2020 Predictions for Identity and Access Management (IAM)

This is our first annual roundup of expert predictions for the coming year. Here’s what leading industry figures have to say cybersecurity issues affecting Identity and Access Management (IAM) and related cybersecurity issues in 2020.

• IAM is the new perimeter, and it is harder than you think. Everything in the cloud has an identity, and the relationships are complex, so scoping to least privilege or adopting zero trust sounds great, but is really difficult to do. In 2020, security professionals are going to realize that identity and access management (IAM) is an area where they can lose control rapidly, and it is very hard to take back. Approaches and strategies from the datacenter world don’t transfer, and companies need to rapidly invest in the process and in supporting tools (including automation) to stay ahead in this complex landscape. The repercussions of poor IAM governance are substantial and sometimes unpredictable. For example, a former AWS employee was able to access over 100 million Capital One customers’ records by bypassing a misconfigured web application firewall, performing privilege escalation and as a result, obtained access to a swathe of customer information. – Chris DeRamus, CTO and co-founder, DivvyCloud

• 2020 Will be the Beginning of the End of Passwords.Consumers already log in to dozens of protected resources everyday: from email, banking and financial accounts, social media, healthcare, government accounts, and beyond. Even when tools like TouchID are leveraged each of these resources currently still have an associated username and password that can be attacked. To save time and remember their credentials for all these sites, consumers reuse the same username and password across several sites. As a result, the user’s exposure from any one security breach on one of those profiles dramatically increases the odds that additional accounts can be compromised as well, allowing attackers to access far more sensitive information. Users can also put their employer at risk of being breached if they use the same login credentials across personal and professional accounts. Organizations have reacted to this risk by increasing their password policies and requiring more and diversified characters, as well as more frequent password changes; however, this still allows users to reuse usernames and passwords across different accounts. To eliminate this issue, passwordless authentication methods, such as using out-of-band steps on smartphones that leverage push notifications, will become widely adopted. In fact, Gartner estimates that 60% of large and global enterprises, as well as 90% of midsize organizations, will leverage passwordless methods in over 50% of use cases by 2022. Companies that properly implement passwordless authentication will not only be more secure, but they subsequently improve the overall user experience by reducing friction in the login process. – Ben Goodman, CISSP and SVP of global and corporate development at ForgeRock

• Unified, third-party identity providers become the gold standard to streamline and secure the user experience. Consumers already validate their identities by leveraging single sign-on (SSO) and registration with Facebook, Google, Apple and more. However, similarly to how a NASCAR car is covered with logos, the practice of using too many third-party identity providers creates a “NASCAR” condition which can hinder the user experience. The truth is that with even more market entrants coming in 2020 none of these providers will likely get enough critical mass in order to be recognized as the de facto provider for all US consumers. To combat this problem, the U.S. will balance the need for security with the importance of a seamless user experience. The U.K. Postal Service currently uses Digidentity as a method for consumers to quickly and securely obtain access to postal services, and it would not be surprising to see similar concepts take off in the US. The benefits of leveraging digital identity speak for themselves, as a recent Deloitte Insights article referenced how: Nigeria saved $1 billion on civil service staff by using digital identity and removing 62,000 ghost workers. 24 of the 28 European Union member countries that have implemented the Once-Only initiative are expected to save nearly 855,000 hours for their citizens and 11 billion euros for businesses annually. Estonia’s use of digital signatures saved the country 2% in annual gross domestic product (GDP). – Ben Goodman, CISSP and SVP of global and corporate development at ForgeRock

• By assigning identities to connected things to secure and manage them, they will become first-class citizens in 2020. To reduce IoT security incidents, device providers will cease to prioritize connectivity over security in their projects. In fact, security will be integrated at an earlier phase of the development cycle, and devices will have identities assigned to them from square one in order to effectively and efficiently secure and manage them. Recently, it was reported that hackers have created dedicated software for breaking into Amazon Ring’s security cameras, and there have already been successful attacks in Florida and Tennessee. To get IoT security right, companies must be secure at multiple levels: the transportation of data, access to that data and access to connected devices. As a result, organizations will define unique and secure identities for the devices they are trying to secure and manage. This can be done by working with vendors that understand the identity and access management (IAM) issues companies will be dealing with. – Ben Goodman, CISSP and SVP of global and corporate development at ForgeRock

• Blurred Lines: Corporate and Personal Identity Will Converge – With the rise of bring your own device (BYOD) culture in the workplace and the access to personal accounts, corporate and personal identities have started to become one and the same. Context is a large part of redefining identity, with who you are being based on a number of factors rather than just a username and password. As we continue to shift toward using biometrics as a primary mode of authentication, even for work devices, those lines will continue to blur even further. – Kowsik Guruswamy, CTO at Menlo Security

• Digital identity solutions will help financial service organizations and banks meet a variety of regulatory demands in 2020 while also maintaining strong customer relationships: Regulations like KYC (know your customer) and AML (anti money laundering) have created necessary but sometimes lengthy processes for banking and financial service organizations, resulting in a compromised customer experience (the average customer onboard process takes an average of 26 days to complete). In order to meet comprehensive regulatory needs while also prioritizing customer experience, the financial industry must deploy more sophisticated means of identity verification and ongoing authentication in 2020. Options like biometrics with certified liveness detection will allow the industry to quickly identify customer identity, protect against deepfake attacks and other fraudulent activity, ease of use for customers and better cross-platform portability, creating a new standard for customer onboarding and continued identity authentication. – Robert Prigge, President ofJumio

• Identity validation will be a major challenge across the entire security sector. Most companies think about cybersecurity in terms of encryption, sandboxing, network segmentation, etc., and overlook the core role of identity. In 2019 we saw enterprises and security vendors increasingly wake up to the importance of identity and access management (IAM) as an integral component of enterprise security, and for good reason. But granting access is just one slice of the cybersecurity “identity crisis.” Every person, phone, computer, and IoT device has an identity that must be authenticated in order to establish trusted communication. And validating identity is no easy task. Over Labor Day weekend we saw Twitter CEO Jack Dorsey’s Twitter account get hacked via SIM swapping (which was most likely initiated by an impersonation of Dorsey himself), and incidents of business email compromise (BEC) attacks and social media disinformation campaigns executed by bots are all examples of havoc wreaked when identity is not authenticated. – Peter Goldstein, CTO and Co-founder Valimail 

• DMARC adoption will grow across industries. We’ll see a continued increase in Domain-based Message Authentication, Reporting and Conformance (DMARC) adoption. DMARC is a vendor-neutral authentication protocol that allows email domain owners to protect their domain from spoofing, and the number of domains using it has grown 5x in the last 3 years. We’ll see increased growth across several verticals in 2020 – especially healthcare and government. Following the lead of the federal government’s civilian branches, the Department of Defense will soon be requiring all of its domains to enforce DMARC, resulting in an increase in the number of military domains protected. H-ISAC, global nonprofit organization serving the health care sector, has urged health care companies to adopt DMARC as part of best practices for securing email, and as a result we’ve already seen a rise in adoption rates in this vertical. This growth will continue throughout 2020. – Peter Goldstein, CTO and Co-founder Valimail