With nearly three decades of cybersecurity industry experience under their belts, our team of identity management experts gathered their predictions and trends. Here they are for 2023.
#1 Random Passwords Will Reduce Lateral Risk
Lateral movement risk is a key focal point and will only get more attention over the coming year. Phishing against both professional and personal accounts continues to grow. But attackers don't actually want your personal Netflix account. They are playing the odds that you reused that Netflix password for a work account, and they will replay the stolen credentials against corporate logins (credential stuffing). If the password matches, they move from your personal life into your business life quickly and easily.
This is why people must stop reusing passwords. Use a different, randomly generated password for every service, and stop trying to remember them: store them in a password manager, with separate vaults for your personal and your professional lives. Random, unique passwords mean that one compromised account no longer unlocks the next one, which drastically raises the cost for an attacker trying to move laterally through your accounts.
#2 SSH Key Certificates Will Gain Momentum
We are also likely to see more awareness of lateral-movement risk that does not involve passwords at all, such as SSH keys. SSH keys have been used for decades to let administrators log in to systems quickly for routine work. But they carry several risks. An authorized_keys entry never expires; it is valid until someone remembers to remove it. Private keys are rarely protected by a passphrase, and even a passphrase only encrypts the key at rest; it is not a second factor. And it is very hard to map the reach of a key: which machines it can log in to, and which further machines it can hop to from there (agent forwarding makes this worse).
Moving to SSH certificates will gain significant momentum in 2023 as one of the best-in-class answers to these weaknesses. A certificate is signed by a CA, carries an explicit validity window and a list of principals (the accounts it may log in as), and can be minted for hours rather than years. The server trusts the CA's public key instead of an ever-growing pile of individual public keys, so there is no stale authorized_keys file to audit.
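As an added example (not the original post's or any vendor's code), the script below mints a short-lived, principal-scoped OpenSSH user certificate with ssh-keygen and then decodes the certificate blob to show the fields a bare authorized_keys entry never carries: a key id, a principal list and a validity window. It assumes ssh-keygen is on PATH; the key names, key id "alice-laptop", principals "alice" and "deploy" and the 8-hour validity are constructed for illustration.

```python
"""Added example: issue a short-lived OpenSSH user certificate and decode it.
Requires ssh-keygen on PATH. Key id, principals and validity are constructed."""
import base64
import struct
import subprocess
import tempfile
import time
from pathlib import Path

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # cert_type field: 1 = user certificate, 2 = host certificate


def _read_string(buf: bytes, pos: int):
    """Read one SSH wire 'string' (uint32 length prefix + bytes)."""
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def parse_cert(cert_line: str) -> dict:
    """Decode the ed25519 certificate format documented in OpenSSH PROTOCOL.certkeys."""
    kind, blob = cert_line.split()[:2]
    if kind != CERT_TYPE:
        raise ValueError(f"unsupported certificate type {kind}")
    buf = base64.b64decode(blob)
    pos = 0
    _kind, pos = _read_string(buf, pos)       # type string, repeated inside the blob
    _nonce, pos = _read_string(buf, pos)      # CA-chosen randomness
    _pubkey, pos = _read_string(buf, pos)     # the user's raw ed25519 public key
    serial, cert_type = struct.unpack_from(">QI", buf, pos)
    pos += 12
    key_id, pos = _read_string(buf, pos)      # free-text id, logged by sshd
    principals_blob, pos = _read_string(buf, pos)
    valid_after, valid_before = struct.unpack_from(">QQ", buf, pos)
    # critical options, extensions, signature key and signature follow; not needed here
    principals, p = [], 0
    while p < len(principals_blob):           # nested list of strings
        name, p = _read_string(principals_blob, p)
        principals.append(name.decode())
    return {"serial": serial, "type": cert_type, "key_id": key_id.decode(),
            "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def check_cert(cert: dict, login: str, now=None):
    """Mirror the checks sshd applies: certificate type, validity window, principal."""
    now = int(time.time()) if now is None else now
    if cert["type"] != USER_CERT:
        return False, "not a user certificate"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False, "outside validity window"
    if login not in cert["principals"]:
        return False, f"{login!r} not in principals {cert['principals']}"
    return True, "ok"


def issue_cert(workdir, key_id="alice-laptop", principals=("alice", "deploy"),
               validity="+8h") -> str:
    """CA workflow: generate CA and user keys, then
    ssh-keygen -s <ca> -I <key id> -n <principals> -V <validity> user.pub"""
    workdir = Path(workdir)
    ca, user = workdir / "ca", workdir / "user"
    for path, comment in ((ca, "ssh-ca"), (user, "alice@laptop")):
        subprocess.run(["ssh-keygen", "-q", "-t", "ed25519", "-N", "",
                        "-f", str(path), "-C", comment], check=True)
    subprocess.run(["ssh-keygen", "-q", "-s", str(ca), "-I", key_id,
                    "-n", ",".join(principals), "-V", validity,
                    str(user) + ".pub"], check=True)
    return (workdir / "user-cert.pub").read_text()  # ssh-keygen writes <key>-cert.pub


def demo() -> dict:
    """Issue a certificate in a scratch directory and return its decoded fields."""
    with tempfile.TemporaryDirectory() as d:
        return parse_cert(issue_cert(d))


if __name__ == "__main__":
    cert = demo()
    print(cert)
    for login in ("alice", "bob"):
        print(login, check_cert(cert, login))
```

On the server side the whole fleet needs only `TrustedUserCAKeys /etc/ssh/ca.pub` in sshd_config; a certificate for "alice,deploy" that expires in eight hours then logs in as either of those accounts and is useless the next morning, whereas the same key pasted into authorized_keys would work until someone deleted it.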
#3 Increased FIDO Adoption
Authentication is hard. There are many competing approaches, and the devil tends to be in the details. Are shared secrets being used? How secure is my authenticator device (phone, security key, etc.)? Can I meet the regulatory requirements of each region I operate in? These are tough questions to answer, and as a result people will lean more and more on standards bodies and certification processes to give them relative "easy buttons". The FIDO Alliance is at the forefront of this and is likely to continue to drive it. You can already see this in the guidance the White House issued earlier this year (the OMB zero-trust memorandum M-22-09, which requires phishing-resistant MFA across federal agencies). This kind of guidance is certainly going to continue, resulting in an increase in FIDO2 adoption.
#4 AI-Driven Attacks
Bots continuously scan companies' external attack surfaces and exploit whatever vulnerabilities they find. This trend will accelerate, and the attacks will become more sophisticated as attackers add AI to their toolchains.
APIs protected by weak passwords are especially exposed. With the growth of remote work, credentials shared between clients of publicly reachable APIs add yet another weak point.
For APIs that still depend on password authentication, companies must take firm control over the quality of those passwords. The baseline for sleeping at night is a randomly generated password of 16 or more characters, unique to each client rather than shared.
For newer platforms, people will continue to push toward modern authorization and authentication standards such as OAuth 2.0 and OpenID Connect, and in the future GNAP (the IETF's Grant Negotiation and Authorization Protocol).
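The following is an added example, not code from the original post, covering both the per-service random passwords of #1 and the 16-character API baseline above. It generates passwords from the CSPRNG in Python's secrets module and audits a vault export for the two problems the post calls out: passwords under the baseline and the same password reused across personal and work services. The vault format, the service names and the sample passwords are constructed for illustration.

```python
"""Added example: random per-service passwords plus a reuse/length audit.
Not vendor code; SAMPLE_VAULT and its service names are constructed."""
import hashlib
import math
import secrets
import string
from collections import defaultdict

# Letters, digits and symbols that rarely need shell or URL quoting.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"
MIN_LENGTH = 16  # the post's baseline for password-authenticated APIs


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG (secrets, never random)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def fingerprint(password: str) -> str:
    """Digest used to spot reuse without keeping plaintext in the findings."""
    return hashlib.sha256(password.encode()).hexdigest()[:16]


def audit_vault(entries):
    """entries: iterable of (service, password) pairs.
    Returns a sorted list of (service, issue) findings, where issue is
    'short' for passwords under MIN_LENGTH and 'reused:<other services>'
    when the identical password is stored for another service."""
    by_digest = defaultdict(list)
    for service, password in entries:
        by_digest[fingerprint(password)].append(service)
    findings = []
    for service, password in entries:
        if len(password) < MIN_LENGTH:
            findings.append((service, "short"))
        peers = [s for s in by_digest[fingerprint(password)] if s != service]
        if peers:
            findings.append((service, "reused:" + ",".join(sorted(peers))))
    return sorted(findings)


# Constructed vault export: a personal streaming password reused for a work VPN,
# and one properly generated 24-character work password.
SAMPLE_VAULT = [
    ("netflix (personal)", "Summer2022!"),
    ("corp-vpn (work)", "Summer2022!"),
    ("github (work)", "x7$Kq9-mZ2^pL4&wR8@bT1=n"),
]

if __name__ == "__main__":
    pw = generate_password()
    print(f"new password: {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
    for service, issue in audit_vault(SAMPLE_VAULT):
        print(f"{service}: {issue}")
```

A 24-character password from this alphabet carries roughly 150 bits of guessing entropy, far beyond anything worth brute-forcing; the audit is the part that matters in practice, because it is reuse, not guessability, that turns a leaked Netflix password into a VPN login.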
#5 Personal Devices Will Be Exploited
Personal devices are used more and more in remote work, especially as personal authenticators. Their ease and simplicity cannot be denied. But people must also ensure that the authenticator solutions being deployed are resistant to common attack vectors.
Third-party applications like TikTok, for example, are raising significant concerns about their presence on devices used for business. How much information do such apps collect when you interact with websites through their in-app browsers? Are they collecting your keystrokes? Your passwords? Are they tracking your movements?
There will be a significant focus on making sure applications apply best practices to the data they hold. For example, does your authenticator app keep its cryptographic material in the phone's hardware-backed key store (the Secure Enclave on iOS, a StrongBox or TEE-backed Keystore on Android, the mobile counterpart of a PC's trusted platform module), where the private key cannot be extracted by malware on the device, rather than in ordinary app storage that any rooted device can read? Applications that do not will likely come under significant scrutiny over the next year.
#6 Rethinking Authentication for New Joiners
Existing IAM practices for provisioning accounts and helping new employees authenticate will become a point of primary concern. Practices where an onboarding email is sent with a username and password in plain text need to stop. Practices where people register for MFA days, weeks, or months after being onboarded need to end. Onboarding needs to ensure on day one that people are able to authenticate securely to company resources.
For these reasons we predict companies will start to really review their joiner strategies and identify where best practices such as never putting passwords in emails are being circumvented. After all, none of us want our employees to disregard best practices on their first day.
#7 Remote Browser-Based Attacks Rise
Web browsers can be manipulated in many creative ways. With the rise of advanced AI technologies, deep fakes and other creative trickery, we are going to see a continuing arms race that companies and users will struggle to keep up with. But if you focus on the basics, such as phishing-resistant MFA, randomized passwords and just-in-time access, you can protect against these scenarios by taking the human judgement call out of the equation: a FIDO authenticator will not release a credential to a look-alike site no matter how convincing it is.
#8 Risk Mitigation Keeps Pace with Cloud Services Growth
As the explosive growth of cloud services continues, the need for a unified situational awareness of security risks is ever more important. Organizations must be able to take advantage of new development methodologies, modernization, and scalability afforded by cloud services, but at the same time must be able to weave their risk management strategy into the adoption of new technologies. Retrospectively attempting to manage risk after allowing for unchecked adoption of new tools is bound to lead to breaches and blind spots.
This means the risk management tools themselves must be intuitive, easily accessible, and ideally automated to some extent, lest they be circumvented and unadopted. This also means that the appropriate tools must be available for each business function - forcing a single process or tool on the entire business will not work.
All of this points to a situation where the risk management tools employed must be comprehensive, interoperable, and agile enough to adapt to ever-evolving business needs, and must in some way improve or augment new processes rather than stand in the way of innovation. Consolidation of identity, risk, and access management platforms, and capabilities that cater to the needs and risk profiles of each level of the organization's business - not just IT - are going to be extremely important to keep pace with innovation without succumbing to additional risk.
#9 Quantum-Resistant Cryptography Moves from Theory to Requirement
Quantum computing is maturing at a rapid rate, and encrypted traffic captured today can be stored and decrypted once a capable machine exists, so data with a long confidentiality lifetime is already exposed. Forward-thinking organizations will start asking their suppliers for plans to adopt quantum-resistant cryptography, so that the investments they make in 2023 and 2024 remain secure in 2033 and 2034. NIST selected its first post-quantum algorithms for standardization in 2022, so suppliers now have concrete targets to plan against. Just like past infrastructural challenges, an ounce of prevention over the coming years will help avoid pounds of pain in the future.