Identity Trends in Infosec 2022

This week saw the London edition of Infosecurity Europe: essentially a smaller version of the RSA Conference held a few weeks ago in San Francisco. There were around 15,000 attendees and more than 300 solution providers from a variety of cybersecurity and information security areas. Of course, my main interest was to get briefings and understand the point of view from an identity and access management perspective, and to see how far the tentacles of identity were now spreading into other orthogonal areas of security. I was not disappointed and had some conversations that made me think…

Employee Behavior Management

I made up the term above (should I claim this as a new category?!), but there were numerous submissions (including one Wednesday keynote by the very knowledgeable Dr Maria Bada, by whom I was fortunate enough to be taught a module on Cyber Crime Psychological Profiling when I was at the Information Security Group at Royal Holloway) looking at end user behavior analytics, awareness, and incentives to influence end user norms. The people aspect of the people-process-technology triad is blamed for many technology and process failures. Ah, “it’s the end user’s fault”. “The end user is stupid.” “The end user does not know about security.” No, they don’t, and often they shouldn’t need to. Employees are paid to perform a function in a business workflow. If “security” gets in the way of them doing their job, security screening goes out the window. Employees are incentivized to complete and optimize specific tasks. It’s time for solution providers (and the business too) to see employees and the end user as a key asset in protecting information. They need awareness (and training too), but they also need appropriate ways to report incidents, to feel valued, and to be in a position to share what they see and hear with the right teams at the right time. The end user really does come first and is becoming the most valuable “firewall” we have.

Immutable tracking of who and what

As identity practitioners, we’re also obsessed with “who has access to what” (when, where, and why are also important, but often come later on the maturity curve). I had a good briefing from the emerging vendor RKVST. Their catchphrase is all about having a “zero trust fabric”. The ZT bandwagon we’re all familiar with, but the “fabric” aspect was interesting: it essentially seeks to create an immutable, blockchain-based approach to describing the what (whether that is a physical asset like nuclear waste or a device) and the who (an end user in the digital or physical worlds) and, more importantly, the relationships and actions between the two. RKVST seeks to create a secure pane of glass giving visibility into what is becoming a very complex supply chain, from devices, their manufacturer, firmware installation and usage, through to users and their runtime activities. By creating an immutable record of interactions, audit leaders and compliance teams can begin to have greater assurance regarding their ecosystem of assets. Essentially, assurance shifts left even further, up the supply chain. Understand provenance, then track it throughout the asset’s life. Interesting stuff.
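To make the “immutable record of interactions” idea concrete, here is an added example (my own illustration, not RKVST’s code or data model): a hash-chained ledger in which every record links a device (the what) to an actor (the who) and the action between them, so that rewriting any earlier record breaks the chain. The device id, actors and lifecycle events are constructed for the example, and a real deployment would also anchor the latest hash somewhere the ledger holder cannot alter.

```python
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64  # prev_hash of the first record

@dataclass(frozen=True)
class Event:
    asset: str      # the "what": a device, a consignment, a document
    actor: str      # the "who": manufacturer, operator, end user
    action: str     # the relationship/action between the two
    prev_hash: str  # SHA-256 of the previous record: the chaining link

def event_hash(ev: Event) -> str:
    """Canonical JSON of the record, so the hash is reproducible."""
    payload = json.dumps(asdict(ev), sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def append(ledger: list[Event], asset: str, actor: str, action: str) -> Event:
    prev = event_hash(ledger[-1]) if ledger else GENESIS
    ev = Event(asset, actor, action, prev)
    ledger.append(ev)
    return ev

def verify(ledger: list[Event], expected_head: str | None = None) -> int | None:
    """Index of the first record whose link is broken, or None if intact.
    Without an externally anchored head hash, a rewritten *last* record
    cannot be detected: the chain only protects what comes before."""
    expected = GENESIS
    for i, ev in enumerate(ledger):
        if ev.prev_hash != expected:
            return i
        expected = event_hash(ev)
    if expected_head is not None and expected != expected_head:
        return len(ledger)  # head mismatch: the final record was altered
    return None

def build_sample_ledger() -> list[Event]:
    # Constructed lifecycle for a fictional sensor: manufacturer -> firmware -> user.
    ledger: list[Event] = []
    append(ledger, "sensor-0001", "acme-manufacturing", "manufactured")
    append(ledger, "sensor-0001", "acme-manufacturing", "firmware-installed:v1.2.0")
    append(ledger, "sensor-0001", "alice@example.com", "commissioned")
    append(ledger, "sensor-0001", "alice@example.com", "reading-exported")
    return ledger

def tamper_demo() -> int | None:
    """Silently change who commissioned the device; verify() should return 3,
    because record 3 still carries the hash of the *original* record 2."""
    ledger = build_sample_ledger()
    old = ledger[2]
    ledger[2] = Event(old.asset, "mallory@example.com", old.action, old.prev_hash)
    return verify(ledger)
```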

Identity for hybrid cloud

I’ve been tracking hybrid cloud for the last 2 years and now we’re at a point where use cases are stabilizing, deployments are becoming repeatable, and I think vendors are starting to move away from market education in their pre-sales process and toward migration and implementation. A couple of vendors gave me mini-briefings, including Ermetic, who want to “Secure your identity in the cloud first” with “Holistic protection for AWS, Azure and Google Cloud”. Many organizations have to deal with multiple different infrastructure-as-a-service providers, SaaS everywhere, and then on-premises or private cloud components as well. Visibility becomes an issue. Credential management becomes an issue, and all those environments are riddled with misconfigurations. Organizations like Ermetic (see Strata Identity and maybe even Valence Security also) are addressing this emerging set of use cases that combines CIEM (Cloud Infrastructure Entitlement Management) and CSPM (Cloud Security Posture Management). Hybrid cloud is not going away. It seems that identity is once again front and center as the new perimeter in how to manage increasing complexity.

As always in 2022, it was great to be back on the road at a conference and not behind a Zoom or Google Meet screen. The UK train strikes certainly had an impact, but thousands of attendees and over 50 specialist identity vendors (out of the 300 solution providers) certainly made for a great conference.

Tune in to “The Week in Identity” podcast this week, where we will discuss these topics in more detail.

About the Author

Simon Moffatt is founder and analyst at The Cyber Hut. He is a published author with more than 20 years of experience in the cyber and identity and access management industries. His most recent book, “Consumer Identity & Access Management: Design Fundamentals,” is available at Amazon. He holds CISSP, CCSP, CEH and CISA certifications. His 2022 Research Diary focuses on “Next Generation Authorization Technology” and “Identity for Hybrid Cloud”.

The post Identity Trends in Infosec 2022 first appeared on The Cyber Hut.

*** This is a syndicated Security Bloggers Network blog from The Cyber Hut written by Simon M. Read the original post at:
