A New Decade of Challenges and Solutions for IT Professionals

Nesh (Steven Puddephatt) Senior Solutions Engineer @ GlobalDots
4 Min read

As we move into a new decade IT professionals will be scratching their heads wondering “what new threat is going to cause me to have to rethink my security architecture or user policy?”. As a solutions architect working with a wide range of customers, here’s my take on what’s coming.

Reduce your AWS costs by over 50%

Discover your Cloud Saving Potential – Answer just 5 simple questions. AppsFlyer, Playtika, Lufthansa, IBM, top leading companies are already using our FinOps services.

Reduce your AWS costs by over 50%

API security to take centre stage

Up until now very little has been done around API security once you get past the basic authentication. What do I mean by this? Well to make an API ‘get’ some data, you feed it a command, let’s say in our case it’s a mobile banking app that shows your name and address as well as account number. To get information from the API, the mobile banking app has to be authenticated with the API, usually with some currently unbreakable encryption method. Great, the connection is trusted and secure. But hackers have shown time and again that once you have access to an API you can usually force it to give you data that wasn’t intended for you.

In my example imagine if swapping out the account number in my API call gave me addresses and account numbers of other bank customers. Sound far fetched? Not really, a vast majority of hacks in the news are done via the API, even Facebook and Google have been victims. You have to ask yourself ‘if Google and Facebook have problems, what are the odds that I do not?’.

And so we’ll see the adoption of machine learning tools for API’s, which, rather than relying on authentication for security, rely on behaviour algorithms instead. Practically everything has an API for it these days, and they were built with ease and portability in mind, security was something of an afterthought, an attitude which will dramatically change in the coming year.

Zero Trust and Identity and Access Management (IAM)

Zero trust is the latest buzzword to have hit nearly all meetings I sit in. Unfortunately for IT managers and sys admins it isn’t just a buzzword, it’s a new paradigm in managing access to resources which means you’ll have to rethink your approach to remote access and logins. There are different approaches to Zero Trust, but for the uninitiated it means the death of old VPN remote access systems and a move to highly secure portals that can only be accessed via a web browser.

Tightly coupled with Zero Trust is IAM, which pushes organisations to have ‘one source of truth’ for what access a user should have. IAM is necessary as we’ve shifted almost entirely to SaaS platforms, most of which are accessed with an email address and password.

How many people reading this article access Salesforce with a user/password type authentication? And how many people have left a company only to find out their old user/password still works? The problem is prolific and companies are way behind on their uptake of Zero Trust and IAM. Rest assured you’ll see more stories of VPN connections being hacked and businesses will be forced to move to new technologies.

Software hygiene and third party scripts

So we’ve all heard the scenario, you need to write a program for something-or-other. After a quick search around it turns out that three pieces of open source software available, which when used together will perform the function you require. Great, so you’ve just saved tonnes of development effort and your time to market is greatly reduced.

The only problem with this is that now you’ve got three pieces of open source code running, each of which can punch a hole in your security posture. Let’s say for example you used an open SSL library as part of this program, and then later a vulnerability is found in this SSL library. Well, how would you know you were affected by this if the library was just compiled into your program? How clean is your program and its composite parts?

This is software hygiene is now becoming a major headache for companies, especially when you’re looking at hundreds of libraries with possibly thousands of known vulnerabilities. Help is at hand and some tech startups are already offering automated tools to alert you to any CVE’s your software might contain.

On the other side of your application you’ve got third party plugins, things which you intentionally allow to access certain parts of your app to provide a feature on your website. This is currently the wild west of the IT world, with companies allowing third party javascript on their site with a very laissez-faire attitude as to what they’re really doing. Attacks leveraging this part of the attack surface roughly come under the name ‘Magecart’, the highest profile incident last year being credit card data theft from British Airways. It’s been coming for a while, but expect to see a big lock down on allowing random open source code and third party add-ons to sites.

Again, there are certain startups that are addressing the issue but I’m fairly sure we’ll see some high profile ‘Magecart’ attacks in 2020 before everyone really takes note. These types of attacks became newsworthy in the last few years and we can be sure that moving forward, they will get much worse – perhaps even bigger attacks and huge fines levied. These weaknesses in the software deployment lifecycle will need careful attention.

*This post originally appeared in SC Magazine UK on February 6, 2020


Latest Articles

Embark on Your Cloud Security Journey with GlobalDots CNAPP and its New CIEM Capability

Imagine being the captain of a vast space station, floating in the endless cosmos. Your station is filled with various facilities, each serving its unique purpose, and inhabited by astronauts, each following their own set of rules. Without a proficient system to manage these rules, chaos could reign. An astronaut might accidentally enter a restricted […]

Nesh (Steven Puddephatt) Senior Solutions Engineer @ GlobalDots
27th July, 2023
Long-Term LastPass Breach Sounds Alarm For Static Credentials

LastPass’ password management service has introduced millions of users to the convenience and security of unique passwords. Across mobile and browser, LastPass promises a near-passwordless experience for millions of individuals and over 100,000 businesses. However, recent news threatens to drop a bombshell on credential-based security.  The Year-Long LastPass Dual Breach  In August 2022, LastPass released […]

Beshoy Halim Cloud Engineer @ GlobalDots
2nd March, 2023
It’s time to get rid of passwords!

In addition to being outdated, passwords create frictions and hassles for workflows, teams, and users. We enable the complete elimination of passwords, securely and with an optimal user experience – by implementing the latest IAM & CIAM innovative solutions.  We are using a technology called FIDO2 (Fast ID Online) Authentication – new passwordless authentication method that relieves credentials […]

Nesh (Steven Puddephatt) Senior Solutions Engineer @ GlobalDots
10th November, 2022
GlobalDots Partners With Transmit to Make Passwords Extinct

As we rely more and more on online services, managing passwords becomes increasingly challenging. Compromised passwords lead to account takeovers, which pose existential threats to customer-facing businesses. Account takeovers led to an estimated $11.4 billion in losses in 2021, caused mostly by compromised passwords. GlobalDots, a cloud innovation leader, partners with Transmit Security, a leading […]

8th September, 2022

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

Unlock Your Cloud Potential