I have a confession: blogging can be a chore. But for some reason, sitting down to write is never quite as difficult when I’m inspired by a real-world security breach or data leak. Perhaps it’s a perverse bit of schadenfreude or the ever-present challenge of fighting a cyber-war against globally-distributed hackers looking to attack enterprise IT systems, but these topics are always the most invigorating.
However, in the past year, I’ve gotten at least four notices from companies with which I’ve done business – retail merchants, entertainment vendors, healthcare providers, even my university – about potential data losses. And that tends to change one’s perspective. When I’m sorting through offers for free credit monitoring because my personal data may have been compromised, I start thinking more about solutions.
After any major breach, an enterprise typically goes through a standard list of responses – getting PR under control, reassuring customers that their business is valuable and performing security forensics to root out the source of the breach and fix the problem. However, these clean-up operations never seem to make me feel any better because it’s often clear that the problem could have been prevented in the first place. As they say: “An ounce of prevention is worth a pound of cure.”
The complexities of today’s IT architectures present a lot of attack surfaces – from physical access (stolen laptop/phone) to psychological attacks (phishing) to good old-fashioned hacks. Some can only be solved by education and awareness but there are plenty of technological attacks that can be addressed by appropriate levels of IT security.
In the last couple of years, there’s been a disturbing trend toward breaches due (in whole or in part) to insecure APIs. As more businesses realize the value that an API can provide to mobile enablement, omni-channel customer engagement and B2B agility, this vector of attack has increased in tandem with the number of APIs available.
For many enterprises, API security might be treated as an afterthought or implemented last-minute by a mobile developer more interested in user experience than adequate protection. There’s also a very shallow understanding of the potential threats, especially when compared to a conventional Web application model. But sacrificing security for UX or providing inadequate threat coverage can be catastrophic given the importance of the data and application access being exposed by these APIs.
On March 25, I’ll be taking part in a CA Technologies webinar, where we’ll talk about the most common API exploits, real-world breaches that have occurred as a result and methods for mitigating those threats to your APIs without sacrificing user experience. The next time I get a letter saying that my personal data has been compromised, I want to make sure it isn’t because of an insecure API – because that’s just inexcusable!