“Standards don’t die; they just become legacy.”
So said Keith Casey, Okta’s ‘Solver’ of API Problems (that’s an official title), during this week’s Oktane 19 event. It’s a challenge many businesses face: how do we integrate new ways of doing things, which offer safer, more efficient and more secure systems, while making them fit with older systems that weren’t designed with the same assumptions in mind?
When it comes to security, Casey said, this is no longer 2009, when we were still trying to figure out what APIs could do. That means we can think about specific use-cases where new risks and opportunities can be assessed. Some of the most significant privacy and security breaches of the last few years, such as Equifax, Facebook and British Airways, came about through the misuse or abuse of APIs, he said. But these breaches also give us the opportunity for “self-reflective moments”, he said.
“We don’t have to stop and figure out how attacks might happen. We can look around and see how they happen. But I recommend people go a step further and say ‘What happens if the information we have is shared inappropriately?’. What is the absolute worst-case use-case that could happen? Once people go through that process, they can stop and consider the bad things that could happen. Instead of trying to do everything with version 1 of the API, let’s address these specific use-cases.”
Looking outside is important. Treating other businesses’ breaches as near-miss experiences is a good way of seeing what is possible, and then coming up with ways to address those risks appropriately.
Know your normal
Casey mentioned a recent attack on the US phone carrier T-Mobile. With 77 million customers, T-Mobile holds a significant amount of data that is of value to criminals. The attack was detected and stopped when an API was used in an attempt to steal that customer data: monitoring systems detected the unusual activity and blocked the API. While the attackers accessed about two million records, they were prevented from reaching the full repository.
Assessing what normal looks like for your business does require effort. Casey recommends starting small, with a low-risk part of the business, and using APIs there first.
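The “know your normal” idea above can be made concrete as a baseline-and-alert job over API access logs. The following is an added example written for this page; it is not Okta’s or T-Mobile’s code, and the log format (`<epoch> <client> <method> <path> <status>`), the one-minute bucket, the mean-plus-three-sigma threshold and the record-lookup path `/v1/customers/<id>` are all assumptions chosen for illustration. The sample lines are constructed, not taken from any real system. It builds a per-client profile from a “normal” window, then flags a client whose request rate or record fan-out jumps above that profile, a client walking consecutive record IDs (the signature of bulk scraping through a lookup endpoint), and a client ID never seen during baselining.

```python
"""Baseline-and-alert over API access logs (added example, assumed log format)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed line format: "<epoch> <client_id> <method> <path> <status>"
LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")
RECORD_RE = re.compile(r"^/v1/customers/(\d+)$")   # assumed record-lookup endpoint
BUCKET_SECONDS = 60


@dataclass
class Profile:
    max_rate: float      # alert when requests per bucket exceed this
    max_distinct: float  # alert when distinct records per bucket exceed this


def parse(lines):
    """Yield (timestamp, client, record_id or None); malformed lines are skipped."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, client, _method, path, _status = m.groups()
        r = RECORD_RE.match(path)
        yield int(ts), client, (int(r.group(1)) if r else None)


def bucketize(lines):
    """Group parsed lines into {client: {bucket_index: [record ids or None]}}."""
    out = defaultdict(lambda: defaultdict(list))
    for ts, client, rid in parse(lines):
        out[client][ts // BUCKET_SECONDS].append(rid)
    return out


def build_baseline(training_lines, sigmas=3.0, floor=5):
    """Per-client thresholds of mean + sigmas*stdev over the training buckets.
    The floor keeps a very quiet client from alerting on its first extra request."""
    profiles = {}
    for client, buckets in bucketize(training_lines).items():
        rates = [len(v) for v in buckets.values()]
        distinct = [len({r for r in v if r is not None}) for v in buckets.values()]
        profiles[client] = Profile(
            max_rate=max(floor, mean(rates) + sigmas * pstdev(rates)),
            max_distinct=max(floor, mean(distinct) + sigmas * pstdev(distinct)),
        )
    return profiles


def is_sequential(ids, min_run=10):
    """True if the ids contain a run of at least min_run consecutive values."""
    s = sorted(set(ids))
    run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if b == a + 1 else 1
        if run >= min_run:
            return True
    return False


def detect(profiles, eval_lines):
    """Return (client, bucket, reason) alerts for behaviour outside the baseline."""
    alerts = []
    for client, buckets in bucketize(eval_lines).items():
        prof = profiles.get(client)
        for bucket, rids in sorted(buckets.items()):
            ids = [r for r in rids if r is not None]
            if prof is None:
                alerts.append((client, bucket, "unknown client"))
                continue
            if len(rids) > prof.max_rate:
                alerts.append((client, bucket, "rate above baseline"))
            if len(set(ids)) > prof.max_distinct:
                alerts.append((client, bucket, "record fan-out above baseline"))
            if is_sequential(ids):
                alerts.append((client, bucket, "sequential id enumeration"))
    return alerts


def constructed_training():
    """Constructed 'normal' traffic: ten one-minute buckets, scattered record ids."""
    lines = []
    for b in range(10):
        for i in range(3 + b % 3):          # app-web does 3..5 lookups a minute
            lines.append(f"{b*60 + i*13} app-web GET /v1/customers/{40000 + (b*977 + i*311) % 50000} 200")
        for i in range(2):                  # partner-x does 2 lookups a minute
            lines.append(f"{b*60 + i*17} partner-x GET /v1/customers/{70000 + (b*523 + i*199) % 20000} 200")
    return lines


def constructed_eval():
    """Constructed evaluation window: app-web unchanged, partner-x scraping."""
    lines = [f"{1200 + i*13} app-web GET /v1/customers/{41000 + i*311} 200" for i in range(4)]
    lines += [f"{1200 + i} partner-x GET /v1/customers/{50000 + i} 200" for i in range(40)]
    lines.append("1210 cli-7 GET /v1/customers/777 200")   # never seen in training
    lines.append("not a log line")                         # parser must skip this
    return lines


def run_example():
    return detect(build_baseline(constructed_training()), constructed_eval())


if __name__ == "__main__":
    for client, bucket, reason in run_example():
        print(f"bucket {bucket} client {client}: {reason}")
```

The point of the three separate checks is that a volume threshold alone is easy to stay under; the enumeration check catches a slow crawl that never exceeds the rate, and the unknown-client check catches credentials that were never baselined at all, which is why starting with a small, well-understood slice of the business makes the baseline trustworthy.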
Shifting to cloud based authentication
When moving any service from an on-prem solution to the cloud, the path of least resistance often looks like a simple “lift and shift”: take what you have today and buy enough IaaS and PaaS capacity to move everything as is. But that doesn’t always make sense. For example, assumptions you might have made in your infrastructure design around power failures or networking issues no longer stack up.
“They carry over the same constraints and requirements they’ve always had. They don’t reconsider that the rules have changed, and perhaps changed in their favour so they can take advantage of the new paradigm, the new approach,” said Casey.
One of the challenges Casey sees is the desire to lock things down so that only users inside the trusted, usually internal, network can connect to the corporate cloud services. But that breaks down as soon as users try to access those systems offsite. And while it can be made to work, it creates more headaches than it fixes. The real challenge is that we need to prove that someone is who they say they are.
Better authentication can happen in different ways. For example, instead of passwords, users can approve push notifications on their phone. Or, in the case of the game Fortnite, players who enable a second authentication factor are rewarded with a new Fortnite dance. The key, said Casey, is to make the smarter and more secure tool the default.
Authentication as infrastructure
One of the big challenges faced by businesses as they introduce better authentication systems is the need to integrate with legacy systems. Alongside that is the growing number of different authentication tools.
“I think, inherently, it’s going to become part of the infrastructure,” said Casey. “I think it’s going to become the infrastructure of our devices, of our websites, for that 40-year-old COBOL system it’s going to be a layer on top”.
In time, Casey expects authentication to become a ubiquitous service, much like the electricity grid: there will be standard APIs that apps plug into and that just work.
But those standards will persist for many years. Once a standard like SAML is baked into a company’s infrastructure, it stays there for years, perhaps decades; Casey said he expects SAML to be around for another 25 years. So, in time, today’s bleeding edge becomes tomorrow’s legacy.
Anthony Caruana attended Oktane 19 in San Francisco as a guest of Okta