Nathanael Coffing, CSO of Cloudentity: IAM No Longer Separate From Cyber in 2021
This is part of an ongoing 2021 predictions series. We’ve asked top cyber experts to contribute their insights and expertise to provide a look ahead at what the new year may bring to cybersecurity.
Nathanael Coffing, CSO of Cloudentity:
"In 2021, Identity Access and Management Is No Longer Separate from Cybersecurity
Identity Access and Management (IAM) and security are no longer separate facets of an organization and must be treated holistically. According to 2019 data from the OWASP Foundation, seven out of the top 10 security vulnerabilities for APIs are related to identity. This shows that for the technology industry at large, the era of managing identity outside of cybersecurity is over. API security is a foundational element in today's app-driven world, and all APIs need stronger, more granular methods of transactional authorization. The risk is palpable, as we've seen from the dozens of API breaches this year: if an API is poorly written, object- or function-level authorization issues provide programmatic data leakage to an attacker. An example of this going wrong is Cambridge Analytica, where Facebook's API exposed raw data from more than 87 million Facebook users, which was then exploited by the political consulting firm. If organizations don't take control of their API security, we will see more large-scale data breaches in 2021.
2021 Will Mark Huge Growth in the API Economy
In the last few years, APIs have been elevated from a development technique to a business model driver and boardroom consideration. Essentially, APIs enable companies to more easily build products and exchange data with internal, partner and customer services. According to recent statistics, Salesforce generates half of its revenue through its APIs, while Expedia reportedly derives a staggering 90% of revenue from APIs. In 2020, the API economy boomed and in 2021, we will see an explosion of new applications as a result.
Enterprises thrive on data, and APIs provide a key enabler for reusing, sharing and monetizing those APIs, extending the reach of existing services or providing new revenue streams. Therefore, a growing number of large enterprises are building new services that expose legacy data stores, allowing developers to use this data to create new APIs to drive new business initiatives. However, along with the rapid growth of API-centric services, there are more risks of APIs having vulnerabilities in their code. APIs should be treated as products, and potential security flaws must be addressed at the API level, ideally in the development stages.
To Lean on API-centric Services to Share Data, Consent Control Must Be More Rigorous
As we’ve seen with popular cloud document-sharing services like Google Docs and Box, API-centric services are relied on every day for seamlessly sharing data and being able to control who can view and edit certain files. Privacy is at the core of these open-data platforms, and authorization and consent are what ensures privacy is maintained. With modern API-centric services, consent has shifted the consumer mindset from “what data can I know about this app” to “what data can this app know about me,” and “what data can this app share about me?” Given consumer privacy regulations such as GDPR and CCPA, APIs must include consent controls that are much more rigorous to prevent sharing consumer data without proper consent. For example, third-party consumer apps like Spotify shouldn’t be able to post to someone’s Instagram page or other social media accounts unless they specifically allow it, even when these apps remain linked to one another.
VPNs Aren't Dead Yet, but They're No Longer a Best Practice for Access
With a large percentage of the workforce operating remotely for the foreseeable future, more APIs are being moved outside firewalls to maintain productivity from anywhere and ensure business continuity during the pandemic. Organizations relied heavily on VPNs (Virtual Private Networks) in 2020, but there are security and business risks associated with extending the edge. Given the perimeter-centric ramifications associated with using a VPN, enterprises are moving toward IAM solutions to solve these issues around remote authorization and access. Identity has become the new perimeter for users and services and strong authentication is the front door. Both aspects are critical for remote workers to be able to securely transfer and access important proprietary data."
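The object- and function-level authorization failures mentioned in the first prediction, and the consent scopes discussed under the third, can be shown side by side in a few lines. The following is an added example written for this page; it is not Cloudentity code and is not taken from the OWASP API Security Top 10. The `Token` class, the `profile:read` and `feed:write` scope names, the in-memory `PROFILES` store and the user names are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample store: two users, one profile record each (not real data).
PROFILES = {
    101: {"owner": "alice", "email": "alice@example.com"},
    102: {"owner": "bob", "email": "bob@example.com"},
}
ADMINS = {"carol"}   # hypothetical role assignment
FEED = []            # posts written on a user's behalf


@dataclass(frozen=True)
class Token:
    """Minimal stand-in for an already-validated access token (hypothetical shape)."""
    subject: str          # the authenticated user
    scopes: frozenset     # scopes the user consented to, e.g. {"profile:read"}


class AuthzError(Exception):
    pass


def get_profile_vulnerable(token, profile_id):
    """Broken object-level authorization: only checks that *a* caller is
    authenticated, never that the caller owns the requested object."""
    if token is None:
        raise AuthzError("unauthenticated")
    return PROFILES[profile_id]   # any valid token can walk 101, 102, ...


def get_profile_hardened(token, profile_id):
    """Object-level check plus consent check: the record must belong to the
    token's subject, and the calling app must hold the scope the user granted."""
    if token is None:
        raise AuthzError("unauthenticated")
    if "profile:read" not in token.scopes:
        raise AuthzError("app lacks consent scope profile:read")
    record = PROFILES.get(profile_id)
    # Same error for missing and foreign records, so IDs cannot be enumerated.
    if record is None or record["owner"] != token.subject:
        raise AuthzError("not found")
    return record


def delete_profile_hardened(token, profile_id):
    """Function-level check: a privileged operation is gated on role,
    not merely on possession of a valid token."""
    if token is None or token.subject not in ADMINS:
        raise AuthzError("admin role required")
    return PROFILES.pop(profile_id, None) is not None


def post_to_feed_hardened(token, message):
    """Consent check: an app may post on the user's behalf only when the
    user explicitly granted a write scope, even if the accounts stay linked."""
    if token is None or "feed:write" not in token.scopes:
        raise AuthzError("user has not consented to posting")
    FEED.append((token.subject, message))
    return len(FEED)


def denied(handler, *args):
    """True if the handler refuses the call with AuthzError."""
    try:
        handler(*args)
        return False
    except AuthzError:
        return True


def demo():
    """Drive both read handlers with Alice's token and report the difference."""
    alice = Token("alice", frozenset({"profile:read"}))
    leaked_owner = get_profile_vulnerable(alice, 102)["owner"]   # Bob's record leaks
    blocked = denied(get_profile_hardened, alice, 102)           # hardened refuses
    return leaked_owner, blocked


if __name__ == "__main__":
    print(demo())
```

The hardened read handler returns the same "not found" error for a foreign record and a non-existent one; distinguishing the two would let an attacker confirm which IDs exist before trying another route to them.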