A New Decade of Challenges and Solutions for IT Professionals

Steven Puddephatt
4 min read
Identity & Access Management (IAM)

As we move into a new decade, IT professionals will be scratching their heads wondering “what new threat is going to cause me to rethink my security architecture or user policy?”. As a solutions architect working with a wide range of customers, here’s my take on what’s coming.

API security to take centre stage

Up until now very little has been done around API security once you get past basic authentication. What do I mean by this? To make an API ‘get’ some data, you feed it a request; let’s say in our case it’s a mobile banking app that shows your name and address as well as your account number. To get information from the API, the mobile banking app has to authenticate to the API, usually with some currently unbreakable encryption method. Great, the connection is trusted and secure. But hackers have shown time and again that once you have access to an API you can usually force it to give you data that wasn’t intended for you.

In my example, imagine if swapping out the account number in my API call gave me the addresses and account numbers of other bank customers. Sound far-fetched? Not really: a vast majority of the hacks in the news are done via an API, and even Facebook and Google have been victims. You have to ask yourself ‘if Google and Facebook have problems, what are the odds that I do not?’.
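The account-number swap above is an object-level authorization failure: the API checks who is calling but not whether the caller owns the object it is asked for. The following is an added example, not code from the original post, showing the two-line difference between a handler that only authenticates and one that also authorizes. The account records, session tokens and user names are constructed for illustration.

```python
# Added example: object-level authorization for a "get my account" API call.
# All data below is constructed; nothing here is a real bank, token or customer.

# Constructed data store: account number -> record (owner is the login that may read it)
ACCOUNTS = {
    "10001": {"owner": "alice", "name": "Alice Smith", "address": "1 High St"},
    "10002": {"owner": "bob", "name": "Bob Jones", "address": "2 Low Rd"},
}

# Constructed session table: bearer token -> authenticated user
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Unauthorized(Exception):
    """Caller could not be identified (bad or missing token)."""


class Forbidden(Exception):
    """Caller is known but may not access this object."""


def authenticate(token):
    """The step the post says is usually done well: map a token to a user."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthorized("bad token")


def get_account_vulnerable(token, account_no):
    """Authenticates the caller but never checks ownership of account_no.
    Changing the account number in the request returns someone else's record."""
    authenticate(token)
    return ACCOUNTS[account_no]


def get_account_hardened(token, account_no):
    """Authenticate, then authorize: the object must belong to the caller."""
    user = authenticate(token)
    record = ACCOUNTS.get(account_no)
    # Same error for "not yours" and "does not exist", so the response does
    # not reveal which account numbers are valid.
    if record is None or record["owner"] != user:
        raise Forbidden("not permitted")
    return record


def can_read(token, account_no):
    """True only when the hardened handler would return the record."""
    try:
        get_account_hardened(token, account_no)
        return True
    except (Unauthorized, Forbidden):
        return False
```

In a real service the ownership check lives in one place (a policy function or middleware keyed on the authenticated principal) rather than being re-implemented per handler, and every handler that takes an object identifier from the client goes through it.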

And so we’ll see the adoption of machine learning tools for APIs which, rather than relying on authentication for security, rely on behavioural algorithms instead. Practically everything has an API these days, and they were built with ease and portability in mind; security was something of an afterthought, an attitude which will dramatically change in the coming year.
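The simplest form of the behavioural approach is to watch what each authenticated caller does over time rather than only whether it authenticated. As an added illustration (not from the original post), the detector below reads constructed API access log lines and flags any token that requests more distinct account numbers inside a sliding window than a normal customer would, which is the pattern the account-swapping scenario above produces. The log format, thresholds and token names are assumptions made for the example.

```python
# Added example: behavioural detection of account enumeration over an API log.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access log (not a real capture): "<timestamp> token=<id> <method> <path>"
LOG_LINES = [
    "2020-02-06T10:00:01 token=tok-alice GET /accounts/10001",
    "2020-02-06T10:00:05 token=tok-alice GET /accounts/10001",
    "2020-02-06T10:00:09 token=tok-eve GET /accounts/10001",
    "2020-02-06T10:00:10 token=tok-eve GET /accounts/10002",
    "2020-02-06T10:00:11 token=tok-eve GET /accounts/10003",
    "2020-02-06T10:00:12 token=tok-eve GET /accounts/10004",
    "2020-02-06T10:00:13 token=tok-eve GET /accounts/10005",
    "2020-02-06T10:05:00 token=tok-bob GET /accounts/10002",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, token, account number)."""
    ts, token, _method, path = line.split()
    return (
        datetime.fromisoformat(ts),
        token.split("=", 1)[1],
        path.rsplit("/", 1)[1],
    )


def find_enumerators(lines, window_seconds=60, max_distinct=4):
    """Return {token: distinct_accounts} for tokens that touched more than
    max_distinct different accounts within any window_seconds period.

    A genuine customer reads its own one or two accounts; a caller walking
    account numbers touches many in a short time, regardless of whether its
    token is valid."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # token -> deque of (timestamp, account)
    flagged = {}
    for line in lines:
        ts, token, account = parse_line(line)
        q = recent[token]
        q.append((ts, account))
        # Drop requests that have aged out of the window for this token.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {acct for _, acct in q}
        if len(distinct) > max_distinct and token not in flagged:
            flagged[token] = len(distinct)
    return flagged
```

A production system would replace the fixed threshold with a per-caller baseline learned from history, but the signal is the same: authorization tells you whether a single request is allowed, behaviour tells you whether the sequence of requests looks like a customer.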

Zero Trust and Identity and Access Management (IAM)

Zero Trust is the latest buzzword to have hit nearly all the meetings I sit in. Unfortunately for IT managers and sysadmins it isn’t just a buzzword; it’s a new paradigm in managing access to resources, which means you’ll have to rethink your approach to remote access and logins. There are different approaches to Zero Trust, but for the uninitiated it means the death of old VPN remote access systems and a move to highly secure portals that can only be accessed via a web browser.

Tightly coupled with Zero Trust is IAM, which pushes organisations to have ‘one source of truth’ for what access a user should have. IAM is necessary as we’ve shifted almost entirely to SaaS platforms, most of which are accessed with an email address and password.

How many people reading this article access Salesforce with user/password authentication? And how many people have left a company only to find out their old user/password still works? The problem is widespread, and companies are way behind on their uptake of Zero Trust and IAM. Rest assured you’ll see more stories of VPN connections being hacked, and businesses will be forced to move to new technologies.
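The ‘one source of truth’ idea becomes concrete when you reconcile a SaaS application’s user export against the HR directory: anyone the directory does not list as active should not have a working login, and anyone who does should be signing in through SSO rather than a local password. The audit below is an added example, not code from the original post; the HR records, SaaS user export and field names are constructed for illustration.

```python
# Added example: reconcile a SaaS user list against the HR source of truth.

# Constructed HR directory (the source of truth): email -> employment status
HR_DIRECTORY = {
    "alice@example.com": {"status": "active"},
    "bob@example.com": {"status": "active"},
    "carol@example.com": {"status": "terminated"},
}

# Constructed export from a SaaS platform: who can log in and how
SAAS_USERS = [
    {"email": "alice@example.com", "auth": "sso", "last_login": "2020-02-01"},
    {"email": "bob@example.com", "auth": "password", "last_login": "2020-01-28"},
    {"email": "carol@example.com", "auth": "password", "last_login": "2020-01-15"},
    {"email": "Dave@example.com", "auth": "password", "last_login": "2019-11-02"},
]


def audit_saas_accounts(hr, users):
    """Classify SaaS accounts against the HR directory.

    orphaned:      no active HR record (left the company or never in HR);
                   these should be deprovisioned.
    password_only: active employee still using a local password instead of
                   SSO; these should be migrated so the IdP controls access.
    """
    findings = {"orphaned": [], "password_only": []}
    for user in users:
        email = user["email"].lower()      # normalise before comparing
        record = hr.get(email)
        if record is None or record["status"] != "active":
            findings["orphaned"].append(email)
        elif user["auth"] != "sso":
            findings["password_only"].append(email)
    return findings


def deprovision_list(hr, users):
    """Just the accounts that should be disabled, sorted for a ticket or script."""
    return sorted(audit_saas_accounts(hr, users)["orphaned"])
```

Running this on every connected SaaS platform on a schedule is the mechanical core of IAM: the directory decides, and each application is checked against it rather than trusted to stay in sync on its own.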

Software hygiene and third party scripts

So we’ve all heard the scenario: you need to write a program for something-or-other. After a quick search around, it turns out there are three pieces of open source software available which, when used together, will perform the function you require. Great, so you’ve just saved tonnes of development effort and your time to market is greatly reduced.

The only problem with this is that now you’ve got three pieces of open source code running, each of which can punch a hole in your security posture. Let’s say, for example, you used an open source SSL library as part of this program, and later a vulnerability is found in that SSL library. How would you know you were affected if the library was just compiled into your program? How clean is your program and its component parts?

This software hygiene problem is now becoming a major headache for companies, especially when you’re looking at hundreds of libraries with possibly thousands of known vulnerabilities. Help is at hand: some tech startups are already offering automated tools to alert you to any CVEs your software might contain.
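What those tools do, underneath, is keep an inventory of the components compiled into each build and match it against an advisory feed by component name and affected version range. The following is an added example, not code from the original post or from any vendor’s product, showing that matching on a constructed inventory and feed. The library names and advisory identifiers are placeholders, not real packages or real CVE numbers.

```python
# Added example: match a component inventory (an SBOM in miniature) against
# a vulnerability feed. Names and IDs are constructed placeholders.

# Constructed inventory: what is actually compiled into the program
COMPONENTS = [
    {"name": "ssl-lib", "version": "1.0.2"},
    {"name": "json-parser", "version": "2.4.0"},
    {"name": "compress", "version": "3.1.1"},
]

# Constructed advisory feed: affected range is [introduced, fixed)
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-1", "name": "ssl-lib", "introduced": "1.0.0", "fixed": "1.0.3"},
    {"id": "CVE-PLACEHOLDER-2", "name": "json-parser", "introduced": "2.0.0", "fixed": "2.3.5"},
    {"id": "CVE-PLACEHOLDER-3", "name": "compress", "introduced": "3.1.0", "fixed": "3.1.1"},
]


def parse_version(version):
    """'1.0.2' -> (1, 0, 2) so tuples compare numerically, not as strings
    (string comparison would put '1.10.0' before '1.9.0')."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed; the fixed release itself is clean."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_advisories(components, advisories):
    """Return (component, version, advisory id) for every affected component."""
    hits = []
    for component in components:
        for advisory in advisories:
            if advisory["name"] != component["name"]:
                continue
            if is_affected(component["version"], advisory["introduced"], advisory["fixed"]):
                hits.append((component["name"], component["version"], advisory["id"]))
    return hits
```

The part that is hard in practice is not the matching but producing the inventory: it has to be generated from the build (including statically linked and vendored code) rather than from a hand-maintained list, or the SSL library that was ‘just compiled in’ never appears in it.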

On the other side of your application you’ve got third party plugins: things which you intentionally allow to access certain parts of your app to provide a feature on your website. This is currently the wild west of the IT world, with companies allowing third party JavaScript on their sites with a very laissez-faire attitude as to what it is really doing. Attacks leveraging this part of the attack surface roughly come under the name ‘Magecart’, the highest profile incident last year being the credit card data theft from British Airways. It’s been coming for a while, but expect to see a big lockdown on allowing random open source code and third party add-ons on sites.

Again, there are certain startups that are addressing the issue, but I’m fairly sure we’ll see some high profile ‘Magecart’ attacks in 2020 before everyone really takes note. These types of attacks became newsworthy in the last few years, and we can be sure that, moving forward, they will get much worse, perhaps with even bigger attacks and huge fines levied. These weaknesses in the software deployment lifecycle will need careful attention.
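Two browser-side controls make a ‘lockdown’ of third party scripts concrete: Subresource Integrity, which pins a script tag to the hash of the reviewed file so a modified copy is refused, and a Content-Security-Policy allowlist of hosts that may supply scripts at all. The code below is an added example, not from the original post, that generates the integrity value and policy header on the server side and reproduces the check a browser performs when the served file no longer matches the pin. The script contents and the CDN host name are constructed.

```python
# Added example: pin a third-party script with SRI and restrict script sources with CSP.
import base64
import hashlib
import hmac

# Constructed: the third-party script exactly as reviewed and approved
APPROVED_SCRIPT = b"window.checkout = function () { /* reviewed version */ };"
# Constructed: the same file after it was changed upstream without review
TAMPERED_SCRIPT = APPROVED_SCRIPT + b"\n// extra code not present in the reviewed version"


def sri_hash(content, algo="sha384"):
    """SRI integrity value: '<algo>-<base64 digest>' over the file bytes."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, content):
    """Script tag pinned to the reviewed content; crossorigin is required
    for SRI on cross-origin resources."""
    return (
        f'<script src="{src}" integrity="{sri_hash(content)}" '
        f'crossorigin="anonymous"></script>'
    )


def matches_pin(served, integrity):
    """What the browser does before executing: hash the bytes it received and
    compare with the pin; on mismatch the script is not run."""
    algo, _, _ = integrity.partition("-")
    return hmac.compare_digest(sri_hash(served, algo), integrity)


def csp_header(allowed_script_hosts):
    """Allow scripts only from the site itself and the listed hosts."""
    sources = " ".join(["'self'", *allowed_script_hosts])
    return f"Content-Security-Policy: script-src {sources}; object-src 'none'"
```

SRI only helps for scripts whose content you expect to be stable; a tag manager that changes daily cannot be pinned, which is exactly why the post treats such add-ons as a deployment-lifecycle problem rather than a one-off configuration.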

*This post originally appeared in SC Magazine UK on February 6, 2020
