Interview: Doug Dooley, COO, Data Theorem

The concept of Shadow IT is not new to any IT professional; the trend of employees using personal devices unmaliciously to get their jobs done has been an issue for more than 10 years, and has moved from being about phones to being about SaaS apps and cloud storage.

Is the next frontier of Shadow IT set to be about APIs? According to the ESG Report on Security for DevOps, the top new investment that enterprises plan to make to secure cloud-native apps will be API Security (37% of all respondents marked this as the most important new control needed for cloud security).

Cloud services enable businesses to ship new applications (mobile and web) faster and cheaper with more scalability. As a result of an expanding number of available cloud services, the number of new microservices and APIs is growing exponentially with cloud-native apps, and this has led enterprise security teams to struggle to keep pace with their DevOps counterparts.

This is according to Data Theorem, who claimed that new APIs “are popping up everywhere and being labeled as Shadow APIs since it’s not clear who owns them and who is responsible for their ongoing security and compliance.”

Infosecurity spoke to Data Theorem COO Doug Dooley, who said APIs will be a bigger part of the attack vector moving forward. “For us, it is about how we prevent application security data breaches,” he said, adding that the next tier of data analytics (beyond Big Data) is to utilize software applications. “You’re seeing that with mobile and a single page application (SPA) which is basically mobile done on the web rendered in a browser.”

Dooley said that the best apps are constructed with APIs, and on average 15-30 different APIs are connected to an app, and 50-60% are owned by the publisher and the remainder belong to a third party.

One issue with mobile apps in particular is false or cloned apps, which Dooley said the company analyzes to see how close they are to the original app; in one case it found that the cloned app had one-tenth of the code length because it was using serverless development. “So if you can write one-tenth of the amount of code and still deliver the comparable capability and software, you’re essentially getting the cloud provider to do all of the spinning up of containers,” he explained.

“There is so much stuff a developer has to do to make a piece of software scale and perform well, and if a cloud provider can do it all for you, it’s amazing!”

However, the API is the only way to see what sort of data is coming out of the serverless app or cloud function, “so to us, writing these tiny little microservices, and particularly in a serverless architecture, is also fueling an API explosion.”

So how does this reflect upon Shadow APIs? Dooley said that there is little knowledge of what is happening from a data risk perspective, which doesn’t mean the APIs are bad or good, just that they have no governance. Dooley quoted one customer who said that they did not have an API inspection process, but once they got hold of an API they knew how to interrogate and analyze it, and how to remedy most of the problems; discovery was the biggest problem.

“As long as a developer can operate in the cloud, create five lines of code and hit publish, tons of infrastructure and API can be created within minutes,” he said. “Each API is delivering some sort of capability.” He said that many times private keys, storage buckets and APIs are publicly available, and you would think it is rare, but in the public cloud it is frequent.

If developers have so much power and capability that IT governance, compliance and security don’t have a seat at the table and no way to keep up with DevOps, Dooley said, “they will never be invited to the party.”

To resolve this, Dooley said there is a need for businesses to remain agile and “catch the next train and continue to provide the resources and data in a way that is consumable by a development team and operations team.” He also said there needs to be a realization that developer and operations staff “don’t want to become security guys, they already have a job – they work on Jira tickets, so give them a ticket and leave them alone.”

Dooley also argued that software is shipped all of the time, but DevOps guys cannot be penalized for making security mistakes, as putting them through weeks of security training is pointless.

“The point is, there is going to be Shadow APIs, cloud services, shadow assets that could hurt the company,” he said. “You’ve got to have a system that is continually finding them, assigning them and having a risk adjusted approach, and when those problems occur, get them back to the development team and show them the evidence.” This is about working with them at the point of impact, and not trying to teach them security.
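The workflow Dooley describes here (continually find the APIs, assign them an owner, rank them by risk, and hand the evidence back to the development team) can be sketched in a small reconciliation script. The code below is an added illustration for this article and is not Data Theorem's product code; every endpoint record, ownership registry, deployer hint and risk weight in it is constructed sample data that stands in for what an API gateway listing, a cloud function inventory or a service catalogue would actually provide.

```python
"""Shadow-API reconciliation: find unowned endpoints, score risk, route to owners.

Added illustration, not Data Theorem's code. All endpoint records, registries
and scoring weights are constructed sample data for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    path: str
    method: str
    auth: str                # "oauth2", "api_key" or "none"
    exposure: str            # "public" or "internal"
    data_classes: frozenset  # e.g. {"pii", "payment", "secret"}
    deployed_by: str         # CI job or principal that published it (constructed)


# Constructed: what a gateway / function listing might surface
OBSERVED = [
    Endpoint("api.example.com", "/v1/orders", "GET", "oauth2", "public",
             frozenset({"pii"}), "ci/orders-deploy"),
    Endpoint("api.example.com", "/v1/orders/export", "GET", "none", "public",
             frozenset({"pii", "payment"}), "user:dev-jsmith"),
    Endpoint("fn.example.com", "/tmp-migrate-keys", "POST", "none", "public",
             frozenset({"secret"}), "user:dev-jsmith"),
    Endpoint("internal.example.com", "/v1/health", "GET", "none", "internal",
             frozenset(), "ci/platform-deploy"),
]

# Constructed: path prefix -> owning team, the only formal ownership record
OWNERSHIP_REGISTRY = {"/v1/orders": "team-orders", "/v1/health": "team-platform"}

# Constructed: fallback hint mapping CI deployers to a team
DEPLOYER_HINTS = {"ci/orders-deploy": "team-orders", "ci/platform-deploy": "team-platform"}


def registered_owner(ep):
    """Longest-prefix match of the path against the registry; None if unclaimed."""
    best = None
    for prefix, team in OWNERSHIP_REGISTRY.items():
        if ep.path == prefix or ep.path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, team)
    return best[1] if best else None


def find_shadow_apis(observed):
    """Endpoints that exist in the environment but nobody has claimed."""
    return [ep for ep in observed if registered_owner(ep) is None]


def risk_score(ep):
    """Additive constructed weights: exposure, missing auth, data sensitivity."""
    score = 3 if ep.exposure == "public" else 0
    if ep.auth == "none":
        score += 3 if ep.exposure == "public" else 1
    score += 2 * len(ep.data_classes & {"pii", "payment"})
    score += 4 if "secret" in ep.data_classes else 0
    return score


def assign_owner(ep):
    """Registry first, then CI hints, then whoever hit publish, else triage."""
    owner = registered_owner(ep)
    if owner:
        return owner, "registry"
    if ep.deployed_by in DEPLOYER_HINTS:
        return DEPLOYER_HINTS[ep.deployed_by], "deployer-hint"
    if ep.deployed_by.startswith("user:"):
        return ep.deployed_by[len("user:"):], "deploying-principal"
    return "security-triage", "unassigned"


def build_tickets(observed, threshold=5):
    """One ticket per endpoint at or above threshold, carrying the evidence."""
    tickets = []
    for ep in sorted(observed, key=risk_score, reverse=True):
        score = risk_score(ep)
        if score < threshold:
            continue
        owner, basis = assign_owner(ep)
        tickets.append({
            "assignee": owner,
            "ownership_basis": basis,
            "shadow": registered_owner(ep) is None,
            "risk": score,
            "evidence": (f"{ep.method} https://{ep.host}{ep.path} auth={ep.auth} "
                         f"exposure={ep.exposure} data={sorted(ep.data_classes)} "
                         f"deployed_by={ep.deployed_by}"),
        })
    return tickets


if __name__ == "__main__":
    for t in build_tickets(OBSERVED):
        print(t)
```

The point of the split into `find_shadow_apis`, `risk_score` and `assign_owner` is that discovery and ownership are separate questions: an endpoint can be fully registered and still the riskiest thing in the inventory (the unauthenticated export under a known prefix), while a shadow endpoint gets routed to the principal who published it rather than to a generic security queue, which is the "give them a ticket and leave them alone" model Dooley describes.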
