Altman Solon is the largest global strategy consulting firm exclusively working in the TMT sectors. This insight is part of a series dissecting cybersecurity trends from the RSA and Black Hat conferences. Major trends include the expanding role of identity security, consolidation and convergence across the sector, and the rise of niche cybersecurity services. Here, we look at the rise of identity as a service in a changing cybersecurity landscape and emerging software categories to meet growing security demands.
Identity products and services, once considered adjacent to cybersecurity, are now at the heart of IT security. This shift is driven by the adoption of zero trust models, which place identity at the center of verification and security strategies. In response, companies are evolving their cybersecurity policies and tools, and investors are capitalizing on new opportunities in a growing software segment.
Zero trust security principles are becoming the standard approach to cybersecurity and are built on the assumption that no user, device, or application should be trusted until verified. As enterprises embrace hybrid working conditions, the Internet of Things (IoT), and multiple cloud environments, traditional network boundaries are no longer the primary points of access. Instead, the zero trust model relies on identity as the foundation for verification. As a result, the importance of identity software has grown, as organizations will need to rely on more advanced and modern methods of managing identities.
Historically, identity and access management (IAM) platforms and multi-factor authentication (MFA) applications have been the most common categories of identity software. These tools remain effective for authentication and granting access and are still widely used. However, due to the proliferation of SaaS applications, open APIs, and connected devices, the growing number of entitlements companies must manage requires identity governance and administration (IGA) solutions that can manage increasingly granular access controls. Particularly for large, complex organizations, IGA tools can ease the administrative burden of managing entitlements across the identity lifecycle.
There has also been a rise in risk-based identity and identity threat detection and response (ITDR) solutions across the market, as noted in an RSA session led by the SANS Institute. ITDR tools recognize anomalous user behavior and react automatically to security breaches. According to a 2022 Gartner report, by 2026, 90% of organizations will be using some form of ITDR tools as their first line of defense against identity attacks.
Other emerging categories of identity software with growing adoption include identity proofing and passwordless authentication. In a world where AI lowers the barrier to impersonation and fraud, ID verification tools using multiple means of proof (e.g., webcam, photo, biometric data) are increasingly important. Similarly, with over 24 billion username and password combinations circulating in criminal marketplaces, passwordless authentication can reduce user friction and secure high-risk assets by moving to biometrics, security keys, and mobile authenticators. Indeed, new standards being rolled out by Big Tech players, including Microsoft, Google, and Apple, are paving the way for a move toward passwordless authentication. As identity becomes increasingly core to an organization’s security posture, these emerging categories will develop further and mature.
Until recently, cybersecurity services around identity were simple and involved user setup and provisioning. Today, as identity moves to the forefront of security, companies in highly regulated spaces are turning to third parties to manage, review, and enforce access rights, particularly in the context of a potential audit. Outsourced identity and access management service providers are filling a gap in the market, especially for customers in highly regulated environments where compliance requirements are stringent or internal security standards are designed to appease a regulator. Today, upfront services like designing an IAM plan or a federated authentication approach can be packaged with other identity management services. These services include continuous testing, audit preparation, and reporting of identity and access rights to ensure that the organization's compliance requirements are being met.
The cybersecurity playbook is being rewritten in real time.