The annual Gartner Security and Risk Management Summit is always fertile ground for discovering the latest trends in cybersecurity, with this year being no exception. The 2023 event was held in early June, and central themes of this year’s summit were the increasing complexity of managing cybersecurity adversaries, the increase in data breaches, and the heightened risk identity poses in an ever-evolving digital landscape.
One of the most significant takeaways from this year’s summit is the role of Privileged Access Management (PAM) within the Cybersecurity Mesh. The Cybersecurity Mesh is a distributed architectural approach to scalable, flexible, and reliable cybersecurity control. It allows the security perimeter to be defined around the identity of a person or thing, highlighting the critical role PAM plays in modern cybersecurity strategies. The shift to remote work, accelerated by the global pandemic, and the subsequent rise in cloud-based infrastructures have further emphasized the importance of the shift from infrastructure-based perimeters to identity perimeters.
Granting privileged access from the identity POV was echoed by many of the Summit’s speakers, reflecting a growing concern that many organizations are inadequately prepared for the risks, especially as outsourcing of IT and infrastructure management reaches new heights. Oversights in managing privileged access are one of the leading causes of data breaches, both internal and external to the organization.
Zero Trust and PAM
Another key talking point was the intersection of PAM and Zero Trust frameworks. The Zero Trust model operates under the principle that no user or system should be automatically trusted, even those within the network perimeter.
With the increasing adoption of Zero Trust frameworks, PAM is positioned as the most critical component in achieving significantly reduced risk. The summit emphasized how PAM is crucial in implementing a successful Zero Trust strategy, as it helps enforce the principle of least privilege, limiting access rights for users to the bare minimum permissions they need to perform their work.
PAM and Cloud Security Posture Management
The Gartner event also addressed the growing importance of PAM in securing cloud environments. Speakers and attendees discussed the need to manage privileged access not just for human users but also for an ever-growing population of non-human entities such as bots, service accounts, and APIs.
As the number of identities grows exponentially and as organizations increasingly adopt multi-cloud and hybrid cloud strategies, the need for a single identity security umbrella across environments becomes crucial. Discussions emphasized the need for solutions capable of discovering all identities and credentials that exist, then extending the principles of entitlements management, just-in-time privilege controls, and robust auditing across clouds.
AI and Automation, and the Impact on Identity Security
Many of the conversations at the Summit were centered around the role of artificial intelligence (AI) and automation in enhancing PAM capabilities. With increasingly complex IT environments, manually managing access privileges can be challenging. Leveraging AI and automation can help identify potential risks, enforce consistent access controls, and streamline the auditing process.
Gartner analysts highlighted the growing adoption of these technologies in PAM and projected that their use will become more mainstream in the coming years. However, they also noted that while automation can reduce the risk of human error and improve efficiency, it should be complemented by well-defined processes and controls to mitigate potential risks.
With AI and ML being increasingly used to improve security measures and predict threats, there’s also a rising concern around their use for malicious purposes. The need for AI and ML in cybersecurity and the risks associated with them are likely to be a hot topic.
Simplicity Drives User Adoption
One question posed by a speaker was, “Where is the chocolate in the security program?” The question referenced how people simply do what is natural, such as being lazy or being fearful of shame, and thus often take the easy way out, like choosing chocolate over kale. Both keynotes emphasized the need to simplify security in order to gain end-user adoption, reinforcing the goal to make security easy to adopt and simple to use.
With the plethora of security tools and the massive lack of cybersecurity professionals, Gartner called for Minimum Effective Insights as indicators of successful security programs, and Minimum Effective Toolsets to achieve the desired results. Gartner analysts specifically called out both consolidation where it makes sense and the need for better interoperability through a cybersecurity mesh.
Gartner also appealed for Minimum Effective Expertise given that demand for cybersecurity professionals continues to increase even as a 3.5M-person deficit exists, driving the need for cyber risk-informed autonomous decisions. And finally, Minimum Effective Friction is needed to gain user adoption by making it simpler to do the right thing vs. knowingly bypassing security guidelines, reiterating the need to adopt Passkeys (FIDO2) and adaptive access controls.
As security professionals and vendors, we need to work to remove the friction to enable people to behave in a security-conscious way.
The Future of PAM
Looking to the future, the summit’s discussions pointed towards a continuous evolution in the PAM space. With the increasingly hybrid nature of working environments, organizations will need to take a more holistic and adaptive approach to PAM, one that can effectively manage privileges across a diverse range of systems and environments, both cloud and on-prem.
Gartner analysts also forecasted that the next generation of PAM solutions will likely incorporate more advanced features like behavioral analytics and predictive risk scoring, adding more layers to the security of privileged accounts.
The 2023 Gartner Security and Risk Management Summit underscored that in a world where the digital landscape is changing rapidly, the value of effective Privileged Access Management cannot be overstated. The event served as a critical reminder that organizations need to prioritize PAM to secure their digital assets and protect against the increasingly sophisticated cyber threats that lie ahead.