Looking Back: Identity & Access Management in 2022

5 (+1) Compelling Items from the past year in IAM

Dustin Avol, Director of Market Strategy and Partnerships, SGNL
January 11, 2023

At SGNL, we strive to pay attention to what is going on in the greater communities of cybersecurity and identity professionals. As such, we keep an eye on what’s happening in the industry at large, and since there’s no better way to round out a year than with a list, we thought it an opportune time to share our top 5 (+1) compelling items in Identity and Access Management (IAM) from 2022.

5 Takeaways from IAM in 2022 (plus one extra):

1. Zero Trust and Identity are intertwined

Based on several industry events we attended this year, the winner of marketing word bingo in the security and risk management spaces in 2022 is “Zero Trust”. It cemented itself as the most common approach security leaders evaluated and implemented (and vendors referenced) in 2022. From what we’ve seen in 2022, Zero Trust is being adopted… yet only to a point. There still exist honeypots of sensitive and privileged data that – without more finely grained and detailed attention – may be at risk of unjustified access.

Paramount in the Zero Trust approach is addressing each instance in which an entity encounters the protected systems or environment(s). In older days, securing a physical perimeter was more easily maintained, but as remote/hybrid work continues to evolve, the perimeter is fluid; or there is no longer a perimeter at all. Not only is identity central to digital transformation, but as businesses transact, integrate, and exist in the cloud, it is required. Identity becomes the first, second, third, and constant steps in a zero trust framework: in order to verify before we [zero] trust, we must have something to verify.

2. Private Equity’s interest in IAM

The largest IAM interest we saw this year from the Private Equity sector was that of Thoma Bravo. (Special mention to Vista Equity Partners as well, who made significant investments in the Detection & Response, Security Information and Event Management (SIEM), and eXtended Detection and Response (XDR) spaces.) It was Thoma Bravo who made the biggest investment splashes in Identity, with acquisitions of industry stalwarts ForgeRock, Ping, and SailPoint for approximately $12B combined ($2.3B, $2.8B, and $6.9B, respectively). The final outcome of this financing is not yet known (perhaps to combine into a larger, converged, identity-centric offering?), but Thoma Bravo has definitely put their mark on IAM in 2022.

3. Eye on Authorization

Not too long ago, access via single sign-on was a new and innovative idea, especially in – and supported by – SaaS, i.e., Identity as a Service (IDaaS). Yet Authentication (AuthN) providers have matured and even thrived as web-based applications, standards, and integrations continue to proliferate and evolve. In their shadow prior to 2022, however, has been a part of the IAM landscape garnering less attention: Enterprise Authorization (AuthZ).

Modernization of the workplace (remote workers, fluid business hours, BYOD), digital transformation of businesses and systems, and extended workforce support (contractors, outsourcing partners, etc.) have driven a more fluid environment to support worker productivity and manage access. Inevitably, technology will continue to improve and enhance AuthN, but to paraphrase one industry expert: “we may have spent the past 20 years focusing on AuthN, we’ll spend the next 20+ focusing on AuthZ.”

4. Just-in-Time is becoming a requirement

In the past, companies have made best efforts to give appropriate access to data, infrastructure, and systems to those who need it. As the world has rapidly changed over the past couple of years, however, the technologies supporting when and how access to information is justified have not kept pace. For years we’ve seen just-in-time (JIT) as a strategy in the IAM world with regard to account provisioning or privileged access management (PAM), and this year, JIT has become a requirement for customers implementing more general access management.

The modern workforce is dynamic: no longer are we governed by time (9-5) or location or device. So how can we expect to manage the access of modern workers with an antiquated approach? Customers in 2022 have recognized that ambient permissions granted based on stale and static requirements are not enough to adequately protect their most sensitive assets, and are driving access to be managed just-in-time.

5. Impact of breaches continues to grow

It would stand to reason that as technology advances and security approaches continue to evolve, our industry would, on average, more effectively manage the inevitable incidents that occur, resulting in lower breach costs as well as quicker time to detection. Unfortunately, that has not been the case overall in 2022:

  • Cost

    • The cost of a data breach averaged $4.35M in 2022. This figure represents a 2.6% increase from last year, when the average cost of a breach was $4.24M.

    • The average cost has climbed 12.7% from $3.86M in 2020.

    • The average cost of a breach in the United States was $9.44M, the highest of any country (12th year in a row as top country).

      (Cost Figures from IBM Cost of a Data Breach Report, 2022)

    • But there’s hope: Organizations with mature cloud security had a lower-than-average cost of a data breach. In organizations with a more mature approach, breach costs were on average $0.66M less than organizations in the early stages of securing their cloud environments. The cost difference between mature stage and early stage represented a 15.7% savings for mature stage organizations.

  • Detection:

    • While the time to detect data breaches has generally gone down (improved) in 2022, the top discovery method (more than 50%) is now “Actor Disclosure”, which usually takes the form of either a ransomware note or a post on a criminal forum to sell the data or announce the breach. This means that more than half of reported breaches are being discovered because the bad actors are telling us about them!

+1  SGNL Launched!

We are especially excited to have announced SGNL as the solution for Modern Enterprise Authorization earlier this year, and look forward to many more announcements in the years to come.

What’s next?

Now that we’ve looked back on the past year, what’s to come of the future, and how do we get there? Stay tuned to the SGNL blog, where we’ll release our upcoming IAM Predictions for 2023 soon!
