Early in 2023 in this blog space, we posted some predictions for Identity and Access Management (IAM) we expected the year to bring. It’s hard to believe that post is now almost a year old!
Year ends tend to bring out these types of lists…for example:
- Top 10 Movies of the Year
- Your Top 9 Most Liked Instagram Posts
- Spotify Wrapped
- Best Taylor Swift Moments of 20231
- Report Cards (School-year end, that is)
As we near the end of this run around the sun, it’s a great time to reflect back and see how we did…so here’s our own report card based on the IAM Market Predictions we made for 2023:
1. The Future of IAM Is Continuous and Contextual GRADE: A
Buoyed by the popularity of a “Zero Trust” approach, organizations continue to search for ways to improve security around application access and actions. We wrote last year about CAEP (Continuous Access Evaluation Protocol/Profile), and its capabilities (caep-abilities? ;-)): and then watched as 2023 was a coming out party for CAEP and the Shared Signals Framework:
- The First Free Online CAEP Transmitter Launched with CAEP.dev to assist in the development of CAEP receivers
- Apple and Okta announced expanded support to improve user experience through shared signals, while Microsoft leverages continuous access evaluation in Entra ID (fka Azure AD)
- Okta and a handful of partners (including SGNL) lean in on CAEP and Shared Signals to support innovative announcements at Oktane
- The OpenID Foundation’s Shared Signals Working Group announced approval of the second implementer’s draft of specifications
2. Individuals will be Held Culpable for Breaches GRADE: B
Perhaps the prediction from last year we’d have most liked to miss has turned out to be mostly correct. Momentum continues in the direction of blaming [InfoSec] executives after unauthorized access events, even if they have taken steps to protect access to their own business environments.
In one case, the SEC alleges charges “for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities” against Tim Brown, CISO of SolarWinds. Ultimately, the complaint claims that SolarWinds’ public cybersecurity statements about its practices were incongruent with its internal assessments and known risks.
The most covered story of individual culpability in enterprise security however, has been that of Joe Sullivan, former Chief Security Officer of Uber. In May 2023, Sullivan was sentenced to three years of probation based on a failure-to-report-wrongdoing offense. A recent Techcrunch article2 cites a letter to the presiding judge signed by over 50 CISOs, as well as ongoing communications Sullivan has with security professionals questioning their career choice, its risk, and longevity.
3. Regulatory Changes Will Take Place That Directly Affect Global Strategies GRADE: C+
We must admit: this wasn’t the biggest leap, to predict that changes in governmental regulations would result in adjustments to the ways business is done. Equally unsurprisingly, the speed at which legislative updates have taken place is deliberate, to say the least. Moreover, the global aspects (ie: between international geographies, not to say “worldwide”) of any developments are not yet discernable.
Domestically (in the U.S.) we have seen acts like the Department of Defense Cybersecurity Maturity Model Certification (CMMC) model directly influence customers’ approaches and priorities to implement an access model in order to align with gubernatorial requirements. The effects of CMMC 2.0 are that contracting companies working with the DoD must have their cyber protection systems evaluated against a framework developed by the National Institute of Standards and Technology (NIST). Its goal is to ensure that the U.S. protects its sensitive data and information as carefully as possible, and businesses who wish to maintain contracts with the DoD must adhere to CMMC 2.0.
4. Revenue Generating Lines of Business Will Influence IAM Policies More Directly GRADE: D
While we have continued to see an increase in the democratization of identity data, IAM policies have still been predominantly maintained by IT, InfoSec, or a centralized IAM team. This is not to say that there are not use cases starting to affect decisions and priorities of these centralized teams, but access policies and requirements are still largely being driven by internal technical requirements, and not by customers, vendors, or partners…yet.
Administrators in the Sales Enablement/CRM/Salesforce.com practice are maturing in their thinking about how to better protect customer data living inside their managed applications. Better questions are being asked about why or if identities should be accessing Salesforce data, for example. Specifically, a use case gaining traction is based on internal access to revenue data that will be part of that reported in a public earnings call and is housed in a CRM (like Salesforce) via deal data, prior to being reported. Public companies are concerned about who has access to information that can be used to determine quarterly/annual revenue – and potentially trade on that information as an insider – against regulations.
5. Incomplete Solutions in the Market Provide a Fertile Ground for Innovative Startups to Solve Modern Problems GRADE: A
We may be biased, but hard pressed to find a sector that has been more active than that of IAM in the past year. Unfortunately propelled by some especially public breaches and bad actors, shortcomings in the market are often exploited and give rise to new startups or approaches in a growth-minded fashion. Beyond company formation, founding, or funding, we have seen markets expand and evolve to address the needs of customers without continuing to adhere to the stringent definitions of IAM categories in the past.
Privileged Access Managements (PAM) and Identity Governance and Administration (IGA) are two classes of offerings in IAM that have historically been unwieldy to fully adopt as customers – necessary challenges to address, yet the market has been asking for more elegant solutions. Customers are thinking more nimbly about their approach to PAM, and looking for a more dynamic solution to enabling AWS access, in particular, as an example of a sort of “PAM light”.
Even industry experts like Gartner are recognizing that customer needs are expanding. In their IGA research like the Market Guide for Identity Governance and Administration and Is Light IGA Right for your IAM Needs? they take note of differences in legacy IGA suites and the development of a “lighter” option that may “can provide sufficient depth of functionality for your organization”3.
CONCLUSION
It’s always valuable to look back and see how predictions have fared, and especially exciting to continue to see IAM markets and needs expand and mature. Stay tuned for our next annual predictions post, and let us know how you did on any prognostications of your own.
We’re looking forward to 2024, wishing you well, and can’t wait for the developments the next year brings!
1 My vote: when she attended her first Kansas City Chiefs game, 09/24/23.
2 Ex-Uber CSO Joe Sullivan on why he ‘had to get over’ shock of data breach conviction, by Carly Page; Dec 8, 2023
3 Gartner, Inc. “ Market Guide for Identity Governance and Administration”, 14 July 2023, By Rebecca Archambault, Henrique Teixeira, Brian Guthrie, David Collinson, Nathan Harris