2020 Hindsight and 2021 Foresight – Lessons Learned and Predictions for the Velocity of Business
They say that hindsight is 2020, which has certainly been the case this year. For most organizations, 2020 orchestrated a fundamental shift to the way we work. The paradigm shift to work from home has introduced some major hurdles but it is also an opportunity. Whether an organization views the shift to remote work as good or bad most likely depends on if they are an early adopter or a late adopter of cloud migration.
When we look to the trends that enable remote work, such as cloud services, these are trends the tech industry has been discussing for more than a decade. But as the tech industry so often fixates on crossing the chasm from early adopters to the early majority, it is easy to forget that late adopters and laggards still make up a major portion of the population. The transition to remote work has been much more painful for organizations that have been more risk averse or resource constrained in their cloud adoption, and that is without even mentioning security.
Accelerating the Post-Perimeter Era
The pandemic has been a catalyst that has accelerated digital transformation trends that weren’t expected to reach widespread adoption for at least five years, but it has also introduced a new set of risks, as organizations have been forced to move beyond the corporate perimeter. Outside of the most forward-thinking technology companies, almost every organization is facing different challenges along this spectrum. Some may be grappling with enabling a more API-driven application architecture, while others have graduated to worrying about the protection of data flowing through those APIs.
Cloud Migration Goes Big
The impact of widespread cloud migration will be felt from application development to application service delivery, and its associated security. For anyone that follows the industry closely, these are not new trends, but the widespread and rapid adoption of cloud services (i.e. Microsoft Office 365 or Google Workspace) to enable remote workers has not been seen on this scale previously. Of course, Microsoft and Google have their own massive computing environments, but many other technology providers make use of Microsoft Azure or Amazon Web Services to rapidly scale their own cloud service delivery. In 2021, cloud migration will reach widespread adoption.
However, the major difference is between the companies that have already been doing this for 5-10 years and the companies that have been doing this for 5-10 months. The former have been able to intentionally build their architecture, policies, procedures and controls, while the latter have been forced to respond to this crisis. And again, every effort to maintain a sense of normalcy in 2020 is commendable, but these unassuming organizations may not be aware of the risks hiding in the shadows.
The Rise (and Risk) of Application Delivery as a Service
First, let’s talk about service providers that have made a recent shift to embrace widespread cloud migration. Regardless of whether these developers provide a cloud-hosted service, or a software solution that can be deployed on a public or private cloud, their architecture must now account for the cloud. Developers are now delivering their applications to customers and partners “as a service” just like the SaaS model. That means that APIs (the application programming interface that enables applications to communicate with each other) are now propagating across the enterprise.
The risk here is two-fold. Service providers (or more specifically, the operations and security teams of these service providers) need to maintain visibility into all of the APIs their developers are generating to ensure the availability and integrity of their service is not interrupted. This is easier said than done, especially since accelerated development timelines frequently result in overlooking this basic application development hygiene.
Security Takes a Closer Look at Third-Party Risk
And this risk is also extended to customers, clients and users of these cloud-based solutions, particularly if a third-party API is integrated into another service. Without visibility into the data within their APIs and how they behave, organizations remain blind to threats that could already be lurking within their network. And just to be clear, this risk also exists for enterprise-scale organizations with their own internal development teams and proprietary services – no matter who you are, you cannot protect what you don’t know exists.
Organizations Get Fed Up with Legacy Solutions
Secondly, if we look beyond these service providers (which are of course only one portion of a larger population), there are many organizations that are doing the bare minimum to enable remote work. For some this even includes continuing to use older virtual desktop (VDI) and virtual private network (VPN) solutions, which have been painful to manage at scale. The more distance between a user and the corporate network, and the more users on the corporate network, the worse these models degrade. Once a user connects to the network through this model, there is limited control over what they can do to a service. And of course, the end user experience is awful — it’s like connecting through a dial-up modem in the 90s. If organizations have been using VDI and VPN throughout 2020 and plan to continue remote work into 2021, then they are certainly looking for an alternative solution.
Cloud migration has become the popular choice. The adoption of Microsoft Office 365 and Google Workspace (and all of their associated services) is great because it commoditizes a lot of traditional security services like malware inspection and email phishing protection, but it also eradicates the traditional network security model of the network perimeter protecting the corporate network. Of course, a corporate network perimeter still protects whatever data may still reside on premise, but once users are connecting directly to cloud services from their own home network, then the corporate network perimeter never enters the equation.
Zero Trust Goes Mainstream
This sort of “main street” adoption of cloud services is going to subsequently drive the adoption of identity and access management solutions. The so-called “zero trust” model popularized by Google BeyondCorp has become very popular within the security industry, but is still just beginning to gain more widespread awareness. There is a major risk for organizations that implement cloud-based workspaces without considering identity and access management – the theft of end user credentials (through a phishing attack) could leave a wellspring of information exposed to attack.
A Growing Need to Secure Critical Data in APIs
Many organizations do not realize that APIs represent an additional avenue for credential abuse since fraudulent access tokens could trick control mechanisms into allowing unauthorized access to sensitive information. Many organizations realize they need to protect their users, but do not take the necessary steps to protect their application infrastructure. We predict large enterprises will become more aware of API risks in the coming months, and take steps to address them in 2021.
A New Wave of Data Breaches on the Horizon
We anticipate that many of the challenges organizations have faced throughout 2020 will persist into 2021. Enterprises will continue their rapid adoption of cloud migration to enable the speed of their innovation, but they must also retrofit their security post haste. The breakneck speed of digital transformation cannot be impeded by security, yet security concerns persist. The rhetoric of enabling a “new normal” has required organizations to bring down their barriers, which represents both opportunity and danger. But make no mistake, as difficult as this year has been for so many organizations, business is booming for cybercriminals and fraud. These attacks have already occurred and remain undetected, look for them in the headlines in the coming year. Many other attacks will continue to occur. These attacks will not be brought to light until organizations improve their visibility into their APIs and data flows. Organizations that take an enlightened approach to discover, monitor and secure their API data flows have the best chance of actually preventing these attacks.
And enterprises that take an enlightened approach to both seeing and securing their APIs have the highest probability of actually preventing these attacks.