a good thing!
The Year of Identity Data Stewardship: Top 6 Identity Industry Predictions for 2021
As a digital society, we are facing a privacy reckoning and a crisis of confidence. The level of data collection by tech companies has reached a new peak, and consumers are losing faith in service providers’ ability to manage their data respectfully. Combine this situation with the sweeping global changes the pandemic wrought in 2020—including the massive shift to work from home and explosive ecommerce growth—and it’s clear we’re in for an unprecedented era of identity and access management.
How will the IAM industry evolve to meet growing identity needs? To gain insight into this question, I and other identity leaders at Ping are sharing our thoughts here on what we think will be the most notable trends in the upcoming year. Some of us focus on data privacy issues, others on identity security, and still others on the user experience, but we all agree that big changes are on the horizon.
Consumer expectations will demand that organizations not only protect their data, but tailor their experience while offering self-service technologies that give individual users control over information sharing. My colleague Loren Russon, VP Product Management, notes that this movement has been underway for some time now, and many organizations have seen results in million-dollar returns on their investment in experience improvement initiatives.
At the same time, these enterprises have realized million-dollar savings by preventing data breaches (and even worse, the immeasurable costs and brand damage associated with the breach). Identity and access management will play a critical role in helping organizational leaders drive a positive change in their accountability to protect and safely use their consumers’ data as they focus on becoming good data stewards.
Take healthcare as one example. Baber Amin, CTO West, anticipates the blossoming of customized healthcare, with custom benefits plans using data science to unlock personalized healthcare and reduce costs while increasing cost transparency. As technology companies make forays into public health with initiatives such as Amazon Halo, we’ll see a greater focus on privacy as more services are provided digitally, a more collaborative approach to public health is taken, and a more streamlined FDA process goes into effect.
Additionally, strong, user-focused identity processes and services will become a market differentiator in 2021. Mark Perry, APJ CTO, points out that the shift to distributed identity—where the user controls access to their identity data—is moving from curious concept to a reality. This reality is getting closer as several federal and state governments worldwide move to digital identity services, starting with digital licenses.
We can sum up this focus on giving individual users jurisdiction over how their information is shared as this:
2021 will be the year that consumers demand more control of their personal data and how it’s used and shared. The identity security industry, specifically, will evolve to address this demand with new “personal identity” frameworks that give consumers control over their identities and which attributes to share with service providers.
By allowing people to pick and choose specific data and identity attributes to share with apps, and giving them the capability to validate their identity without revealing more than necessary, we’ll put an end to the status quo of giving up excessive amounts of personal data to do basic tasks in our everyday lives.
Zero Trust went from a buzzword to a strategy in 2020. In 2021 this trend will accelerate, with CISOs creating their own Zero Trust strategies instead of adopting them from vendors. These strategies will be the foundation of enterprise security, because building a security model that streamlines the workflow of users by implementing adaptive authentication, authorization and identity verification services will let organizations achieve fundamental advancements in their security posture.
“The idea that user identity is the key to IT security, not gateways, VPNs or other perimeter security services, is now the mainstream. Managing identity proofing, authentication and access via strong identity processes and policies is essential. The weakest links are not your authentication service where you have multi-factor authentication enabled. It’s the process for resetting forgotten passwords, where MFA might not be required, and a phone call to the helpdesk, where (not so) “secret Q&A” is still used to identify your employees for this purpose. The technology to enforce strong identity security is mature and can be implemented in a short period of time.”
Our CISO Robb Reck predicts the security industry’s focus on Zero Trust will come about in part because of a number of high profile breaches due to unsecured integrations to business critical SaaS apps. As attackers are pushed to more sophisticated attacks to defeat MFA, enhanced authentication techniques will be critical against that threat. And it won’t be simply businesses that are involved: Combined efforts between government and industry will significantly decrease the effectiveness of ransomware attacks. Reck anticipates that here in the U.S., the government will enact laws to regulate technology companies in the areas of privacy, content moderation and encryption.
For near-ubiquitous Zero Trust adoption to happen, however, more focused spending is needed to secure access to PCs and laptops to smartphones and mobile devices, as well as the billions of under-protected Internet of Things (IoT) devices. Russon identifies two key associated technology areas:
The social security number as a means of authentication will officially die in 2021, and it's about time. In the context of data security and privacy, having a globally unique identifier was never a problem—but assuming it was a secret known only to the individual was. We're safer to assume all facts (and even opinions) are known and not treat them as secrets. For this reason, treating SSN as confidential information that could help ensure secure authentication is too risky to tolerate.
