
Securing the Enterprise: IAM Trends to Watch (Part 2)

This guest blog was contributed by Jackson Shaw, CSO, Clear Skye. Read part 1 here.


In part one of this series, we explored three important Identity and Access Management (IAM) trends that will shape 2024. We covered securing remote working environments, creating an intuitive user experience (UX), and the benefits of a platform approach to identity. These aspects of security are unique in that, if done right, all contribute to better workflows and improve overall business functionality.


That said, there are several other areas of IAM that deserve to be highlighted. Although they also have the ability to help a business run smoothly, the focus is on threat detection, protection, and most importantly, prevention. Whether it’s AI-powered automation, new regulatory implications, or new approaches to old cybersecurity problems, here are four more IAM trends to watch this year. 


AI Support

AI has the power to meet critical business needs and its applications in cybersecurity are no exception. Take compliance, for example. IAM solutions can automatically assess who has access to what, auto-approve any permissions that look right, and flag anything for review that doesn’t. This is a valuable time saver that automates a once manual, labor-intensive process. But AI is not a silver bullet. 


What the technology can’t provide is important insight into potential vulnerabilities associated with access, whether it’s outdated policies or an unknown security threat. There are simply data limitations that even the most advanced algorithms can’t bypass. For now, the role of support agent is the most valuable application of AI in IAM. Identity management itself started as a way to improve efficiency and evolved with time. It’s likely AI will follow the same course, with more complex use cases as it matures.


Regulatory Crackdowns 

As an industry, we’ve grown with the implementation of privacy regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in an effort to protect user data. And as more stringent regulations come to light—NIS2, the Cyber Resilience Act, and the AI Act in Europe and Biden’s Executive Order on Cybersecurity in the US, to name a few—businesses need to be prepared. IAM systems in place must comply or evolve to meet new standards. Otherwise, the cost may not just be financial or reputational, but legal.


In response, IAM will move beyond efficiency and security to become an integral part of data privacy and regulatory compliance. This will be another factor in creating more user-friendly identity management solutions—not necessarily just in regard to UX, but rather how we manage identities. Advances in biometrics and the tried-and-true multi-factor authentication will help with this. But there's another trend to keep an eye on…


Decentralized Identity

Currently, we rely on user IDs, passwords, physical and digital tokens, and social logins for authentication. In a Web3 world, users would have their identity stored on a public blockchain, privately held on a computer, or in a wallet on their mobile device. In this scenario, user authentication changes drastically in the sense that governance and risk lie with the user, not the company they work for. In theory, owning and controlling one’s own data, content, and identity is a good thing.


A shift to “Bring Your Own ID” (BYOID) means an individual would have their own wallet to store their identity. This is great from a security and privacy standpoint. However, there are scalability, interoperability, and compliance hurdles to address before decentralized identity becomes a reality. Considerations about who is responsible if company data is compromised are important to iron out before implementation. 


Identity Risk Management 

Identity risk management is critically important, but often undervalued and under-prioritized in enterprise security. In today’s digital world, attacks are inevitable, but successful attacks don’t have to be. Moving from a reactive to proactive stance on risk will be the difference between organizations that recover from security compromises and ones that don’t. 


Having a process flow that identifies, stops, and remediates the damage from a breach won’t prevent it from happening. It will, however, ensure the blast radius is contained. Solidifying an incident response plan is the next piece of navigating from breach to IT resiliency. This should cover next steps after someone reports an incident to the Help Desk: What happens downstream, who is notified, who is assigned the task, and how do you then determine there’s no additional risk in the process? Identity data will help get to the root of the problem. A strong IAM stance will help prevent it from happening again.


It will be interesting to see how these areas impact businesses in the coming year. And while trends come and go, IAM has staying power as a means to not only secure the enterprise, but operationalize it in the process. 
