Industry executives and experts share their predictions for 2022. Read them in this 14th annual VMblog.com series exclusive.
5 Identity and Access Management (IAM) Predictions for 2022
By Kevin Converse, GuidePoint Security
The traditional network perimeter has disappeared, and attackers have
exploited employees' corporate accounts to reach valuable systems and
data. These accounts are effectively keys: to the organization's front
door and to every door inside it, letting an attacker move deeper into
the network. According to Verizon's 2021 Data Breach Investigations
Report, 45% of data breaches in 2020 involved hacking, and more than 80%
of those hacking breaches involved brute force or the use of lost or
stolen credentials.
With a historically high number of remote workers and the continued
movement of applications and data to the cloud, Identity and Access
Management has become central to cybersecurity, with analyst estimates
putting the market size between $22-25 billion by 2025.
Additionally, many organizations have begun their journey to Zero Trust,
and the adoption rate will only increase with the recent Executive Order
on Improving the Nation's Cybersecurity (EO 14028). Identity is central
to a Zero Trust architecture: every access decision starts with who or
what is asking.
Identity must not only address the security challenges that many
organizations face; it must also enable productivity and stay
transparent to users, or it will not be adopted. Here are my five
predictions for the evolution and adoption of Identity & Access
Management capabilities.
1. Passwordless Authentication will lead to more continuous authentication.
This prediction is more near-term than long-term, as many identity
vendors already offer passwordless platforms. Passwords have been a
cybersecurity staple for decades, but they have always been a point of
friction for users and IT: rotation schedules, forgotten passwords,
passwords that are too simple or too complex, and so on. Most surveys
I've seen show a majority of respondents saying password management is
difficult, and when something is difficult, people look for easier ways
around it.
Passwordless authentication is here now to address these traditional
challenges. Whether it rests on a registered device, biometrics or
behavioral biometrics, with context such as IP address and physical
location feeding the risk decision (those signals are useful context but
are not authenticators on their own), this kind of frictionless
authentication will change how we initially onboard users and register
them with devices, and it will ultimately lead to more continuous
authentication, which is central to a functioning Zero Trust
architecture.
2. Single Sign On (SSO) Protocols will continue to decrease the need for unique accounts/credentials for every resource.
Standards such as SAML, OAuth 2.0 and OpenID Connect will continue to
reduce the number of accounts needed to access web applications.
Centralized on an identity provider, SSO gives one place for
authentication and user management, and paired with automated
provisioning and deprovisioning (for example via SCIM) it delivers
large productivity gains while staying transparent to users. This
capability will also continue to support the maturation of cloud
platforms (and so reduce the importance of on-prem Active Directory).
The relying party still has to validate what the identity provider
hands it: signature, issuer, audience, expiry and nonce.
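The checks a relying party must perform on an OpenID Connect ID token, as an added example that is not code from the article or from any vendor it mentions. It signs with HS256 keyed on the client_secret, which OIDC Core permits for confidential clients, so it runs offline with only the standard library; public identity providers usually sign with RS256 and publish keys via JWKS, in which case only the signature step changes. The issuer, client id, secret and claims below are constructed for the example.

```python
# Added example (not from the original article): relying-party validation
# of an OpenID Connect ID token. HS256 keyed with the client_secret is used
# so the example runs stand-alone; names and values are constructed.
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised when an ID token must not be accepted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, client_secret: str) -> str:
    """Mint an HS256 ID token the way the identity provider would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"


def validate_id_token(token, client_secret, issuer, client_id, nonce, now=None, leeway=60):
    """Return the claims if the OIDC Core 3.1.3.7 checks pass, else raise TokenError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: trusting whatever 'alg' the token claims (including
    # 'none') lets an attacker forge tokens.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise TokenError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise TokenError("azp must name this client when aud has several entries")
    now = time.time() if now is None else now
    if claims.get("exp", 0) + leeway < now:
        raise TokenError("token expired")
    if claims.get("iat", 0) - leeway > now:
        raise TokenError("token issued in the future")
    # The nonce ties the token to the authentication request that asked for it.
    if claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch (possible replay)")
    return claims


def rejection_reason(*args, **kwargs):
    """Convenience wrapper for logging: None if accepted, else why it was refused."""
    try:
        validate_id_token(*args, **kwargs)
    except TokenError as err:
        return str(err)
    return None
```

The point of `rejection_reason` is operational: an SSO integration that silently drops bad tokens hides the signals (wrong audience, replayed nonce, stale expiry) that a SOC wants to see in the login logs.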
3. Multi-factor Authentication (MFA) continues to evolve and MFA as a
Service replaces SMS One Time Password (OTP) with push notifications.
SMS OTP is increasingly defeated by SIM swapping, interception on the
telephone network and adversary-in-the-middle phishing kits that relay
the code in real time, and NIST SP 800-63B classifies OTPs delivered
over the public switched telephone network as RESTRICTED authenticators,
so organizations that must meet NIST requirements need a documented
risk assessment and a migration path if they keep using it. SMS OTP will
be phased out in favor of biometric and device-bound authenticators that
work across many applications. PINs will also fall by the wayside as
they are replaced by push notifications, with one caveat: a bare yes/no
prompt can be approved by a tired user who never started a login, so
the prompt should be tied to the session that requested it, for example
by showing a number on the login screen that the user must enter in the
app.
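A push-approval verifier that binds each prompt to the login that requested it, as an added example rather than code from the article or from any MFA vendor. The session ids, users, 60-second lifetime and three-strike lockout are constructed assumptions; what the block demonstrates is that an approval is only honored for a live, single-use challenge whose displayed number the user typed back, so an attacker spamming prompts cannot get in on a reflexive "Approve".

```python
# Added example (not from the original article): push MFA with the approval
# bound to the requesting session. Lifetime and lockout threshold are assumed
# policy values; user and session names are constructed for the example.
import secrets
import time
from dataclasses import dataclass


@dataclass
class PushChallenge:
    user: str
    session_id: str
    number: int          # 2-digit value shown on the login page, typed in the app
    issued_at: float
    approved: bool = False


class PushMfaServer:
    CHALLENGE_TTL = 60   # seconds a push prompt stays valid (assumed policy)
    MAX_MISMATCHES = 3   # wrong numbers before the user is locked (assumed policy)

    def __init__(self):
        self._challenges = {}   # session_id -> PushChallenge
        self._mismatches = {}   # user -> count of wrong-number approvals
        self.locked = set()

    def start_login(self, user, session_id, now=None):
        """Create the prompt for a session that passed primary authentication.

        Returns the number to display on the login page.
        """
        issued_at = time.time() if now is None else now
        challenge = PushChallenge(user, session_id, secrets.randbelow(100), issued_at)
        self._challenges[session_id] = challenge
        return challenge.number

    def approve(self, user, session_id, number_entered, now=None):
        """Authenticator callback: True only for a live, unused challenge
        whose displayed number the user entered."""
        now = time.time() if now is None else now
        if user in self.locked:
            return False
        challenge = self._challenges.get(session_id)
        if challenge is None or challenge.user != user:
            return False    # approval for a login nobody started
        if challenge.approved or now - challenge.issued_at > self.CHALLENGE_TTL:
            del self._challenges[session_id]
            return False    # replayed or stale prompt
        if number_entered != challenge.number:
            # The user approved without looking at the login screen; with a
            # bare yes/no prompt this would have been a successful fatigue attack.
            self._mismatches[user] = self._mismatches.get(user, 0) + 1
            if self._mismatches[user] >= self.MAX_MISMATCHES:
                self.locked.add(user)
            return False
        challenge.approved = True
        return True
```

In a real deployment the mismatch counter is also the alert: a burst of wrong-number approvals for one user means someone else is driving the prompts, and that is worth a ticket before the lockout clears.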
4. Wearables for MFA.
How many of the people you work with wear a smartwatch? With wearables
now commonplace, these devices provide another option for stronger
authentication: possession of a paired device, plus biometrics such as
heart rate or gait.
5. Access Control blending into the IGA and PAM space.
The identity space has been segmented into Access Control, Identity
Governance and Administration (IGA) and Privileged Access Management
(PAM), with vendors and solutions in each silo. We will begin to see
these areas merge as vendors expand and encroach on each other's
territory. We've already seen at least one vendor announce plans to
launch capabilities in these complementary areas.
IAM is a key business enabler because of automated policies and
transparency to users, while also providing greater security. With more
organizations adopting a Zero Trust security model, identity is an
integral component of that approach. IAM is ultimately another step in
the evolution of cybersecurity, in which passwords fall by the wayside,
MFA continues to evolve, and the identity space as a whole continues to
converge.
ABOUT THE AUTHOR
Kevin Converse, Identity and Access Management Practice Lead, Professional Services, GuidePoint Security
Kevin Converse is the Identity & Access Management Practice Lead at GuidePoint Security. He has over 20 years of experience in the IT and cybersecurity domains. In his career, Kevin spent several years working for a large financial organization and a higher education institution, where he oversaw projects ranging from end user deployment and remote workforce enablement to infrastructure automation. He has a decade's worth of experience across multiple cybersecurity domains, including vulnerability management, SIEM integration, security architecture and identity management. He has spent the last 5 years in the consulting space deploying identity and access management programs across multiple verticals.