#BeIdentitySmart Week aims to spotlight the importance of identity security as part of Cybersecurity Awareness Month. Each day during the week we will focus on a specific aspect of identity security, posting blogs from the IDSA and the identity and security community, as well as crowdsourced advice from our Identity Management Champions.
We asked our champions: “What is going to be the biggest challenge for identity security in 2022?” Their responses are below, and we’d love to hear your perspective, too! Share your response on Twitter and join us in raising awareness of the importance of identity management and securing digital identities by sharing all of your best practices and advice on Twitter or LinkedIn using #BeIdentitySmart.
“The introduction of new identity types based on emerging technologies will pose the biggest identity security challenge in 2022. This encompasses identities in the cloud, governing critical infrastructure, and supporting the adoption of initiatives like zero trust. Many of these identities have new attributes that need to be addressed in policy, procedures, controls, and implementation of monitoring.”– Morey Haber, CISO, BeyondTrust
“Identity is Gold. Gold is the most malleable and ductile of all known metals. It can be thin and soft like hair or solid like a brick with diverse applications from cancer treatment to jewelry. Very similar to how Identity in combination with other technologies can be an enabler for ecommerce and socio-economic efforts, or a protector when viewed from a Cybersecurity lens, or a key component of digital transformation of the world. All activities (human or machine) in the cyberworld that need to understand ‘who,’ rely on Identity and this reliance will exponentially grow in years to come as we move to Metaverse.”– Manish Gupta, Director Global Cybersecurity Services, Starbucks
“Despite having been spoken about for a long time now, I think the biggest challenges for identity security in 2022 will still be the basics including, but not limited to, timely off-boarding of leavers, disabling or removing orphan and dormant accounts, managing entitlements, etc. Regardless of their size, organizations must pay attention to these basic hygiene factors in order to not get compromised by malicious or unintentional actors. Moreover, technology cannot be the end in itself. As organizations digitally transform, their people and processes must also evolve to keep up with and fully utilize the technologies’ offerings to appropriately secure identities.”– Shakthi Priya Kathirvelu, Vice President and Head of Information Security and IT, Funding Societies, Modalku Group
“I believe that the same challenges surrounding Identity Security in 2021 will be even more prevalent in 2022 and beyond as organizations continue to increasingly adopt a cloud-first strategy. Observability and enforcement of the principles of least privilege across hybrid and multi-cloud architectures will become more urgent to protect against surface area threats. The modern era of hybrid infrastructures creates a unique challenge for security practitioners in achieving a single pane of glass for monitoring all identities and entitlements. Organizations must be proactive and vigilant in their approach to detecting vulnerabilities and preventing cyberattacks.”– Axay Desai, Founder and CEO, ObserveID, Inc.
“The biggest identity security challenge everyone is facing today will extend into 2022: it is finding the balance between identity security and ease of use for IT admins. As the world continues its relentless march toward digitalization, there is a rapid increase in identity theft. IT admins/engineers are focusing on securing identity data and protecting the company from a data breach. Also, they want the ease of use of the identity management software. Identity technology must manage each user’s identity in a way that meets these requirements of both ease of use and identity security. Any added tools and processes just add complexity to the workday, which affects productivity, while reduced identity security opens the business up to the risk of breaches and insider threats. Ease of use is of the utmost importance and is even driving key business decisions: if a product doesn’t meet an end user’s standards, it won’t be used.”– Senthil Palaniappan, Founder & CEO at Sennovate and Sam Muthu, Co-Founder & CTO at Sennovate
“In 2022, I forecast that the biggest challenge for identity security will be striking the right balance between sustaining existing identity-based processes and planning/pivoting to a new way of implementing identity security for various identity types based on the Zero Trust framework. Taking a one size fits all approach will not work for every organization. Therefore, the program must factor in unique requirements, current maturity level, and organizational dynamics to navigate this challenge successfully. Any delay in adopting a modern identity approach will non-linearly increase the technology debt.”– Yash Prakash, Chief Strategy Officer, Saviynt
“Communicating Identity challenges to your stakeholders is becoming more complex as the scope of identity changes. Make sure that you have a defined identity strategy that delivers on business goals while reducing risk. Including stakeholders in conversations will help you to prioritize tasks and deliver identity as a critical, foundational service.”– Rebecca Archambault, Trusted Identities Leader, HighMark, Highmark Western and Northeastern New York
“The greatest upcoming challenge for identity security is managing identities and their entitlements in the cloud – it’s hard to do, and growing more complicated. Overprivileged and even fully inactive identities — human or machine — greatly increase the attack surface and put key resources at risk. Ironically, most organizations overlook this sensitive part of managing an enterprise environment. Being able to properly assess the security posture to understand which identities are vulnerable and which privileges are risky, and in an automated way, is key to getting past the complexity and properly managing any cloud environment.”– Shai Morag, CEO, Ermetic
