Okta's Identity and Trust Predictions for 2023
The new year brings for many a sense of cautious optimism as the lockdowns and restrictions imposed to constrain the coronavirus recede into history. However, to remain secure, businesses and individuals need to respond effectively to a range of trends that gained momentum last year. These include:
- Worsening geopolitical, social, and economic instability.
- Adoption by businesses of a range of solutions–some used successfully, some not–to enable productive remote and agile workforces.
- Industrialisation and continued success of phishing and credential-based attacks.
- Growing targeting of supply chains as a weak point in larger organisations’ ecosystems, despite increased security and governance applied to suppliers.
- Businesses leveraging the deepening and increasingly intricate interdependencies between SaaS platforms to drive better customer experiences–with attackers aiming to locate the weakest entry point through which they can compromise these systems.
- An explosion of AI-powered ideas, use cases and proofs of concept–some of which are concerning and fascinating in equal measure.
In this context, here are my cybersecurity predictions for 2023:
The ubiquitous importance of Identity
Confidence in identity, whether that of an individual, a device, software, or a business or government organisation, is key to everything we do. This confidence is increasingly important in an environment of growing risk. We see the role of identity in social, work, education, and healthcare contexts, as well as across a wide range of citizen and government use cases.
Identity is equally important across the supply chain–often the weak underbelly and entry point for attacks. In 2023, I expect to see greater reference to the Software Bill of Materials (SBOM), described by the Cybersecurity & Infrastructure Security Agency in the United States as a list of the ingredients that make up software components. The SBOM will clarify identity and material inputs across supply chains.
Zero Trust Security–about which so much has been written recently–starts and ends with secure identity.
Mass adoption of passwordless, phishing-resistant authentication
Over the past year, we have seen huge growth in multifactor authentication (MFA) as a core requirement of identity and access security. This growth is being driven by initiatives from major corporates and industry groups, and intervention and enforcement from regulatory bodies.
The increasing use of MFA to protect sensitive data and systems has prompted attackers to improve their ability to circumvent it. Their techniques range from novel Adversary-in-the-Middle attacks, in which an attacker inserts themselves between two parties (such as users or systems) to capture their communications and target authenticated sessions, to less sophisticated MFA Push Fatigue attacks, in which attackers send a flood of unsolicited push notifications in the hope that a fatigued user accepts one and gives the attacker access to systems or data.
Solutions to these attacks exist in the form of passwordless and phishing-resistant authentication, and I expect to see a rapid ramp-up of passwordless authentication in 2023. Organisations’ own initiatives, as well as increased expectations from both regulators and consumers, will each independently influence this trend.
Escalation of AI concepts and use cases
AI-enabled applications will escalate to impact all areas of our work and social lives as synthetic identities and deepfake audio-visuals become easier to generate and improve in quality. In 2023, we see these applications becoming more common in social and corporate fraud.
Automated learning machines designed to probe and attack vulnerabilities will become common and prompt businesses and government organisations to adopt defensive automation and machine learning. Expect an explosion of applications and a more gradual evolution, consolidation, adaptation, and survival of the fittest over 2023 and beyond.
The importance of trust
Whether it’s building confidence in identity and security capability or underpinning a commitment to privacy and customer wellbeing, trust is fast becoming an organisation’s most critical resource.
Trust is often the most compelling differentiator for digital entities operating online.
To establish trust, a business or organisation needs the capability to achieve an outcome and the ability to generate confidence among observers that expected actions occur when a situation moves from the ‘known’ to the ‘unknown’. Trust must also be communicated effectively and consistently to maintain or generate value.
In 2023, corporates, individuals and governments will all take steps to build and demonstrate trust to operate effectively in the digital world. Unfortunately, criminals will also aim to create or erode trust to achieve their own nefarious ends. Trust will be difficult to generate, challenging to demonstrate and increasingly easy to lose–making it an extremely valuable commodity.
For businesses and government organisations, investing time and resources into these areas in 2023 and beyond is key to managing many of the trends that gained momentum in 2022 and new, unexpected developments this year.