And if we need a reminder of just how serious the consequences can be when we use SSN as a trusted authenticator, look no further than the massive volume of fraudulent unemployment insurance claims now plaguing the United States. In the pandemic era, widespread unemployment aid fraud is overwhelming state systems to the tune of an estimated $1 billion. Along with the financial devastation to our nation’s coffers, behind each of those claims lies a real person who is negatively affected.
Business agility is everything. 2020 showed us that reacting in a matter of days—in the face of a critical ongoing emergency—to move employees to remote working is vital to ongoing success. Companies reported major productivity issues when thousands of employees who normally came into the office to work all logged in remotely via the corporate VPN, and that infrastructure just couldn’t cope. In addition, fraudsters and cybercriminals used the pandemic as a trigger for new phishing and hacking attacks. The ability to react in days, not weeks or months, to fix these issues is something that we’ll likely use as a template for future emergency events.
Emma Maslen, VP & GM of EMEA & APAC, believes that while the need for employees to be enabled for a greater level of remote working support is the biggest lesson from 2020, it comes with challenges such as workers connecting to digital assets from multiple places during the day, employees who should have the same experience as they would in the office, and a workforce where many workers will still work onsite and require unique and safe access to the applications and data they need. She points out that identity can help solve WFH challenges in two key ways:
We at Ping predict that the way we worked in 2020 will become the “new normal” for the next decade. While some of us expect a possible backlash against WFH as creativity and innovation decline, others predict remote workers will continue to drive innovation in online collaboration tools and services, bringing a “consumerization of identity services” to the market. These services will leverage capabilities provided for the customer identity and access management (CIAM) market to the enterprise.
Not only are we working from home more—we are shopping from home more. For that reason, Maslen thinks, identity is going to be a big consumer focus in the future:
“Users/consumers are bombarded with username and password requests, identity challenges and a friction-full experience, which results in high basket abandonment to our besieged retailers. For companies to ensure their maximum share of wallet, they must replace legacy experiences and disrupt their environments. The frictionless experience for consumers will drive loyalty and a larger share of wallet. Those focusing on those challenges are predicted to be the winners of 2021, certainly in retail, insurance, banking and many other sectors.”
Passwordless will help get us there. To maximize security while minimizing user friction, passwordless authentication allows users to authenticate with something other than a password—like push notifications requiring a fingerprint on a specific device, integrated MDM solutions or hard tokens. Reck expects more and more companies will transition their consumers to a passwordless experience, and this trend will pressure others to invest in smoother customer user experiences just to keep up.
Russon believes that 2021 will see an acceleration in identity verification and validation services that incorporate biometric and biographic information. Identity documents and knowledge of personal data or events will be used to guarantee the uniqueness and validity of an individual’s identity before they can access a service or receive an entitlement, and this will need to be carried out in a way that doesn’t negatively impact the user experience.
Is the world of William Gibson’s “Neuromancer,” where AIs become self-aware and fight amongst themselves for control of cyberspace, here already? No, but Perry thinks there’s a strong possibility that AIs become the new attack mechanism for cybercrime this year, and they will succeed in defrauding major services:
“Targeted attacks could become more sophisticated and less obvious using AI, causing static defences like security gateways to be helpless. It will be AI versus AI, as organisations turn to their own unsupervised, continually learning cyber defences to defend their systems and services.”
As a result, Perry predicts AI-based threat detection and mitigation for workforce and consumer online channels will be a cybersecurity spend priority over the next 12 months. But while Russon believes that behavioral analytics and risk signals should be integrated into all access and lifecycle management flows to quickly spot suspicious activity and adapt access to the level of risk, he cautions against putting too much emphasis on AI/machine learning:
“Many organizations and vendors thought artificial intelligence and machine learning (AI/ML) was going to reshape how access control and identity lifecycle management policies were created. AI/ML can provide useful signals and risk information to enhance explicit policies but has not proven to be a replacement.”
As we put 2020 firmly in our rearview mirror (thankfully!), we at Ping will continue to champion your identity as we strive to help enterprises achieve Zero Trust identity-defined security and more personalized, streamlined user experiences. Another way we champion you is by helping you keep up with the constantly changing identity security industry. Subscribe to our weekly blog update to get the latest insights from dozens of identity experts.