
How access management helps protect identities in the cloud

Things are rapidly growing more challenging on the security front in 2023. Many CISOs didn’t expect this much pressure to consolidate tech stacks, make budgets go further and do better at stopping identity-driven breach attempts. CISOs tell VentureBeat that access management (AM), identity and access management (IAM) and privileged access management (PAM) are under attack by threat actors who can quickly monetize stolen identities by becoming access brokers or working with access brokerages.

These access brokerages sell stolen credentials and identities in bulk at high prices on the dark web. This helps explain the skyrocketing rate of attacks aimed at exploiting gaps created by cloud infrastructure misconfigurations and weak endpoint security.

CrowdStrike’s latest Global Threat Report found that cloud attacks aimed at stealing and taking control of credentials and identities grew 95% in 2022. And a recent Unit 42 Cloud Threat Report found that 99% of analyzed identities across 18,000 cloud accounts from more than 200 organizations had at least one misconfiguration, indicating gaps in IAM protection.

Identity-driven attacks are the digital epidemic that no CISO or CIO wants to discuss. Yet they are ravaging mid-tier manufacturers who are months or years behind on security patches and have open ports on their corporate networks. Seventy-eight percent of enterprise security and risk management leaders say that cloud-based identity-based breaches have directly impacted their business operations this year, and 84% have experienced an identity-related breach.

Pressure to accelerate consolidation of tech stacks drives the market

CISOs want their cybersecurity platform providers to speed up efforts to converge PAM and IAM while improving identity proofing. They also point out that effective fraud detection needs to be at the platform level. And they tell VentureBeat that, along with identity governance and administration (IGA), IAM and PAM are the highest priorities, because 80% or more of breach attempts aim first at identities and the systems that manage them.

Identity threat detection and response (ITDR) addresses gaps in identity protection that are left when hyperscaler-specific IAM, PAM and IGA systems aren’t integrated into a unified tech stack and infrastructure.

Gartner predicts that by 2026, 90% of organizations will use some embedded identity threat detection and response function from access management tools as their primary way to mitigate identity attacks, up from less than 20% today. Access management spending is approximately 6.8% of the worldwide spending on security and risk management software, making it a $4.17 billion market in 2021. But the worldwide IAM market is forecast to increase from $15.87 billion in 2021 to $20.75 billion this year.

Strengthening zero trust with access management

It’s becoming more urgent to consolidate tech stacks while also showing progress on zero-trust initiatives, especially if those initiatives are tied to protecting and growing revenue. CISOs are relying more than ever on their endpoint, IAM, ITDR and unified endpoint management (UEM) vendors to help them more quickly consolidate their tech stacks. Meanwhile, they’re relying on internal teams to orchestrate and implement or modify zero trust frameworks to support new business initiatives.

That’s why 2023 is becoming a much more challenging year than CISOs expected.

Noteworthy providers assisting CISOs and their organizations to modernize IAM systems include CrowdStrike, Delinea, Ericom, ForgeRock, IBM Cloud Identity and Ivanti.

Closing multicloud gaps by replacing on-premises IAM systems with cloud platforms

Organizations must consolidate legacy IAM systems that are continuing to increase application and endpoint agent sprawl. Standardizing on a unified cloud-based platform requires in-depth expertise in merging legacy systems and their taxonomies, data, roles and privileged access credentials. IT and cybersecurity teams focused on zero trust are trying to be as pragmatic as possible about moving IAM to the cloud. That’s why they rely on IAM cloud providers to help them transition from on-premises to the cloud.

One CISO told VentureBeat (on condition of anonymity) that the cost of legacy IAM systems is continuing to go up, even as these systems deliver less and less value because they’re not as advanced in API integration as the state-of-the-cloud IAM market. Most importantly, cloud-based IAM apps and platforms can monitor and log every identity, role and privileged access credential — a core tenet of zero trust.

CISOs also want cloud-based IAM platforms to better close the gaps in multicloud configurations that happen when every hyperscaler has its own IAM module or approach to identity management.

First, strengthen cloud platforms with MFA and SSO — because identities are core to AM and zero trust

Identities are the fastest-growing and least-protected threat surface organizations have. Overcoming the challenges of improving multi-factor authentication (MFA) and single sign-on (SSO) adoption starts by designing process workflows for minimal disruption to workers’ productivity. The most effective MFA and SSO implementations combine what-you-know (password or PIN code) authentication routines with what-you-are (biometric), what-you-do (behavioral biometric) or what-you-have (token) factors. It’s a quick win that CISOs rely on to keep their boards’ interest levels up, further supporting zero-trust and cybersecurity budgets.

Cloud-based PAM vendors are deploying CIEM to harden cloud access management and enforce least privileged access

One of the many reasons cloud infrastructure entitlements management (CIEM) is seeing greater interest is its ability to identify incorrectly configured access rights and permissions on cloud platforms while enforcing least privileged access.

Through 2025, 99% of cloud security failures will be the customer’s fault due to cloud configuration errors. CIEM’s rapid growth is attributable to the increasing complexity of configuring multicloud, hybrid cloud and private cloud configurations. CIEM systems flag and alert on risks or inappropriate behavior and use automation to change policies and entitlements.

CIEM also pays off in cloud configurations by providing visibility across all permissions assigned to all identities, actions and resources across cloud infrastructures.
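The entitlement review that CIEM tools automate can be illustrated in Python. This is an added example, not code from the article or from any vendor it names; it assumes AWS-style policy statements and a constructed usage log, and it evaluates only Allow statements (no Deny, NotAction or Condition handling).

```python
from fnmatch import fnmatchcase

# Constructed sample data: AWS-style policy statements attached to each identity.
POLICIES = {
    "ci-deployer": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
    "report-reader": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::reports/*"},
    ],
}
# Constructed usage records (identity, action), as an audit log would supply them.
USAGE = [
    ("ci-deployer", "s3:PutObject"),
    ("ci-deployer", "s3:GetObject"),
    ("report-reader", "s3:GetObject"),
]

def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def audit(policies, usage):
    """Per identity: overbroad grants, unused grants, and observed actions."""
    findings = {}
    for identity, statements in policies.items():
        used = {action for who, action in usage if who == identity}
        overbroad, unused, covered = set(), set(), set()
        for st in statements:
            if st.get("Effect") != "Allow":
                continue
            any_resource = "*" in as_list(st.get("Resource", []))
            for pattern in as_list(st["Action"]):
                # IAM action names are case-insensitive and may contain wildcards.
                hits = {a for a in used if fnmatchcase(a.lower(), pattern.lower())}
                covered |= hits
                if "*" in pattern or any_resource:
                    overbroad.add(pattern)   # wildcard action or wildcard resource
                if not hits:
                    unused.add(pattern)      # granted but never exercised
        findings[identity] = {
            "overbroad_grants": sorted(overbroad),
            "unused_grants": sorted(unused),
            "least_privilege_actions": sorted(covered),
        }
    return findings
```

A grant that went unused during the observation window is a candidate for removal, not proof that it is unneeded; the window has to cover infrequent jobs before entitlements are tightened.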

Scott Fanning, senior director of product management and cloud security at CrowdStrike, told VentureBeat in an interview that the most critical design goals are to enforce least privileged access to clouds and to provide continuous detection and remediation of identity threats.

“We’re having more discussions about identity governance and identity deployment in boardrooms,” said Scott.

Top CIEM providers

Leading CIEM vendors include Authomize, Britive, CrowdStrike, CyberArk, Ermetic, Microsoft, SailPoint, Saviynt, SentinelOne (Attivo Networks), Sonrai Security and Zscaler.

CrowdStrike’s Cloud Security product includes new CIEM features and integration of CrowdStrike Asset Graph. The latter offers a way to get an overview of cloud-based assets and better understand and protect cloud identities and permissions using both CIEM and CNAPP.

With these two tools, enterprises can gain visibility into and control over which users are accessing their cloud-based resources and how.

Other vendors with CNAPP on their roadmaps include Aqua Security, Lacework, Orca Security, Palo Alto Networks, Rapid7 and Trend Micro.

CISO must-haves for 2023 and beyond

This year, more AM vendors will fast-track their offerings to help their largest enterprise customers consolidate tech stacks while hardening identities. Across the insurance, financial services, manufacturing, supply chain, logistics, pharmaceutical and consumer packaged goods (CPG) industries, CISOs now have a standard set of requirements for AM.

The core aspects of the IAM roadmaps, the “must-haves” for securing identities against record numbers of intrusion attempts, include:

- Achieving and scaling continuous authentication of every identity as quickly as possible.
- Making credential hygiene and rotation policies more frequent; this drives adoption of the latest generation of cloud-based IAM, PAM and IGA platforms.
- Regardless of industry, tightening which apps users can load independently, opting only for a verified, tested list of apps and publishers.
- Relying increasingly on AM systems and platforms to monitor all activity on every identity, access credential and endpoint.
- Improving user self-service, bring-your-own-identity (BYOI) and nonstandard application enablement with more external use cases.

More IT and security teams are evaluating advanced user authentication methods corporate-wide, and are more thoroughly handling standard and nonstandard application enablement. Passwordless authentication is also seeing growing interest.

“Despite the advent of passwordless authentication, passwords persist in many use cases and remain a significant source of risk and user frustration,” Ant Allan, VP analyst, and James Hoover, principal analyst, write in the Gartner IAM Leaders’ Guide to User Authentication.

CISOs need passwordless authentication systems that are intuitively designed not to frustrate users but to ensure adaptive authentication on any device. Leading vendors providing passwordless authentication solutions include Microsoft, Okta, Duo Security, Auth0, Yubico and Ivanti with its zero sign-on product.

Of these, Microsoft’s Authenticator has the most extensive installed base. However, Ivanti’s approach is the most innovative in combining passwordless authentication and zero trust. Ivanti includes ZSO within its unified endpoint management platform. It relies on Apple’s Face ID and biometrics as the secondary authentication factor for accessing personal and shared corporate accounts, data and systems.
