The Identity Defined Security Alliance — a nonprofit group of 30+ identity and security vendors, solution providers, and CISO members who include Ping, Okta, CyberArk, BeyondTrust, VMware, etc. — kicked off #BeIdentitySmart Week, a virtual awareness event to educate business leaders and IT decision makers on the importance of identity in cyber security strategies and business initiatives. The event is held in conjunction with the National Cyber Security Alliance and Cybersecurity Awareness Month.
To rally the identity security community together, the IDSA asked security experts: What is going to be the biggest challenge for identity security in 2022? Here's how they responded.
“The introduction of new identity types based on emerging technologies will pose the biggest identity security challenge in 2022. This encompasses identities in the cloud, governing critical infrastructure, and supporting the adoption of initiatives like zero trust. Many of these identities have new attributes that need to be addressed in policy, procedures, controls, and implementation of monitoring.” - Morey Haber, CISO, BeyondTrust
“Identity is Gold. Gold is the most malleable and ductile of all known metals. It can be thin and soft like hair or solid like a brick with diverse applications from cancer treatment to jewelry. Very similar to how Identity in combination with other technologies can be an enabler for ecommerce and socio-economic efforts, or a protector when viewed from a Cybersecurity lens, or a key component of digital transformation of the world. All activities (human or machine) in the cyberworld that need to understand ‘who,’ rely on Identity and this reliance will exponentially grow in years to come as we move to Metaverse.” - Manish Gupta, Director Global Cybersecurity Services, Starbucks
“I believe the biggest challenge will be cloud workload identity security concerns in 2022. Ranging all the way from access, to authorization and finally authentication. CSP agnostic, IAM is a challenge in all areas of SaaS, PaaS, and IaaS.” - Dirce E. Hernandez, Compliance Risk Manager Lead, Enterprise Risk Compliance, USAA
“Despite having been spoken about for a long time now, I think the biggest challenges for identity security in 2022 will still be the basics including, but not limited to, timely off-boarding of leavers, disabling or removing orphan and dormant accounts, managing entitlements, etc. Regardless of their size, organizations must pay attention to these basic hygiene factors in order to not get compromised by malicious or unintentional actors. Moreover, technology cannot be the end in itself. As organizations digitally transform, their people and processes must also evolve to keep up with and fully utilize the technologies' offerings to appropriately secure identities.” - Shakthi Priya Kathirvelu, Vice President and Head of Information Security and IT, Funding Societies, Modalku Group
“I believe that the same challenges surrounding Identity Security in 2021 will be even more prevalent in 2022 and beyond as organizations continue to increasingly adopt a cloud-first strategy. Observability and enforcement of the principles of least privilege across hybrid and multicloud architectures will become more urgent to protect against surface area threats. The modern era of hybrid infrastructures creates a unique challenge for security practitioners in achieving a single pane of glass for monitoring all identities and entitlements. Organizations must be proactive and vigilant in their approach to detecting vulnerabilities and preventing cyberattacks.” - Axay Desai, Founder and CEO, ObserveID, Inc.
