The complexity of digital privacy

You can't protect what you can't see.
23 October 2023

Digital privacy – you’re gonna need a better lock.

• Digital privacy is becoming more complex as technology evolves.
• The rising bot threat is more one of numbers than of complexity.
• Digital privacy depends on API visibility.

Talking to founders on this year’s Cyber Runway business accelerator in the UK, we ran a wide gamut of topics, showing quite how broad the cyber industry is in 2023. Next in our line of interviews, we spoke to Mayur Upadhyaya – CEO and Co-founder of API security company Contxt – about the increasing complexity of digital privacy in a world of evolving APIs.

THQ:

This might sound like an obvious question, but what role do privacy and trust play in modern digital experiences?

MU:

Over the last ten years, there’s been a lot more education from consumers around their rights on digital privacy. And so it becomes appropriate to think about a famous line from Cory Doctorow: “If the product is free, you’re the product.”

Thanks to the likes of Edward Snowden, and the likes of Cambridge Analytica, the landscape of digital privacy has changed significantly. Consumers are aware that they should have an expectation around how their data is treated, and certainly in Europe, the GDPR has enshrined that notion in law.

Digital privacy and security by design.

If you start to think about some elements in the GDPR that talk about “security by design,” you can’t have security by design unless you have privacy by design – they go hand in hand, and it’s a very European concept that security and privacy are two sides of the same coin.

I think it’s beholden on companies that you shouldn’t collect data on consumers unless you can protect it, so if you can’t protect it, don’t collect it. And I think that’s where we’re getting to. The biggest concern for companies is that trust is really hard to regain once it’s lost. I’m really worried that we’re entering a time of “breach fatigue,” where consumers start to think “What’s the point of data privacy if companies are going to just lose the data in breaches?”

In terms of digital experiences, it’s worth thinking about the supply chain that Jonathan’s team is protecting. Every organization ships data to other vendors, and to other parts of their applications over APIs – we’re now at the point where APIs make up more than 70% of all internet traffic, so it’s become a critical part of the infrastructure and digital experience. And so it’s becoming a new sort of perimeter to protect.

The bot factor.

THQ:

More and more bots are learning specifically to target APIs – we’ve seen reports on that in 2023. Does API vulnerability present new challenges as we go forward?

MU:

Yes, largely because in most enterprises and organizations, there’s no owner for the API. Who owns your API – is it the architects who designed it? The developer who built it? Or is it the infrastructure team that maintains it?

THQ:

With no power comes no responsibility…

MU:

There’s certainly a real lack of ownership there. So going to the bot problem – frankly, these bots are not very sophisticated. There’s maybe 20 to 100 known vulnerabilities from an API, and they just cycle through them.

And because it’s so programmatic, there’s no reason why organizations can’t run the same tests on their own APIs before shipping to production. And so right now, the tools that the attackers are using should be used as part of that hygiene protocol, regardless of whether it’s us or somebody else. There should be some sort of guardrail between moving your API code from design to production. I think the statistic is that 84% of all API attacks are just known vulnerabilities, so it should be easy to shut them down.

THQ:

So it becomes like a noise floor, essentially? “Oh, that’s happening again.”

MU:

Yeah, exactly. And that’s why we need really clear stakeholder ownership for data and for cloud. We need to get to the point where APIs are seen in the same way as a database is seen in any enterprise, with a level of clearly understood governance around it.

We need more and more API product owners to turbocharge their job function, so that you’re thinking about it holistically because it is a perimeter. And every time you ask a developer to spin up another integration, you’re opening up a port straight into your infrastructure.

So we’ve got that sophistication from a web application firewall perspective, and we have sophistication in a posture for free APIs. And because they’re custom and developer-driven, they’re proprietary, as long as what they do is through open standards.

The power of visibility.

THQ:

Let’s talk about visibility, because that’s always been described as the one true essential for delivering security. So how do you do that at Contxt?

MU:

Yeah. If you just think about APIs from a visibility perspective, they’re actually quite hard. And there are lots of things that you can do to an API that make it weak. So typically, they have poor access control and weak authorization. So sometimes you have cases where if you’re authenticated, and you pull your record out of a database, the question is whether you only pull your record and not somebody else’s record, right? That’s one thing.

And in many cases, because developers do reuse API code, they take more data than they need. So you have these fundamental problems around APIs. Then you think about how they come about.

There’s a simplicity to that, because business APIs won’t exist without having gone through a lot of governance in an organization. So let’s just say for example, your editor urgently needs a report. Your in-house team spin something up, you do what you need, then you decommission it. That’s an example from a telecommunications company – it had an API for an internal migration to move from one system to the other, that was never supposed to be suddenly facing outward, and suddenly, it reached the internet.

So the challenge is, now you’ve got these APIs that are built for internal tasks and accidentally, some of the APIs are out there. These APIs were put in ten years ago, by a service provider with whom you no longer work, and they haven’t been documented.

Then you’ve got challenges. You’ve got your known knowns and your known unknowns. What APIs do you have? Which of them falls under what remit? If you think about modern infrastructure, most enterprises are going to have multiple clouds. They’re going to have multiple API gateways, they’re going to have containers, they’re going to have different servers, they might have commissioned a PR agency or a design agency to spin up a campaign, and that campaign might have customer data on it.

And so on.

So the average enterprise probably has 3000 APIs. And I can’t imagine that they’re monitoring each one of them.

You can imagine, if you have that sort of number of APIs, and that complexity of potential issues, how important visibility gets in a very great hurry.

THQ:

Ah – so that’s why everybody calls it the true essential for delivering privacy.

How much do we care about digital privacy? And how much budget are we willing to allocate to it?

In the final part of this article, we’ll talk to Shelley Langan-Newton – CEO of identity verification platform SQR – about issues of modern identity management.