Zero trust, democratization and biometrics -- identity management predictions for 2022
Zero trust has been one of the security buzz phrases of the past year and control of identity and credentials is likely to remain a focus for businesses and consumers alike, especially as the work from home trend looks set to continue.
Here's what some of the experts think the identity field holds for us in 2022.
Blake Hall, CEO and Founder of ID.me believes we'll see digital wallets become mainstream as a way of controlling identity. "The pandemic surged demand for secure digital identity systems to efficiently deliver services online. At the same time, the FTC reported that identity theft tied to government benefits increased by 2,920 percent YOY. Digital wallets that streamline access for legitimate users and guard against attackers are the answer."
Larry Chinski, VP of global IAM strategy at One Identity thinks the growth of machine identities will create an even larger identity sprawl challenge for organizations. "Due to the convergence of AI innovation, digitization, and the asynchronous workforce accelerated by the pandemic -- enterprises are increasingly deploying solutions like RPA (Robot Process Automation) to automate tasks, boost productivity, and enhance customer service. However, there's one big issue that's commonly overlooked when it comes to AI innovation -- security. Today, 94 percent of organizations who have deployed bots or RPA report challenges securing them. What's causing this challenge is that security professionals don't realize that bots have identities just like humans. Since RPA requires access to data they ultimately need to be secured just like its human counterparts. So as enterprises exponentially deploy AI solutions like RPA, we should expect to see a string of bot-based breaches because security professionals aren't equipped to handle the identity sprawl linked to the growth of machines."
Kory Daniels, global director, cyber defense consulting at Trustwave thinks identity and access management needs to be a higher priority:
Effective identity and access management at scale will be critical for organizations to prioritize in the coming year. The rules of engagement were much more predictable when workers kept to the traditional 9 to 5 workday and remained at a designated office location. As a result, many companies didn’t even have insider threat management on their radar. Now, there is a new layer of complexity with the surge in remote and hybrid work.
Successful digital identity theft means an attacker can freely impersonate a member of your workforce. So, how do you know if someone is who they say they are? What certification exists, and baseline behavior is in place to establish trust? This is much more difficult to decipher with a virtual workforce -- as workers are in a myriad of locations, time zones, and accessing files off-hours. Baselines for understanding normal user and entity behaviors have shifted further since remote behaviors differ quite drastically.
As a result, it has become much more expensive for organizations, especially those with mature insider threat management programs in place, to distinguish a bad actor from an actual employee. Refining an ongoing identity and access management program and addressing these challenges will be paramount in 2022.
Emilio Campa, analyst on the thematic team at GlobalData believes zero trust will start to be taken more seriously but this won't be a fast process. "Companies that do not adopt a zero-trust approach will be more likely to experience a cyberattack in 2022. As of September 2021, the US government mandates its agencies to achieve five specific zero-trust security goals by the end of 2024. Corporations that do not follow this example will miss out on a critical defense that will save them money in the long run. However, implementation of zero trust will not be easy: Google took six years to fully migrate its staff to a zero-trust framework."
The team at Watchguard Technologies echoes this view:
Recently, a 'modern' information security architecture has grown in popularity under the name of zero trust. A zero-trust approach to security basically boils down to 'assuming the breach.' In other words, assuming an attacker has already compromised one of your assets or users, and designing your network and security protections in a way that limits their ability to move laterally to more critical systems. You'll see terms like 'microsegmentation' and 'asserted identity' thrown around in discussions on zero trust. But anyone that has been around for long enough will recognize this trending architecture is built on existing, long-standing security principles of strong identity verification and the idea of least privilege.
This isn't to say zero-trust architecture is a buzz word or unnecessary. On the contrary, it is exactly what organizations should have been doing since the dawn of networking. We are predicting in 2022, the majority of organizations will finally enact some of the oldest security concepts all over their networks, and they will call it zero trust.
Joseph Carson, chief security scientist at ThycoticCentrify also believes zero trust will become a baseline. "Companies are looking for ways to reduce the risks from cyberattacks and accept that security must become a living system within the business rather than the old legacy static approach. In 2022, Zero Trust can help organizations establish a baseline for security controls that need to be repeated and force cybercriminals into taking more risks. That results in cybercriminals making more noise that ultimately gives cyber defenders a chance to detect attackers early and prevent catastrophic cyber-attacks."
"The rise of hybrid working and continued innovation from threat actors means 2022 has plenty of nasty surprises in store for enterprise security," says Ian Pratt of HP Wolf Security. "As a result, we need to go about securing the future of work in an entirely different way. Organizations should embrace a new architectural approach to security that helps to mitigate risk and enable resilience. By applying the principles of Zero Trust -- least privilege access, isolation, mandatory access control and strong identity management -- organizations can drastically reduce the attack surface and secure the future of work."
Michael Bunyard, head of IAM marketing at WSO2 thinks we'll see a democratization of security. "The tradition of having a single identity or security administrator is rapidly diminishing. Democratization of security will take place, ensuring that everybody within an organization is familiar with security best practices and is able to do their own part to prevent a security breach. No longer will anyone be able to say security 'is not my job.' Developers in particular will have to wear multiple hats as the tech skills shortage intensifies. That also means that cybersecurity will need to make its way into coding curriculum to give new software engineering grads more security skills."
Bala Kumar, CPO of Jumio, believes we'll see organizations prioritizing customer experience in the identity verification process. "Rather than treating all users as potential threats, organizations will put the consumer experience at the center of the verification process. This will enable a more seamless consumer experience and smoother business operations. In 2022 and beyond, organizations will invest heavily to reduce abandonment rates and retain good consumers through the onboarding journey."
Mitek Global head of product Sanjay Gupta predicts we'll see more use of biometrics to verify identities. "The use of AI, including biometrics, to verify identification and support secure online transactions will continue to expand in 2022. According to new research from airports who have implemented biometrics systems in 2021, many consumers support these common types of identity verification, such as fingerprint matching. In the next year, we will hear more about behavioral biometrics and voice matching as these new methods enable people to conduct business and transactions online more securely."