4 identity predictions for 2023
Identity's place in the attack chain is driving the shift of identity responsibility from IT operations to security to look into passwordless, digital IDs, platforms and more.
Ok, I'm late to the party. Very late. Most analysts and just about all my Enterprise Strategy Group colleagues have already published their predictions for 2023. In my defense, the identity space is hot, hot, hot -- which is keeping me busy, busy, busy. And that brings me to my first identity prediction.
1. Economic headwinds become tailwinds for identity industry
We know the current state of the economy represents a challenge. According to Enterprise Strategy Group's "2023 Technology Spending Intentions Survey," one-third of organizations plan an IT hiring freeze, and 23% may lay off or furlough IT staff or impose IT pay cuts.
Many IT and cybersecurity teams are now living with the mantra "do more with less," combined with a chronic shortage of talent. CISOs and IT leadership know they can't hire their way into a secure and efficient environment.
Given the complexity of managing and securing their far-flung identity environments, these teams are going to be investing in identity-related tools or services that increase operational efficiency -- bonus points for simultaneously strengthening cybersecurity. I expect organizations will have a lot of interest in platforms and eliminating inefficient overlaps and redundancies, driving innovation and activity.
I've said it before, and I'll say it again: 2023 will be the year for passwordless authentication. Passwords are a huge problem. Easy-to-remember passwords are weak and strong passwords are hard to remember, which leads to password reuse and the threat of compromise through an overabundance of attacks.
Multifactor authentication (MFA) is only a partial answer to the problem. MFA introduces friction, and many MFA techniques are prone to social engineering attacks, including phishing and push bombing.
Passwordless authentication -- and Fast Identity Online (FIDO) in particular, especially for customer-facing applications and websites -- is crucial to prevent myriad attacks that involve an identity.
In my 2022 research, "Securing the Identity Perimeter with Defense in Depth," one-third of respondents ranked passwordless authentication at their top identity-related activity, and another third ranked passwordless authentication among their top three activities. More than half said their forays into passwordless yielded excellent results that included reduced risk, improved UX and, in a nod to the personnel shortage, increased IT and security team efficiency.
With Apple, Google and Microsoft adding support for FIDO2/WebAuthn, the foundational elements are present in the most commonly used devices and browsers. Businesses will be turning to passwordless specialists like Axiad, Beyond Identity, Cisco, Hypr, Nok Nok Labs, Yubico and others to add passwordless authentication to their internal and customer-facing apps.
2. Dipping a toe into decentralized IDs and digital wallets
No, I'm not talking about cryptocurrencies and crypto wallets. I'm talking about replacing physical identification documents with verifiable digital credentials to provide privacy and security.
When I want to rent a car, the car rental agency only needs to know that I have a valid license to drive and that I'm old enough. Rather than handing someone my driver's license or saving the information in the rental agency's website where it can be stolen, I can provide my digital ID. The agency can take my ID and automatically verify it with the appropriate government agency -- asking the agency if the ID is valid and if I have a valid license -- all without me risking having my ID stolen or oversharing personal information.
You can imagine how many other use cases exist and how a digital ID can help control who has access to our vital, most confidential information.
Microsoft, among others, has been building out the foundational technology. Now that Entra Verified ID is included with Azure AD, I expect early adopters will be experimenting with these new capabilities.
3. Venture capital and private equity investment in identity continues, increased M&A activity
Last year saw some significant private equity activity, especially with Thoma Bravo acquiring Ping Identity, SailPoint Technologies and ForgeRock. In January, OpenText acquired Micro Focus, Saviynt scored a $205 million investment, Strata Identity raised $26 million, Bitwarden acquired Passwordless.dev and SailPoint acquired SecZetta.
This is a reflection on how important identity is to IT and security. You can't run any IT system or service without an identity, and managing and securing identities is paramount. It also shows that the professional investors in venture capital and private equity believe identity vendors are facing economic tailwinds.
4. The rise of identity security platforms
Originally, identity was just some folks and servers buried in the back corner of the data center running Active Directory (AD). No one else knew what they did, and AD was just some black magic that had to work for anything else in the environment to run.
With the introduction of the cloud, identities escaped the data center. We needed tools to manage numerous identities in a plethora of identity silos. And tools to govern identities. And tools to control privileged access. And on and on and on. So identity moved into the realm of IT operations.
Unfortunately, attackers noticed that security teams weren't paying attention to identity and have found many ways to exploit identities. Looking at the Mitre ATT&CK framework and comprehensive breach and attack analyses, such as Verizon's annual Data Breach Investigations Report, it becomes all too clear that identities feature prominently in the majority of successful breaches.
The good news is that CISOs, security teams and the identity industry are paying attention. The responsibility for identity is shifting from IT operations to security or is shared between the two groups.
And the identity industry is responding in kind, adding security-centric viewpoints to existing tools and adding new identity security tools. Vendors such as CyberArk and SailPoint, among others, are also building comprehensive identity security platforms.
What's included in a cybersecurity platform will change overtime as we gain experience, but it will surely cover most if not all identity types accessing any app or system anywhere in IT and operational technology environments. Look for identity security platforms to include access mechanisms, privilege controls, and management automation and orchestration. These platforms will integrate and orchestrate some large combination of identity and access management, customer IAM, privileged access management, identity governance and administration, MFA, single sign-on or federated identities, cloud infrastructure entitlement management, identity threat detection and response, decentralized ID, secrets vaults, DevSecOps for identities and more.
The ultimate goal of identity security is to drastically decrease identity-related risks while massively increasing operational efficiencies.