Long before the COVID-19 pandemic, employees used their work devices to check their social or news notifications while on break. Now, the lines between personal and work uses are even more blurred with most employees working remotely. Unsurprisingly, this has caused extra challenges for IAM leaders. Cyber attackers use phishing methods to gain personal information from employees, and when employees are on their work computers nearly all day, there are more opportunities for phishers to attack them. Now, IAM leaders must learn new ways to mitigate various issues such as identity proofing in a 100% remote environment.
At the end of the day, how does your organization know for a fact who is on the other side, and if the person with whom you are communicating is actually the right person, employee or customer? Is that person pretending to be an employee of yours? Is there a way you can identify this employee and validate his or her identity indisputably? Those are key-questions that need to find firm answers, so businesses can avoid running the risk of becoming the victim of the next data breach.
Based on all of the drastic and unsettling changes that occurred in 2020 and continue to happen in 2021, Gartner shared five trends that can we expect to see in the IAM and the decentralized identity world in 2021:
- More than half of all IAM requests will be supported by cybersecurity mesh
- Managed Security Service Providers (MSSPs) will deliver even more IAM services
- The workforce identity life cycle will implement identity proofing tools
- The decentralized identity standard will shift to being increasingly mobile and global
- Identity proofing will reduce demographic bias
One thing we know about Gartner is that their recommendations are never met with deaf ears. Yet what does it take to implement each single one of these recommendations, so key elements do not fall through the cracks?
More than half of all IAM requests will be supported by cybersecurity mesh
By definition, a cybersecurity mesh involves the design and the implementation of an IT security infrastructure that doesn’t concentrate on building a single perimeter around all devices or nodes of an IT network, but instead establishes smaller, individual perimeters around each access point. The objective is to make sure that each access point’s security can be effectively managed from a centralized point of authority, while not providing access to the broader network should a breach occur on a given node.
As much as this IT infrastructure breaks down the points of access to a network into nodes based on the specificity of the asset that’s requesting access, it certainly looks like the objective is to limit the consequences of a data breach by compartmentalizing the unresolved vulnerability of the network itself. Without being able to prove indisputably the identity of an asset or an employee who’s sending a request to access the network, the benefit of a cybersecurity mesh will solely be limited to avoiding further damages without providing a sustainable solution.
Managed Security Service Providers (MSSPs) will deliver even more IAM services
A managed security service provider (MSSP) provides outsourced monitoring and management of security devices and systems. Common services include managed firewall, intrusion detection, virtual private network, vulnerability scanning and antiviral services.
Over 80 percent of data breaches are due to password mismanagement. So, an organization’s cyber security focus should be around getting the services of a MSSP that provides not only a tool for authentication without passwords, but especially a bulletproof process for verifying the identity of the employee needing to authenticate.
The workforce identity life cycle will implement identity proofing tools
An employee’s identity life cycle starts on day one with his or her onboarding. Whether the employee shows up in person or is onboarded remotely, how do you know that you’re really dealing with the individual you hired? Just to get the USCIS I-9 Form completed, an organization is at risk of five forms of identity compromises. It is therefore essential that identity proofing processes that verify the identity of new and current employees indisputably be deployed.
The decentralized identity standard will shift to being increasingly mobile and global
The utilization of a mobile device like a smartphone that stores an application that leverages blockchain technology to validate a user’s identity, share verifiable credentials with consent or secure transactions seems utterly obvious in this day and age. The ownership of one’s identity, unhackability, transparency and privacy are key-benefits that decentralized identity offers. But without a bulletproof user enrollment process that proves the user’s identity when he or she needs to authenticate, decentralized identity solutions won’t live up to the expectations placed in them, whether they become increasingly mobile and global.
Identity proofing will reduce demographic bias
In 2018, a study led by Timnit Gebru, then at Microsoft Research and now at Google, and Joy Buolamwini at MIT found that leading facial-recognition software packages performed much worse at identifying the gender of women and people of color than at classifying male, white faces. Concerns over demographic bias have since been quoted frequently in calls for moratoriums or bans of facial-recognition software.
A solution that enrolls a user by triangulating one of his or her claims like a photo ID with government issued documents (driver’s license, passport, etc.) and multiple sources of truth (authority that issued the driver’s license or the passport, for example) including an advanced form of biometrics that’s non spoofable, like a liveness test, can not only verify indisputably the user’s identity but also leverage the liveness test for authentication.
While there isn’t anything IAM leaders can do to stop remote work this year (thanks COVID-19 variants and slow vaccination programs), they can take steps to protect their employees while they are working remotely. Indisputable identity proofing, passwordless authentication and the storage of user data encrypted in the blockchain are the only foolproof ways to keep your employees secure, no matter where they are.