API attack containment in 2022


Nathanael Coffing, Co-Founder and CSO of Cloudentity, is also a board member. Nathanael has more than 20 years of management and architecture experience in the areas of identity, security, microservices and IT. Before founding Cloudentity, he founded OrchIS.io and helped build numerous technology startups with his experience at Sun, Oracle, Imperva, Washington Mutual and Boeing. Coffing gives us his 2022 predictions on API attacks, privacy, and embedded finance.

In the past six months, embedded finance has quickly become the hottest topic in the financial services and technology industries. Embedded Finance offers the “why” that builds on the “how” capabilities of open banking.

Revolutionize the tech industry in 2022

Non-financial services companies use embedded financial application programming interfaces (APIs) to provide financial instruments or services such as lending or payment processing. Embedded finance is designed to streamline financial processes for consumers and make it easier for them to access the services they need, when they need them. For example, embedded lending allows someone to apply for and receive credit right at the point of purchase, as we’ve seen with Klarna and AfterPay. Both companies are working with retailers to enable consumers to split an online purchase into several smaller monthly payments.

With the potential to create new lines of business and efficiency gains for customers and companies, many leading financial services and technology companies are implementing major embedded finance initiatives. For example, Google Pay has already made major investments to advance its embedded finance functions. For these reasons, the area of embedded finance will grow massively in the coming year.

Strict regulations will be essential next year to advance consumer privacy

Consumers today are demanding more control over their online data and how businesses use it. Enforcement of data protection laws such as GDPR, CCPA and CPRA by state regulators is a step in the right direction, but more needs to be done to protect consumer privacy, and this needs to start at registration and continue through API-based data sharing. Any website or app should display an icon (similar to SSL) the moment a user opens the page, rating the certifications the company meets to protect its customers’ data. These must be written in a way consumers can easily understand, without hiding behind confusing legal jargon. Companies would then have no choice but to be transparent about how they collect, use and share their users’ data. The icon must let consumers control their privacy settings at the attribute level, control the sharing of each attribute, and delete their data once they are done with the website or app, so that users remain in control of their personal data at all times.

Tokenized identity is becoming an important way of mitigating API data leaks and compromised tokens

Tokenization has become a key method for businesses to increase the security of credit card and e-commerce transactions while minimizing the cost and complexity of complying with industry standards and government regulations. Applying the same per-transaction tokenization to personally identifiable information (PII) can drastically reduce a company’s attack surface. Today, most organizations continue to use perimeter-based security for their distributed applications, handing out enriched, over-privileged JSON Web Tokens (JWTs) to any service that requests them. However, with the advent of third-party developers and B2B2C business models, cyber attackers only need to find the weakest link to compromise millions of PII records.

A notable example of this was last year, when cyber criminals registered a malicious app with an OAuth 2.0 provider that generated tokens for authorization. If a user accepts the app’s consent request and the resulting token is used, the attacker can access their email, forwarding rules, files, contacts, notes, profiles, and other sensitive data and resources. In 2022 we will see tokenization and very short token expiration times used to prevent this type of attack.

In 2022, automation will be key to defending against API attacks due to the growing attack surface

For the next year and beyond, the number of API attacks will continue to grow as API usage continues to grow exponentially. This is because every API and developer is another potential entry point for cyberattacks. The State of 2021 API Security, Privacy and Governance Report shows that in the past year at least 44% of companies have experienced significant problems with regard to data protection, data loss and property risks with internal or external APIs. As a result of these issues, 97% of organizations experienced delays in new application releases and service improvements due to identity and authorization issues with APIs and services.

To mitigate this looming threat, IT and security teams need to better protect the business by making sure APIs are discovered and that the correct security barriers are in place for each API. With APIs proliferating rapidly, automation is becoming a critical requirement for building the principle of least privilege and zero trust into your APIs. This starts with adding machine identity and workload identity and correlating them with the requester’s user identity to enable mutual authentication. Once every entity in a transaction has been authenticated, declarative authorization is the next logical step in giving developers the tools they need to comply with security requirements. It is impossible to implement appropriate security measures by manually coding checks for every single identity, especially when machine and API transactions are so fast and time-limited.
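To make two of the points above concrete (very short token lifetimes against the compromised-token scenario, and declarative per-API authorization instead of hand-coded checks), here is an added example that is not Cloudentity’s code: a small Python verifier with a constructed HS256 signing key, a constructed policy table and a maximum token lifetime, all of which are assumptions for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed values for the example: a demo signing key, a hard cap on how long
# a token may live, and a declarative policy naming the audience and scope each
# API route requires. Routes absent from the policy are denied by default.
SECRET = b"demo-signing-key"
MAX_TOKEN_LIFETIME = 300  # seconds; longer-lived tokens are refused outright
POLICY = {
    "GET /accounts": {"aud": "accounts-api", "scope": "accounts:read"},
    "POST /payments": {"aud": "payments-api", "scope": "payments:write"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict) -> str:
    """Issue a compact HS256 JWT for the given claims (demo issuer)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def authorize(token: str, route: str, now=None):
    """Return (allowed, reason); each denial has a distinct, loggable reason."""
    now = time.time() if now is None else now
    rule = POLICY.get(route)
    if rule is None:
        return False, "no policy for route"
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    # The header's alg is ignored: the verifier always uses its own HS256 key.
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims["exp"] - claims.get("iat", 0) > MAX_TOKEN_LIFETIME:
        return False, "lifetime too long"  # a missing iat also fails here
    if claims.get("aud") != rule["aud"]:
        return False, "wrong audience"  # token was minted for another API
    if rule["scope"] not in claims.get("scope", "").split():
        return False, "missing scope"  # least privilege, per route
    return True, "ok"
```

A stolen token therefore buys at most MAX_TOKEN_LIFETIME seconds against one audience and one scope, and every denial reason can be fed straight into detection.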
