I would like to wrap up 2022 w/ a few thoughts…
Identity Summary of 2022:
First of all – identity is the primary source of attacks – the Verizon Data Breach Report says over half of breaches are identity-based – and I believe that number is higher.
Identity is always the key component in the cyber kill chain. Whatever the attack vector is – the hacker usually wishes to compromise a credential, escalate the privileges and then move around the enterprise, i.e. conduct lateral movement, to discover and then obtain the valued target – which is most often PII or PHI.
In addition, I think we have gone far enough on the cyber security journey to understand that identity is not a binary topic. A report from Palo Alto’s cyber security group, Unit 42, stated that 99% of cloud identities were overly permissive.
People – this is doing the hackers’ work for them. That is – the hackers can skip the privilege escalation step when privileges, especially CLOUD privileges accessible to anyone w/ access to the internet, are overly permissive. Managers need to be held accountable. They need to start asking themselves whether their employees really need that level of access, and whether they need it now.
Lastly, and central to the YouAttest concept of governance – is compliance, and continual compliance. I believe 2022 showed – that regardless of what happens in the world – from political turmoil to pandemic – compliance doesn’t budge – the audits still need to be completed and the reports still need to be filed. And now in 2023 w/ an economic downturn in full swing – these need to be completed w/ less staff and more economically. This will make meeting the era of continuous compliance more painful.
Going Forward to 2023:
Ok – now for the key items concerning identity, as we see them in 2023:
IDAAS (identity as a service) solutions:
- Identity as a service solutions will continue to grow. They are the future. Solutions like Okta, Azure AD, JumpCloud, Ping are requirements for enterprises large and small to manage their identities and enforce entitlements.
- We see a growth in managed services in identity and now identity governance. Because of the need for continuous compliance – there is no way many enterprises, especially in the SMB and commercial segments, will be able to keep up w/ identity security, let alone compliance and governance requirements.
- Zero Trust has to be understood as an identity-centric enforcement/authorization tool. I still believe it is not. The network segmentation folks are leading the charge – but it’s not enough. To really implement zero trust I believe a consensus on trust score and how it’s passed/accepted needs to be devised – much like SAML, OIDC did for SSO. But there needs to be an SSO+ w/ a zero trust score attached.
- This brings me to metrics. Metrics are really going to be more important in the security world and lastly in the identity world. We simply do not have metrics concerning the security trust of a single identity, let alone the collective identities coming from a supplier or 3rd party. This needs to be addressed. I know I have many ideas on this and YouAttest has applied for patents in this space.
- As stated above, with the economic downturn in full swing – IT and Finance teams are looking to find ways to cut costs and save money. One of these ways is to validate that users really need the apps (and associated licensing) that are assigned to them. Many times users are given birthright licenses they either rarely or never use. This can translate into enormous cost savings.
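Two of the points above – overly permissive cloud identities, and birthright licenses that are rarely or never used – both come down to reviewing assignments against evidence of actual use. The following is an added example, not code from the original post or from YouAttest, of the kind of review pass an identity governance tool runs over an export of app/role assignments. The record layout, role names, the 90-day staleness window, and the sample data are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed shape of one exported assignment (field names are constructed for this example).
@dataclass
class Assignment:
    user: str
    app: str
    role: str
    scope: str                 # "*" = tenant/org-wide, otherwise a resource or project name
    granted_on: date
    last_used: Optional[date]  # None = never used since the grant
    monthly_cost: float        # licence cost attributed to this assignment

STALE_DAYS = 90                # assumed review threshold
BROAD_ROLES = {"owner", "admin", "global-admin"}   # assumed privileged role names

Finding = Tuple[str, str, str, str]   # (user, app, role, reason)

def is_stale(a: Assignment, today: date, stale_days: int = STALE_DAYS) -> bool:
    """True when the assignment shows no use within the review window."""
    reference = a.last_used if a.last_used is not None else a.granted_on
    return (today - reference).days >= stale_days

def review_assignments(assignments: List[Assignment], today: date,
                       stale_days: int = STALE_DAYS) -> List[Finding]:
    """Flag unused (birthright) licences and privileged roles granted with wildcard scope."""
    findings: List[Finding] = []
    for a in assignments:
        # 1. Licence never exercised, or idle long enough to question the need.
        if is_stale(a, today, stale_days):
            if a.last_used is None:
                reason = "never used since grant"
            else:
                reason = f"unused for {(today - a.last_used).days} days"
            findings.append((a.user, a.app, a.role, reason))
        # 2. Over-permissive grant: privileged role with no scope restriction.
        if a.role.lower() in BROAD_ROLES and a.scope == "*":
            findings.append((a.user, a.app, a.role, "privileged role with wildcard scope"))
    return findings

def estimated_monthly_savings(assignments: List[Assignment], today: date,
                              stale_days: int = STALE_DAYS) -> float:
    """Licence cost of every assignment flagged as stale, i.e. what revoking them would save."""
    return sum(a.monthly_cost for a in assignments if is_stale(a, today, stale_days))

# Constructed sample export, reviewed as of 1 Jan 2023.
TODAY = date(2023, 1, 1)
SAMPLE = [
    Assignment("alice", "Salesforce", "user",  "*",             date(2022, 1, 15), date(2022, 12, 20), 75.0),
    Assignment("bob",   "Salesforce", "user",  "*",             date(2022, 3, 1),  None,               75.0),
    Assignment("carol", "Azure",      "Owner", "*",             date(2022, 6, 1),  date(2022, 12, 28),  0.0),
    Assignment("dave",  "Adobe CC",   "user",  "*",             date(2022, 2, 1),  date(2022, 8, 15),  55.0),
    Assignment("erin",  "GitHub",     "admin", "repo:payments", date(2022, 9, 1),  date(2022, 12, 30),  0.0),
]

if __name__ == "__main__":
    for user, app, role, reason in review_assignments(SAMPLE, TODAY):
        print(f"{user:6} {app:11} {role:6} -> {reason}")
    print(f"estimated monthly savings: ${estimated_monthly_savings(SAMPLE, TODAY):.2f}")
```

On the sample data the pass produces three findings: bob’s never-used Salesforce seat, dave’s Adobe licence idle for 139 days, and carol’s tenant-wide Owner role; erin’s admin role is left alone because it is scoped to a single repository. The two stale seats add up to $130 a month, which is the number a manager is asked to justify at review time.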
Ok – so there is my summary of identity in 2023. Look forward to hearing your thoughts and more importantly working w/ you in 2023 on your identity security and compliance concerns.
Garret Grajek is an identity expert holding 13 U.S. patents, with experience at RSA, Netegrity, IBM and Cisco before starting SecureAuth and YouAttest.