The Cyber Hut recently ran a 7 day community poll on LinkedIn asking which of four big-ticket items will organisations be looking at from an identity and access management point of view.
Clearly every organisation has finite resources – including both personnel and software budgets – when it comes to technology adoption, redesign and business support. However, business demands often seem to be infinite – competitive pressures, new market targeting, service and product launch agility, workforce management, customer engagement, emerging threats, regulation and lots more.
Clearly there are more than four areas organisations could invest upon for 2024. The four chosen represent some emerging vendor sectors The Cyber Hut has tracked for the past 24 months or so. Some sectors are more established than others, with stable vendor go to market strategies, definitions of the market category, use cases and the like. Others – perhaps ITDR – less so.
N=42 responded, with Passwordless authentication just coming out on top with 45% – interestingly a similar poll in 2022 ended with Passwordless hitting 49% of the vote.
So what is this really telling us? Clearly we all hate passwords – both as consumers, end users, application owners, CISO’s and regulators. Yet, we often still have to use them – either to bootstrap multi-factor authentication or simply as many consumer or social services see MFA and other options for authentication as being too much as an inhibitor to service adoption.
To see passwordless again topping a poll indicates many still see the password as both a security vulnerability, yet also now perhaps a barrier to success for frictionless consumer and citizen based services.
Let us also take a look at the second placed focus on identity threat. This has a nod to the emerging Identity Threat Detection and Response landscape – not to mention more subtle incarnations focused on Identity Security Posture Management and Cloud Infrastructure Entitlements Management.
Identity threat is hitting the headlines, mainly as the complex and often highly distributed IAM infrastructure components are coming under attack from adversarial activity. Why steal one identity’s password, if you can attack a directory service and alter the phone number being used for one time password delivery for everyone in a department? Visibility of the IAM asset landscape, alongside activity and patterns of behaviour is a more complex topic than it sounds.
Authorization is a certainly more mature market than the other three sectors – so why such as low adoption focus? Clearly as this is less new and shiny, there are likely to many more “in-flight” projects focused on access control. Migrations for RBAC to ABAC (and in turn maybe to relationship based access control ReBAC), adoption of projects such as Open Policy Agent for distributed decision making, centralised management of access control policies and the relationship with data security – both posture and runtime enforcement.
So I would argue many mid to large sized organisations are already well away of the need to move away from home grown access control solutions in favour of commercial products, centralised management and governance with an array of enforcement options. These projects are of course, complex and often slow to get to a level of measurable return on investment – but once achieved provided an array of business benefits, including improved data sharing and collaboration, PII protection and privacy awareness.
The slow move away from passwords is well and truly underway and numerous vendors (see HYPR, Beyond Identity, 1Kosmos, Descope, Authsignal, Stytch amongst others) providing an array of options. Standards such as FIDO, WebAuthn and Passkeys allow integration, interoperability and security “insurance”.
Further Resources:
- Content search passwordless: from The Cyber Hut archives
- Commissioned research report for HYPR on the role of passwordless for Converged Identity Assurance
- ITDR Emerging Market Report launch webinar and industry panel
- Research Report: ITDR Emerging Market Report
- Research Report: ITDR Questions for Vendors
- Research Report: Passwordless Buyer’s Guide
- Commissioned research report for PlainID on a buyer’s guide for external authorization