“In the new cyber threat environment, Identity and Access Management (IAM) and Application Programming Interface (API) management technologies are central to protecting systems, networks, devices and data, and to enabling secure interactions with customers and citizens.”
This is the key point that CA Technologies made in its response to the recent Request for Information put forth by President Obama’s Commission on Enhancing National Cybersecurity. The Commission is a select group of public and private sector leaders and experts in the security space, recently established to make recommendations to mitigate cyber risks while also encouraging technology development.
Applications have become the critical point of engagement for organizations of all sizes, optimizing experiences, and providing a direct and constant connection to end users. APIs make it possible for organizations to open their backend data and functionality for reuse in new application services. API management software authenticates devices and data and is fundamental to securing the applications, devices and data inherent in the burgeoning Internet of Things (IoT). IAM software authenticates individuals and services and governs the actions they are permitted to take.
Identity Is Today’s Security Perimeter
Identity is now the attack vector of choice for cyber criminals. In virtually every large network breach in recent memory, compromised identities were the common thread. Protecting identities is foundational to robust security in the application economy. Effective access management enables users to perform tasks critical to fulfilling their roles, but restricts them from exceeding this permitted access.
In a world where identities constitute the new security perimeter and are the single unifying control point across all apps, devices, data and users, effective IAM is increasingly important with respect to privileged users, who have greater access to back-end systems and databases.
APIs are, however, vulnerable to many of the security threats that have plagued the Web, in addition to a range of new API-specific threats. It is, therefore, vital to deploy strong, API-specific security at the edge of an organization’s API architecture, both to authenticate devices and data, and to secure and protect the APIs themselves.
In addition to highlighting the critical role of IAM and API Management software in securing the digital economy, CA made the following recommendations for the Commission in its response:
- The government and commercial sectors should build security into their systems on the front end, rather than bolting security on afterward;
- The Federal Government should develop an IoT strategy to drive policy and regulatory alignment across Federal agencies and independent regulators;
- Policy-makers should leverage international, market-driven standards rather than country-specific technology mandates for IoT;
- The Federal Government should promote alignment of federal information security systems with the Framework for Improving Critical Infrastructure Cybersecurity;
- The Federal Government should continue to promote automated mechanisms for sharing cyber threat indicators in close to real time, while also protecting privacy; and
- The Federal Government should focus on accelerated deployment of information security programs, such as the EINSTEIN and CDM programs.
What do you think are the most important recommendations for strengthening public and private sector cybersecurity over the next decade? I invite you to share your thoughts below.