2022 Research Focus

 

Securing and Governing the Digital Enterprise

 

The digital world as we know it has dramatically changed and 2022 is an opportunity and possibly a necessity for large organizations to assess and recalibrate their foundation for securely supporting, scaling, and enabling their New Digital Enterprise. As organizations have been immersed in dealing with the ramifications of the pandemic and associated new accelerated digital engagement models, corresponding investments in governance, IAM, security/risk and other foundational capabilities were often delayed. A positive aspect of the pandemic is a proliferation of innovative and disruptive technologies that should be considered as part of many future state portfolios.

2022 is the year to mitigate risk and gain control of the New Digital Enterprise. Developing the tools, architectures, deployment strategies and selecting the right vendor partners in support of our Enterprise Clients are focus areas that TechVision Research will cover in our 2022 research agenda, workshops, consulting services and Chrysalis Conference. This report outlines our core 2022 research themes and then the specific content we plan to offer our clients in 2022.

 

Identity and Access Management (IAM) for the Digital Enterprise

Identity and Access Management needs to evolve to support the dynamic demands of the new Digital Enterprise while accommodating and integrating legacy environments. Simply put, IAM is the single most important element of the new Digital Enterprise. The scale, relationships, regulatory controls, expansion of objects (like IoT devices, RPAs, Consent tokens…) necessary for the new Digital Enterprise require new, improved and possibly disruptive IAM services. It all starts with Identity; “You can’t govern and secure what you can’t explicitly identify”. 2022 is the year to understand and formalize your processes and develop your modern IAM foundation starting with a Reference Architecture, requirements assessment and we’ll provide the tools to help our clients make progress in this most critical area.

Key areas of coverage include our regularly updated IAM reference architectures and extending the IAM scope to include customers, “things”, processes, and RPA objects. It also includes managing these via improved governance technologies and organizational approaches. We start with the premise that traditional physical perimeters are no longer sufficient as a control plane and IAM MUST be at the center of digital control. With devices and identities increasingly owned by employees/customers, new development models (cloud/microservices) and privacy controls changing the landscape, Identity Management is core to mitigating risks and gaining control. 

“Zero Friction/Zero Trust” Security

Security is more important than ever, but not at the expense of customer engagement. Zero Trust was amongst the biggest buzzwords of the past 4 years, and it is important to separate the concepts of Zero Trust Security from the vendor hype associated with this term. TechVision will look to separate the hype from our specific recommendations as to how organizations can achieve improved security using the concepts of Zero Trust.

But it is more than Zero Trust in that access and security controls must be flexible, dynamic, fast, and “usable” by customers, partners, developers, administrators, and employees. This pragmatic approach to security is what TechVision calls “Zero Friction/Zero Trust” security. The Digital Enterprise is all about engagement and cumbersome security measures are counter to this goal. This theme is about achieving a balance; enterprises need robust security, but they also need to pay attention to the user experience.  Core to this theme is our zero trust / zero friction posture and overarching reference architecture and strategy supporting the approach. Key areas of focus include:

• Visibility and analytics – Applying AI and Machine Learning to Security
• Automation and orchestration – Automate data gathering, security alert and transaction execution, analytics to provide organizations the ability to implement comprehensive defense-in-depth capabilities based on contextual data and a robust IAM foundation.
• Developing an Enterprise Zero Friction/Zero Trust Security Program, Strategy and Reference Architecture.

Understanding and Applying Emerging Technologies

Emerging and disruptive technologies create massive opportunities but create inefficiency and risk. TechVision will help organizations assess how and when to leverage disruptive, emerging, and new technologies. These “disruptors” include categories such as Blockchain, AI/ML, new Internet trust models, IoT, new development approaches and other emerging game-changing technology enterprises should at least have on their radar. Some of these technologies will be applied to specific areas such as Decentralized Identity using Blockchain, Web3, the use of AI/ML in achieving “frictionless security” and how DevOps/Microservices/APIs are changing development and expanding business opportunities.

Building an Enterprise Innovation Capability

This will build off our work over the past several years establishing our Innovation Reference Architecture and subsequent work with our clients on developing innovation programs. In 2022 we’ll look at the products, services, approaches, and organizational models that will help organizations achieve more sustainable and business-relevant innovation. Building out innovation isn’t just about disruption; it is having a business and technical foundation to enable and broadly systematize innovation.

Executive Strategy

This track looks at major technology and business trends, their impact on IT and Security decisions and nets out recommendations for large enterprise leaders. Topics such as new IT organizational models, an executive’s guide to Zero Trust and approaches to influencing customer and employee behavior are within this track. In addition, every research report provides an abstract, executive summary and introductory section as well as conclusions with actionable recommendations.

