More machine IDs, attacks on providers and AI verification -- identity management predictions for 2023
Although the death of the password has been predicted for many years, older technology still clings on when it comes to verifying identities.
But that's changing, particularly with the massive growth in the numbers of machine IDs. Here is what some industry experts think we'll see from the identity world in 2023.
Shira Shamban, CEO and co-founder of Solvo, expects to see a more identity-centered security model. "Along with seeing a data-centric approach to security emerge, we will also see an identity-centric model grow. In previous years, when infrastructures were entirely on-premises, the network used to be the security perimeter. However, in today's cloud-native era and with the growth of APIs, it's necessary to have strong Identity and Access Management practices throughout the organization, creating a unique identity not only for each individual employee but also for the specific cloud components, such as containers, serverless functions and data resources. Maintaining a least-privileged state at scale will be increasingly important."
Michael Mumcuoglu, CEO and Co-Founder of CardinalOps, believes we'll see attacks focusing on identity providers. "In addition to SolarWinds-style attacks on software suppliers and attacks on MSSPs targeting downstream customers, we should expect to see more attacks on identity providers like Okta, OneLogin, and Microsoft Active Directory. Once an adversary breaks into these platforms, they can easily impersonate employees, elevate their privileges, and be nearly impossible to detect. That's why it's critical that organizations make sure they're constantly monitoring logs for unusual activities such as the creation of new user accounts -- especially from unusual locations -- as well as password changes and MFA resets."
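A small illustration of the log monitoring the quote describes, added here as an example and not code from the article or from any identity vendor: it runs three rules (account creation from a location outside the login baseline, password changes, MFA resets on another user) over constructed audit events in an assumed generic IdP schema.

```python
"""Added example (not from the article): flag IdP audit events the quote
calls out -- new account creation from unusual locations, password changes
and MFA resets. Event schema, names and locations are all constructed."""
from collections import Counter

# Constructed events in a generic IdP audit-log shape (not any vendor's schema).
AUDIT_EVENTS = [
    {"ts": "2023-01-09T08:02:11Z", "type": "user.session.start", "actor": "alice", "target": "alice", "country": "GB"},
    {"ts": "2023-01-09T08:05:40Z", "type": "user.session.start", "actor": "bob", "target": "bob", "country": "GB"},
    {"ts": "2023-01-09T08:10:03Z", "type": "user.session.start", "actor": "carol", "target": "carol", "country": "IE"},
    {"ts": "2023-01-09T23:41:57Z", "type": "user.account.create", "actor": "bob", "target": "svc-backup2", "country": "XX"},
    {"ts": "2023-01-09T23:42:30Z", "type": "user.mfa.factor.reset", "actor": "bob", "target": "alice", "country": "XX"},
    {"ts": "2023-01-10T09:15:22Z", "type": "user.account.create", "actor": "alice", "target": "dave", "country": "GB"},
    {"ts": "2023-01-10T10:00:00Z", "type": "user.password.change", "actor": "carol", "target": "carol", "country": "IE"},
]

# The three event classes the quote says should always be watched.
SENSITIVE = {"user.account.create", "user.password.change", "user.mfa.factor.reset"}

def baseline_countries(events, min_logins=1):
    """Countries seen in ordinary session starts; anything else counts as 'unusual'."""
    counts = Counter(e["country"] for e in events if e["type"] == "user.session.start")
    return {c for c, n in counts.items() if n >= min_logins}

def detect(events):
    """Return one alert per sensitive event; severity is 'high' when the actor's
    location is outside the login baseline or they reset someone else's MFA."""
    known = baseline_countries(events)
    alerts = []
    for e in events:
        if e["type"] not in SENSITIVE:
            continue
        reasons = [e["type"]]
        if e["country"] not in known:
            reasons.append(f"unusual location {e['country']}")
        if e["type"] == "user.mfa.factor.reset" and e["actor"] != e["target"]:
            reasons.append("MFA reset on another user")
        severity = "high" if len(reasons) > 1 else "medium"
        alerts.append({"ts": e["ts"], "actor": e["actor"], "target": e["target"],
                       "severity": severity, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in detect(AUDIT_EVENTS):
        print(a["severity"].upper(), a["ts"], a["actor"], "->", a["target"], "; ".join(a["reasons"]))
```

In production the baseline would come from weeks of history per user rather than the same batch, and the medium alerts would be correlated with change tickets before paging anyone.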
Axiomatics' chief product officer, Mark Cassetta, echoes this view and says businesses will need to assess how they deal with the threat. "Identity-based attacks are now a threat businesses keep at the forefront of their threat awareness efforts. With remote workforces, widespread adoption of IoT, and a significant number of digital identities being created, the attack surface continues to widen, leaving organizations vulnerable to identity-based exploitation by opportunistic threat actors. Identity threat detection and response (ITDR) software can help protect identity systems, detect when they are compromised and enable efficient remediation. It is different from identity and access management (IAM) software as IAM's function is to prevent identity-related risks through proper user authentication and access up front, while ITDR identifies threats once systems have been compromised. Given the gaps in multi-cloud architectures and an exponential increase in human and machine-based identities, in the new year, CISOs and security teams are evaluating ITDR to harden IAM platforms first, especially those deployed in multi-cloud infrastructures."
Chris Hickman, CSO at Keyfactor, thinks there'll be further growth in machine identities:
The number of digital certificates will double at minimum. Businesses will rely on even more machines and technology for daily operations due to initiatives such as cloud transformation, DevOps and zero trust. With a growing number of machines comes a growing number of machine identities, and more digital certificates than ever before.
Due to this growing number of certificates, I expect certificate lifespans to shorten to approximately six months, eventually making their way down to three months. With a high volume of certificates, lifespans will minimize for higher protection of machine identities.
Digital certificates with a three- or six-month life span will be particularly challenging to manage and secure properly. Security teams will have to rely more heavily on automation to manage the hundreds of thousands of certificates within their organization to prevent costly and potentially detrimental outages.
Sitaram Iyer, senior director of cloud native solutions at Venafi, thinks more machine identities will mean compliance challenges for business. "The increased volume of machine identities in cloud native environments will make compliance with regulations on machine identity management a real challenge. If this process isn't automated via a control plane, failed audits will become commonplace."
Shawn Zhong, CTO at Agora, foresees a standardization of identity management. "2023 will see some successful experiments with interoperability standards across virtual worlds. A genuinely interoperable metaverse would see every developer using the same standards to manage identity and entitlements across their virtual worlds. Alas, from our vantage point at the outset of 2023, that reality is but a far-off vision. Still, we expect that early adopters of the metaverse will experience limited interoperability across a few destinations for the first time. This will be a small step in a long sprint, but an important one nonetheless, as it will give the world a glimpse of a potential future for online interactivity."
Donnie Scott, CEO at IDEMIA, sees greater use of mobile IDs. "Mobile IDs will advance the ability for biographic and biometric checks against the system of record (typically the state DMV) in both cyber and the physical worlds. The implications and benefits will touch nearly every aspect of people’s lives. For instance, when going through airport security, people can share their mobile ID with the TSA and may no longer need to carry a physical credential. These mobile IDs can be used to prove an individual’s identity when applying for a home mortgage, by sharing their identifying information with financial institutions, and validating they meet certain financial requirements. Similarly, when applying for a state or federal benefit, government agencies can verify people's identities through their mobile IDs, ensuring the benefit goes to the person who is intended to receive it. The benefits of this model where biometrics meets identity are a citizen-controlled assertion of their identity, backed by the Government's high standard of proof against who that person is. This combination results in a high-assurance, privacy-protected model that will reduce fraud, waste, and abuse across both government and commercial services and save billions of dollars annually while speeding the benefit or service to those in need."
Peter Barker, CPO of ForgeRock, expects to see more use of AI in identity management. "The integration of AI has been growing in cybersecurity and we can expect to see further adoption in the identity and access management space in 2023. The massive transformation to digital engagement, paired with the remote nature of our working lives, has opened the door for new and more relentless types of attacks, like account takeovers, inappropriate access and fraud. Alongside the widening skills gap facing the cybersecurity industry, and the increasing sophistication of threat actors, enterprises need to transform their solutions to stay ahead."
This is echoed by Robert Prigge, Jumio CEO, particularly with regard to policing social media. "In 2023, social media sites will be placed under increased scrutiny for allowing minors on their platforms without parental consent. We will see more social media sites following Instagram’s footsteps in deploying security measures that accurately verify the age of their users, but the privacy vs. protection debate will continue. Digital identity verification that leverages the power of AI and biometrics will be a crucial tool to confirm users are the age they're claiming to be."