The need to secure digital identities remains one of the most urgent tasks facing modern enterprises. Stolen or compromised credentials continue to be not only the most common cause of a data breach but also the most difficult to identify and most expensive. According to research published this year by the Identity Defined Security Alliance, 84% of organizations suffered an identity-related breach and 78% experienced direct business impacts as a result. Indeed, the average credentials-related cyberattack costs $150,000 more than the typical data breach, according to IBM’s Cost Of A Data Breach report 2022.
As businesses embrace new technologies and ways of working, they urgently need to adopt approaches that help them secure their employees, customers, and partners at all times. With that in mind, here are a few trends we expect will dominate the digital identity space in 2023:
The Enterprise World Will go Passwordless
The use of passwords remains one of the biggest Achilles heels for nearly every company worldwide. Passwordless access to apps and systems may sound like a distant future thing. But the technologies are already in place for every business to make passwords a thing of the past.
We’re seeing passwordless techniques going mainstream, particularly non-phishable and passwordless multi-factor authentication approaches. We’re also already seeing this in the consumer world with Apple’s introduction of Passkeys, so expect to see much more of this through 2023.
In addition, expect to see an uptick in the usage of inherence-based authentication, such as biometrics and behavior, as the go-to verification method, as opposed to simply being a backup to passwords and pin codes. These approaches will be crucial to enterprises providing the necessary level of security while delivering great user experiences.
Data Privacy Laws Will Force Data Architecture Changes
Data privacy regulations like the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) have existed for several years. But the data privacy landscape will become even more challenging to manage as states like Connecticut, New York, and more follow California’s lead and formulate their own guidelines.
We don’t expect to see these regulations in 2023, but enterprises must start planning for them to be introduced within the next two to three years. These new guidelines will put pressure on businesses to manage data in a specific format and have different liabilities in every state.
Companies have to start thinking about state-level data management, in addition to the country-level focuses they already have in place. They need to have processes in place to dynamically manage data to ensure it’s only available to authorized users in specific states, which could be challenging since users expect seamless systems that allow access to their data from any location.
Access Control Will Become More Fine-Grained
Traditional approaches to authorization have used role-based access control (RBAC), which makes decisions based on the role of the user. For example, human resources employees can gain access to tools like payroll applications, and finance teams can access financial reporting systems.
That approach worked in the traditional way of working when users connected to systems under a network perimeter. But it’s too limited for modern enterprises, given the number of people making access requests to new applications from disparate locations. As a result, RBAC is resource- and time-consuming, difficult to audit, and creates potential compliance issues. Furthermore, access permissions have to be defined for each role every time a new data set or source is added, which is extremely difficult to manage in large companies.
To address this, fine-grained access control utilizes variable factors in access decisions. In the identity space, this will allow enterprises to write complex rules containing variable conditions, such as action, location, role, and time, into policies. This approach is especially crucial to companies sharing sensitive information, sharing data across geographical borders, or operating in highly regulated industries.
Working groups and regulators are exploring ways to reduce the burden on corporations to manage access, particularly in highly regulated industries, so we can expect an increase in the shift towards a more dynamic mindset throughout 2023.
AI and ML Will Enhance Identity Approaches
We’re increasingly seeing enterprises use artificial intelligence (AI) and machine learning (ML) to identify security risks and automate user access privileges. But through 2023, we expect to see more companies enhance their secure operations centers (SOCs) with enriched data from identities, endpoints, and networks.
Cloud Complexity Will Evolve Corporate Identity
Companies will continue embracing multi-cloud architectures and onboarding more cloud providers through 2023. As they do so, it increases the complexity of managing identities across various infrastructures and enforcing emerging standards and controls around policy management.
Companies will need to ensure awareness of all users, seamless experiences across legacy and cloud-native solutions, and be able to automate across hybrid solutions. To handle this multi-cloud complexity, businesses will seek out new identity approaches, such as Cloud Infrastructure Entitlement Management (CIEM) and Dynamic Authorization.
Brands Will Increasingly Require Identity Verification
We expect verified identity to play a prominent role in how online platforms, from social media networks to travel sites, secure users and regulate content. A good example of this in practice is Airbnb requiring all users to verify their identities, which is indicative of an increase in enterprises seeking new approaches to user onboarding.
We could also see consumers assume more control of their digital identities as they assume “identity scores.” This could see personal information stored in digital wallets and other decentralized verification methods, which users can share with third-party providers. Again, this points to a future without passwords and gives people more control over their personal data and who they share it with.
The need to secure digital identities is potentially the most pressing issue facing any enterprise as we move into 2023. From the ever-increasing risk of cyberattacks to the boom in cloud adoption and dynamic work practices, businesses are under enormous pressure to ensure all employees work securely at all times and from anywhere.
The predictions above paint a picture of the challenges facing businesses and the battles they face to modernize systems while keeping data and identities secure. To find out more, download the 2022 Trends in Securing Digital Identities.