Research Agenda

Our 2022 Research agenda is enterprise focused, pragmatic and integrates TechVision’s consulting experience and in-depth

research/analysis.  While this is our current research plan, we will iterate going forward based on changes in technology, the markets, user requirements and input from our clients. Planned and published reports in 2022 include:

An Identity Governance and Administration (IGA) Framework for the New Digital Enterprise (Published Q1)

Organizations embracing digital transformation are taking a hard look at Identity Governance and Administration (IGA) programs. Enterprises need a consistent framework for operationally managing and governing their rapidly expanding digital ecosystem and IGA is an important piece. At its core, the goal behind IGA is simple: Ensuring appropriate access, when and where it is needed. IGA combines entitlement discovery, decision-making processes, access review and certification with identity lifecycle and role management.

Developing a Hybrid IAM Strategy & Reference Architecture (Published Q1)

This report focuses on how Identity and Access Management services should optimally be extended (or new capabilities and architectures developed) to support the migration of data and IAM to the cloud while continuing to serve on-premise applications and services. Over the past 10+ years, enterprise IT is accelerating its overall movement to the cloud and in conjunction with this trend, enterprises have migrated many of their IAM capabilities to the cloud. Today, we find ourselves with a largely mixed set of IAM capabilities residing on-premises, in the cloud, or both. The many components that comprise an IAM environment, such as authentication, authorization, account lifecycle management and privileged access today can be orchestrated in ways that give enterprises the ability to run certain capabilities more efficiently in the cloud and others on premise while retaining requisite governance and security. This report will also debut TechVision’s Hybrid IAM Reference Architecture.

Innovation Governance (Published Q1)

Much like a manufacturing plant focuses on producing product, an innovation system focuses on producing commercialized inventions. And in a similar way, the innovation system needs to be observed, measured, and improved.  This report focuses on recommendations on how to coordinate and govern enterprise innovation.

Securing Your Supply Chain in an Era of Uncertainty (Published Q2)

For years we have been writing about elements of a larger movement to the next generation of web services. Decentralized Identity, Blockchain, Smart Contracts are all subjects we have covered over the years. Many of these elements are being incorporated into a new vision of the Web, Web3. People define it in a few different ways, but at its core is the idea of decentralization, which we’ve seen with cryptocurrencies (key drivers of Web3). Rather than Google, Apple, Microsoft, Amazon, and Facebook hoarding everything, the internet will supposedly become more democratized. This report covers the projects and foundations that are taking this movement forward and attempts to add some perspective beyond the hype.

Can the Industry get to Zero Passwords? (Q2)

Distributed Identity, “password-less” authentication and other approaches to reducing or eliminating passwords continue to resonate with individuals and enterprises.  50% of help desk tickets and customer issues are password related.  Managing 100s of passwords has gotten out of control, and most of the time when accounts are hacked, they are not guessing your password. This report will objectively assess where the industry is, where it is going, where it should be going and how enterprises should prepare for a Zero or at least a reduced password world.

Developing a Modern Unified End Point Security Foundation (Q2)

This report describes a foundational approach to end-point management and security to move from a reactive to a preventative approach. Traditionally endpoint security is comprised of dozens of different solutions, but the pandemic has demonstrated that end-point integration, consolidation, consistency, and usability is the direction most large enterprises need to aspire towards. Major requirements to be addressed in this report include:

• Protecting users by securing endpoints working outside network security boundaries
• Achieving a low-friction user experience to keep the workforce productive
• Support for non-standard and expanding use cases, such as protection for IoT and Linux/Unix devices
• A platform to enable businesses to manage access risk, reduce support costs, and comply with regulatory requirements

Enterprise Security Framework and Updated Reference Architecture (Q2)

This foundational security report builds on our multi-cloud security reference architecture report last year and describes how enterprises can systematically approach risk management with documented, agreed-to and understood policies, procedures, and processes that define how information is consistently managed and decisions are made in an organization. The end goal is to of course decrease risks and security vulnerabilities while increasing confidence internally and externally in the enterprise security posture in an increasingly complex and exposed world.

JIT Access and Authorization (Q2)

This report describes Just in Time (JIT) authorization in the context of the new normal and BYOI.  We examine how enterprises instantly offer access at acceptable risk levels and how Just in Time IAM will be used to make streamlined, real-time authorization decisions. Microsoft and others are putting major stakes in the ground in this area. We’ll examine the technology, the vendor landscape, and make recommendations on the way forward.

