2015 ushers in the age of identity management authentication. With compromised systems reported by Target, Home Depot, eBay, Neiman Marcus, and Goodwill, 2014 is remembered as the "year of the retail breach". In 2015 every industry becomes a target, every identity a vulnerability, and every app a potential host. As the Enterprise of Things (EoT) unfolds, enterprise information security will continue to shift from passwords and access to authentication and automation.
In this changing threat environment, here are my identity management predictions for 2015.
1. The Age of Authentication
Prediction: Enterprise security will revolve around the expansion in cloud computing, BYOD in the workplace, and the Internet of Things (IoT).
The megatrends of cloud computing, social computing, mobile computing and big data, what Gartner calls the "Nexus of Forces", must be harnessed for enterprises to flourish in this era. The migration to SaaS platforms and cloud computing, physical access control single-card solutions, virtual facilities, and BYOD in the workplace will place new and expanded emphasis on information security. Where legacy identity management relied on passwords, roles, and a limited number of systems, EoT operations assume multi-factor authentication, organizational fluidity, and a near limitless number of applications as the norm. New solutions will appear in the marketplace that are smarter, faster, and in some instances, self-aware.
2. Cyber War, It’s On
Prediction: Agencies and enterprises prepared for government sponsored cyber attacks will prevail in heavily targeted industries.
During November, NATO conducted its largest ever cyber defense exercise, "Cyber Coalition 2014", which tested the Alliance’s security defense and operations in contested cyber domains. It involved over 600 security experts, with academia and industry representatives invited as observers. With NATO on high alert, government agencies must not only be ready for preemptive and counter attacks, but must also be able to provide educational and technological support to the most critical corporate and utility targets. Companies in the energy, finance, manufacturing, healthcare, education, and entertainment sectors will see an increase in highly targeted state-sponsored attacks.
3. Crime-as-a-Service Boom
Prediction: The frequency and severity of CaaS attacks require organizations to automate identity governance and access management.
Crime-as-a-Service (CaaS) tools lower the entry barrier into cyber crime, because anyone can simply buy tools and services for a fee. CaaS not only enables people with less technical skill to engage in cyber crime, it opens the door for traditional organized crime. According to the Europol 2014 Internet Organised Crime Threat Assessment, CaaS is considered a viable business model because it provides an affordable platform for launching cyber attacks in which the criminal’s technical ability is highly disproportionate to the potential damage wreaked upon an organization.
4. Assignments Trump Access
Prediction: Organizations put more emphasis on assignments, rather than just access management to drive greater business value.
The IT and information security industries think in broader business terms when it comes to identity and access management (IAM). Enterprise-class solutions put less emphasis on access rights alone and begin leveraging identity management solutions for requesting, approving, tracking and granting assignments. Business leaders work with IT to solve overall organizational challenges based on the holistic management of people, access, assets and assignments, resulting in more efficient operations, governance controls and risk management. Concurrently, an increase in IAM automation frees IT resources to perform more value-added and strategic work.
5. Big Data Ransom
Prediction: Organized crime names a price on keeping personally identifiable information private.
As software companies and entrepreneurs race to develop enterprise-ready cloud services, securing APIs to archived video, audio, images, and personally identifiable information emerges as critical to big data management. When Sony’s distributors refused to show "The Interview", you could argue an enterprise’s intellectual property was taken hostage. In 2015, look for customer data to be held for ransom. Considering Target’s $61 million expense to investigate, provide services, respond to lawsuits, and pay for counterfeit fraud losses, in 2015 organizations will be presented with the opportunity to pay a ransom to prevent security breaches from going public.
6. Education Wake Up
Prediction: Universities, organizations and associations developing security talent reach full capacity.
We declared 2014 the year of the job. With twelve positions for every qualified security professional and the Pentagon tripling its security staff, the prediction didn’t surprise anyone. Yet young people are still not pursuing cyber security careers, and the ones that do appear to be putting on more black hats than white. What’s wrong with this picture? The opportunities for security professionals grow, while the development of qualified workers wanes. According to Rand, in 2015 educators lag in developing sufficient talent to close the skills gap between the demand for security professionals and the qualified candidates available to fill positions.
7. Tale of Two Responses
Prediction: Organizations with better incident response processes will be more secure than those deploying the exact same security technologies.
The Target and JPMorgan Chase data breaches represent two portraits of engagement. Although 76 million households and seven million small business accounts were compromised, JPMorgan Chase was able to respond and remove the malware before irreparable harm was done to customer accounts. In contrast, Target took over two weeks to respond even though it deployed the same state-of-the-art security products as JPMorgan Chase. Target’s much smaller security team was simply unable to filter through the high volume of alerts generated by its security infrastructure and was slow to assess their criticality.
8. Privileged No More
Prediction: With breaches involving privileged access in the limelight, administrator and super user accountability gets put under a microscope.
While only eight percent of security incidents result from insider and privileged account misuse, the largest and most costly incidents do, according to the Ponemon Institute. Most crimes committed by trusted parties are done for financial and personal gain. In 2015, authentication promises to become more multi-factored, accountable and transparent to administrators. Governance over access to critical networks, systems and cloud services assumes administrator and super user accountability by removing gaps in privileged ID management processes. To make authentication secure and transparent, passwords, SMS, voice, biometrics and device recognition will be applied as multi-factored controls over privileged user requests and workflow.
9. Coming In Second
Prediction: Some potential "primary" security solutions will end up in a secondary position.
In 2014, one of the suggested replacements for passwords was biometrics. Since everyone’s fingerprint or retinal signature is unique, the solution in theory should be unhackable. In a demonstration that "security in depth" remains critical, hackers recently used high-resolution photographs to duplicate fingerprints. These hacks are more serious than a cracked password, because a fingerprint, once compromised, can’t be changed. As a result, biometrics may be relegated to a second tier in multi-factor security.
10. Pundits Have A Point
Prediction: Nearly every 2015 prediction will come true.
Naturally, my predictions float in a sea of them. Dan Lohrman wrote a column in Government Technology that is a great resource for some of the best, most unique and most terrifying predictions for next year. Some of them mirror mine, some provide additional food for thought. All of them point to more vigilance, more exploration of new security technologies, and better preparation by the few security professionals you have in your organization. Good luck in 2015 and may the cyber gods be on your side.
Begin your identity management initiative by following what corporate compliance experts recommend for the workflow automation of business processes, self-service administration and IT operations.