Industry executives and experts share their predictions for 2020. Read them in this 12th annual VMblog.com series exclusive.
By Doug Dooley, Chief Operating Officer of Data Theorem
As more companies leverage and build API services and apps natively in the cloud
In 2019, many companies successfully mobilized and monetized their data using application programming interfaces (APIs) as a simple and economical way to share information and build services. However, APIs can create compliance and security vulnerabilities the industry is ill prepared to address. As more companies leverage and build API services and apps natively in the cloud, the industry will face new concerns and cybersecurity threats in 2020.
API data breaches will represent more than 50 percent of records lost in 2020, and be the single largest vector of large-scale hacking. According to Verizon's 2019 Data Breach Incident Report, external actors remained the largest source of threats (69 percent) and hacking the most common threat action (53 percent) for data breaches reported last year. The top attack vector that was successfully exploited was web applications, at approximately 67 percent. Lately, when new reports announce that a company has had tens or hundreds of millions of records compromised or stolen, the specific web attack vector appears to be RESTful APIs. It is our prediction that these incidents of large-scale data breaches from APIs connected to both mobile and web applications will create the largest and most significant data breach headlines in 2020 and beyond.
Shadow APIs will emerge as a new threat for cloud-first enterprises. According to the ESG Report on Security for DevOps, the top new investment that enterprises plan to make to secure cloud-native apps will be API Security (37 percent of all respondents marked this as the most important new control needed for cloud security). Cloud services enable businesses to ship new applications (mobile and web) faster and cheaper with more scalability. As a result, the number of new microservices and APIs grows exponentially with cloud-native apps. Enterprise security teams are struggling to keep pace with their DevOps counterparts. New APIs are popping up everywhere and being labeled as "Shadow APIs" since it's not clear who owns them and who is responsible for their ongoing security and compliance.
Serverless will continue to outpace Kubernetes and container usage in 2020 and beyond, and will pose a new security challenge. As much as Kubernetes is being praised by many DevOps thought leaders, the data tells us that most developers appreciate the convenience, speed, and ease of building applications with serverless computing. According to CB Insights, serverless is now the highest growth public cloud service ahead of containers, batch computing, machine learning, and IoT services. Serverless spending is expected to reach $7.7B by 2021, up from $1.9B in 2016, with an estimated CAGR of 33 percent. Today, very few existing security tools can address application security issues specific to serverless applications. I predict this will be an important new security challenge in 2020.
Adversarial Machine Learning techniques can successfully "poison" ML-based models. Researchers and academic leaders in the computer science field have a renewed focus on artificial intelligence and machine learning algorithms. Amazon Alexa, Google Search, Netflix Recommendations, and Tesla Autopilot are hugely popular commercial applications using machine learning to help customers. However, academics and researchers such as Stanford University's computer security research team led by Dan Boneh are continuing to prove that "poisoning" machine learning systems is consistently possible once access to the model or reference model is achieved. Adversarial Machine Learning appears to be in its infancy, but I predict we will start to see more public examples in 2020 and beyond.
CCPA fines will exceed $200M in its first year of existence. January 1, 2020, will be the first official day that the California Consumer Privacy Act (CCPA) goes into effect. However, the way the regulation is outlined, lawsuits can be filed for privacy violations occurring in 2019. It is my estimate that very few companies are prepared to meet the guidelines outlined in CCPA. Further, unlike the General Data Protection Regulation (GDPR), which went into effect in May 2018, there are no maximum limits capping how large the fines could be for CCPA violations. The first CCPA rulings served by the courts will no doubt create big headlines and put added pressure on companies to be proactive about protecting the data privacy of their customers.
## About the Author
Doug Dooley is the Chief Operating Officer of Data Theorem. He heads up product strategy, marketing, sales, and customer success teams. Before joining Data Theorem, Dooley worked in venture capital leading investments of cloud-centric security, machine-learning, and infrastructure startups for Venrock. While at Venrock, Dooley served on the boards of Evident.io (Palo Alto Networks), Niara (HPE), and VeloCloud (VMware). Prior to Venrock, Dooley spent almost two decades as an entrepreneur and technology executive at some of the most innovative and market dominant technology infrastructure companies, ranging from large corporations such as Cisco and Intel to security and virtualization startups such as Neoteris, NetScreen, and RingCube. Earlier in his career, he held various management, engineering, sales, and marketing roles at Juniper Networks, Inktomi, and Nortel Networks. Dooley earned a B.S. in Computer Engineering from Virginia Tech.