Microservices, Macro Risk (Q2)

We have seen microservices become a highly popular method for developing cloud-based applications. It is simple to deploy, and the ability to upgrade application components without significant downtime allows providers to offer enhanced service level agreements and reliability statements for their customers, resulting in an overall better customer experience. Many of the applications and services we use daily are developed in this way. They have become so reliable that even a moment of outage feels unacceptable, when in the past, it could be the expected norm for systems to go offline for hours in a month for ‘service upgrades.’

For all the positive benefits of microservices, security has proven to be a challenge as microservice adoption and deployment grows. Each microservice needs to expose its own set of APIs, communication methods and entry/exit points to be viable – and each of these carries a level of risk. Because applications are made of these components as well as services developed by third parties the industry have begun to understand that securing the “software supply chain” is critical to business success. This report covers the need and approaches to securing the software supply chain.

New and Emerging European Identity & Cybersecurity Initiatives and Regulations (Q2)

This document describes the plethora of regulations, directives, and supranational organizations in Europe focused on identity, cybersecurity, and privacy.  

In 2021 the European Commission (EC) proposed a framework for a European Digital Identity which will be available to all EU citizens, residents, and businesses in the EU. 

In parallel the EU is adopting a wide range of cybersecurity, trust, and privacy-related measures to protect infrastructure, governments, businesses, and citizens. This includes:

• The revised directive on security of network and information systems (NIS)
• The EU Cybersecurity Act, including the strengthened role of ENISA (the European Union Agency for Cybersecurity) and the introduction of the European Cybersecurity Certification Framework
• The EU blueprint for coordinated responses to large scale cyber incidents
• The European Cybersecurity industrial, technology and research competence centre, together with the network of national cybersecurity centres
• The European Cyber Security Organisation (ECSO)
• Data Governance Act (proposed)

This report will help businesses with interests in Europe meaningfully navigate this labyrinth of inter-related initiatives and give US-based organizations food for thought as to where they should be going.

Recalibrating the Future State IT Organization (Q2)

TechVision developed a future state document several years ago called “The End or EA an IT as we know it” that described an environment in which IT was becoming “cloudified” how this fundamentally changed IT. We followed up with a document describing the new IT organizational model. Given the changes in technology and the world over the last few years it is time to revisit IT organizational models and goals in the context of the new Digital Enterprise

Secure Access Service Edge (SASE) Level Set and Enterprise Strategy (Q2)

Secure Access Services Edge is the latest buzzword in network security.  This research report builds on previously published Zero Trust Networking and discusses how enterprises can leverage SASE in their Zero Trust strategy.  This research also looks at zScaler, PaloAlto, Fortinet, and Cisco solutions and how each approaches SASE.

The Future of Identity Management 2022-2026 (Q2)

This is an updated version of a report we have produced annually since 2015. This includes TechVision’s Top 12 list of IAM areas of enterprise investment consideration over the next few years based on key future-state requirements, business needs and technology directions. The future of IAM will be driven by the needs of the Digital Enterprise and will have a major impact on key security and identity services.

Unified Communications as a Service (UCaaS) Security (Q2)

Most enterprises have stringent document and email management policies but lack real-time collaboration and communication security and privacy controls. Platforms such as Cisco’s WebEx, Microsoft Teams, and Zoom offer different levels of security and privacy control.  This research builds on the previously published UC security research and provides enterprises with recommendations on how they should secure their collaboration tools in this time where people are working from everywhere and using cloud-based collaboration platforms.

Zero Trust Strategy and Approach: Executive Level-Set (Q2)

Zero Trust is one of the most visible and most misunderstood terms in the security space. This has opened the door for a massive amount of marketing by vendors and confusion by executives. Zero Trust is not a product or service, but an approach to providing modern security services. This document provides an Executive Level-Set supporting the development of a well-thought-out security program including the concept of Zero Trust. Our goal is to simplify the concepts, cut through the hype and focus on the steps enterprises should take to modernize their security programs. 

AI Support for Network Performance and Security (Q3)

Networks spew tons of data regarding users and devices connecting to services and applications.  Artificial Intelligence is allowing enterprises and service providers to harness this data into meaningful information including anomaly detection of suspicious/malicious traffic and common problems and bottlenecks that impact performance. This research provides enterprise recommendations on how, when and to what level AI should be leveraged within their network and security management portfolio.