“We expect trust to continue to be decentralized with different sources of data that make it challenging to keep track of identities, roles, and access rights. Further, in 2022 workers will still require access from different locations in different time zones. This forces security teams to ensure that identities not only have the levels of access required to be productive, but also not more than needed to keep them secure. Added together with a growing list of compliance mandates, each individual needs to be treated as a unique entity within a centralized source in an increasingly decentralized world.”– Rod Simmons, Vice President of Product Strategy, Omada
“Sophisticated ransomware attacks are no longer the preserve of nation states. In 2022, anybody can access the tools to carry them out—or engage with a ransomware-as-a-service group to do the dirty work. But most attackers will continue to use tried-and-true entry points such as compromising identity systems, a key tactic in both the SolarWinds and Colonial Pipeline attacks. And as these incidents illustrated, the goal now isn’t just to make money but also to cause disruption. As a result, critical everyday services could become unavailable, prices could go up, and we could find ransomware affecting our daily lives. But organizations can take action to defend against identity-related attacks: Closing security gaps in Active Directory (the most common identity store), implementing automated remediation for malicious changes, and having a tested recovery plan in place will significantly improve overall security posture.”– Sean Deuby, Director of Services, Semperis
“I believe the biggest challenge will be cloud workload identity security concerns in 2022. Ranging all the way from access, to authorization and finally authentication. CSP agnostic, IAM is a challenge in all areas of SaaS, PaaS, and IaaS.”– Dirce E. Hernandez, Compliance Risk Manager Lead, Enterprise Risk Compliance, USAA
“2021 has been an awakening to the possibility of passwordless authentication – tech leaders like Microsoft have made it a priority and there are now more options than ever to support MFA. The challenge of 2022 will be delivering on the high expectations for passwordless. There’s no silver bullet for authentication, so businesses will need to implement multiple credential solutions to get rid of passwords. This will be complex and time consuming for both the user and the IT team. In 2022, businesses need to consider how to make their transition to passwordless simple and painless.”– Jerome Becquart, COO, Axiad
“The pandemic has forced the adoption of new ways of working and the return to the office will be the adoption of understanding those ways of working – how do we understand them and secure them. Access will be a huge challenge – especially understanding who has access, what they have access to, and do they still need access.”– Eric Kedrosky, CISO and Director of Cloud Security at Sonrai Security
“The biggest challenge to identity security in 2022 will be organizations using a siloed approach to handling different identity-related security needs, and inadvertently leaving gaping holes in their overall Identity security strategy. Identity is surfacing as a key cybersecurity exposure gap, whereby 63% of data breaches are caused (often inadvertently) by internal staff; more than 50% are credential-related attacks, and nearly half of all users have more privileges than their jobs require. What organizations need is a unified identity security platform that allows them to harden privilege; ensure all identities are correlated and visible; remove friction with better integration; manage identity consistently; and better and more quickly add, remove, and adjust privilege just in time.”– Rima Pawar, VP Products and UX, One Identity
“While it seems that the biggest challenge for identity security would be successfully defeating the ‘bad guys,’ it is a lack of resources that could create the biggest hurdle for organizations in 2022. With the recent explosion of cyberattacks, organizations know that they need to improve their identity security, with many solutions to choose from. Yet many are deterred by the high costs and workload required to implement critical security controls, as well as the lack of cybersecurity talent required to do so successfully. Organizations will need to seek out flexible, affordable solutions to improve their identity security in 2022.”– Kimberly Johnson, VP of Product, BIO-key International
“Identity protection has a broad definition that spans from consumer to enterprise identity protection. Security tools for this space have historically focused on access management for authentication and authorization. Here, businesses gain control of provisioning, connecting, and controlling identity access, basically facilitating that the right person can get access to what they need. Adding tools for single sign-on and MFA has proven to be a critical control for organizations to protect themselves. There is no doubt that we will see many forms of compliance and insurance mandating these controls as we move into 2022. Access management is foundational; however, it leaves gaps related to the security of identities. Based on the significant number of credential-based attacks, businesses will want to add identity security controls for visibility to credential, privilege, entitlement, and management system exposures that can be exploited by attackers. For a proactive defense, organizations will also want to add Identity Detection and Response (IDR) as a complement to EDR tools. This will equip organizations with the ability to detect credential theft and misuse and targeted attacks on Active Directory, essentially adding the capability to stop threat actors who are impersonating employees from getting the access they need.”– Carolyn Crandall, Chief Security Advocate and CMO, Attivo Networks
What do you think will be the biggest Identity challenge in 2022? Share your response on Twitter! And join us in raising awareness of the importance of identity management and securing digital identities by sharing all of your best practices and advice on Twitter or LinkedIn using #BeIdentitySmart.