
GAO Urges Federal Agencies to Implement Key Cloud Security Practices

The Government Accountability Office (GAO) has called on federal agencies to fully implement essential cloud security practices in order to enhance their cybersecurity posture. In a recent report, the GAO highlighted the importance of adopting and adhering to these practices to mitigate risks associated with cloud computing.

According to the GAO, four federal departments have not fully implemented cloud security practices, which puts their systems and data at increased vulnerability. The report emphasizes that addressing these shortcomings is critical for ensuring the confidentiality, integrity, and availability of sensitive information stored in the cloud.

Cloud computing offers numerous benefits to federal agencies, including increased efficiency, scalability, and cost-effectiveness. However, it also introduces unique cybersecurity challenges that must be addressed proactively. The GAO report outlines several key security practices that agencies should prioritize to strengthen their cloud security posture.

One of the primary recommendations is to implement strong identity and access management controls. This involves ensuring that only authorized individuals have access to sensitive data and systems and that user privileges are properly managed and monitored. By implementing multi-factor authentication and robust user access controls, agencies can significantly reduce the risk of unauthorized access.

Another crucial aspect highlighted by the GAO is the need for comprehensive data protection measures. This includes encrypting sensitive data both at rest and in transit, implementing secure data backup and recovery processes, and regularly testing the effectiveness of these measures. By employing encryption and backup protocols, agencies can minimize the impact of data breaches or system failures.

Additionally, the GAO emphasizes the importance of monitoring and logging activities within cloud environments. By implementing robust logging mechanisms and real-time monitoring tools, agencies can detect and respond to security incidents promptly. This enables them to identify unauthorized access attempts, suspicious activities, and potential vulnerabilities that could be exploited by attackers.

The GAO report further highlights the significance of training and awareness programs for agency personnel. It recommends providing comprehensive cybersecurity training to employees, ensuring they are aware of potential threats, best practices, and their role in maintaining a secure cloud environment. Regular training and awareness initiatives can help strengthen the overall security culture within agencies.

The GAO study closes by reminding government agencies how important it is to fully implement these cloud security measures. By prioritizing identity and access control, data protection, monitoring, and training, agencies can dramatically improve their cybersecurity posture in the cloud. Federal agencies must act quickly on these recommendations and set aside the necessary funds to guarantee the integrity and security of their cloud-based systems and data.

APIs are Everywhere, but the Security is Lacking

As the number of APIs (Application Programming Interfaces) spread across corporate infrastructure steadily grows, APIs are also emerging as the largest attack surface in applications and a major target for threat actors and cyber attackers.

According to industry experts, the growth of integrated web and mobile offerings that require data exchange between the products of multiple organizations, together with the reliance of mobile apps on APIs, has driven this expansion and made API security a major challenge for CIOs today.

A 2022 survey by 451 Research found that 41% of organizations surveyed had an API security incident in the last 12 months; 63% of respondents said the incident involved a data breach or loss. 

Against this backdrop, cybersecurity startup Wib is zeroing in on API security. Wib has announced a $16 million investment led by Koch Disruptive Technologies (KDT), the growth and venture arm of Koch Industries, Inc., with participation from Kmehin Ventures, Venture Israel, Techstars, and existing investors.

Blocking API attacks in the network

According to a report by GigaOm research, API security products were developed before API use expanded to the extent seen today and “were based upon the idea that it is asking for failure to insist developers secure the code they write.” The report added that “most developers do not knowingly create insecure code”; if they inadvertently write vulnerable code, it is most likely because they are unaware of what vulnerabilities an API might suffer from.

“Once API security was in use, though,” the report said, “IT quickly discovered a new reason to use a security product: Some vulnerabilities are far easier blocked in the network than in each and every application.” 

The report concluded that the idea that some attacks are blocked more effectively in the network (across data centers, cloud vendors, and SaaS providers), before the API is ever reached, has spurred demand for products that can do this.

According to Wib, its API security platform aims at providing visibility across the entire API landscape, right from code to production. This would help unify software developers, cyber defenders, and CIOs around a single holistic view of their complete API domain. 

The platform could leverage real-time inspection, management, and control at every stage of the API lifecycle to automate inventory and API change management, according to the company. Wib was created to identify rogue, zombie, and shadow APIs and analyze business risk and impact, helping organizations reduce and harden their API attack surface. 
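One way to act on the inventory-versus-traffic idea described above, as an added example that is not Wib's code: reconcile a documented API inventory against gateway access logs and flag shadow endpoints (traffic with no documentation), zombie endpoints (deprecated but still serving traffic), and documented endpoints that see no traffic. The inventory, log lines and classification rules are all constructed for this illustration.

```python
"""Reconcile an API inventory against observed traffic (added example; the
inventory, logs and rules are constructed, not a vendor's product logic)."""
import re
from collections import Counter

# Constructed inventory, as an OpenAPI/documentation export might provide it:
# (method, path template) -> lifecycle status.
INVENTORY = {
    ("GET", "/api/v2/users/{id}"): "active",
    ("POST", "/api/v2/orders"): "active",
    ("GET", "/api/v1/users/{id}"): "deprecated",   # superseded by v2
    ("DELETE", "/api/v2/orders/{id}"): "active",
}

# Constructed gateway access log lines (common-log-style format).
ACCESS_LOG = """\
10.0.0.5 - - [01/May/2023:10:00:01 +0000] "GET /api/v2/users/42 HTTP/1.1" 200 512
10.0.0.7 - - [01/May/2023:10:00:02 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 498
10.0.0.9 - - [01/May/2023:10:00:03 +0000] "POST /api/v2/orders HTTP/1.1" 201 88
10.0.0.9 - - [01/May/2023:10:00:04 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
10.0.0.5 - - [01/May/2023:10:00:05 +0000] "GET /api/v1/users/7 HTTP/1.1" 200 490
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def normalise(path: str) -> str:
    """Drop the query string and collapse numeric segments to {id}
    so that /users/42 matches the documented template /users/{id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))

def observed_endpoints(log: str) -> Counter:
    """Count requests per (method, normalised path) seen in the log."""
    counts = Counter()
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[(m["method"], normalise(m["path"]))] += 1
    return counts

def classify(inventory: dict, log: str) -> dict:
    """shadow: traffic to undocumented endpoints; zombie: traffic to
    deprecated endpoints; unused: documented endpoints with no traffic."""
    seen = observed_endpoints(log)
    return {
        "shadow": sorted(ep for ep in seen if ep not in inventory),
        "zombie": sorted(ep for ep in seen if inventory.get(ep) == "deprecated"),
        "unused": sorted(ep for ep in inventory if ep not in seen),
        "hits": dict(seen),
    }
```

Running `classify(INVENTORY, ACCESS_LOG)` on the constructed data flags the undocumented debug endpoint as shadow, the v1 user lookup as zombie, and the order-deletion endpoint as documented but unused.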

According to Gil Don, CEO and co-founder of Wib, APIs have moved into the spotlight in recent years. “Organizations are using them as the basis of a new generation of complex applications, underpinning their move to competitive and agile digital business models,” says Don.

A Whole New Category of Cyber Threat

Don explains that APIs account for 91% of all web traffic and that they fit the trend towards microservices architectures and the need to respond dynamically to rapidly changing market conditions. But APIs have given rise “to a whole new category of cybersecurity threats that explicitly targets them as a primary attack vector. Web API traffic and attacks are growing in volume and severity.”

Over half of APIs are invisible to business IT and security teams. “These unknown, unmanaged, and unsecured APIs are creating massive blind spots for CIOs that expose critical business logic vulnerabilities and increase risk,” Don continues.

The GigaOm report also singled out Wib for its API source code scanning and analysis “with an eye toward API weaknesses.” Wib’s platform “provides automatic API documentation to create up-to-date documentation, as well as snapshots of changes to APIs and their risks every time they see a commit to code,” the report added.

As its operations grow across the Americas, the UK, and EMEA, Wib says the investment will be used to improve its API security platform and accelerate international growth.