Mitigating API attacks in 2022

Nathanael Coffing, co-founder and CSO of Cloudentity, is also a board member. Nathanael has over 20 years of management and architecture experience across identity, security, microservices, and IT domains. Prior to founding Cloudentity, he founded OrchIS.io and helped build numerous technology startups leveraging his experience at Sun, Oracle, Imperva, Washington Mutual, and Boeing. Coffing gives us his 2022 predictions about API Attacks, Data Privacy & Embedded Finance.

Over the last six months, embedded finance has rapidly become the hottest topic in financial services and the tech industry. Embedded finance provides the “why” building off of the “how” capabilities of Open Banking.

Revolutionize the Technology Industry in 2022

Companies that aren’t financial service providers use embedded finance application programming interfaces (APIs) to offer financial tools or services, such as lending or payment processing. It’s designed to streamline financial processes for consumers, making it easier for them to access the services they need when they need them. For example, embedded lending lets someone apply for and get a loan right at the point of purchase, as we’ve seen with Klarna and AfterPay. Both companies partner with retailers to let consumers split an online purchase into several smaller monthly payments.

Given its potential to create new lines of business and efficiencies for customers and businesses alike, many leading financial services and tech companies are implementing major embedded finance initiatives. Google Pay, for instance, has already made large investments to drive its embedded finance capabilities. For these reasons, there will be massive growth in embedded finance in the coming year.

Strict Regulations Will be Essential to Drive Consumer Privacy Protection in the Next Year

Consumers today are calling for more control over their online data and how it’s being used by companies. While government regulators enforcing privacy laws such as GDPR, CCPA and CPRA is a step in the right direction, more needs to be done to protect consumers’ privacy and this needs to start at registration and continue through API-based data sharing. Every website or app should display an icon (similar to SSL) as soon as a user opens the page that rates the certifications the company is meeting to protect their customers' data. These must be written in a way that is easy for consumers to understand as well, with no hiding behind confusing legal jargon. Then, organizations will have no choice but to be transparent with how they are harvesting, using, and sharing their users’ data. The icon must provide consumers the ability to control their privacy settings on an attribute level, control their sharing of that attribute and delete their data after they are done with the website/app, so the user remains in control of their personal information at all times.

Tokenized Identity Will Become a Prominent Method to Mitigate API Data Leakage and Compromised Tokens

Tokenization has become a key method for businesses to bolster the security of credit card and e-commerce transactions while minimizing the cost and complexity of compliance with industry standards and government regulations. Moving this same per transaction security capability to personally identifiable information (PII) can drastically reduce an organization's attack surface. Today, most organizations continue the perimeter-based security for their distributed applications passing enriched over-privileged JSON Web Tokens (JWT) to any service that requests them. However, with the rise of third-party developers and B2B2C business models, cyber attackers only have to find the weakest link to start compromising millions of PII records.

A notable example of this occurred last year when cyber criminals registered a malicious app with an OAuth 2.0 provider, which generated tokens for authorization. If the user accepted and used the token, the attacker could gain access to their mail, forwarding rules, files, contacts, notes, profile, and other sensitive data and resources. In 2022, we will start to see tokenization and very short expiration times for tokens to prevent these types of attacks.

In 2022, Automation is Key to Mitigating API Attacks Due to the Growing Attack Surface

In the next year and beyond, the number of API attacks will continue to rise as APIs usage continues to increase exponentially. This is because each API and developer is another potential point of entry for cyberattacks. The State of 2021 API Security, Privacy and Governance Report revealed that in the last year, at least 44% of enterprises have experienced substantial issues concerning privacy, data leakage, and object property exposure with internal or external-facing APIs. As a result of these issues, 97% of enterprises experienced delays in releasing new applications and service enhancements due to identity and authorization issues with APIs and services.

To mitigate this looming threat, IT and security teams must do a better job of protecting the enterprise by ensuring APIs are discovered and the right security guardrails are in place for every API. Given the rapid propagation of APIs, automation becomes the defining requirement for building the principle of least privilege and zero trust into your APIs. This starts by adding machine identity, workload identity and correlating them with the requestor user identities to allow mutual authentication. Once every entity in a transaction is authenticated, declarative authorization becomes the next logical step in providing developers the tools they need to adhere to security requirements. It’s impossible to implement proper security measures for every single identity with manual coding, especially when machine and API transactions are so rapid and temporal.