2017 was a devastating year in security: Equifax, Verizon, WannaCry – enough said. Even more so, the Instagram vulnerability, OneLogin breach, Circle with Disney web filter flaws, Oracle’s Identity Manager vulnerability and Wishbone hack hit close to home, reinforcing what we’ve been preaching ad nauseam: that IAM tools and APIs remain at risk.
The good news, though, is that C-suite executives are continuing to ramp up their investments in security technologies, practices, and education. According to CEB (now part of Gartner), 2017 was the seventh consecutive year of budget increases for security. Looking ahead to 2018, Gartner predicts that information security spending will continue to grow, reaching a total of $93 billion.
With 2017 as our backdrop, there’s no denying that there’s a lot at stake. But, unfortunately, (security) change doesn’t happen overnight. Here’s what Forum Systems anticipates seeing more of in 2018:
1) Identity and Access Management (IAM): A Target for Hacking and Compromise
As the trend toward identity consolidation and centralized IAM continues, the false sense of security around IAM platforms will result in high-profile hacking of enforcement points. IAM enforcement points, or more plainly stated, the locations where credentials are authenticated and authorized, are high-value targets. Compromising these points in the architecture provides a means to impersonate users and to hijack the identity decisions that determine whether subsequent communications from “trusted users” are accepted, an acceptance that rests entirely on trust in the IAM engine. In 2018, we expect to see more (not-so-positive) stories coming from IAM vendors and their solutions.
2) AMQP and IoT Cloud: Transforming Business Workflows
The emergence of IoT Hub technologies such as Azure IoT Hub, which uses standards-based AMQP instead of traditional proprietary JMS-based solutions, will allow organizations to dramatically reduce their JMS environment costs. By adopting the open-standard AMQP messaging format and IoT Hub implementations, businesses will get the same workflow capabilities at a fraction of the cost of typical ESB infrastructures.
3) API Security: A Business Use-case
From IoT to mobile and cloud, APIs underlie the modern computing infrastructure. The OWASP Top 10 2017 calls out APIs in 9 of the top 10 items, which highlights the rampant growth of API-based vulnerabilities and shows that organizations continue to expose under-protected APIs that are susceptible to compromise and malicious access.
The explosive proliferation of APIs will continue in 2018, and the loss of data and impact to reputation will spur organizations to (finally) carve out a meaningful portion of security spending for protecting APIs.
Analyzing many of the security flaws and breaches of 2017 makes it shockingly clear that there’s a lack of education and resources devoted to securing APIs. Moreover, the Ponemon Institute and Radware survey arrived at the same conclusion. It found that while 60% of organizations both share and consume data via APIs (including PII, usernames/passwords, payment details, medical records, etc.), over 50% don’t inspect the data that’s transferred back and forth, nor do they perform any security audits or analyze API vulnerabilities prior to integration.
APIs have become integral to strategy in more organizations, and the explosive growth of APIs will continue in the New Year. So, we certainly hope our third prediction comes to fruition.
That said, as you reflect on 2017 and budget/strategize about what’s best for your company, partners and customers in 2018, don’t be a statistic. Be better than the more than 50%; with every new data breach headline you read, you’ll be grateful.
As we head into the end of the year, we wish you a happy, healthy and secure holiday season!