Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
Machine Learning, API Access Control and Authorization in the Spotlight for IAM Teams
By Mark Cassetta, chief product officer, Axiomatics
As attack surfaces continue to expand,
identity access management (IAM) and, subsequently, authorization will be a
focal point for the enterprise. With drivers such as remote work, new
applications and managing standards, organizations will make developing access
control strategies a priority in the new year.
The Rise of ITDR Will Force Enterprises to Examine How They Quantify Risk
Identity-based attacks are now a threat businesses keep at the
forefront of their threat awareness efforts. With remote workforces, widespread
adoption of IoT, and a significant number of digital identities being created,
the attack surface continues to widen, leaving organizations vulnerable to
identity-based exploitation by opportunistic threat actors. Identity threat
detection and response (ITDR) software can help protect identity systems,
detect when they are compromised and enable efficient remediation. It is
different from identity and access management (IAM) software as IAM's function
is to prevent identity-related risks through proper user authentication and
access up front, while ITDR identifies threats once systems have been
compromised. Given the gaps in multi-cloud architectures and an
exponential increase in human and machine-based identities, in the new year,
CISOs and security teams are evaluating ITDR to harden IAM platforms first,
especially those deployed in multi-cloud infrastructures.
IAM Teams Look to Adopt AI and Machine Learning but Only for Specific Instances
As more enterprises adopt an identity-first approach to their
security strategy, they are challenged with how to manage the increasing number
of entitlements and permissions connected to applications that live in a
variety of environments (on-premises, private cloud, public cloud, etc.) and
create a lot of data about events, logs, users and more. In addition, the
explosion of demand for cloud infrastructure and entitlement management (CIEM)
solutions has resulted in creating more predictable models about users,
entitlements and provisions. As a result, in 2023 enterprises mature in
their implementation of these areas will consider leveraging artificial
intelligence or machine learning to further scale these strategies. However, AI
and ML adoption by IAM teams will likely remain constrained to those targeted
areas as enterprises continue to mature their IAM strategies.
API Access Control will take center stage for IAM teams
With the adoption of microservices and more advanced API
frameworks including GraphQL, it's easier and more encouraged than ever before
for developers to leverage APIs through their application development process.
While the benefits of this approach are well known and include faster
development and more code reuse within the enterprise, enterprises will
continue to struggle with the challenges this creates. Specifically, as all
APIs become policy development points (or PDPs), they become a massive point of
risk and a specific challenge for IAM teams. In short, while security teams
have struggled with the explosion in APIs, IAM teams will grapple with the
explosion in PDPs and the risk this creates for the enterprise.
For Authorization, it's no longer about the standards...it's about the strategy
Historically, authorization conversations focused on what
standard is most effective or should be leveraged in a particular situation.
Much like the standards in authentication (OpenID vs SAML vs OAuth), there
won't be one standard that defines authorization. The use cases are so vast
there may be different reasons to apply/leverage a different standard but the
important thing will be the ability for these standards to interact with one
another. As more enterprises look to adopt authorization, this conversation
will shift from focusing on standards to focusing on strategy - how best to
deploy authorization as part of a broader Zero Trust strategy or how to
leverage signals from existing IAM (or broader cyber) solutions to bring access
control to the fore across the IT stack. This will mark a leap forward for the
authorization market as the focus moves from early adopters to becoming more
mainstream.
## ABOUT THE AUTHOR
Mark Cassetta, chief product officer, Axiomatics. A cybersecurity veteran with more
than a decade of experience, Mark Cassetta leads Axiomatics' product strategy,
driving the creation of solutions that offer enterprises around the world a way
to address current and future authorization and access management challenges.
Mark's background includes various leadership positions for both software
vendors and global systems integrators, including Titus and Accenture.