Consolidation and Regulation in Identity and Access Management

Find out how consolidation strategies and regulations affect the evolution of IAM.

March 17, 2023

2022 has been a huge year for the cybersecurity industry. The market has swelled to a hitherto unimaginable size, attack rates have soared, and the threat of cyber war has become worryingly close to reality. But 2023 has the potential to be even more impactful, says Alan Radford, regional CTO at One Identity. 

Incoming vendor consolidation and CNI regulation are set to rock the industry at a scale that is without precedent and will have seismic effects on how security and IT budgets are set and how security vendors engage with both their customer base and regulators.

Where Does Consolidation Feature In IAM (Identity and Access Management)?

Vendor consolidation will be one of the most significant trends of 2023. The market is crying out for consolidation and simplification, and we’ve already seen hints of this in the latter part of 2022. For customers, a point solution is no longer enough; they’re looking for more unified security solutions. This is confirmed by a recent One Identity survey, which revealed that 83% of security professionals believe complexity is holding them back from implementing the appropriate security controls, while 65% backed a unified model. As a result, 2023 will see a flurry of major M&A activity.

This is obviously a huge step for the industry’s development, but in its first stage it may also cause significant disruption. Renewed contracts, which are going to be a major result of M&A activity, will be the most sensitive point for clients. Some vendors will move away from more traditional license renewal models in favor of subscription services that provide annual recurring revenue. This strategy will allow them to cut costs and will therefore lead to the discontinuation of on-premises products in favor of SaaS.

This presents a problem for customers, especially those who hold perpetual licenses and are not ready to move completely to a subscription model. As a result, customers will begin to move away from vendors that do this.

To avoid such situations, the transition must be smooth. While the market is moving towards SaaS-delivered services, not all customer segments and regions are adopting SaaS at the same rate. Therefore, many businesses will need to adopt hybrid models for at least another two to three years. 

However, the reality is that vendor consolidation is sorely needed. According to Microsoft research, the average large company has a staggering 75 security solutions, while 13% of all businesses use over 20. The problems inherent in managing so many security solutions are innumerable and could spell disaster for many organizations if they aren’t remediated.

As an economic downturn looms, organizations are looking to cut costs wherever possible. Throughout 2023, we saw countless examples as to why jettisoning cybersecurity programs is a bad idea, but businesses have done so and will continue to do so unless the cost of those programs is brought down in a significant way. By consolidating security solutions, organizations can achieve this, thus eradicating the need to cut cybersecurity initiatives in their entirety. 

What’s more, managing too many security tools can leave organizations vulnerable. Not only is managing multiple vendor relationships costly and time-consuming, but it also results in information siloes. Siloed information means weak visibility, which can be exploited by cybercriminals. By consolidating solutions, organizations ensure that these siloes are eradicated – security insights are displayed on fewer dashboards and thus are less likely to be missed.


How Do Evolving Regulations Affect IAM?

Earlier this year, the UK Government put forward a proposal for new security regulations and codes of practice in the telecoms sector. Set to be implemented by March 2023, the proposal is without question one of the most significant cybersecurity documents ever published. 

The proposal is a particularly impactful example of a government waking up to the fact that the internet is a legitimate avenue of war and has been for some time. It’s a recognition of the fact that ineffective cybersecurity in the UK telecoms sector is a threat to national security. 

Far from being a one-off, the proposal is likely a precursor of wide-ranging security regulations across the UK’s critical national infrastructure (CNI). Throughout 2023, we will see regulations such as mandated multi-factor authentication (MFA), breach and attack simulation (BAS), and login location tracking slapped onto the UK’s CNI organizations, with sectors such as energy and water likely the next dominoes to fall.

The UK government has been historically reluctant to interfere with the private sector’s affairs, and the cybersecurity of private businesses has been no different. But the dam has seemingly burst – 2022’s National Cyber Security Strategy expressed a need for a “holistic” approach to national cybersecurity in which the private sector plays a far more significant role. The telecoms security proposal seems to be the first major step towards achieving that, and it’s likely only the beginning.

We see these sweeping regulations being suggested across the globe. The USA’s all-powerful Securities and Exchange Commission has also suggested incoming rulings which would impose mandatory and regular disclosures on cybersecurity practices at public companies. Under the proposal, public companies would need to disclose the following:

  • When the incident was discovered and whether it is ongoing.
  • A brief description of the nature and scope of the incident.
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose.
  • The effect of the incident on the company’s operations.
  • Whether the company has remediated or is currently remediating the incident.

The European Union is another region where 2023 looks to be a year of increased regulation. The NIS2 Directive, drawn up in 2016, came into force in 2023 and provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:

  • Member States are prepared with a Computer Security Incident Response Team (CSIRT) and a competent national network and information systems (NIS) authority.
  • Increased cooperation among all the Member States, by setting up a Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States.

A Culture of Security

Most difficult to enforce, however, is the requirement for a culture of security across sectors that are vital for our economy and society and that rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.

All in all, 2023 is set to be one of the most important years in the history of cybersecurity. The market will be rocked by vendor consolidation, resulting in a tumultuous but largely positive year. Private businesses, especially CNI sectors, will be forced to adhere to unprecedented regulations in the face of threats to national security. 


Alan Radford
Alan Radford is a technology strategist responsible for EMEA field strategy at One Identity, with 20 years’ experience in Identity Access Management. An experienced business owner and subject matter expert in Identity Governance and Privileged Access Management, he has worked with organizations across the globe facing unique challenges in the IAM space, bringing innovation and thought leadership to successful IAM strategies.