Identity and Access Management to steal the spotlight at RSAC 2025 – Go Health Pro

It’s been nearly five decades since the question “Who Are You?” was posited by the eponymous British rock band The Who. Fifty years later, the question takes on even more urgency in the context of cyber when it comes to determining exactly who someone is.  In the week ahead, the topic of who and identity will become a focal point in the IT security landscape, one that will be widely addressed, discussed and dissected at the upcoming RSAC conference in San Francisco, which starts this Sunday.

Your identity guide for RSAC 2025

Specifically, industry presenters will expound on the crossover between identity and cybersecurity, how and why more attackers are targeting identity and access management (IAM) tools and procedures, new approaches to managing identity (without unnecessarily complicating the user experience) and, perhaps most intriguing, the role of “non-human” or machine identity as well as its use with AI.

“Identity has been a significant blind spot, whether it’s from the IAM vendors directly [who have] dropped the ball, as evidenced by most breaches being due to IAM failures and exploits,” says Dave Mahdi, chief information officer for Transmit Security, a Boston-based identity and anti-fraud systems vendor. For his part, Mahdi will be presenting on two separate RSAC panels related to identity issues, “Fraud, Risk, Hollywood & Government — A Strategy for AI Across Industry” and “Scams, Fraud & Identity: Why Attacks Require UX Focused Identity Security.”

Like many other industry experts expounding on this heightened focus on identity, Mahdi said he sees more traditional cybersecurity vendors incorporating “identity context and functions into their platforms [as] identity and cybersecurity functions merge.”

Mahdi’s presentations will focus largely on how “cybersecurity and fraud are intertwined. Attacks often begin with scams.”

“Vendors are blending their capabilities,” he added, “and we’ll see overlap with the anti-fraud space as well.”

On the flip side, digital attackers will continue their onslaught on the front end. “Most attacks already involve some identity compromise,” Mahdi pointed out. Hence, he said he expects to see industry demonstrations on detection and remediation at the IAM stage.

Fei Liu, senior emerging tech researcher for Okta Inc., a long-time IAM vendor based in San Francisco, will also be speaking at RSAC, at a presentation entitled: “From Ideal to Real: Demystifying Passkey Concepts and Implementations.”

As identity strategies rapidly evolve to combine with IT security and more effectively fend off attackers who want to come in through the front door, Liu said she believes that “passkeys hold great promise to finally replace passwords. They offer more phishing-resistance than passwords and traditional [multi-factor authentication] methods.” However, she added, this transition could introduce a new set of “challenges related to inconsistent experience across operating systems, passkey sprawl, co-existing passwords, and managing lifecycles within various applications.”

Who are you? A bot!

While all these topics warrant closer focus, probably the most critical and hyped identity-related issues at RSAC will swirl around “securing non-human identities” and the closely connected topic of AI, according to both Liu and Mahdi.

Non-human identities, including AI agents, are “expected to grow exponentially, but most organizations don’t have a strategy for managing them,” said Liu, which presents a challenge in light of AI’s unprecedented expansion.

“Unlike traditional identities, AI agents need access to user-specific data and workflows to make decisions,” Liu added.

Without sufficient controls, Liu said that these identities might have “too much access and autonomy – increasing the attack surface and potential for unauthorized movement within an organization’s systems.”

“Not only are companies struggling to keep up with the number of non-human identities,” Liu said, “they are also grappling with the new identity security threats that go along with them.”

Mahdi agreed that managing these machine and non-human identities (which can incorporate APIs, containers, applications and cloud assets) is a subject that is “gaining urgency” — and one he expected to be talked up at RSAC. Unsurprisingly, the effect that generative AI — especially the buzz around so-called “agentic AI identity” — will have on identity management is expected to pull focus at the conference, he added.

“AI will continue to drive new threats and identity security challenges,” agreed Liu, adding, as an example, that AI-enabled deepfakes have made phishing attacks more sophisticated.

Liu cited Okta’s 2025 Businesses at Work Report, which found that concern for deepfakes is driving adoption of ID proofing tools, which have grown 11% since last year as companies try to prevent AI attacks including deepfakes.

“Generative AI is also making attackers more efficient and effective,” Liu noted, even when it comes to identity.

As an example, she pointed out that Okta Threat Intelligence research revealed that North Korean IT worker scammers are using GenAI tools to apply for and gain employment in remote technical roles. “The scammers use GenAI tools to do everything from managing communications of multiple personas to testing and improving the likelihood that a job application will pass automated checks.”

Product Palooza 

In 1971, years before The Who musically asked “Who Are You?,” the band’s guitarist and chief lyricist Pete Townshend said he and his generational peers “Won’t Get Fooled Again.” For the companies that want to reduce their risk of getting fooled by compromised or fake identities, there are a host of vendors announcing new products and services, as well as increased funding for their efforts, at RSAC 2025. These include:

  • LastPass, a Boston-based password and identity management company, will launch its Secure Access Experiences service, which is targeted at helping small- and mid-sized businesses better manage their systems’ login and access management. “For too long, solutions that manage employee access to critical systems and data have been overly complex and expensive for small- and mid-sized enterprises,” said Don MacLennan, chief product officer at LastPass, in a prepared release. The initial rollout will begin with SaaS monitoring, which should be available through a browser extension in mid-May.
  • Seoul, South Korea-based CryptoLab, which has long focused on homomorphic encryption, is debuting its “Encrypted Facial Recognition” product. The CryptoLab facial recognition product “aims to overcome the security limitations of conventional facial recognition systems” by not only encrypting the stored facial templates but also conducting biometric matching while the data remains encrypted. It also promises to fend off not only current threats but also “those posed by future quantum computing,” according to the company’s release.
  • X-PHY just launched its Deepfake Detector, directed at helping companies “to verify the authenticity of videos, audio, and images directly on their devices, without relying on the cloud,” according to a release from the San Francisco-based cybersecurity products provider.  
  • On a similar front: Atlanta-based email security vendor Ironscales will unveil its own “deepfake protection for enterprise email security” designed to identify and neutralize deepfake-driven threats in real time. 