2025 identity security and data security predictions
From securing nonhuman identities to post-quantum cryptography to DSPM and DLP combining, here's what's in store for identity and data security in 2025.
2025 is right around the corner. Time for holiday shopping, stockings on the mantel, dreidels spinning and, of course, cybersecurity analyst predictions.
I became an analyst at Informa TechTarget's Enterprise Strategy Group in early 2024, and my subsequent time in the analyst seat has provided unique insight to make reasonably informed prognostications about 2025. My perspective is informed by regular conversations with vendors, influencers and practitioners, and by reading the cybersecurity tea leaves around identity security and data security.
The following is what I expect to see in 2025 that will affect practitioners and vendors in the identity security and data security realms.
Nonhuman identity security deployment plans
Identity security is crucial for effective cybersecurity, and organizations are now realizing the importance of securing nonhuman identities (NHIs), including machine and workload identities. Recent Enterprise Strategy Group research explored the challenges and needs in this area, starting with how to refer to the space. Is it nonhuman identity, machine identity, workload identity or something else? The research found enterprises prefer the term nonhuman identity to describe this part of the attack surface.
NHI security is an umbrella term that addresses visibility, monitoring, remediation, secrets management, workload access management, certificate lifecycle management and more. Most enterprises are considering or already deploying multiple products to address the various areas that comprise NHI security. Roughly one-third of enterprises said they had a product in place today, with about half responding that they intended to deploy products in the next 12-24 months.
2025 will be a year of securing and managing NHIs, so stay tuned for more NHI research insights.
Closing gaps in IAM and improving entitlement management
Effective identity and access management (IAM) is not just about better management of identities but also about enabling the organization to work securely and efficiently. An identity security program is a business necessity, but a mature and effective IAM program is a business asset.
Maturing an IAM program requires a holistic combination of people, processes and technologies. The people element includes the security and IAM teams, as well as application owners who can best manage privileges. 2025 is primed to see considerable improvement for all identity constituents.
Managing entitlements and entitlement reviews is painful for IAM teams and application owners. AI and machine learning (ML) hold the promise of alleviating the burden of time-intensive, tedious, manual tasks, and major identity governance and administration players have already added AI and ML functionality for a variety of use cases, from identity analytics to driving governance to guiding and informing users for task completion. A big win is in the accurate prediction for application, role and entitlement recommendations.
A wave of vendor announcements came in 2024, and 2025 will see identity teams and app owners use this innovation to make faster, more accurate decisions around entitlement requests and entitlement reviews.
Regulatory compliance flux around generative AI
As generative AI (GenAI) projects continue to spread across the enterprise, the teams driving those projects struggle to understand their compliance implications while regulators struggle to keep up with GenAI technology and its regulations. Large, multinational enterprises must establish a baseline compliance stance across all the different global compliance requirements, while smaller firms might only have a handful of compliance regimes to consider.
The compliance landscape around AI regulations is complex. The EU AI Act, EU Digital Operational Resilience Act, proposed SEC regulations, and existing and proposed state regulations are all different. Compliance requirements for Colorado will be different from those for New York, which will be different from those for the EU.
Regulations follow innovation, and that is particularly evident given the rapid pace of GenAI. There is a lot of regulatory ambiguity, but GenAI compliance confusion should start to resolve in 2025.
DSPM and DLP coalescing in data security
Data security posture management (DSPM) and data loss prevention (DLP) are two sides of the same coin. DSPM identifies and categorizes sensitive data, while DLP prevents data from leaking out of the enterprise.
DSPM and DLP each serve distinct purposes. DSPM focuses on data at rest, whereas DLP focuses on data in motion. DSPM typically shines with structured data stores, both in the cloud and on-premises, while DLP focuses on unstructured data across the enterprise.
DSPM and DLP have been distinct categories that frequently have distinct constituents inside the enterprise, but they are starting to come together. Some vendors have acquired DSPM players; for example, Proofpoint acquired Normalyze, and Netskope acquired Dasera. Other vendors with DLP offerings are adding DSPM functionality -- for example, Zscaler and Forcepoint. Some DSPM players are adding DLP to create a data security platform, such as with Cyera's acquisition of Trail Security.
2025 will see the fruition of these combinations into single tools for both DLP and DSPM. While this will help avoid some swapping between DLP and DSPM consoles, some enterprises will still deploy distinct DLP and DSPM products to solve particular business challenges. In the data resilience platform vs. specialized tool debate, 2024 Enterprise Strategy Group research found 65% of enterprises preferred the best tool with integrations to adjacent areas, while 33% preferred a platform. This will probably shift in 2025 to be more of a 50-50 split.
Delivering data security for GenAI infrastructure
This prediction has to do with security for GenAI, rather than enabling GenAI features in security products.
While AI-related security incidents affecting enterprises were modest in 2024, this will change as AI and GenAI see widespread enterprise adoption and start touching more sensitive data.
Security for GenAI is a multilayered cake. While many vendors claim to have comprehensive products, I have seen vendors cover one or more layers of the cake rather than the entire confection. Vendors also offer different categories of GenAI products, including application security, vulnerability management and data security. Among many data security issues, security teams need to ensure the right data informs the GenAI infrastructure, secure the models, ensure appropriate guardrails and protect against data loss from bad actors trying to manipulate the GenAI infrastructure. This is a complicated GenAI ecosystem that includes internal and external models, along with custom models and off-the-shelf copilots.
Pieces of the data security technology puzzle are already in place. For example, DSPM helps locate and label data that informs GenAI applications. Another piece of the puzzle involves addressing data leakage in both sanctioned and shadow GenAI applications -- a challenging task.
In 2025, I expect the market to lean toward bespoke GenAI-focused tools that solve this emerging DLP problem, although established DLP tools will also play a role.
Quantum computing and quantum-proof encryption
Preparation for a post-quantum world will continue to crawl forward in 2025. There is plenty of confusion about the threat quantum computing poses to modern cryptography -- and a hefty dose of hype.
A capable quantum computer could eventually break existing cryptography, but we don't know when that threat will materialize. Threat actors with the resources to fund and develop capable quantum computers -- nation-states like China and Russia -- have an interest in keeping that quiet so they can continue to gather encrypted data that they can subsequently decrypt. Post-quantum cryptography (PQC) will help drive research and encourage the development of more quantum-proof algorithms, laying a foundation for future enterprise action.
Enterprises understand quantum computing risks but also recognize the uncertainty of the timing of threats posed by quantum-capable computers. 2024 Enterprise Strategy Group research found that enterprises are taking practical steps, such as inventorying and selectively updating infrastructure, to prepare for a PQC world.
In the security realm, CISOs will have more burning priorities in 2025 that will take precedence over preparing for a post-quantum world. I expect 2025 will be more of the same, with steady assessment and preparation for a PQC world as cryptographic teams inventory their assets and algorithms while selectively looking at crypto-agile technologies to facilitate a transition to quantum-resistant infrastructure. That preparation will smooth the transition for the time PQC becomes a bigger threat to today's cryptographic technology.
Those are my top predictions for 2025. I look forward to seeing how they play out over the next 12 months.
Todd Thiemann is a senior analyst covering identity access management and data security for TechTarget's Enterprise Strategy Group. He has more than 20 years of experience in cybersecurity marketing and strategy.
Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.