2021 Predictions: Securing the API Economy, Identity and Rigorous Consent Controls

By Nathanael Coffing, CSO, Cloudentity

It goes without saying that 2020 was an unprecedented year and the security landscape was completely transformed for cybersecurity professionals. Due to COVID-19 and the U.S. presidential election, the tumultuous year was a perfect storm for hackers to take advantage of. The sudden shift to a remote workforce in March 2020 meant that security perimeters were greatly extended and sometimes non-existent, enabling millions of employees to maintain productivity during the pandemic. This led to a never-seen-before spike in cyberattacks across all sectors; the FBI and other federal agencies issued a warning for all U.S. businesses, particularly hospitals and the public health sector, to be weary of ransomware attacks.

Additionally, we saw explosive growth in the API economy as consumers shifted toward primarily using online apps for managing finances, healthcare and other important transactions on mobile devices. Consumers also became more aware of how companies are collecting and storing their data when using these types of apps. Given the major shift from in-person to digital in 2020, below are a few cybersecurity and enterprise tech trends that we can expect to emerge in 2021.

1) In 2021, Identity Access and Management is no Longer Separate from Cybersecurity   

Identity Access and Management (IAM) and security are no longer separate facets of an organization and must be treated holistically. According to 2019 data from the OWASP Foundation, seven out of the top 10 security vulnerabilities for APIs are related to identity. This shows that for the technology industry at large, the era of managing identity outside of cybersecurity is over. API security is a foundational element in today’s app-driven world and all of them need stronger more granular methods of transactional authorization. The risk is palpable as we’ve seen from the dozens of API breaches this, if an API is poorly written, Object or function level authorization issues provide programmatic data leakage to an attacker.  An example of this going wrong is Cambridge Analytica, where Facebook’s API exposed raw data from more than 87 million Facebook users which was then exploited by the political consulting firm. If organizations don’t take control of their API security, we will see more large-scale data breaches in 2021.

2) 2021 Will Mark Huge Growth in the API Economy  

In the last few years, APIs have been elevated from a development technique to a business model driver and boardroom consideration. Essentially, APIs enable companies to more easily build products and exchange data with internal, partner and customer services. According to recent statistics, Salesforce generates half of its revenue through its APIs, while Expedia reportedly derives a staggering 90% of revenue from APIs. In 2020, the API economy boomed and in 2021, we will see an explosion of new applications as a result.

Enterprises thrive on data and APIs provide a key enabler for reusing, sharing and monetizing those APIs, extending the reach of existing services or providing new revenue streams. Therefore, a growing number of large enterprises are building new services that expose legacy data stores allowing developers to use this data to create new APIs to drive new business initiatives. However, along with the rapid growth of API-centric services, there are more risks of APIs having vulnerabilities in their code. APIs should be treated as products and potential security flaws must be addressed at the API-level, ideally in the development stages.

3) To Lean on API-centric Services to Share Data, Consent Control Must Be More Rigorous  

As we’ve seen with popular cloud document-sharing services like Google Docs and Box, API-centric services are relied on every day for seamlessly sharing data and being able to control who can view and edit certain files. Privacy is at the core of these open-data platforms, and authorization and consent are what ensures privacy is maintained. With modern API-centric services, consent has shifted the consumer mindset from “what data can I know about this app” to “what data can this app know about me,” and “what data can this app share about me?” Given consumer privacy regulations such as GDPR and CCPA, APIs must include consent controls that are much more rigorous to prevent sharing consumer data without proper consent. For example, third-party consumer apps like Spotify shouldn’t be able to post to someone’s Instagram page or other social media accounts unless they specifically allow it, even when these apps remain linked to one another.

4) VPNs Aren’t Dead Yet, but It’s No Longer a Best Practice for Access   

With a large percentage of the workforce operating remotely for the foreseeable future, more APIs are being moved outside firewalls to maintain productivity from anywhere and ensure business continuity during the pandemic. Organizations relied heavily on VPNs (Virtual Private Networks) in 2020, but there are security and business risks associated with extending the edge. Given the perimeter-centric ramifications associated with using a VPN, enterprises are moving toward IAM solutions to solve these issues around remote authorization and access. Identity has become the new perimeter for users and services and strong authentication is the front door. Both aspects are critical for remote workers to be able to securely transfer and access important proprietary data.

About the Author

Nathanael Coffing is the cofounder, CSO and a board member of Cloudentity. He is a technology visionary with a big picture view geared towards simplifying and integrating disparate technologies. Nathanael honed his skills at Sun, Oracle and Imperva. Since then, he’s helped build a number of technology startups ranging from Consumer RFID to Mobile Applications. Nathanael can be reached online via Twitter, LinkedIn and at Cloudentity’s website: https://cloudentity.com/