6 IAM Trends & Insights to Look Out for in 2022 and 2023
Written July 25, 2022
The trends in identity and access management (IAM) are evolving. Established practices such as single sign-on (SSO) and zero trust aren't going anywhere anytime soon, but new technologies and methodologies are emerging to further narrow the gap between strong security and ease of use.
Below are some of the key IAM trends we have identified for 2022 and into 2023:
1. Passwordless Authentication
Although not a new concept, passwordless authentication is still rather novel in traditional IT. Since the first multi-user computer systems of the 1960s, passwords have been treated as a necessity for securing a system. Passwordless authentication confirms a user's identity without a password; instead it relies on stronger factors such as possession factors (one-time passwords [OTP], registered smartphones) or biometrics (fingerprint, retina scans). Passwords have long been a weak control: they are hard to recall, easy to reuse across systems, and easy to phish or steal.
According to Gartner, password reset requests account for 20% to 50% of all IT help desk inquiries each year. An average MSP supporting 1,300 users spends $9,350 annually just on ticket handling for password resets. Passwords are also the most popular target for cybercriminals, so much so that weak or stolen passwords were behind 81% of hacking-related breaches (Verizon 2017 DBIR).
2. Identity Proofing
Identity proofing is the process of confirming that a user is who they claim to be. It may look like standard authentication with a username/password combination, but identity proofing happens before a user is issued credentials for an application, or runs alongside the traditional authentication process.
Before granting a user access to your system, you can verify their identity using life-history data (for example a credit report), biometrics (a facial scan), and other evidence. This has become more prevalent and necessary with the rapid adoption of remote work. In industries such as finance, identity fraud and credit fraud have become widespread. Banks, mortgage companies and other financial institutions are gaining productivity, efficiency, and customer satisfaction from digitalizing their processes; regrettably, criminals are also leveraging the convenience of technology to exploit gaps in online banking services and carry out financial scams. The goal of identity proofing is to ensure that a user's claimed identity matches their actual identity and that the identity is real rather than fictitious. It is therefore a first line of defense against attacks on the identity perimeter, including identity theft and financial fraud.
It should be noted that there are different levels of identity proofing. NIST SP 800-63A formalizes these as Identity Assurance Levels (IAL1 to IAL3): the higher the level, the more evidence the proofing process must collect and verify, up to in-person or supervised remote proofing at IAL3. The level should match the sensitivity of what it protects: to access financial information you would want the highest level of proofing in place, whereas to view a pizza order history a much lower level is enough.
3. Securing Non-human Identities
Organizations devote significant time and effort to securing the identities used by the people and groups in their environments. While that work is important, companies may lose sight of a different set of identities, often highly privileged, that exist just beneath the surface: the non-human accounts, meaning applications, devices, service-to-service calls, and so on. When organizations try to manage human and non-human identities within a single IAM data model, complexities arise. Non-human entities do not have first and last names or email addresses, so onboarding and life-cycle management must be handled differently.

During onboarding a device must be classified by type, such as a smartphone, thermostat or security camera, and assigned an accountable owner; its behaviour must then be monitored as it interacts with applications and other assets in the organization. Three notable classes of non-human identity are service accounts, device identities, and secrets (certificates, SSH keys, API keys, etc.), each with its own issuance, rotation and revocation cycle. Understanding these complexities and designing a layered IAM framework that covers them are essential steps in securing non-human entities within the organization.
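As an added example (not from the original post or from any product), the life-cycle handling described above can be expressed as a small audit over a machine-identity inventory. The `MachineIdentity` record, the rotation limits in `MAX_AGE_DAYS`, the dormancy and expiry thresholds and the inventory entries are all assumptions constructed for the example. The point it makes is that every non-human identity carries a kind, an accountable owner and the dates that drive rotation, expiry and dormancy decisions, and that the policy is applied per kind rather than with the rules written for people.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class MachineIdentity:
    name: str
    kind: str                    # service_account | device | certificate | ssh_key | api_key
    owner: Optional[str]         # accountable team or person; None is itself a finding
    created: date                # when the credential was issued
    expires: Optional[date]      # hard expiry, if the credential type has one
    last_used: Optional[date]    # last authentication observed for this identity


# Rotation policy per credential kind, in days (assumed values for this example).
MAX_AGE_DAYS = {"service_account": 90, "api_key": 90, "ssh_key": 180, "certificate": 398, "device": 365}
DORMANT_DAYS = 90          # unused for longer than this: candidate for revocation
EXPIRY_WARNING_DAYS = 30   # renew certificates before they lapse


def audit(inventory: List[MachineIdentity], today: date) -> List[Tuple[str, str]]:
    """Return (identity name, finding) pairs for every life-cycle policy violation."""
    findings = []
    for ident in inventory:
        if not ident.owner:
            findings.append((ident.name, "no accountable owner"))
        age = (today - ident.created).days
        if age > MAX_AGE_DAYS[ident.kind]:
            findings.append((ident.name, f"credential is {age}d old, policy max {MAX_AGE_DAYS[ident.kind]}d"))
        if ident.expires is not None:
            remaining = (ident.expires - today).days
            if remaining < 0:
                findings.append((ident.name, f"expired {-remaining}d ago"))
            elif remaining <= EXPIRY_WARNING_DAYS:
                findings.append((ident.name, f"expires in {remaining}d"))
        if ident.last_used is None:
            findings.append((ident.name, "never used since issuance"))
        elif (today - ident.last_used).days > DORMANT_DAYS:
            findings.append((ident.name, f"dormant for {(today - ident.last_used).days}d"))
    return findings


# Constructed inventory (names, owners and dates are made up for the example).
TODAY = date(2022, 7, 25)
INVENTORY = [
    MachineIdentity("svc-backup", "service_account", "platform-team", date(2022, 6, 1), None, date(2022, 7, 24)),
    MachineIdentity("api-key-ci", "api_key", None, date(2021, 1, 15), None, date(2022, 7, 20)),
    MachineIdentity("tls-web-prod", "certificate", "web-team", date(2021, 8, 1), date(2022, 8, 10), date(2022, 7, 25)),
    MachineIdentity("ssh-deploy", "ssh_key", "devops", date(2022, 2, 10), None, date(2022, 4, 1)),
    MachineIdentity("cam-lobby-01", "device", "facilities", date(2022, 3, 1), None, None),
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY, TODAY):
        print(f"{name:14} {finding}")
```

In practice the inventory would be assembled from the directory (service accounts), the PKI (certificate notAfter dates), the secrets manager (API keys) and authentication logs (last use); the audit logic stays the same once those sources feed the same record shape.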
4. Identity-as-a-Service (IDaaS)
Another emerging trend for 2022 and 2023 is Identity-as-a-Service (IDaaS). IDaaS is a delivery model, analogous to software-as-a-service (SaaS), in which identity management (directory, authentication, SSO, MFA and life-cycle management) is consumed from a cloud provider instead of being run on-premises. The shift to IDaaS, also described as cloud-based identity security, began several years ago and was led by companies with a digitally driven IT adoption strategy. Many IDaaS platforms use the elasticity of cloud computing and adaptive authentication (risk-based step-up driven by device, location and behaviour signals) to improve or accelerate the business processes that depend on identity.
The rise of IDaaS tracks the rise of cybersecurity threats in an increasingly digital world. A managed identity platform has become the standard way to keep up with the growing number of identity and access tasks that must be completed to keep access tightly controlled. Self-service and automated provisioning only deliver a good employee experience if the underlying systems are kept current, and manual patching and updates of on-premises identity systems are easily overlooked. IDaaS solutions shift that operational burden to the provider and give growing businesses automated, continuously maintained protection without having to carry IAM operations internally.
5. Cloud Infrastructure Entitlement Management (CIEM)
A relatively new term, Cloud Infrastructure Entitlement Management (CIEM) was introduced by Gartner in 2020 as part of its Hype Cycle for Cloud Security, 2020. Essentially, CIEM is a specialized SaaS capability for managing the risk of identity access in cloud environments: it inventories and governs entitlements (which human or workload identity can perform which action on which resource) across multi-cloud IaaS environments. To detect anomalies and emerging risks in account and identity entitlements, CIEM tools apply machine learning (ML), statistical techniques and rule-based analysis. The principle of least privilege is a key tenet of CIEM and provides a secure baseline against data breaches and malicious activity.
One of the primary advantages of CIEM is that it can use techniques such as machine learning to recommend the least privilege needed for a specific type of work. For example, a user may request SSH access to a production machine to verify a configuration value or to test an environment variable. To complete the task, the user requests a temporary SSH key pair. The security team approves the request and directs the user to obtain the keys through the SSO provider. Once the work is done the access is revoked, and the keys no longer grant access to the machine. The security team always knows each user's effective permissions and can compare them with the minimal requirements for each type of task.
Had the security team used a more relaxed entitlement model (such as granting unlimited use of the keys for an indefinite period), it would have created a much greater risk. Granting more than the bare minimum exposes the system to insider threats, access-key misuse, and other potentially malicious user activity.
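To make the effective-versus-minimal comparison concrete, here is an added example, not code from the original post or from any CIEM product. It models one workload principal with an AWS-IAM-like policy (hypothetical names; the `ExpiresAt` field is an assumed marker for a time-bounded grant and is not an IAM keyword), expands wildcards against an action catalog with explicit Deny taking precedence, drops grants whose expiry has passed, and diffs the result against a constructed usage log to produce the unused entitlements and a right-sized replacement policy. Real CIEM tools do the same over resource identifiers, conditions and cross-account trust; the logic below covers only the action dimension.

```python
import fnmatch
from datetime import datetime, timezone
from typing import Dict, List, Set

UTC = timezone.utc

# Constructed policy for one workload identity, in an AWS-IAM-like shape.
# "ExpiresAt" is an assumed field for a just-in-time grant; it is not an IAM keyword.
POLICIES: Dict[str, List[dict]] = {
    "ci-deployer": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"]},
        {"Effect": "Deny", "Action": ["s3:DeleteBucket"]},
        {"Effect": "Allow", "Action": ["ec2:StartInstances"],
         "ExpiresAt": datetime(2022, 7, 25, 12, 0, tzinfo=UTC)},
    ],
}

# The actions that exist in the environment (a small subset, for the example).
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:DeleteBucket", "s3:ListBucket",
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:StartInstances",
    "ec2:StopInstances", "ec2:TerminateInstances", "iam:CreateUser",
]

# Constructed usage log (CloudTrail-like: which principal actually called which action).
USAGE_LOG = [
    {"principal": "ci-deployer", "action": "s3:GetObject"},
    {"principal": "ci-deployer", "action": "s3:PutObject"},
    {"principal": "ci-deployer", "action": "ec2:DescribeInstances"},
    {"principal": "ci-deployer", "action": "s3:GetObject"},
    {"principal": "other-svc", "action": "iam:CreateUser"},
]

DURING_GRANT = datetime(2022, 7, 25, 10, 0, tzinfo=UTC)   # temporary grant still valid
AFTER_EXPIRY = datetime(2022, 7, 25, 13, 0, tzinfo=UTC)   # temporary grant has lapsed


def effective_actions(statements: List[dict], catalog: List[str], now: datetime) -> Set[str]:
    """Expand wildcards against the catalog; an explicit Deny wins over any Allow;
    a statement whose ExpiresAt has passed no longer contributes (the grant is revoked)."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for st in statements:
        if "ExpiresAt" in st and now >= st["ExpiresAt"]:
            continue
        target = allowed if st["Effect"] == "Allow" else denied
        for pattern in st["Action"]:
            target.update(a for a in catalog if fnmatch.fnmatchcase(a, pattern))
    return allowed - denied


def used_actions(usage_log: List[dict], principal: str) -> Set[str]:
    return {e["action"] for e in usage_log if e["principal"] == principal}


def unused_actions(effective: Set[str], usage_log: List[dict], principal: str) -> Set[str]:
    """Permissions granted but never exercised: the excess a CIEM tool flags."""
    return effective - used_actions(usage_log, principal)


def least_privilege_policy(effective: Set[str], usage_log: List[dict], principal: str) -> dict:
    """Right-sized replacement: allow exactly the actions that were both granted and used."""
    return {"Effect": "Allow", "Action": sorted(effective & used_actions(usage_log, principal))}


if __name__ == "__main__":
    eff = effective_actions(POLICIES["ci-deployer"], ACTION_CATALOG, DURING_GRANT)
    print("effective:", sorted(eff))
    print("unused:   ", sorted(unused_actions(eff, USAGE_LOG, "ci-deployer")))
    print("proposed: ", least_privilege_policy(eff, USAGE_LOG, "ci-deployer"))
    later = effective_actions(POLICIES["ci-deployer"], ACTION_CATALOG, AFTER_EXPIRY)
    print("StartInstances after expiry:", "ec2:StartInstances" in later)
```

Run as a script it prints the effective set, the unused set and the proposed policy, and confirms that `ec2:StartInstances` disappears once the temporary grant expires. The wildcard expansion is what makes `s3:*` dangerous in the first place: it silently includes every new action the provider adds later, which is why the right-sized policy lists actions explicitly.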
6. Identity Threat Detection and Response
The identity and access layers were already under attack before the pandemic, and the shift from on-premises to cloud has made identity both the key to an organization's assets and the perimeter that protects them. Taking control of identities with privileged access gives attackers the keys to the castle and to all the crown jewels within. Identity threat detection and response (ITDR) focuses on protecting identities, entitlements, and the systems that manage them: its capabilities let organizations identify credential theft and privileged account misuse, as well as attacks on Active Directory and risky entitlements that create attack paths. This is a significant difference from existing identity tools such as IGA, PAM, and IAM, which focus on authentication and authorization and on ensuring that the right people have access to the resources they need. ITDR is a natural complement to a mature IAM infrastructure.
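The detections ITDR adds on top of IAM can be illustrated over authentication telemetry. This is an added example (not from the original post or from any ITDR product) that runs three rules over constructed Windows Security events: a password spray (one source failing against many accounts inside a window), a successful logon from the spraying source afterwards, and a member added to a privileged Active Directory group. Event IDs 4624, 4625, 4728, 4732 and 4756 are the real Windows IDs; the thresholds, account names and addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Windows Security log event IDs used below:
# 4625 failed logon, 4624 successful logon,
# 4728 / 4732 / 4756 member added to a security-enabled global / local / universal group.
FAILED_LOGON, LOGON = 4625, 4624
GROUP_ADD = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

SPRAY_MIN_ACCOUNTS = 5               # distinct accounts failing from one source ...
SPRAY_WINDOW = timedelta(minutes=10)  # ... inside this window (assumed thresholds)


def detect_password_spray(events: List[dict]) -> List[dict]:
    """One source trying many accounts: few failures per account, many accounts per source."""
    fails = defaultdict(list)
    for e in events:
        if e["id"] == FAILED_LOGON:
            fails[e["src"]].append(e)
    alerts = []
    for src, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        alert, start = None, 0
        for end in range(len(evs)):                       # sliding window over this source's failures
            while evs[end]["ts"] - evs[start]["ts"] > SPRAY_WINDOW:
                start += 1
            accounts = {e["user"] for e in evs[start:end + 1]}
            if len(accounts) >= SPRAY_MIN_ACCOUNTS:
                if alert is None:
                    alert = {"rule": "password_spray", "src": src, "accounts": set(), "first": evs[start]["ts"]}
                alert["accounts"] |= accounts
                alert["last"] = evs[end]["ts"]
        if alert:
            alert["accounts"] = sorted(alert["accounts"])
            alerts.append(alert)
    return alerts


def detect_spray_success(events: List[dict], sprays: List[dict]) -> List[dict]:
    """A successful logon from a spraying source after the spray began: a password was guessed."""
    return [
        {"rule": "credential_compromise", "src": s["src"], "user": e["user"], "ts": e["ts"]}
        for s in sprays
        for e in events
        if e["id"] == LOGON and e.get("src") == s["src"] and e["ts"] >= s["first"]
    ]


def detect_privileged_group_change(events: List[dict]) -> List[dict]:
    """Any addition to a Tier-0 group is an alert on its own; correlated with a spray it is an incident."""
    return [
        {"rule": "privileged_group_change", "actor": e["actor"], "member": e["member"],
         "group": e["group"], "ts": e["ts"]}
        for e in events
        if e["id"] in GROUP_ADD and e["group"] in PRIVILEGED_GROUPS
    ]


def run_all(events: List[dict]) -> Dict[str, List[dict]]:
    sprays = detect_password_spray(events)
    return {
        "password_spray": sprays,
        "credential_compromise": detect_spray_success(events, sprays),
        "privileged_group_change": detect_privileged_group_change(events),
    }


def ev(hhmmss: str, eid: int, **fields) -> dict:
    h, m, s = map(int, hhmmss.split(":"))
    return {"ts": datetime(2022, 7, 25, h, m, s), "id": eid, **fields}


# Constructed events (users and addresses are made up; 203.0.113.0/24 is a documentation range).
EVENTS = [
    ev("08:55:10", FAILED_LOGON, user="alice", src="10.0.0.5"),       # one typo, not a spray
    ev("09:00:01", FAILED_LOGON, user="alice", src="203.0.113.7"),
    ev("09:00:03", FAILED_LOGON, user="bob", src="203.0.113.7"),
    ev("09:00:05", FAILED_LOGON, user="carol", src="203.0.113.7"),
    ev("09:00:07", FAILED_LOGON, user="dave", src="203.0.113.7"),
    ev("09:00:09", FAILED_LOGON, user="erin", src="203.0.113.7"),
    ev("09:00:11", FAILED_LOGON, user="frank", src="203.0.113.7"),
    ev("09:04:30", LOGON, user="frank", src="203.0.113.7"),          # the spray found a password
    ev("09:10:00", 4728, actor="frank", member="svc-backup", group="Domain Admins"),
    ev("09:12:00", 4732, actor="helpdesk1", member="joe", group="Remote Desktop Users"),
]

if __name__ == "__main__":
    for rule, alerts in run_all(EVENTS).items():
        for a in alerts:
            print(rule, a)
```

The spray rule keys on the source rather than the account because a spray stays below any per-account lockout threshold by design; the single failure from 10.0.0.5 and the addition to a non-privileged group produce no alerts, which is the false-positive behaviour the thresholds are meant to give.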
Want to Learn More About the Current Trends? KeyData Can Help
KeyData's flagship service is Identity and Access Management (IAM). We concentrate all our efforts on IAM. The KeyData advantage is based on our people and our knowledge. Our team is made up of a highly skilled group of engineers and consultants who specialize in Identity Governance and Administration, Privileged Access Management, Customer Identity and Access Management, and Cloud Security Posture Management. Our team has a strong track record of providing end-to-end IAM services, from requirements gathering and roadmap development to full implementation, training, and managed support. Don't hesitate to get in touch with us right away for a free initial consultation.