The second year of the pandemic, 2021, has been eventful: new security threats have emerged and technological breakthroughs have been made. Yet other changes are underway. By 2022, IT and security professionals must be prepared for everything to come, from advances in integrated finance to growing issues of consumer data privacy to data breaches caused by API leaks.
This is the clear message from Nathanael Coffing, CSO and co-founder of Cloudentity, to Digital Journal readers. Coffing identifies four important trends that are expected to occur in 2022. He describes them below.
Integrated finance will revolutionize the tech industry in 2022
On the main development in the sector during 2021, Coffing says, “Integrated finance has quickly become the hottest topic in financial services and the tech industry. Integrated finance provides the “why” by leveraging the “how” capabilities of Open Banking. Businesses that are not financial service providers use built-in financial application programming interfaces (APIs) to deliver financial tools or services, such as loans or payment processing. It is designed to streamline consumers’ financial processes, making it easier for them to access the services they need, when they need them. For example, built-in loans allow someone to apply for and get a loan right at the time of purchase, as we’ve seen with Klarna and AfterPay. The two companies are partnering with retailers to allow consumers to split an online purchase into multiple smaller monthly payments.”
As for what will happen next, Coffing notes, “Given its potential to create new lines of business and efficiency for customers and businesses, many leading financial and technology services companies are implementing major integrated financing initiatives. Google Pay, for example, has already made big investments to manage its integrated financial capacities. For these reasons, there will be massive growth in integrated finance over the coming year.”
Strict regulations will be essential to ensure the protection of consumer privacy
Privacy is set to become an issue, says Coffing, noting, “Today’s consumers demand more control over their data online and how it is used by businesses. While government regulators enforcing privacy laws such as the GDPR, CCPA and ACPL are a step in the right direction, there is still a lot to be done to protect consumer privacy, and this must start at registration and continue via API-based data sharing. Every website or application should display an icon (similar to SSL) as soon as a user opens the page that rates the certifications that the company meets to protect its customers’ data.
“These need to be written in a way that is also easy for consumers to understand – without hiding behind confusing legal jargon. Then organizations will have no choice but to be transparent about how they collect, use and share their users’ data. The icon should provide consumers with the ability to control their privacy settings at the attribute level, control their sharing of this attribute, and delete their data once they are done with the website / app, so that the user remains in control of their personal information at all times.”
Tokenized Identity to Become an Important Method to Mitigate API Data Leaks and Compromised Tokens
Coffing examines the rise of digital ledgers: “Tokenization has become a key method for businesses to strengthen the security of credit card and e-commerce transactions while minimizing the cost and complexity of complying with industry standards and government regulations. Shifting that same per-transaction security capability to Personally Identifiable Information (PII) can dramatically reduce an organization’s attack surface. Today, most organizations maintain perimeter-based security for their distributed applications by passing rich, overprivileged JSON Web Tokens (JWTs) to any service that requests them.
“However, with the rise of third-party developers and B2B2C business models, cyber attackers need only find the weakest link to start compromising millions of PII records.
A notable example of this happened last year when cybercriminals registered a malicious application with an OAuth 2.0 provider, which generated authorization tokens. If the user accepted and used the token, the attacker could gain access to their mail, transfer rules, files, contacts, notes, profile, and other sensitive data and resources. In 2022, we will start to see very short tokenization and expiration times for tokens to prevent these types of attacks.”
Automation is key to mitigating the growing number of API attacks due to the growing attack surface
For 2022, automation will be more important. Coffing notes, “The number of API attacks will continue to increase as API usage continues to grow exponentially. Indeed, every API and developer is another potential entry point for cyber attacks. The 2021 Status Report on API Security, Privacy and Governance found that over the past year, at least 44% of companies have experienced significant privacy issues, data leaks and exposure of object properties with internal or external APIs. As a result of these issues, 97% of organizations experienced delays in releasing new apps and service enhancements due to identity and authorization issues with APIs and services.”
Coffing adds, “To mitigate this looming threat, IT and security teams need to better protect the business by ensuring that APIs are discovered and that the right security safeguards are in place for each API. Given the rapid spread of APIs, automation is becoming the defining requirement to embed the principle of least privilege and zero trust in your APIs. It starts by adding the machine identity, the workload identity and correlating them with the identities of the requesting users to allow mutual authentication. Once every entity in a transaction is authenticated, declarative authorization becomes the next logical step in providing developers with the tools they need to comply with security requirements. Appropriate security measures cannot be implemented for every identity with manual encryption, especially when machine and API transactions are so fast and time-consuming.”
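The two points Coffing raises above, short-lived tokens that replace rich overprivileged JWTs and declarative, per-API authorization, can be shown side by side in a small piece of code. The following is an added example written for this page; it is not code from the article, from Cloudentity or from any OAuth library. It uses only the Python standard library to mint and verify an HS256 JWT, and every name in it (the signing key, the `accounts-api` and `payments-api` audiences, the routes in `POLICY`, the `user-42` subject) is a constructed placeholder.

```python
"""Added example (not from the article or Cloudentity): minimal HS256 JWT
minting and verification with the standard library, showing how a short-lived,
audience- and scope-bound token together with a declarative per-API policy
limits what a leaked or tampered token can do. Keys, routes and subjects are
constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment would use a per-service key.
SECRET = b"demo-signing-key-not-for-production"

# Declarative authorization policy (assumed layout): each API route states the
# audience it serves and the scope a caller must hold. Written once, checked
# by every service the same way; routes not listed here are denied.
POLICY = {
    ("GET", "/accounts/balance"): {"aud": "accounts-api", "scope": "accounts:read"},
    ("POST", "/payments"): {"aud": "payments-api", "scope": "payments:write"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json_compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def mint_token(sub: str, aud: str, scope: str, ttl_seconds: int,
               now: Optional[int] = None) -> str:
    """Issue a JWT bound to one audience and one scope with a short lifetime."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "aud": aud, "scope": scope, "iat": now, "exp": now + ttl_seconds}
    signing_input = _b64url(_json_compact(header)) + "." + _b64url(_json_compact(claims))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_aud: str, now: Optional[int] = None) -> dict:
    """Return the claims if signature, expiry and audience all check out; raise otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # refuse 'none' and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != expected_aud:
        raise ValueError("token not issued for this audience")
    return claims


def authorize(method: str, path: str, token: str, now: Optional[int] = None) -> bool:
    """Evaluate the declarative policy for one API call. Unknown routes are denied."""
    rule = POLICY.get((method, path))
    if rule is None:
        return False
    try:
        claims = verify_token(token, rule["aud"], now=now)
    except ValueError:
        return False
    return rule["scope"] in claims.get("scope", "").split()


def demo() -> dict:
    """Walk through the cases with a fixed clock so the results are reproducible."""
    t0 = 1_700_000_000
    # Least-privilege token: one audience, one scope, five-minute lifetime.
    tok = mint_token("user-42", "accounts-api", "accounts:read", 300, now=t0)
    # A token whose claims were edited to add payments:write but whose
    # signature is the original one: the signature check rejects it.
    h, c, s = tok.split(".")
    forged_claims = json.loads(_b64url_decode(c))
    forged_claims["scope"] = "accounts:read payments:write"
    forged = h + "." + _b64url(_json_compact(forged_claims)) + "." + s
    return {
        "balance_ok": authorize("GET", "/accounts/balance", tok, now=t0 + 10),
        "payments_wrong_aud": authorize("POST", "/payments", tok, now=t0 + 10),
        "expired": authorize("GET", "/accounts/balance", tok, now=t0 + 301),
        "forged_scope": authorize("POST", "/payments", forged, now=t0 + 10),
    }


if __name__ == "__main__":
    print(demo())
```

The token that is accepted for the balance read is useless against the payments API, stops working after five minutes, and cannot have its scope widened without the signing key. That is the point of pairing short expiry with audience binding: a leaked token bounds the blast radius in both time and reach, and the per-route policy table is what lets every service apply the same least-privilege check without hand-written authorization code in each one.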