“Communicating Identity challenges to your stakeholders is becoming more complex as the scope of identity changes. Make sure that you have a defined identity strategy that delivers on business goals while reducing risk. Including stakeholders in conversations will help you to prioritize tasks and deliver identity as a critical, foundational service.” - Rebecca Archambault, Trusted Identities Leader, HighMark, Highmark Western and Northeastern New York
“The biggest identity security challenge everyone is facing today will extend into 2022; it is finding the balance between identity security and ease of use for IT admins. As the world continues its relentless march toward digitalization, there is a rapid increase in identity theft. IT admins/engineers are focusing on securing identity data and protecting the company from a data breach. Also, they want the ease of use of the identity management software. Identity technology must manage each user’s identity in a way that meets these requirements of both ease of use and identity security. Any added tools and processes just add complexity to the workday, which affects productivity, while reduced identity security opens the business up to the risk of breaches and insider threats. Ease of use is of the utmost importance and is even driving key business decisions: if a product doesn't meet an end user's standards, it won’t be used.” - Senthil Palaniappan, Founder & CEO at Sennovate and Sam Muthu, Co-Founder & CTO at Sennovate
“In 2022, I forecast that the biggest challenge for identity security will be striking the right balance between sustaining existing identity-based processes and planning/pivoting to a new way of implementing identity security for various identity types based on the Zero Trust framework. Taking a one size fits all approach will not work for every organization. Therefore, the program must factor in unique requirements, current maturity level, and organizational dynamics to navigate this challenge successfully. Any delay in adopting a modern identity approach will non-linearly increase the technology debt.” - Yash Prakash, Chief Strategy Officer, Saviynt
“The greatest upcoming challenge for identity security is managing identities and their entitlements in the cloud - it’s hard to do, and growing more complicated. Overprivileged and even fully inactive identities -- human or machine -- greatly increase the attack surface and put key resources at risk. Ironically, most organizations overlook this sensitive part of managing an enterprise environment. Being able to properly assess the security posture to understand which identities are vulnerable and which privileges are risky, and in an automated way, is key to getting past the complexity and properly managing any cloud environment.” - Shai Morag, CEO, Ermetic
“We expect trust to continue to be decentralized with different sources of data that make it challenging to keep track of identities, roles, and access rights. Further, in 2022 workers will still require access from different locations in different time zones. This forces security teams to ensure that identities not only have the levels of access required to be productive, but also not more than needed to keep them secure. Added together with a growing list of compliance mandates, each individual needs to be treated as a unique entity within a centralized source in an increasingly decentralized world.” - Rod Simmons, Vice President of Product Strategy, Omada
“Sophisticated ransomware attacks are no longer the preserve of nation states. In 2022, anybody can access the tools to carry them out—or engage with a ransomware-as-a-service group to do the dirty work. But most attackers will continue to use tried-and-true entry points such as compromising identity systems, a key tactic in both the SolarWinds and Colonial Pipeline attacks. And as these incidents illustrated, the goal now isn’t just to make money but also to cause disruption. As a result, critical everyday services could become unavailable, prices could go up, and we could find ransomware affecting our daily lives. But organizations can take action to defend against identity-related attacks: Closing security gaps in Active Directory (the most common identity store), implementing automated remediation for malicious changes, and having a tested recovery plan in place will significantly improve overall security posture.” - Sean Deuby, Director of Services, Semperis
“2021 has been an awakening to the possibility of passwordless authentication – tech leaders like Microsoft have made it a priority and there are now more options than ever to support MFA. The challenge of 2022 will be delivering on the high expectations for passwordless. There's no silver bullet for authentication, so businesses will need to implement multiple credential solutions to get rid of passwords. This will be complex and time consuming for both the user and the IT team. In 2022, businesses need to consider how to make their transition to passwordless simple and painless.” - Jerome Becquart, COO, Axiad
“The pandemic has forced the adoption of new ways of working and the return to the office will be the adoption of understanding those ways of working - how do we understand them and secure them. Access will be a huge challenge - especially understanding who has access, what they have access to, and do they still need access.” - Eric Kedrosky, CISO and Director of Cloud Security at Sonrai Security
“The biggest challenge to identity security in 2022 will be organizations using a siloed approach to handling different identity-related security needs, and inadvertently leaving gaping holes in their overall Identity security strategy. Identity is surfacing as a key cybersecurity exposure gap, whereby 63% of data breaches are caused (often inadvertently) by internal staff; more than 50% are credential-related attacks, and nearly half of all users have more privileges than his or her job requires. What organizations need is a unified identity security platform that allows them to harden privilege; ensure all identities are correlated and visible; remove friction with better integration; manage identity consistently; and better and more quickly add, remove, and adjust privilege just in time.” - Rima Pawar, VP Products and UX, One Identity
“While it seems that the biggest challenge for identity security would be successfully defeating the ‘bad guys,’ it is a lack of resources that could create the biggest hurdle for organizations in 2022. With the recent explosion of cyberattacks, organizations know that they need to improve their identity security, with many solutions to choose from. Yet many are deterred by the high costs and workload required to implement critical security controls, as well as the lack of cybersecurity talent required to do so successfully. Organizations will need to seek out flexible, affordable solutions to improve their identity security in 2022.” - Kimberly Johnson, VP of Product, BIO-key International