While the implementation of the cloud, data analytics, and other digital initiatives have optimized business processes, they have also brought new risks and cyber threats. But, a good security program starts with securing identities. A strong, flexible, and scalable identity and access management (IAM) program allows organizations to keep pace with the push towards digitalization, rising business and consumer expectations, compliance regulations, and the increasing number of users and devices.
Over the last two years, many organizations have had to make significant changes to how they manage identities and access. As IAM technology continues to advance and more organizations shift to remote and hybrid work environments, understanding the impact of these changes is essential to cybersecurity in 2022. With that in mind, here are six trends in identity and access management to watch and prepare for in 2022.
In the age of digital transformation, organizations in all industries are becoming more reliant on third parties, including contractors, vendors, freelancers, and partners, to drive innovation, increase productivity, and meet operational needs. In 2021, roughly 83% of companies experienced an increase in the number of identities due to the remote work caused by Covid-19; however, most of these new identities were not “human.” Instead, these non-human identities comprised of bots, IoT devices, service accounts, scripts, serverless functions, cloud gateways, or other Infrastructure-as-Code (IaC) software. By 2023, it is estimated there will be 29.3 billion global networked devices (up from 18.4 billion in 2018), which is more than triple today’s global population.
While the identity lifecycle of an employee is typically the responsibility of a single, internal department (e.g., Human Resources), identity governance for all other identities (human or not) is not always clear, making them harder to control and secure. Many organizations lack a formal vetting and identity management process for these third-party identities. Whereas some struggle to grant the appropriate access, others are unsuccessful in properly managing their identity lifecycles. Despite the risks associated with onboarding third parties, companies have not made securing these relationships a priority, with 63% of organizations lacking visibility into both internal and external users.
Over the past five years, attacks leveraging machine identities have risen by over 1600%, causing an economic loss of $72 billion in 2020. As the number of non-employee identities grow, having a robust platform to serve as a strong authoritative source for managing these identity lifecycles and executing risk-based identity access will become critical for organizations wanting to make well-informed, risk-based decisions about provisioning, verifying, and deprovisioning access in 2022.
In 2021, 94% of organizations suffered from an identity-related breach, and of these companies, 99% believe these breaches were preventable. Most high-profile breaches in the last year featured either credential theft (61% of breaches) or privileged account abuse (74% of breaches). But despite these numbers, IAM only constitutes 8% of most security budgets.
By 2025, the global IAM market size is projected to reach upwards of $24 billion, almost doubling the market in 2020. This equates to a 15% year-over-year growth rate. However, in 2021, the average global cost of a breach increased by almost 10%, rising from $3.86 million to $4.24 million, and the average cost of a breach in the U.S. was the highest in the world, up 5% from $8.19 million to $8.64 million. In addition, the technology sector paid the highest price of all industries to recover its 1.6 billion stolen records, far exceeding the projected market size for years to come.
The weakest link in security is identity. Without a strong and effective IAM program, the risk of a devastating attack - like the Equifax breach (exposing 147 million records) or the SolarWinds exploit (affecting 18,000 organizations) - happening will continue to grow. However, organizations that have implemented security measures like a zero-trust approach reduced the average cost of a data breach by almost $2 million. But, without the proper IAM investment, businesses will fail to properly addresses identity and access management needs for years to come.
Modern businesses demand more agile and adaptable solutions that streamline business operations and support a wide range of business processes, workloads, applications, and platforms in one central location (e.g., Amazon Web Services, Microsoft Azure, Google Cloud). Today, over 90% of companies have infrastructure in the cloud, and public cloud spending is expected to reach $500 billion by 2023, doubling in size from 2019. But as more organizations shift from on-premise data centers to hybrid or multi-cloud environments, identity has become a substantial threat target, with 75% of cloud security failures resulting from the inadequate management of identities, access, and privileges.
To help organizations manage identity security in the cloud, new Cloud Infrastructure Entitlement Management (CIEM) solutions emerged. These tools are designed to handle identity governance in cloud and multi-cloud environments and enforce the principle of least privilege to defend against the risks caused by excessive cloud permissions. At any given point, an organization can have tens of thousands of active identities, making the task of monitoring them nearly impossible. A CIEM solution can continuously discover, manage, and monitor human and non-human identities across multiple cloud infrastructures from a single dashboard, providing a holistic view of entitlements.
As organizations aim to reduce the complexity of their cloud environment, gain more control over entitlements management, and better protect high-priority assets, we expect high-performance and cost-effective CIEM solutions will become increasingly vital in 2022.
