Security and risk management leaders are experiencing widespread disruption in identity and access management (IAM) solutions for many reasons, most notably the increased drive toward customer-facing interactions on digital channels and the sudden, rapid expansion of the remote workforce caused by the pandemic.
“IAM challenges have become increasingly complex,” says Akif Khan, Senior Director Analyst, Gartner, “and many organizations lack the skills and resources to manage effectively. Leaders must improve their approaches to identity proofing, develop stronger vendor management skills and mitigate the risks of an increasingly remote workforce.”
The five strategic planning assumptions that follow focus on current trends in decentralized identity, access management, IAM professional services and identity proofing.
Cybersecurity mesh will support more than 50% of IAM requests
The old security model of “inside means trusted” and “outside means untrusted” has been broken for a long time. Most digital assets and devices are outside the enterprise, as are most identities.
By 2025, cybersecurity mesh will support more than half of all IAM requests, enabling a more explicit, mobile and adaptive unified access management model. The mesh model of cybersecurity provides a more integrated, scalable, flexible and reliable approach to digital asset access control than traditional security perimeter controls.
Delivery of IAM services will increase via managed security service providers (MSSPs)
Organizations lack the qualified resources and skills to plan, develop, acquire and implement comprehensive IAM solutions. As a result, they’re contracting professional services firms to provide the necessary support, particularly where multiple functions need to be addressed simultaneously.
More and more, organizations will rely on MSSP firms for advice, guidance and integration recommendations. By 2023, 40% of IAM application convergence will primarily be driven by MSSPs that focus on delivery of best-of-breed solutions in an integrated approach, shifting influence from product vendors to service partners.
Identity proofing tools will be implemented within the workforce identity life cycle
Historically, vendor-provided enrollment and recovery workflows for multifactor authentication have incorporated weak affirmation signals, such as email addresses and phone numbers. As a result, implementing higher-trust corroboration has been left as an exercise for the enterprise.
Because of the massive increase in remote interactions with employees, more robust enrollment and recovery procedures are an urgent requirement, as it is harder to differentiate between attackers and legitimate users. By 2024, 30% of large enterprises will newly implement identity-proofing tools to address common weaknesses in workforce identity life cycle processes.
A global, portable, decentralized identity standard will begin to emerge
Centralized approaches to managing identity data, common in today’s market, struggle to provide benefits in three key areas: privacy, assurance and pseudonymity. A decentralized approach uses blockchain technology to help ensure privacy, enabling individuals to validate information requests by providing the requestor with only the absolute minimum required amount of information.
By 2024, a true global, portable, decentralized identity standard will emerge in the market to address business, personal, social and societal, and identity-invisible use cases.
Demographic bias within identity proofing will be widely minimized
Bias with respect to race, age, gender and other characteristics gained significant attention in 2020, coinciding with the increased interest in document-centric identity proofing in online use cases. This “ID plus selfie” process uses face recognition algorithms to compare selfies of customers with the photo in their identity document.
There has always been awareness of possible bias in face recognition processes, with implications concerning customer experience, brand damage and possible legal liability. As a result, by 2022, 95% of organizations will require that identity-proofing vendors prove that they are minimizing demographic bias, a significant increase from less than 15% today.