Applying Artificial Intelligence (AI) and Machine Learning (ML) to Security (Q3)

Consumers and employees want security that isn’t invasive or cumbersome. The use of big data analytics, AI and ML provide a path towards more proactive security that “may” be less burdensome for the users. Virtually every security vendor claims to be leveraging AI, but all applications of AI and ML are not created equal. We’ll describe the approaches, enterprise recommendations and key vendor offerings in this report.

Decentralized Identity Enterprise Planning Guide (Q3)

This is an area TechVision has extensively covered for the past five years, and this report focuses on providing an update as to the vendor landscape, use cases, architecture, integration with other technologies with specific recommendations for vendors and end-user organizations.

Developing a Customer IAM (CIAM) Strategy and Roadmap (Q3)

Customer IAM (CIAM) provides a gateway to the customer and is one of the most important elements of any Digital Transformation program. CIAM is often the first “touch point” an organization has with a prospect and is an on-going reflection of a brand. Get CIAM right and you will attract customers, drive revenue, and represent your organization in the best light; get it wrong and your business will suffer.

In this report, we provide a foundation for enterprises looking to build an IAM foundation to support the engagement of customers, prospective customers, and external stakeholders in the context of business goals. We’ll also release our updated vendor short list as this market has substantially changed over the past few years.

Global Digital Identities: Standards, Schemes and Scale (Q3)

The vision of a global digital identity framework has been around for decades and has been as elusive as the legendary pot of gold at the end of a rainbow. From the early days of directory services to the more recent promise of distributed ledger technologies, there have been numerous proposals and initiatives to crack the nut, which at first appears deceptively straightforward but gets ever more complicated the further you examine it.

This report will analyse the key standards, architectural elements, governance models and integration tools and approaches needed to extend/integrate existing services while transitioning to lay the foundation for the future. 

IAM Use Case: Supporting List and Campaign Manager (LCM) in Contact Centers (Q3)

Contact Centers are where people who do not know each other have a conversation in real-time.  Establishing identity and trust is critical to ensuring a successful interaction and experience.  This research will look at evolving industry best practices in the Life Cycle Management of Identity and Access Management (IAM) in contact centers and taking advantage of smart devices to provide a seamless experience.

Multi-Cloud Internetworking & Security (Q3)

Setting up AWS, Azure, Google is straight forward, but getting applications to work across multiple IaaS platforms requires additional planning and tools.  Enterprises looking at creating shared services to be used across private and public clouds such as IAM, Logging, MFA, … will find that this research offers a reference architecture in how to set this up. 

Proactively Addressing the Security Talent Gap (Q3)

There is a massive global shortage of cybersecurity professionals; and it is even more daunting with the high demand for newer skill sets in areas like SecDevOps, cloud and hybrid security, the use of AI/ML and rapidly updated security frameworks. The importance of this area has accelerated during the pandemic and narrowing this gap is a major challenge for most organizations. This report outlines how enterprises are coping with the scarcity of critical security resources and suggests approaches to get ahead of the security talent gap.

Supporting Methods and Procedures for Innovation (Q3)

For innovation to be effective, it needs to become a core competency, it must be supported as any other business activity within the company. It needs to have a defined business process, specific tools and methods, resources, incentives, and training. These are the focus of this report.

The State of Enterprise Blockchain 2022 (Q3)

Bitcoin’s underlying blockchain technology has certainly caught the attention of the world’s largest corporations and organizations to date. Despite the growth of thousands of cryptocurrencies and decentralized solutions, there is also a growing wave of enterprise adoption, and the growth of these technologies as major companies and huge corporations look to implement distributed ledger technology.

There is no denying that the integration of blockchain technology has begun, and the move towards more advanced, and more decentralized solutions is happening. In this report, we will be examining the way in which enterprise platforms have adopted blockchain technology over the last few years, and how the integration is going today.

Using Location in MFA Strategies (Q3)

Every location in the world has a unique RF signature that should be added to enterprise MFA strategy.  UWB technology used in Apple Airtags is another location-based solution that can ensure secure access and is a factor that can’t be stolen or forced from a person. This report highlights the different technologies that can pinpoint an access location that can be used as part of IAM risk assessment.

Building a multi-cloud strategy (Q4)

Moving forward, more organizations will likely build cloud-native apps with little to no reliance on a specific cloud provider. This enables enterprises to avoid vendor lock-in and exploit best-of-breed solutions. Some other significant benefits of adopting a multi-cloud strategy include better disaster recovery, optimal ROI, high level of security, and low latency. These value propositions alone justify the widespread adoption of multi-cloud infrastructure solutions in the future.

