Virtualization Technology News and Information
Cloudentity 2022 Predictions: Rising API Attacks, Data Privacy Concerns & the Future of Embedded Finance

vmblog predictions 2022 

Industry executives and experts share their predictions for 2022.  Read them in this 14th annual series exclusive.

Rising API Attacks, Data Privacy Concerns & the Future of Embedded Finance

By Nathanael Coffing, Co-founder and CSO of Cloudentity

As the second year of the pandemic and the age of remote work, 2021 was a busy year for cybersecurity professionals between the pandemic, remote work and massive investment in new remote services for customers. Attack surfaces exploded due to distributed services, new zero-days were discovered and online assets were increasingly targeted by hackers. Meanwhile, security innovations due to Open Banking, financial application programming interfaces (APIs) and privacy provided a robust level of protection in regulated OpenBanking marketplaces.

Looking to 2022, IT and security professionals must be prepared for what comes next - from embedded finance to mounting consumer data privacy concerns to data breaches and leaky APIs. Below are four predictions about what enterprise leaders can expect in the coming year.

Embedded Finance Will Revolutionize the Technology Industry in 2022  

Over the last six months, embedded finance has rapidly become the hottest topic in financial services and the tech industry. Embedded finance provides the "why" building off of the "how" capabilities of Open Banking. Companies that aren't financial service providers use embedded finance application programming interfaces (APIs) to offer financial tools or services, such as lending or payment processing. It's designed to streamline financial processes for consumers, making it easier for them to access the services they need when they need them. For example, embedded lending lets someone apply for and get a loan right at the point of purchase, as we've seen with Klarna and AfterPay. Both companies partner with retailers to let consumers split an online purchase into several smaller monthly payments. 

Given its potential to create new lines of business and efficiencies for customers and businesses alike, many leading financial services and tech companies are implementing major embedded finance initiatives. Google Pay, for instance, has already made large investments to drive its embedded finance capabilities. For these reasons, there will be massive growth in embedded finance in the coming year. 

Strict Regulations Will be Essential to Drive Consumer Privacy Protection in the Next Year  

Consumers today are calling for more control over their online data and how it's being used by companies. While government regulators enforcing privacy laws such as GDPR, CCPA and CPRA are a step in the right direction, more needs to be done to protect consumers' privacy and this needs to start at registration and continue through API-based data sharing. Every website or app should display an icon (similar to SSL) as soon as a user opens the page that rates the certifications the company is meeting to protect their customers' data. These must be written in a way that is easy for consumers to understand as well - no hiding behind confusing legal jargon. Then, organizations will have no choice but to be transparent with how they are harvesting, using and sharing their users' data. The icon must provide consumers the ability to control their privacy settings on an attribute level, control their sharing of that attribute and delete their data after they are done with the website/app, so the user remains in control of their personal information at all times. 

Tokenized Identity Will Become a Prominent Method to Mitigate API Data Leakage and Compromised Tokens   

Tokenization has become a key method for businesses to bolster the security of credit card and e-commerce transactions while minimizing the cost and complexity of compliance with industry standards and government regulations. Moving this same per transaction security capability to personal identifiable information (PII) can drastically reduce an organization's attack surface. Today, most organizations continue the perimeter-based security for their distributed applications passing enriched over-privileged JSON Web Tokens (JWT) to any service that requests them. However, with the rise of third-party developers and B2B2C business models, cyber attackers only have to find the weakest link to start compromising millions of PII records.

A notable example of this occurred last year when cybercriminals registered a malicious app with an OAuth 2.0 provider, which generated tokens for authorization. If the user accepted and used the token, the attacker could gain access to their mail, forwarding rules, files, contacts, notes, profile and other sensitive data and resources. In 2022, we will start to see tokenization and very short expiration times for tokens to prevent these types of attacks.

In 2022, Automation is Key to Mitigate the Rising Number of API Attacks Due to the Growing Attack Surface   

In the next year and beyond, the number of API attacks will continue to rise as APIs usage continues to increase exponentially. This is because each API and developer is another potential point of entry for cyberattacks. The State of 2021 API Security, Privacy and Governance Report revealed that in the last year, at least 44% of enterprises have experienced substantial issues concerning privacy, data leakage and object property exposure with internal or external-facing APIs. As a result of these issues, 97% of enterprises experienced delays in releasing new applications and service enhancements due to identity and authorization issues with APIs and services. 

To mitigate this looming threat, IT and security teams must do a better job of protecting the enterprise by ensuring APIs are discovered and the right security guardrails are in place for every API. Given the rapid propagation of APIs, automation becomes the defining requirement for building the principle of least privilege and zero trust into your APIs. This starts by adding machine identity, workload identity and correlating them with the requestor user identities to allow mutual authentication. Once every entity in a transaction is authenticated, declarative authorization becomes the next logical step in providing developers the tools they need to adhere to security requirements. It's impossible to implement proper security measures for every single identity with manual coding, especially when machine and API transactions are so rapid and temporal.  



Nathanael Coffing 

Nathanael Coffing is co-founder and CSO of Cloudentity, as well as a board member. Nathanael has over 20 years of management and architecture experience across identity, security, microservices and IT domains. Prior to founding Cloudentity, he founded and helped build numerous technology startups leveraging his experience at Sun, Oracle, Imperva, Washington Mutual and Boeing.

Published Wednesday, January 26, 2022 7:35 AM by David Marshall
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<January 2022>