Identity and access management (IAM) trends are evolving. Yes, areas such as single sign-on (SSO) and zero trust remain vitally important. But new influences are in play.
Here are some of the top trends in the IAM market:
Machine identity is the next frontier of IAM
Zero trust is all about securing IT infrastructure and data via a framework that can safeguard remote workers, hybrid cloud environments, and IT in general. It works on the assumption that any network is always at risk of either internal or external attacks.
“The theme of 2022 is secure your users and your infrastructure secrets with zero-trust network access,” said Darren Guccione, co-founder and CEO at Keeper Security.
Zero trust means an individual is not trusted simply because they are on the network. They have to prove who they are and are given access only to the systems they need. But beyond safeguarding and vetting individual identities, the next frontier is now verifying machine identities.
“Enterprises have invested in IAM as it relates to people. However, initiatives like zero trust also require machines to have strong identities that need to be managed,” said Chris Hickman, CSO, Keyfactor.
“This continues to drive the adoption of certificates across the enterprise, and as with identity for people, machine identities also need consistent management to mitigate risks.”
Identity across all footprints
Hickman with Keyfactor said that there is a growing need for identity across all footprints.
“Cloud transformation continues to push the boundaries of identity,” Hickman said.
“Finding the right solutions that allow for the identity of both people and devices across hybrid environments is challenging. Making sure that the solutions are also agile to allow for timely responses to incidents or breaches continues to be critical.”
To achieve identity across all footprints, automation is the key to scale.
“Manual processes and configuration management impede growth and take resources away from other critical tasks,” Hickman said.
“Relying on largely manual processes as it relates to people and machine identities seriously constrains an organization’s ability to scale.”
Zero trust accelerates
All of this will play right into the zero-trust feeding frenzy. The more organizations buy into this philosophy, the more security technology built on zero trust they will need to deploy.
“Cloud computing, distributed workforces, and remote connectivity for vendors and partners will further accelerate zero-trust network access adoption,” said Guccione with Keeper Security.
Zero-trust network access, after all, is the only viable solution in a world where the network perimeter no longer exists. In addition to securing network connectivity for their distributed workforces, organizations need to ensure that their third-party vendors and business partners can connect to needed network resources securely. A zero-trust approach includes strong user and device authentication, role-based access control (RBAC) with least privilege access, and comprehensive password security, including strong, unique passwords for every user account and multi-factor authentication (MFA), Guccione said.
In addition, organizations will need to shore up their IT secrets management as data environments become more complex and the number of connected devices and apps grows exponentially. With the steady move away from on-prem computing to multicloud and hybrid cloud environments, and away from monolithic applications to modern microservices, there are far more devices and applications connecting to organizational networks. This shift has caused a surge in IT infrastructure secrets, such as certificates, API keys, and remote desktop protocol (RDP) credentials.
“Securing human users with zero-trust network access is critically important but so is securing infrastructure secrets that unlock access to highly privileged systems and data, enabling devices and apps to leverage cloud resources and execute sensitive business processes,” Guccione said.
“For this reason, secrets are prized by cybercriminals for use in highly sophisticated cyber attacks. As an example, among the massive amounts of data stolen during the NVIDIA security breach were code-signing certificates, which threat actors are now using to spread malware in the wild.”
Therefore, organizations can’t afford to take an ad hoc approach to secrets management. They must deploy comprehensive, zero-trust secrets management solutions, so that they can organize and secure their infrastructure secrets.
Once you have a clear understanding of data across your organization, the next step is to leverage this data to reduce attack surfaces as much as possible. One way to do so is to implement identity-based zero-trust architecture and multi-factor authentication.
This approach requires all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture, before being granted or retaining access to applications and data. This includes real-time prevention of identity-based attacks by leveraging conditional access policies.
“Solutions should enforce consistent risk-based policies to automatically block, allow, audit or step-up authentication for every identity, all while ensuring a frictionless login experience for genuine users,” said Patrick McCormack, SVP of platform engineering, CrowdStrike.
“These policies are defined and enforced in real-time, based on authentication patterns, behavior baselines, and individual risk scores to verify identities using step-up authentication, such as multi-factor authentication.”
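As an added illustration (not code from this article or from any vendor quoted in it), the following sketch shows how a risk-based conditional access policy of the kind described above can combine a per-identity behavior baseline, device posture and recent authentication patterns into a block, step-up, audit or allow decision. The sign-in fields, weights and thresholds are assumptions chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Literal

Decision = Literal["allow", "audit", "step_up", "block"]

@dataclass
class Baseline:
    """What 'normal' looks like for one identity (hypothetical fields)."""
    countries: set[str] = field(default_factory=set)
    devices: set[str] = field(default_factory=set)
    hours: tuple[int, int] = (7, 20)  # usual sign-in window, local time

@dataclass
class SignIn:
    """Context captured at authentication time (hypothetical fields)."""
    user: str
    country: str
    device_id: str
    hour: int
    device_compliant: bool  # posture check: managed, patched, encrypted
    mfa_satisfied: bool     # MFA already completed in this session
    recent_failures: int    # failed attempts in the last few minutes

def risk_score(s: SignIn, b: Baseline) -> int:
    """Additive score from deviations against the baseline and posture."""
    score = 0
    if s.country not in b.countries:              # unfamiliar location
        score += 40
    if s.device_id not in b.devices:              # unfamiliar device
        score += 25
    if not (b.hours[0] <= s.hour <= b.hours[1]):  # outside usual hours
        score += 15
    if not s.device_compliant:                    # failed posture check
        score += 30
    score += 5 * min(s.recent_failures, 5)        # possible credential guessing
    return score

def evaluate(s: SignIn, b: Baseline) -> tuple[Decision, int]:
    """Map the score to block / step-up / audit / allow (assumed thresholds)."""
    score = risk_score(s, b)
    if score >= 70:
        return "block", score        # too risky even with MFA
    if score >= 30:
        # Elevated risk: demand MFA unless it was already satisfied, in
        # which case let the sign-in through but flag it for review.
        return ("audit" if s.mfa_satisfied else "step_up"), score
    return "allow", score            # frictionless path for genuine users
```

In a real deployment the baseline would be learned from sign-in history and the decision logged with its score so that analysts can tune the thresholds.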