Avatier’s CEO Gives 2015 Identity and Access Management Predictions

It’s a new year, and Avatier CEO Nelson Cicchitto follows a long-standing New Year’s tradition by making a whole slew of predictions for the coming year. Nelson acknowledges that lots of others in the IAM industry are doing the same thing when he says “Naturally, my predictions float in a sea of them.” Nevertheless, some of his 10 predictions below provide food for thought on subjects not yet discussed here.

His first is a safe bet: that enterprise security will increasingly revolve around the cloud, the Internet of Things and BYOD: “The migration to SaaS platforms and cloud computing, physical access control single card solutions, virtual facilities, and BYOD in the workplace will place new and expanded emphasis on information security,” in his words. This one has been beaten to death, but one interesting add-on he makes is that he expects solutions in the marketplace that are “self aware.” Skynet, anyone?

His next prediction is that organizations in important industries and government functions will see an increase in state-sponsored cyber attacks, and he advises government agencies to be ready to help private sector and utility targets.

His third is that we will see an increase in attacks utilizing Crime-as-a-Service (CaaS) platforms. CaaS significantly reduces the cost of entry into cyber crime, and thus simple economics predicts an increased number of crooks looking to pad their accounts at your expense, or perhaps simply watch the world burn. IAM solutions will need to be increasingly automated (self-aware?) in order to combat this threat.

Fourth, in order to drive business value, IAM should focus less on access management and more on assignments:

“Enterprise-class solutions put less emphasis on access rights alone and begin leveraging identity management solutions for requesting, approving, tracking and granting assignments. Business leaders work with IT to solve overall organizational challenges based on the holistic management of people, access, assets and assignments resulting in more efficient operations, governance controls and risk management. Concurrently, an increase in IAM automation frees IT resources to perform more value-added and strategic work.”

Fifth, he predicts that organized crime will start charging ransoms to organizations for keeping sensitive data private. Given that Sony paid $61 million “to investigate, provide services, respond to lawsuits, and pay for counterfeit fraud losses,” expect the payouts to be huge. My question is, will companies try to keep such payouts secret, or will it be too much money to creatively account away?

Sixth and more troubling, educational institutions will struggle to churn out enough qualified cyber warriors with white hats even as demand for them grows.

Seventh, although this is more of a best practices recommendation, is that organizations need to adopt better incident response processes, as those that do will find themselves more secure than those that don’t, no matter what kind of IAM technology they invest in. Nelson gives a great comparison to illustrate:

“Although 76 million households and seven million small business accounts were comprised, JPMorgan Chase was able to respond and remove the malware before irreparable harm was done to customer accounts. In contrast, Target took over two weeks to respond even though they deployed the same state-of-art security products as JPMorgan Chase. Target’s much smaller security team was simply unable to filter through the high volume of alerts being generated by their security infrastructure and slow to assess the criticality.”

Eighth, because so many of the recent breaches involved privileged user accounts such as administrator, increased attention will be paid to securing those accounts. That said, the solutions recommended can be applied to more places than just there: “passwords, SMS, voice, biometrics, device recognition will be applied as multi-factored controls over privileged user requests and workflow,” and applying governance to “critical networks, systems and cloud services” will improve accountability by “removing gaps in privileged ID management processes.”

Ninth, the hackability of biometrics may leave this type of IAM solution in a secondary position within a multifactor authentication scheme. Nelson explains why hacking biometrics is more dangerous:

“In a demonstration that “security in depth” remains critical, hackers recently used high-resolution photographs to duplicate fingerprints. These hacks are more serious than a cracked password, because a fingerprint, once compromised, can’t be changed.”

His final prediction is:

That pretty much every prediction that people make about IAM for 2015 is going to come true.

Pretty bold, IMO. He doesn’t really explain this one, so my guess is that it’s his way of trying to fit in his predictions at the end of January without getting shouted down. Some of his other predictions/recommendations are pretty good though, especially the comparison of JPMorgan Chase and Target. There are definitely some lessons to be learned from that comparison.
