Identity very much seems to be an acquired taste… Most everyone’s first experience with identity comes down to usernames and passwords. And that’s enough for most users, “just let me get past this screen so I can do what I’m trying to do.”
Historians will remember passwords to be a temporary inconvenience and a cause of struggle and data breaches. They’ll think, “Of course ‘X’ is the best way to validate someone & something is who they say they are. Creating, remembering & tracking passwords! Amazing that our earlier generations had to deal with it.”
Luckily we have enterprises forcing constant evolution in identity out of business-driven use cases. As organizations get larger and become more complex, balance gets exponentially difficult to achieve: the struggle to make sure users have access to the resources they need and don’t have unnecessary/accidental/insecure access to things they don’t need (i.e. authorization). Automation and innovation in identity are must-haves for all organizations, especially the large enterprise.
Authorization has only gotten harder over time because business resources have continued to change and grow: endpoints, files, databases, internal applications, SaaS applications, service accounts, cloud-hosted applications, shared/public compute. This all leads to identity silos (e.g. entitlements on Salesforce different than Active Directory) and reduces visibility.
In the end, identity is still one of the most effective levers in security. Without identities, everything else (data, endpoints, applications, etc.) is unusable, because without identity controls everyone will have access either to everything or to nothing. Identity projects are tough but worth doing.
The most recent trend in identity is Zero Trust. This concept has been evolving for years now and was further accelerated by the pandemic. Zero Trust builds controls around an interesting premise: the idea that every resource will one day be internet-facing.
In 2021, I predict that most folks with identity and zero trust in mind will look at a Zero Trust Network Access (ZTNA) solution first. It’s one of the easier projects to deploy and there is existing work to leverage. The overhead, cost and management required for existing networking controls like VPNs are no longer acceptable at our current massive work-from-home scale. For every company, ZTNA will likely look a bit different, ranging from use cases that are simply a more cost-effective VPN to use cases that look a lot like SSO or DLP use cases.
Beyond ZTNA, we’ve already seen the concept of Zero Trust extend into other categories even if it hasn’t been explicitly called out. Zero Trust in SaaS Applications. Zero Trust in Privileged Credentials. Zero Trust for developer access. Preparation for Zero Trust (cleaning up excess entitlements). Eventually I envision we’ll recreate the same defense-in-depth we know and love from the corporate network world in the shared resources (public cloud, multi-tenant applications, etc.) world, with identity at the forefront.