
A New Decade of Challenges and Solutions for IT Professionals

Steven Puddephatt, Senior Cloud Architect @ GlobalDots
13.02.2020
4 Min read
Identity & Access Management (IAM)

As we move into a new decade, IT professionals will be scratching their heads wondering “what new threat is going to force me to rethink my security architecture or user policy?”. As a solutions architect working with a wide range of customers, here’s my take on what’s coming.

API security to take centre stage

Up until now very little has been done around API security once you get past basic authentication. What do I mean by this? Well, to make an API ‘get’ some data you feed it a request; let’s say in our case it’s a mobile banking app that shows your name and address as well as your account number. To get information from the API, the mobile banking app has to authenticate to it, usually over TLS with a token or key that proves who the caller is. Great, the connection is trusted and encrypted. But attackers have shown time and again that once you have authenticated access to an API you can often coax it into returning data that wasn’t intended for you, because authenticating the caller says nothing about whether that caller is authorised to see the particular object it asked for.

In my example, imagine if swapping out the account number in my API call gave me the addresses and account numbers of other bank customers. Sound far fetched? Not really: this class of flaw, known as an insecure direct object reference (IDOR) or, in the OWASP API Security Top 10, broken object level authorisation, is behind a large share of the breaches in the news, and even Facebook and Google have been victims. You have to ask yourself, ‘if Google and Facebook have problems, what are the odds that I do not?’.
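The account-number swap described above, shown as code. This is an added example, not code from the original article or from any real banking app: the account store, the `Account` record and the two handler functions are hypothetical, and the session is reduced to the customer id that authentication already established. The vulnerable handler trusts that id for authentication only; the hardened one uses it for authorisation on the requested object.

```python
# Added example (not from the original article). Account, ACCOUNTS and the two
# handlers are hypothetical stand-ins for a banking API's /accounts/<number> route.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    number: str
    owner_id: str   # id of the customer who owns this account
    name: str
    address: str


# Constructed sample data standing in for the bank's account store.
ACCOUNTS = {
    "10001": Account("10001", "cust-alice", "Alice Smith", "1 High St"),
    "10002": Account("10002", "cust-bob", "Bob Jones", "2 Low Rd"),
}


class AuthorizationError(Exception):
    pass


def get_account_vulnerable(session_customer_id: str, account_number: str) -> dict:
    """Vulnerable: the caller is authenticated (we know session_customer_id), but
    the handler never checks that the requested account belongs to them. Any
    valid session can read any account simply by changing account_number."""
    acct = ACCOUNTS[account_number]
    return {"name": acct.name, "address": acct.address, "number": acct.number}


def get_account_hardened(session_customer_id: str, account_number: str) -> dict:
    """Hardened: authorisation is tied to the object, not just the endpoint.
    Ownership is checked against the authenticated customer, and a non-owned
    account produces the same error as a non-existent one, so the endpoint
    cannot be used to enumerate which account numbers exist."""
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.owner_id != session_customer_id:
        raise AuthorizationError("account not accessible to this customer")
    return {"name": acct.name, "address": acct.address, "number": acct.number}
```

The important detail is that the check lives next to the data access, not in a router or middleware that only knows the caller is logged in; every handler that takes an object identifier from the client needs the same ownership test.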

And so we’ll see the adoption of machine learning tools for APIs which, rather than relying on authentication alone, profile the behaviour of each caller and flag patterns such as one token walking through thousands of account numbers. Practically everything has an API these days, and they were built with ease and portability in mind; security was something of an afterthought, an attitude which will dramatically change in the coming year.
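A minimal version of the behavioural check just described, run over constructed API access-log lines. This is an added example, not a product or code from the original article: the log format, the thresholds and the token ids are all assumptions. It does not replace authentication; it flags a caller whose sequence of perfectly authenticated requests looks like enumeration.

```python
# Added example (not from the original article). Log format, thresholds and
# token names are hypothetical.
from collections import defaultdict

# Constructed access-log lines: <timestamp> <token id> <method> <path> <status>.
# tok-A reads its own account twice; tok-B walks through six account numbers
# and is refused on three of them.
SAMPLE_LOG = """\
2020-02-13T10:00:01Z tok-A GET /v1/accounts/10001 200
2020-02-13T10:00:02Z tok-A GET /v1/accounts/10001 200
2020-02-13T10:00:03Z tok-B GET /v1/accounts/10002 200
2020-02-13T10:00:04Z tok-B GET /v1/accounts/10003 200
2020-02-13T10:00:05Z tok-B GET /v1/accounts/10004 403
2020-02-13T10:00:06Z tok-B GET /v1/accounts/10005 403
2020-02-13T10:00:07Z tok-B GET /v1/accounts/10006 403
2020-02-13T10:00:08Z tok-B GET /v1/accounts/10007 200
"""


def parse_log(text: str) -> list:
    """Split each line into token, resource and object id. For a path like
    /v1/accounts/10002 the object id is the last segment and the resource the
    segment before it."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, token, _method, path, status = line.split()
        segments = path.strip("/").split("/")
        events.append({
            "token": token,
            "resource": segments[-2],
            "object": segments[-1],
            "status": int(status),
        })
    return events


def enumeration_suspects(events: list, max_distinct: int = 3, max_denied: int = 2) -> dict:
    """Return {token: [reasons]} for callers that touched more than max_distinct
    distinct objects of one resource, or were refused more than max_denied
    times. Both thresholds are hypothetical and would be tuned per API."""
    distinct = defaultdict(lambda: defaultdict(set))  # token -> resource -> ids
    denied = defaultdict(int)
    for e in events:
        distinct[e["token"]][e["resource"]].add(e["object"])
        if e["status"] in (401, 403, 404):
            denied[e["token"]] += 1
    suspects = {}
    for token in set(distinct) | set(denied):
        reasons = []
        for resource, ids in distinct[token].items():
            if len(ids) > max_distinct:
                reasons.append(f"{len(ids)} distinct {resource} ids")
        if denied[token] > max_denied:
            reasons.append(f"{denied[token]} denied requests")
        if reasons:
            suspects[token] = reasons
    return suspects
```

Note that the denied-request count only helps if the API actually refuses the requests; against the vulnerable handler from the previous section every probe returns 200, and the distinct-object count is the only signal left. That is why this kind of detection complements an authorisation fix rather than substituting for it.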

Zero Trust and Identity and Access Management (IAM)

Zero Trust is the latest buzzword to have hit nearly all the meetings I sit in. Unfortunately for IT managers and sys admins it isn’t just a buzzword; it’s a new paradigm in managing access to resources, which means you’ll have to rethink your approach to remote access and logins. The core idea is that being on the corporate network, or on a VPN into it, no longer grants trust: every request is evaluated against who the user is, what device they are on and what they are asking for. There are different approaches to Zero Trust, but for the uninitiated it means the death of old VPN remote access systems and a move to identity-aware access portals that are typically reached through a web browser.

Tightly coupled with Zero Trust is IAM, which pushes organisations to have ‘one source of truth’ for what access a user should have. IAM is necessary because we’ve shifted almost entirely to SaaS platforms, most of which are still accessed with an email address and password.

How many people reading this article access Salesforce with user/password authentication? And how many people have left a company only to find out their old user/password still works? The problem is widespread and companies are way behind on their uptake of Zero Trust and IAM. A quick check is to compare each SaaS application’s user list against your HR system: every account with no matching active employee is either a leaver or a shared account nobody owns. Rest assured you’ll see more stories of VPN connections being hacked, and businesses will be forced to move to new technologies.
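The ‘one source of truth’ idea as a concrete reconciliation, added here as an example rather than taken from the original article or from any IAM product. It assumes a directory or HR export is the source of truth and that each SaaS application can export its user list; the CSV format, the application names and the user records are constructed.

```python
# Added example (not from the original article). File formats, app names and
# users are constructed; the directory is assumed to be the source of truth.
import csv
import io

# Constructed HR/directory export: who should have access, and whether they
# are still employed.
DIRECTORY_CSV = """\
email,status
alice@example.com,active
bob@example.com,active
carol@example.com,terminated
"""

# Constructed per-application user exports, e.g. copied from an admin console.
# Note the mixed case in the GitHub list: matching has to be case-insensitive.
APP_USERS = {
    "salesforce": ["alice@example.com", "carol@example.com", "dave@example.com"],
    "github": ["Alice@Example.com", "bob@example.com"],
}


def load_directory(text: str) -> dict:
    """Map normalised email -> directory status."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["email"].strip().lower(): row["status"].strip() for row in reader}


def reconcile(directory: dict, app_users: dict) -> dict:
    """For each application, list accounts that should not exist: leavers whose
    directory record is no longer active, and accounts the directory has never
    heard of (local, shared or contractor accounts created outside IAM)."""
    findings = {}
    for app, users in app_users.items():
        for user in users:
            email = user.strip().lower()
            status = directory.get(email)
            if status is None:
                findings.setdefault(app, []).append((email, "not in directory"))
            elif status != "active":
                findings.setdefault(app, []).append((email, f"directory status: {status}"))
    return findings
```

Run periodically, this is the manual precursor to automated provisioning and deprovisioning (SCIM-style) driven from the same directory; the ‘not in directory’ bucket is usually the more surprising one, because those accounts were never subject to any leaver process at all.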

Software hygiene and third party scripts

So we’ve all heard the scenario: you need to write a program for something-or-other. After a quick search around, it turns out there are three pieces of open source software available which, when used together, will perform the function you require. Great, so you’ve just saved tonnes of development effort and your time to market is greatly reduced.

The only problem with this is that now you’ve got three pieces of open source code running, each of which can punch a hole in your security posture. Let’s say, for example, you used an SSL/TLS library such as OpenSSL as part of this program, and later a vulnerability is found in that library. Well, how would you know you were affected if the library was just compiled into your program? How clean is your program and its composite parts?

This software hygiene problem is now becoming a major headache for companies, especially when you’re looking at hundreds of libraries with possibly thousands of known vulnerabilities. Help is at hand: software composition analysis (SCA) tools, some of them from tech startups, inventory your dependencies and alert you to any CVEs your software might contain. The inventory is the hard part, though; a scanner can only match what it can see, so a library that is statically linked or vendored into the build and never appears in a package manifest is exactly the case that slips through.
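The core of what such a tool does, reduced to its matching step. This is an added example and not any vendor’s code or code from the original article: it assumes a requirements.txt-style manifest with pinned versions and an advisory feed that records, per package, the first affected version and the first fixed one. The manifest, the advisory entries and their identifiers are constructed placeholders, not real CVEs.

```python
# Added example (not from the original article). Manifest, advisories and the
# EXAMPLE-* identifiers are constructed; they are not real packages or CVEs.
import re

# Constructed manifest in requirements.txt style.
MANIFEST = """\
# pinned runtime dependencies
examplessl==1.0.2
jsonlib==2.3.1
widgets==0.9.0
"""

# Constructed advisory feed: affected from `introduced` (inclusive) up to but
# not including `fixed`; fixed=None means no patched release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-2020-0001", "package": "examplessl", "introduced": "1.0.0", "fixed": "1.0.3"},
    {"id": "EXAMPLE-2020-0002", "package": "jsonlib", "introduced": "2.0.0", "fixed": "2.3.1"},
    {"id": "EXAMPLE-2020-0003", "package": "widgets", "introduced": "0.0.0", "fixed": None},
]


def parse_version(version: str) -> tuple:
    """Dotted numeric versions only; tuples compare component-wise, so
    1.0.10 > 1.0.9 (a plain string comparison would get that wrong)."""
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text: str) -> dict:
    """Map package name -> pinned version, ignoring comments and blank lines."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not match:
            raise ValueError(f"unsupported manifest line: {raw!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def affected(deps: dict, advisories: list) -> list:
    """Return (package, pinned version, advisory id, fixed version) for every
    advisory whose range contains the pinned version."""
    hits = []
    for adv in advisories:
        pinned = deps.get(adv["package"].lower())
        if pinned is None:
            continue
        version = parse_version(pinned)
        if version < parse_version(adv["introduced"]):
            continue
        if adv["fixed"] is not None and version >= parse_version(adv["fixed"]):
            continue
        hits.append((adv["package"], pinned, adv["id"], adv["fixed"]))
    return hits
```

Two things the example makes visible: version comparison must be numeric rather than lexical, and a dependency pinned at exactly the fixed release (jsonlib 2.3.1 here) is correctly not reported. The compiled-in library from the paragraph above is still the gap: it is not in the manifest, so nothing here will ever look for it, which is the argument for generating a bill of materials from the build itself rather than from the source tree.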

On the other side of your application you’ve got third party plugins, things which you intentionally allow to access certain parts of your app to provide a feature on your website. This is currently the wild west of the IT world, with companies allowing third party JavaScript on their sites with a very laissez-faire attitude as to what it’s really doing. Attacks leveraging this part of the attack surface roughly come under the name ‘Magecart’: a script that runs in the customer’s browser is altered to skim payment card details from the checkout form and send them to the attacker. The highest profile incident was the 2018 theft of credit card data from British Airways, for which the UK ICO announced in 2019 its intention to levy a record fine. It’s been coming for a while, but expect to see a big lock down on allowing random open source code and third party add-ons to sites.

Again, there are certain startups addressing the issue, but I’m fairly sure we’ll see some high profile ‘Magecart’ attacks in 2020 before everyone really takes note. These types of attacks became newsworthy in the last few years, and we can be sure that moving forward they will get worse, perhaps with even bigger attacks and huge fines levied. These weaknesses in the software deployment lifecycle will need careful attention. The basic browser-side controls already exist: Subresource Integrity pins each script tag to a hash of the exact file it expects, and a Content Security Policy restricts which origins may run script on the page at all.
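An audit of the kind a site owner could run against its own checkout page, added here as an example (not code from the original article or from any monitoring vendor). It computes Subresource Integrity values for known third-party scripts and then checks every external `<script>` tag against an origin allowlist and against those hashes. The page HTML, the script bodies and the origins are constructed; in a real audit the bodies would be fetched from the CDN at build time and again on a schedule, since a changed hash is precisely the signal that a script was tampered with.

```python
# Added example (not from the original article). The page, script bodies and
# origins are constructed; sri_hash follows the integrity attribute format
# browsers use (algorithm, hyphen, base64 digest).
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the value expected in a script tag's integrity attribute."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed stand-ins for the bodies of two third-party scripts.
KNOWN_SCRIPTS = {
    "https://cdn.example.net/widget.js": b"window.widget = function () {};\n",
    "https://tags.example.org/analytics.js": b"/* analytics */\n",
}

# Constructed page: one correctly pinned script, one with no integrity at all,
# one pinned to a hash that no longer matches, and one same-origin script.
PAGE = """
<html><head>
<script src="https://cdn.example.net/widget.js" integrity="{good}" crossorigin="anonymous"></script>
<script src="https://tags.example.org/analytics.js"></script>
<script src="https://cdn.example.net/widget.js" integrity="sha384-AAAA"></script>
<script src="/static/app.js"></script>
</head></html>
""".format(good=sri_hash(KNOWN_SCRIPTS["https://cdn.example.net/widget.js"]))


class ScriptTagCollector(HTMLParser):
    """Collect the attributes of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html: str, allowed_origins: set, known: dict) -> list:
    """Return (src, problem) pairs for external scripts that come from an origin
    not on the allowlist, carry no integrity attribute, or carry one that does
    not match the script body we know."""
    parser = ScriptTagCollector()
    parser.feed(html)
    problems = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src or src.startswith("/"):
            continue  # inline or same-origin script: not third-party
        origin = "/".join(src.split("/")[:3])  # scheme://host
        if origin not in allowed_origins:
            problems.append((src, "origin not on allowlist"))
            continue
        integrity = attrs.get("integrity")
        if not integrity:
            problems.append((src, "missing integrity"))
        elif src in known and integrity != sri_hash(known[src]):
            problems.append((src, "integrity mismatch"))
    return problems
```

The same-origin script is deliberately skipped here, which is also the limitation to keep in mind: an origin allowlist cannot catch a first-party script that has been modified on your own server or CDN, so the hash comparison, and a CSP that disallows unexpected origins for the exfiltration request, matter more than the allowlist. Scripts that a tag manager injects at runtime never appear in the page source and need the same checks applied in the browser or by a monitoring service.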

*This post originally appeared in SC Magazine UK on February 6, 2020