Although personal information has long been a commodity among businesses, data privacy has become the foundation of consumer trust. This demand for privacy has sparked an increase in data protection regulations globally – from the EU’s GDPR and Brazil’s LGPD to China’s trifecta of privacy (PIPL) and cybersecurity laws (DSL) and the U.S.’s CPRA, CDPA, and CPA. This growing regulatory landscape has given organizations a long list of obligations for securing personal data and given consumers better control over their personal information.
As the number of privacy regulations increases, IAM will become a strategic tool for managing privacy. By aligning data collection practices with various privacy regulations, an effective IAM program will ensure only the right users have access to personal information, including employee, customer, and third-party identities. Over time, IAM solutions can identify and track what information specific users have access to, how users can access this information, and where information can be accessed. The location of accessed and stored information is also important because various privacy laws have restrictions on where personal data can be stored, like the GDPR and China’s PIPL.
While maintaining compliance with numerous privacy regulations can put a strain on many organizations, a comprehensive IAM program can effectively navigate the intricate world of privacy regulations and help maintain continuous compliance.
As discussed earlier, the concept of “identity” is no longer limited to only humans. Instead, the proliferation of new technological innovations and the prevalence of wireless networks has expanded identity to encompass “things,” as well. Now that we can connect physical objects – household appliances, smart cars, lights, wearable health monitors – to the Internet, Internet of Things (IoT) has become an indispensable part of daily life and an intrinsic part of modern business operations. From GPS-tracking models in transportation to ingestible sensors in healthcare to inventory management in retail, IoT devices are fundamental in many industries around the world. By 2025, companies are expected to invest up to $15 trillion in IoT technology.
This IoT device evolution is fueling digital transformation, resulting in undeniable benefits, including cost savings, greater efficiency and productivity, enhanced customer experiences, and optimized business opportunities. Yet, as the hyper-connected digital world embraces IoT, many new devices fail to have appropriate security measures in place (e.g., regular software updates, unique passwords, authentication practices, etc.). Just as with human identities, IoT devices also have identity lifecycles that must be authenticated, provisioned, configured, and monitored until they reach end of life. By failing to secure their digital identity, cyber criminals can easily exploit weaknesses in these connected devices. In 2017, only 15% of organizations had suffered an IoT-related data breach, a number that has spiked to 61% in just 4 years. 82% of healthcare organizations also experienced an IoT-focused cyberattack in 2021, potentially putting lives at risk.
Every second, an average of 127 new devices connect to the internet for the first time; however, most IoT devices are attacked within five minutes of going online, and this trend is only expected to grow as more devices are connected (64 billion by 2025). Failing to secure the digital identity of these devices can leave organizations and their customers vulnerable to breaches, business outages, and data loss. Regardless of the benefits that IoT devices bring to the table, the security risks they create can overshadow those benefits if not managed properly, making it more important than ever that businesses take the proactive steps to secure these digital identities in 2022.
Americans quit their jobs at a record pace in 2021, with November reaching an all-time high at 4.5 million resignations. Roughly 40% of tech workers have either already quit or plan to do so in 2022, leaving cybersecurity teams understaffed and overburdened in the war against complex cyberattacks. As “The Great Resignation” inspires people to reevaluate the role of work in their lives, businesses are left struggling to keep up with widespread supply chain disruptions, growing regulatory obligations, and changing consumer behaviors, while still managing day-to-day operational needs and objectives. In addition, when the pandemic hit in 2020, roughly 24% of organizations cut their technology budgets, and global technology spending is still down today.
As a result, more and more businesses are turning to managed service providers to reduce the burden on overworked IT resources, address technological inadequacies, and manage daily essential tasks. A managed service provider (MSP) works as an extension of an organization’s internal IT and security team, offering their wealth of knowledge and expertise to a range of business operations, from privileged access management and cloud security to network administration and identity infrastructure maintenance.
A successful relationship with an MSP depends on trust and a mutual understanding of business goals and expectations. When selecting an MSP, organizations should focus on providers who can deliver positive outcomes and meet their needs, rather than cutting-edge technology solutions. Instead of rushing to adopt the latest tools that IT departments are not staffed to effectively operate, businesses can engage MSPs to enjoy lower IT operating costs, achieve better scalability opportunities, and gain real-time ongoing support for all their identity and access management needs
As businesses continue to struggle with access to top talent and technology, we expect there to be a tremendous opportunity for businesses to shift to managed services to drive their long-term, strategic, identity and access management outcomes.
Cyberattacks continue to be a growing threat, but not all data breaches are caused by outside threats. Every organization must battle with a different set of identity challenges, each with their own approach to identity management. But, by understanding the upcoming identity trends for the next year, your organization can strengthen its IAM capabilities and be better prepared to scale with a constantly changing identity environment.
Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.