This “cloud expansion” in multiple directions, supporting many teams with different needs, is now becoming commonplace for enterprises. The proliferation of multiple public cloud providers, private cloud environments, edge cloud providers and data centers have their tradeoffs. Within each environment is an ecosystem of proprietary tools — security, automation, training, analytics, disaster recovery. IT leaders are increasingly looking for converged, connected tools that are built and deployed on a variety of different architectures and hosted in different environments. They need and want to unify applications, integrate cloud services, and deliver flexible and deployable consumption models.

This report outlines an approach to a multi-cloud strategy, including recommendations on deployment strategies, management platforms, cost management, data security, and governance.

Changing Customer and Employee Behaviors (Q4)

The best technology strategy does not translate into the best digital strategy.  Humans are emotional and getting them to change can be daunting.  This research will touch on ways CIO’s can manage their staff, customer base and partners to ensure the best outcomes.  For instance, if CIO’s permit bad behavior (even with and especially with strong performers), they are implicitly promoting it, and it will eventually spiral out of control.  Valerie Slaymaker, who is a PhD Clinical Psychologist, and spent 20 years at Hazelden Betty Ford, researching and teaching on changing behaviors, will co-author this paper with TechVision.

Cloud-based Identity Services (Q4)

Cloud identity management is a lot more than just a simple web app SSO solution. Think of Cloud-based Identity Services as the next generation of IAM; a holistic shift of the entire identity infrastructure to the cloud, including the identity provider, SSO, MFA, PAM, IGA, and much more.

This modern adaptation of IAM is optimized to be used across any device, on any operating system, with any on-prem or web-based application or any cloud, on-prem, or remote resource. Modern cloud IAM solutions are also focused on being multi-protocol to enable virtually any IT resource to connect in their “native” authentication language.

This report will outline recommendations on identifying requirements using a reference architecture and a short list of vendors that support the various aspects of this next generation of IAM.

Developing a Culture of Innovation (Q4)

This executive track report describes the people and culture aspects of innovation. For the foreseeable future, innovation will require people and their connections with other people to succeed. To succeed in internal innovation, the enterprise must be conscious of the soft factors, culture, employee skills, and motivation that drive behavior. You must adjust these soft factors to match what’s needed to foster and nourish intrapreneurs. These changes as well as organizational structures are covered in this report.

DevOps – The Next Normal (Q4)

DevOps has established itself as an indispensable software development methodology. Courtesy of its enticing benefits such as faster software delivery, improved quality, and high customer satisfaction. Amid the pandemic, DevOps gained huge prominence as it streamlined remote collaboration to facilitate agile development practices and infrastructure flexibility.

Even though DevOps is not a buzzword anymore, there are significant changes afoot in the field. New practices, technologies, and trends are making DevOps an exciting place to be right now – and in the future. In this report, we have curated the top trends and predictions that are set to shape the future of DevOps.

Identity Lifecycle Management (Q4)

Managing digital identities is a complex task, especially as it relates subjects (people, assets, services, etc.) and their relationship with organizational resources with a digital representation. As these identities proliferate it becomes harder to effectively enable subjects and protect resources. Automation can enable the organization to scale more effectively and keep the identities and their access to resources accurate from the moment a subject is on-boarded to the moment they leave the network.

This report will outline the lifecycle management phases for subjects, applications, and resources as well as the strategies that can be used to define and govern digital identities.

Master Data Model for Security (Q4)

The Master Data Model is an information model of business concepts (or entities) and how they relate to one another. The key distinction from other information data models is that the Master Data Model uses business terms and is simplified to serve the business interests and purpose. Master Data defines ownership, governance, security levels, data quality and more. In short, the business decides what Master Data is and how to govern it, whereas IT makes it work seamlessly between systems on a technical level.

TechVision has a strong belief that all security rules should be easily understood by both humans and machines. In other words, security needs a Master Data Model. This report provides a foundation for developing understandable security and forging stronger links between business goals and security policy.

The Next Frontier of Risk Management (Q4)

This report describes TechVision’s risk management framework and control taxonomy. It builds on the Factor Analysis of Information Risk (FAIR) by making it more granular and connecting this model with effective controls.

Zero Knowledge Proof (Q4)

This document focuses on the task of getting rid of centralized databases containing passwords, biometrics, and other private data – A continuation of the Zero Passwords story but providing minimal disclosure of PII serves customers and partners concerned about privacy and mitigates regulatory risk. This report covers the current landscape and future state of Zero Knowledge Proof.

Zero Trust Networking (Q4)