I’m actually not a fan of the tech industry’s tradition of winter prognostications. It’s a weird combination of throwing darts, shoehorning guesses into the “but a clock is right twice a day” box, and the dregs from a white elephant exchange at the office: predictions that are wildly off-base but entertaining to read; predictions that pose no risk to the prediction-maker if they don’t turn out, or look like a fluke if they do; and predictions that are throwaways.
I promise I’m not a holiday grinch. So, to prove it, I’ll lay out five tech predictions for 2024 — and how executive and management teams can prepare for the coming year.
A greater focus on single sign-on…by attackers
In the waning days of 2023, Microsoft Threat Intelligence warned us of attackers “misusing OAuth applications as an automation tool in financially motivated attacks.” OAuth, and similar technologies like SAML and WS-Federation, are frequently used in larger enterprises to streamline authentication across multiple applications. For example, OAuth can allow users to switch seamlessly between Microsoft 365, Salesforce, and Zscaler, through the use of token-based authentication, rather than each application separately prompting for username/password credentials. And what’s made single sign-on (SSO) authentication useful is the ability to overlay multi-factor authentication (MFA) and conditional access and risk controls to logons.
But as Windows admins learned in the 2010s, tokens are not a golden ticket for security (pun fully intended). The targets of OAuth attacks, as Microsoft writes, were accounts lacking unique passwords, MFA, or some form of conditional access or risk evaluation — and, of course, accounts with admin-like privileges to create and manage OAuth applications.
Prediction: Cyber threat intelligence firms will see a notable increase in attacks targeting SSO in 2024.
To-do for ’24: Take a cue from your favorite cybersecurity risk management framework and ensure you have an inventory of your privileged users. Then make sure you’re logging and auditing their actions, and enforce the use of multi-factor authentication and conditional access policies.
Bonus to-do: Log and audit your identity management system for changes to your SSO configurations. Every enrollment — and de-enrollment — should correspond to an approved change. Your SOC should be able to line up a config change in OAuth with a change request, without having to call the product manager at 3 am.
SaaS platforms will go hard on MFA adoption
In recent years, vendors building web-based software — Software-as-a-Service, or SaaS platforms — have added multi-factor authentication (MFA) to user logins, or started enforcing MFA either for privileged users or for all users.
In October 2023, the genetics testing firm 23andMe fell under scrutiny for what was initially believed to be a data breach, in light of a dark web post hawking customer data. As subsequent news reports and the company’s own statement clarified, the breach turned out to be a case of credential stuffing — where users reuse the same password on multiple sites, and a breach of an unrelated site exposes the password. While 23andMe offered MFA for users, it wasn’t required.
Prediction: Big names in SaaS platforms and “apps”, both for consumer and business, will force users to enroll in MFA starting in 2024.
To-do for ’24: Management teams should look hard at the SaaS platforms they integrate with. Do they support MFA, or tie into your own MFA by way of SSO? If not, think hard. Your firm may be taking on a lot of risk, and remember: with SaaS, you don’t control the data.
Generative AI will be 2024’s metaverse
In case you haven’t read, I’m a huge critic of generative AI. Not because I don’t think the technology can be useful — it can be — and not because I don’t think the underlying technology has broader applications — it does — but because too many companies are trying to apply a nondeterministic technology (generative AI) to problems that require deterministic solutions.
Matt Day of Bloomberg Technology wrote in late December about Amazon Web Services’ annual convention, re:Invent. He pointed out that this year’s event, which draws tens of thousands of AWS customers and prominent names in tech to the Las Vegas Strip, felt like an attempt to shove the letters “A” and “I” into every presentation, breakout session, fireside chat, and freebie giveaway. It was, as Day wrote, “evidence of a massive, companywide effort to catch up” with the likes of Microsoft, OpenAI, and Google. He cited a Wall Street analyst note: “This is what last place looks like.”
Yet most of the AI madness is centered around generative AI — think chatbots like ChatGPT and Bard, or image generators like Stable Diffusion. The use of AI for predictive analytics, machine learning, and similar applications — which rely heavily on the same graphics processing unit (GPU) chipsets from companies like Nvidia and the same technical concepts like neural networks — has been around for just as long, but product successes have so far been few and far between.
Prediction: generative AI will fizzle out in 2024. But AI for analytics will start to hit its stride in late 2024 as C-suites pivot and find use cases that actually pay off.
To-do for ’24: Now is the time for management to look across the business and see where analytics can play a role. Identify areas of inefficiency that don’t lend themselves to traditional statistical analysis — these will be great candidates for the next phase of AI/ML, and while your competitors’ data scientists are sitting on their hands, your team will be busy crunching vectors.
Windows Server 2025 is announced…with on-prem AD deprecated
*bombshell*
The current release, Windows Server 2022, was yet another iteration of the longtime server operating system from Redmond, Washington. And to no one’s surprise, there was no new forest or domain functional level, no schema updates, etc. On-premises Active Directory hasn’t had anything new for quite a while.
We already know that Microsoft is developing IAKerb, which will replace NTLM as the non-domain-joined authentication method for accessing AD domain resources. And devices can be Microsoft Entra joined, the work-from-anywhere version of a traditional AD domain. On-premises AD really only exists when you, well, have your own AD hardware on-site. But in a world where Microsoft 365…
Prediction: Microsoft announces Windows Server 2025 in spring 2024. Microsoft also announces they are deprecating Active Directory Domain Services (AD DS).
To-do for ’24: If you’re still running on-premises AD, you really need to ask yourself one question. (No, not “why.”) “How do we successfully migrate to Microsoft Entra?”
Bonus to-do: In today’s world, services truly requiring a domain-joined machine are a rarity. Your email is in the cloud; so is the HR application, your code repository, point-of-sale system, accounting, etc. Cloud compute workloads are rarely logged into, and secrets management software can provide emergency RDP or SSH credentials on a just-in-time basis. Take a step back and review your technology stack. You might be surprised by how much doesn’t rely on the proprietary aspects of Active Directory.
The humble watch will see a resurgence, on the wrists of Gen Z
Millennials who traded their peak Bitcoin for the luxury watch market might be regretting their decision, as Bloomberg reported in December 2023 that prices on fancy timepieces are in a clear decline. “I believe that we will never see this ever again,” said the CEO of Audemars Piguet, a high-end Swiss watchmaker, about the Covid-era craze for all things horological.
Gen Z seems to be on a similar trajectory with smartphones. They’re recognizing the dark patterns implemented by social network platforms and app developers, and the stress of always-on communications channels in the form of iMessage, WhatsApp, Instagram, and TikTok. Putting a miniature smartphone on the wrist just adds another level of always-on connectivity.
Prediction: Smartwatch adoption will fall as the younger demographic chooses to adopt non-smart watches.
To-do for ’24: Embrace the idea of digital detox and see how it feels to only have the date and time within reach.