate solution is a new generation of security tooling built within the business platforms and processes enterprises already use. While specific endpoint technology will always be needed, solutions will become increasingly integrated with larger systems of action that are aligned with an existing employee workflow and risk profile. Clear Skye does this on the world’s leading IT Service Management platform—ServiceNow. To learn more about creating a comprehensive, future-proof IAM strategy that works with your existing tech investment, check out a demo.
As an industry, we’ve grown with the implementation of privacy regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the best efforts to protect user data. And as more stringent regulations come to light—NIS2, The Cyber Resilience Act, and the AI Act in Europe and Biden’s Executive Order on AI in the US, to name a few—businesses need to be prepared. IAM systems in place must comply or evolve to meet new standards. Otherwise, the cost may not just be financial, but legal. As a result, IAM will move beyond efficiency and security to becoming an integral part of data privacy and regulatory compliance. As mentioned above, this will be another factor in creating more user-friendly identity management solutions—not necessarily just in regard to UX, but how we manage identities. Which brings us to our next trend…
Currently, we rely on user IDs, passwords, physical and digital tokens, and social logins for authentication. In a Web3 world, users would have their identity stored on a public blockchain, privately held on a computer, or a wallet on their mobile device. In this scenario, user authentication changes drastically in a sense that governance and risk lie with the user, not the company they work for. Owning and controlling one’s own data, content, and identity is a good thing (in theory), and it’s starting to become a reality. A shift to “Bring Your Own ID” (BYOID) means an individual would have their own wallet to store all of their identity things. This is great from a security and privacy standpoint. However, there are scalability, interoperability, and compliance hurdles to address before decentralized identity becomes common.
Much of the conversation around AI over the last year has focused on leaps forward in generative AI. Some use cases promise to advance humanity while the growth of solutions like ChatGPT have some of us fearing for our jobs. Whichever way you slice it, AI has the power to meet critical business needs and its applications in cybersecurity are no exception. Take compliance, for example. IAM solutions can automatically assess who has access to what, auto-approve any permissions that look right, and flag anything for review that doesn’t. This is a valuable time saver that automates a once manual, labor-intensive process. What AI can’t provide is important insight into potential vulnerabilities associated with access, whether it’s outdated policies or an unknown security threat. There are simply data limitations that even the most advanced algorithms can’t bypass. For now, the role of support agent is the most valuable application of AI in IAM. Identity management itself started as a way to improve efficiency and evolved with time. That’s how we see AI—an efficiency tool to save time and money that will mature to more complex use cases with time.
This is the year a heightened sense of urgency will emerge around a sometimes neglected, but critically important area: identity risk management. In today’s digital world, attacks are inevitable. But successful attacks don’t have to be. Moving from a reactive to proactive stance on risk will be the difference between organizations that recover and ones that don’t. Having a process flow that identifies, stops, and remediates the damage from a breach won’t stop it from happening, or even happening again, but it will ensure the blast radius is contained. Solidifying an incident response plan is the next piece of navigating from breach to IT resiliency. This should cover next steps after someone reports an incident to the Help Desk: What happens downstream, who is notified, who is assigned the task, and how do you then determine there’s no additional risk in the process? Identity data will help get to the root of the problem. A strong IAM stance will help it from happening again.
