As you usher in another January, are you one of those people who are brimming with anticipation and optimism? Many are setting their goals and resolutions for the year ahead, and perhaps you are, too.
Speaking on behalf of the CTO office here at Ping, we’re also finalizing our objectives for the new year, and it’s going to be a great one. You can expect to see plenty of exciting advancements from us in the months ahead.
But when you provide intelligent identity solutions for some of the world’s largest enterprises, your annual outlook must also extend beyond your own business goals. So we set aside time at the end of each year to research and identify the biggest cybersecurity threats and identity and access management (IAM) trends that could impact our customers the most.
With that in mind, we’ve compiled a list of our top five predictions for 2019. Read on to get our outlook on the year ahead for the enterprise identity security landscape.
Fewer Successful Attacks on Multi-factor Authentication Methods
Last year, we predicted that the types of attacks on multi-factor authentication methods would keep pace with advancements in the technology itself. And as anticipated, determined bad actors continued to find new ways of attacking MFA methods. Of note, SIM swapping attacks gained notoriety, and the ReelPhish two-factor phishing tool made it easier to attack one-time passwords (OTP).
However, the adoption of the W3C’s WebAuthn by major browsers provides a solution when combined with FIDO CTAP authenticators. An authenticator will only accept authentication requests from websites where it has been registered. This combination provides greatly enhanced security by preventing subsequent phishing attacks, leading us to predict that you’ll see fewer successful attacks against MFA in the coming year.
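The origin binding described above shows up on the relying-party side as checks on each WebAuthn assertion. The sketch below is an added example, not code from Ping or from any WebAuthn library: the RP ID `login.example.com`, the helper names and the sample assertions are constructed, and signature verification is left out so the origin checks stand alone.

```python
import base64, hashlib, json

RP_ID = "login.example.com"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # origin the RP registered under

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(origin, rp_id, challenge, flags=0x05):
    """Constructed, unsigned sample of what browser + authenticator return."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (1) || signCount (4)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + (1).to_bytes(4, "big"))
    return client_data, auth_data

def check_assertion(client_data_json, auth_data, expected_challenge):
    """Return the names of failed checks; an empty list means all passed."""
    errors = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        errors.append("type")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        errors.append("challenge")       # stale or replayed response
    if cd.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin")          # browser reported a different site
    if len(auth_data) < 37:
        return errors + ["authData length"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash")        # credential scoped to another RP ID
    if not auth_data[32] & 0x01:
        errors.append("user presence")   # UP flag not set
    return errors

if __name__ == "__main__":
    challenge = bytes(range(32))         # constructed server challenge
    genuine = make_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    lookalike = make_assertion("https://login-example.test",
                               "login-example.test", challenge)
    print("genuine:  ", check_assertion(*genuine, challenge))
    print("lookalike:", check_assertion(*lookalike, challenge))
```

An OTP typed into a look-alike page carries no such binding, which is why the server cannot tell a relayed code from a genuine one.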
Cryptographic Verification of Identity
As phone-carried credentials become increasingly common, a growing number of identity authorities are adopting the use of mobile phones to cryptographically verify identities. Mobile driver’s licenses have already been implemented or are being tested in 14 U.S. states. China also recently announced that it will issue a digital version of its national ID card.
While privacy advocates raise concerns about giving law enforcement access to your mobile phone, we anticipate that many of these objections will be balanced out by built-in privacy safeguards and the convenience that phone-carried credentials provide. As a result, we predict that you’ll also see a growing number of government entities adopting mobile driver’s licenses, national ID cards and passports.
The Death of Corporate Firewalls and Rise of Zero Trust Architectures
As identity becomes the new perimeter, Zero Trust architectures may make firewalls and VPNs obsolete technology. And as the notion of a traditional firewall becomes a distant memory, a new breed of authentication and validation methods may emerge for employees and external authorized users.
Employee-only applications are already accessible via the open internet. Continuing in this same vein, we anticipate that security processes that previously required corporate network access—like two-factor authentication registration and password recovery—will increasingly be made available to users regardless of domain, location or device.
“Identity security sits at the center of a Zero Trust approach to business. With this in mind, it’s critical that organizations protect their digital resources, as well as customer and employee information—while also delivering seamless, secure user experiences.” —Bernard Harguindeguy, CTO, Ping Identity
More API-centric Breaches—and Regulations
The explosion of API infrastructures provides easy access to data and applications. While the proliferation of APIs has fundamentally changed the way business is conducted and significantly improved customer experience, it also presents serious security challenges. The recent breach announcements by Google, Facebook, the USPS and others further reinforce the reality that API security is a very serious concern that can't be ignored. Underscoring this is the fact that many of these high-profile attacks went undetected for months or even years.
As business digitization initiatives expose even more previously siloed information, you can expect to see even more high-impact breaches. In response, we anticipate an increasing number of API-specific regulations and governance, along with corresponding financial penalties.
Wider Adoption of Open Banking Standards
The Open Banking Standard is paving the path of innovation for financial services organizations across the UK. Building on its momentum and success, other countries will deploy similar open banking standards to spur innovation in their own nations. In fact, Australia, Japan, New Zealand, Hong Kong and Canada are already reviewing open banking standards or working on similar security and API standards.
Banks in these countries will need to update their existing IT infrastructures to accommodate the new security and API standards. Even in other parts of the world where a move toward open banking isn’t yet imminent, forward-thinking financial services leaders will task their IT teams to keep pace. As the financial services industry faces imminent pressure to innovate, we predict a scarcity of identity and security specialists to tackle these projects.
As is typical of the world of enterprise security, the year ahead is likely to deliver no shortage of challenges. But as someone full of wisdom once said, challenge is simply the seed of opportunity. So here’s to a great year full of big opportunities ahead!