COVID-19 had a dramatic impact on nearly all functions within business, and identity and access management is no exception. In an era of increased remote working, traditional approaches to access management are struggling to manage devices and user identities that now exist outside of the enterprise.
Many organizations no longer possess the skills and resources in-house to effectively address the increasing complexity of identity and access management (IAM) challenges they are facing. As the IAM landscape continues to rapidly evolve, security and risk leaders must improve their approaches to identity proofing, develop stronger vendor management skills and mitigate the risks of an increasingly remote workforce.
To help security and risk leaders effectively approach this new era, Gartner analysts have made five strategic predictions for the future of IAM and fraud detection. These predictions focus on current trends in decentralized identity, access management, IAM professional services and identity proofing.
Cybersecurity mesh will support more than 50 per cent of IAM requests by 2025.
The old security model of “inside means trusted” and “outside means untrusted” has been broken for a long time. Most digital assets and devices are outside the enterprise, as are most identities.
The mesh model of cybersecurity provides a more integrated, scalable, flexible and reliable approach to digital asset access control than traditional security perimeter controls. By 2025, cybersecurity mesh will support more than half of all IAM requests, enabling a more explicit, mobile and adaptive unified access management model.
By 2023, 40 per cent of IAM application convergence will primarily be driven by MSSPs that focus on delivery of best-of-breed solutions in an integrated approach.
Organizations lack the qualified resources and skills to plan, develop, acquire and implement comprehensive IAM solutions. As a result, they are contracting professional services firms to provide the necessary support, particularly where multiple functions need to be addressed simultaneously.
More and more, organizations will rely on managed security service provider (MSSP) firms for advice, guidance and integration recommendations. By 2023, 40% of IAM application convergence will primarily be driven by MSSPs that focus on delivery of best-of-breed solutions in an integrated approach, shifting influence from product vendors to service partners.
By 2024, 30 per cent of large enterprises will implement identity-proofing tools to address common weaknesses in workforce identity life cycle processes.
Historically, vendor-provided enrollment and recovery workflows for multifactor authentication have incorporated weak affirmation signals, such as email addresses and phone numbers. As a result, implementing higher-trust corroboration has been left as an exercise for the enterprise.
Because of the massive increase in remote interactions with employees, more robust enrollment and recovery procedures are an urgent requirement, as it is harder to differentiate between attackers and legitimate users. Identity-proofing tools will increasingly be implemented within the workforce identity life cycle to address such weaknesses.
A global, portable, decentralized identity standard will begin to emerge by 2024.
Centralized approaches to managing identity data — common in today’s market — struggle to provide benefits in the three key areas: Privacy, assurance and pseudonymity. A decentralized approach uses blockchain technology to help ensure privacy, enabling individuals to validate information requests by providing the requestor with only the absolute minimum required amount of information.
By 2024, a true global, portable, decentralized identity standard will emerge in the market to address business, personal, social and societal, and identity-invisible use cases.
By 2022, 95 per cent of organizations will require that identity-proofing vendors prove that they are minimizing demographic bias.
Bias with respect to race, age, gender and other characteristics gained attention significantly in 2020, coinciding with the increased interest in document-centric identity proofing in online use cases. This “ID plus selfie” process uses face recognition algorithms to compare selfies of customers with the photo in their identity document.
There has always been awareness of possible bias in face recognition processes, with implications concerning customer experience, brand damage and possible legal liability. As a result, by 2022, most organizations will require that identity-proofing vendors prove that they are minimizing demographic bias, a significant increase from less than 15% today.