The Future Of Identity Security: Top Trends And Insights
Posted June 27, 2024 by Sayers
Identity security walks a fine line. This area of cybersecurity authorizes the right users to access specific network systems, applications, and data so vital work gets done – while also minimizing your organization’s attack surface to safeguard systems and data.
Identity security faces a growing list of complications, among them:
- Cloud services, remote work, and mobile access expand the attack surface.
- Zero trust strategies limit access but add to your tech stack and administrative overhead.
- Users expect a seamless experience that won’t slow them down.
- Industry and government regulations add more compliance requirements to control access and protect data privacy.
- Malicious actors use AI-generated deepfakes to undermine identity authentication solutions.
Read on for current trends and topics as identity security evolves to address those challenges.
Three Pillars And Three Trends In Identity Security
Today’s companies must address the three pillars of identity security to manage access among humans and machines, while keeping the organization resilient against evolving threats:
- Identity and access management (IAM) – IAM covers how identities are authenticated and how access to your organization's systems, applications, and data is granted and enforced. Done well, it reduces organizational risk, balances user experience against security requirements, and limits what an attacker can do with a stolen credential.
- Privileged access management (PAM) – PAM covers how elevated access to high-value or high-risk resources is granted: vaulting and rotating administrator credentials so that each one is unique and short-lived, and brokering privileged sessions. That reduces the risk of stolen administrator credentials and shortens an attacker's dwell time when one is stolen.
- Identity governance and administration (IGA) – IGA covers how access is provisioned, reviewed, and removed across the organization. Provisioning against a role model and continuously auditing identity-based access limits the impact of a breach by ensuring people have only the access their current role requires.
As companies find their footing in identity security, Sayers has observed these three trends:
1. Organizations Are Slow In Moving From Siloed Identity Tools To A Holistic Identity Program
Many organizations struggle with identity security because they approach it as tools to implement rather than a program to manage. Their IAM and PAM tools are siloed. Their IGA is missing or minimal, and they lack an accountable identity program owner.
According to the 2024 CyberRisk Alliance Business Intelligence IAM survey:
Only 27% report high levels of confidence that their organization effectively limits user access to the minimum necessary for their job roles.
Instead, users have too much access, no checks exist for separation of duty, and user accounts linger for years after individuals have left the organization.
A holistic view defines an identity security program roadmap, improves your organization’s PAM posture and tool maturity, and moves your IGA forward.
2. Identity Threat Detection And Response Starts To Find Its Place
Attackers increasingly log in rather than break in: with a valid credential they can move through an enterprise network looking like an ordinary user. Gartner introduced the term identity threat detection and response (ITDR) for the tools and practices that defend the identity infrastructure itself (directories, identity providers, MFA) against threat actors and credential misuse.
ITDR products, many of them cloud-delivered, layer onto the identity tools already in place, such as PAM and multi-factor authentication (MFA), and watch the resulting telemetry for anomalies: logons from unexpected places or at unusual hours, a single account reaching many systems in a short time, dormant or service accounts suddenly in use, and changes to privileged groups. Many ITDR tools also assess and harden Active Directory, since a compromised directory undermines every control that depends on it.
Joe Schnell, Senior Cybersecurity Architect at Sayers, says:
“While ITDR is a much newer technology in the stack, we’re starting to see the functionality of the different ITDR tools settle out into some more standardized capabilities. This shows ITDR is gaining maturity and starting to fit more into the identity conversation.”
ITDR tools are focusing more heavily on identifying risky accounts or configurations and recommending remediation. Organizations can use them to find and clean up inactive user accounts, enforce password quality when users change passwords in Active Directory (for example, rejecting known-breached or dictionary passwords), and trim users and machines to the minimum privileges their tasks require.
3. Organizations Are Increasing Focus On Workforce Password Management
Sayers has observed more organizations bring up workforce password management (WPM) in conversations about identity security, and more vendors such as CyberArk and Akeyless are moving into this space.
WPM gives employees a vault for their passwords, hosted in the cloud or in some cases on-premises. Only the end user holds the key that unlocks and decrypts that vault, while administrators get visibility into risks such as weak passwords, password reuse across sites, and credentials that have appeared in a known breach.
Multi-factor Authentication Turns To Phishing-Resistant Techniques
MFA requires users to prove their identity at login with two or more factors of different types (something they know, have, or are). It shrinks the organization's attack surface because a stolen password alone no longer opens a network, system, or application.
Not all MFA is equal, though. Factors the user reads and retypes, or approves with a tap (SMS and app-generated one-time codes, push prompts), can be phished: an adversary-in-the-middle site captures the password and the code and relays them to the real login page before the code expires, leaving the attacker with an authenticated session.
The Cybersecurity and Infrastructure Security Agency (CISA) strongly urges all organizations to implement phishing-resistant MFA as part of applying Zero Trust principles. CISA offers this caution:
In a widely used phishing technique, a threat actor sends an email to a target that convinces the user to visit a threat actor-controlled website that mimics a company’s legitimate login portal. The user submits their username, password, and the 6-digit code from their mobile phone’s authenticator app.
Phishing-resistant MFA techniques include:
- FIDO2/WebAuthn authentication. FIDO2 (Fast IDentity Online) pairs the W3C WebAuthn browser API with the CTAP protocol for talking to external authenticators, and is supported by the major browsers, operating systems, and smartphones. What makes it phishing-resistant is origin binding: the credential is a key pair registered to the site's domain, the browser will only exercise it for that domain, and the signed response includes the origin the user was actually on, so a look-alike site cannot obtain a response the real site will accept. The authenticator can be a roaming security key, a platform authenticator built into the device, or either combined with a biometric or PIN.
- PIV smart cards. Based on public key infrastructure (PKI), the user's private key and certificate live in a security chip on the card, which must be inserted into or connected to the device for login. Deploying PIV successfully requires mature identity management and certificate lifecycle practices.
Is Passwordless Security A Reasonable Goal?
The idea that passwords can’t be stolen if there aren’t any passwords to steal is a compelling concept. But many organizations have legacy systems that can’t work in a passwordless authentication environment.
What does passwordless mean? That depends on your organization’s desired result. Are you aiming for biometrics only, or smart cards only? Traditional IAM options such as Microsoft, Okta, and CyberArk can achieve passwordless in many areas, but not all.
Schnell says:
“We’re seeing the growth of solutions that are helping accelerate toward a passwordless environment all the way down to the desktop. Microsoft, Google, and Apple are all focusing on the FIDO2 standard to help with identity access management, not just from a phishing-resistant MFA perspective, but also to move toward that passwordless conversation.”
Identity security solutions such as HYPR offer passwordless authentication, focusing heavily on identity verification to confirm someone is who they say they are before approving their device as their authentication method. HYPR uses multiple techniques such as verifying passports and driver’s licenses, and verification through chat sessions that combine AI and human interaction.
In healthcare, tap-and-go digital identity solutions that comply with regulatory requirements provide doctors and other medical personnel with quick, secure access to applications on the go.
Questions? Contact us at Sayers today to request an identity access management educational workshop or other services to improve your identity security.