API security could be the most important consideration in serverless environments for preventing large-scale data breaches
Serverless adoption is growing faster than most would have expected. The majority of companies are already using it, and serverless use will grow significantly over the next two years. With serverless, software engineers are able to build applications that deliver scale and business value without consideration for the complexities of operations and security. The serverless application architecture is so innovative and new that most traditional security tools do not interoperate due to lack of operating system or container access.
A new approach is needed to conduct security analysis and provide protection for serverless apps.
While serverless applications have introduced new security problems, our focus needs to shift to the world of application programming interfaces (APIs), where sensitive data is prominently transferred in these modern application designs.
It is important to discover what organizations are doing to secure their cloud-native apps, especially with the benefits DevSecOps offers. This focus is especially timely these days because fundamental changes to application architectures and the infrastructure platforms hosting them are not served by existing cybersecurity technologies and traditional approaches to securing business-critical workloads.
As we move forward into 2020, we believe that APIs are the most vulnerable attack vector for large-scale data breaches. Security teams need to be able to automate and analyze the security behind their apps. Here is a list of what DevOps and IT security teams need to consider:
API data breaches could represent more than 50% of records lost in the coming months and become the single largest vector of large-scale hacking. According to Verizon’s 2019 Data Breach Incident Report, external hacking remained the largest threat actor (69%) and threat action (53%) respectively for data breaches reported last year. The top threat vector successfully attacked was web applications, at approximately 67% of the time. When new reports announce that a company has had tens or hundreds of millions of its records compromised or stolen, the specific web attack vector more often than not turns out to be RESTful APIs. It is our belief that these large-scale data breaches from APIs connected to both mobile and web applications will create the largest and most significant data breach headlines in the coming months.
Shadow APIs continue to emerge as a new threat to cloud-first enterprises. According to the ESG Report on Security for DevOps, the top new investment that enterprises plan to make to secure cloud-native apps will be API Security (37% of all respondents marked this as the most important new control needed for cloud security). Cloud services enable businesses to ship new applications (mobile and web) faster and cheaper with more scalability. As a result, the number of new microservices and APIs grows exponentially with cloud-native apps. Enterprise security teams are struggling to keep pace with their DevOps counterparts. New APIs are popping up everywhere and being labeled as “shadow APIs” since it’s not clear who owns them and who is responsible for their ongoing security and compliance.
Serverless continues to outpace Kubernetes and container usage. As much as Kubernetes is being praised by many DevOps thought leaders, the data tells us that most developers appreciate the convenience, speed and ease of building applications with serverless computing. According to CB Insights, serverless is now the highest growth public cloud service ahead of containers, batch computing, machine learning and IoT services. Serverless spending is expected to reach $7.7 billion by 2021, up from $1.9 billion in 2016 with an estimated CAGR of 33%. Today, very few existing security tools can address application security issues specific to serverless applications. This will be an important new security challenge in 2020.
CCPA fines will exceed $200 million in its first year of existence. The California Consumer Privacy Act (CCPA) took effect Jan. 1. However, according to the way the regulation is outlined, lawsuits can be filed for privacy violations occurring in 2019. It is our estimate that very few companies are prepared to meet the guidelines outlined in CCPA. Further, unlike the General Data Protection Regulation (GDPR), which went into effect in May 2018, there are no maximum limits capping how large the fines could be for CCPA violations. The first few CCPA rulings served by the courts may create big headlines to put added pressure on companies to be proactive about protecting the data privacy of their customers.
Many companies have successfully mobilized and monetized their data using APIs as an effective way to share information and build services. However, APIs can create compliance and security vulnerabilities the industry is ill-prepared to address. As more companies leverage and build API services and apps natively in the cloud, the industry will face new concerns and cybersecurity threats. While automation is a common practice that enables DevOps speed and scale, security teams need to take advantage of similar automation techniques to keep up with application teams using CI/CD and DevOps practices.
The industry needs to work closely with the top cloud providers to build better application security controls that function across multi-cloud environments. Most organizations are struggling to secure the application layer of their cloud-native apps, and APIs are the most critical attack vector leading to significant data breaches. As an industry, we need to do more to discover and secure APIs to protect ourselves against large-scale data breaches in the months ahead.