Daily Tech Digest - December 08, 2018

HIPAA Compliance in a Containerized Environment
The HIPAA compliance framework is somewhat infamous for setting high-level requirements regarding healthcare data and privacy without recommending specific ways of meeting those requirements. That tendency leaves many developers, admins and DevOps engineers wondering how, exactly, to comply with HIPAA. If you find yourself in that situation, keep reading. This blog post identifies best practices for HIPAA compliance on one of today’s most common types of environments—those built with containers. It draws on NIST’s Cybersecurity Framework recommendations for addressing the high-level compliance requirements that HIPAA includes. The tips below are drawn from Twistlock’s Guide to HIPAA Compliance for Containers, a 38-page resource that walks through best practices for HIPAA compliance in a containerized environment with the help of the Twistlock platform. 


Facial recognition has to be regulated to protect the public, says AI report


The report calls for the US government to take general steps to improve the regulation of this rapidly moving technology amid much debate over the privacy implications. “The implementation of AI systems is expanding rapidly, without adequate governance, oversight, or accountability regimes,” it says. The report suggests, for instance, extending the power of existing government bodies in order to regulate AI issues, including use of facial recognition: “Domains like health, education, criminal justice, and welfare all have their own histories, regulatory frameworks, and hazards.” It also calls for stronger consumer protections against misleading claims regarding AI; urges companies to waive trade-secret claims when the accountability of AI systems is at stake (when algorithms are being used to make critical decisions, for example); and asks that they govern themselves more responsibly when it comes to the use of AI.


Cyber risk management continues to grow more difficult

Cyber risk management is significantly more difficult today than it was two years ago. That's according to new ESG research involving 340 enterprise cybersecurity, GRC, and IT professionals who were asked to compare cyber risk management today to two years ago. (Note: I am an employee of ESG.) The data indicates that 39 percent of survey respondents believe that cyber risk management is significantly more difficult today than it was two years ago, while another 34 percent say that cyber risk management is somewhat more difficult today than it was two years ago ... Think about this data from a CISO perspective. Your bosses are pushing you for more frequent updates on cyber risk management, and they want it presented in a business context. Meanwhile, your staff — which is likely only incrementally bigger than it was two years ago, if at all — must collect, process, analyze, and report on risk management across an increasing and vulnerable attack surface that is being targeted by more sophisticated cyber-adversaries.


Best practices for Event Sourcing

In his talk, David gives an example of a service which performs 100 actions in 66 ms. This is an average latency of 0.66 ms. CMF is designed for consistently low latency, where the focus is on the worst latencies the system sees. A key measure is often the 99.9%ile latency (the worst 1 in 1,000) rather than the average or typical latencies. We recently helped a Tier 1 banking client build an Order Management System with 3 microservices where the wire-to-wire latency was under 20 microseconds 99.9% of the time at a throughput of 20,000 messages per second. Chronicle Decentred is designed for high throughput. Each chain can process a large number of messages across a cluster of servers, e.g. 50K/s to 400K/s depending on the hardware. However, the latency is the time to achieve a consensus, which might be 5 ms to 500 ms depending on the network between them.
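To make the gap between an average and a 99.9th-percentile figure concrete, here is an added Python example; it is not code from the talk, from Chronicle, or from the original post. The latency sample is constructed, not measured: 0.4 ms per action with a 20 ms stall on every 500th action, chosen so that the mean and even p99 barely move while p99.9 exposes the stall. The percentile is computed by the nearest-rank method with exact rational arithmetic, because a floating-point `0.999 * N` can land a hair above an integer and `ceil` would then pick the wrong rank.

```python
"""Added example: why the 99.9th percentile, not the mean, is the number to watch."""
import math
from fractions import Fraction
from typing import Dict, List, Sequence


def percentile(samples: Sequence[float], p: float) -> float:
    """Nearest-rank percentile: the value at rank ceil(p/100 * N) in the sorted samples.

    Exact Fraction arithmetic avoids 99.9/100 * N rounding to e.g. 9990.0000000002
    and ceil() silently picking the next rank. Note that 'worst 1 in 1,000' is only
    resolved once N is comfortably above 1,000 samples.
    """
    if not samples:
        raise ValueError("no samples")
    if not 0 < p <= 100:
        raise ValueError("p must be in (0, 100]")
    ordered = sorted(samples)
    rank = math.ceil(Fraction(str(p)) * len(ordered) / 100)  # 1-based rank
    return ordered[rank - 1]


def summarize(samples: Sequence[float]) -> Dict[str, float]:
    """Mean alongside the tail percentiles a low-latency system is judged on."""
    return {
        "mean_ms": sum(samples) / len(samples),
        "p50_ms": percentile(samples, 50),
        "p99_ms": percentile(samples, 99),
        "p99.9_ms": percentile(samples, 99.9),
        "max_ms": max(samples),
    }


def constructed_latencies(n: int = 10_000, base_ms: float = 0.4,
                          stall_every: int = 500, stall_ms: float = 20.0) -> List[float]:
    """Constructed sample (assumption, not measured data): a steady base latency
    with a stall on every `stall_every`-th action, e.g. a periodic pause."""
    return [stall_ms if i % stall_every == 0 else base_ms for i in range(n)]


if __name__ == "__main__":
    # With the defaults: mean 0.4392 ms and p99 0.4 ms look fine, p99.9 is 20 ms.
    for name, value in summarize(constructed_latencies()).items():
        print(f"{name:>9}: {value:.4f}")
```

Twenty stalls in ten thousand actions lift the mean by only 0.04 ms and leave p99 untouched, which is exactly why a system judged on "consistently low latency" reports p99.9 rather than an average.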


UK government commits to opening up data in bid to push adoption of AI


“The full benefits to society and the economy that can come from AI can only be realised if it is widely used,” said James. “That means government working together with industry to seize the prize of a reported additional £232bn on GDP by 2030.” However, despite today’s abundance of data, its potential is largely untapped because much of it is locked in silos. For a data-driven technology, this is a huge barrier to the further development of AI. “Data is a critical part of our national digital infrastructure and fundamental, of course, to AI,” said James. “Without access to good quality data from a range of sources, AI technologies cannot deliver on that promise of better, more efficient and seamless services. Government is really committed to opening up more data in a way that makes it reusable and easily accessible.” James said the government had already opened up more than 44,000 datasets, citing this as a major reason for the UK topping Oxford Insight’s Government AI Readiness Index in 2017.


Industrial espionage fears arise over Chrome extension caught stealing browsing history

An extension collecting browsing history might sound benign, but in a phone call today, the ExtraHop team told ZDNet that this behavior is extremely worrisome in this particular case. The ExtraHop team raised concerns that developers usually access URLs of internal networks, APIs, and applications, and whoever is collecting this browsing history will gain access to URLs that may reveal details about unreleased products, hidden features, or a company's intranet or internal network structure. For example, a developer making API calls to something like "/product/beta/car_dashboard/automatic_breaks/engage/pedestrian_detection/" may reveal quite a lot. In the hands of a determined attacker, such information is valuable both because it could be sold to unethical competitors and because it could be used to plan future attacks. The discovery of this extension comes on the heels of Netscout revealing that North Korean nation-state hackers have used a Chrome extension for the first time in a government-orchestrated cyber-espionage campaign.


The path to cloud security goes through integration

First, establish a plan for how the security systems are going to talk. For the most part, this is a secure directory system, but there are common databases you can also use. Note that you will have to plan and coordinate across organizational silos. Second, find a security management and monitoring product that provides a “single pane of glass” between you and the security systems, both on-premises and in the cloud. This should be the single source of truth when it comes to who, what, when, how, and why. It’s kind of a mastermind for all enterprise security. Third, cross-system security testing should be a common occurrence. Often overlooked by IT, such testing will provide tuning for your security ecosystem and spot issues before the hackers do. While all this seems simple in concept, it’s actually a pain in the butt to deploy. If you’re dealing with all systems in an enterprise, organizational politics often pops up. Also, many enterprises lack the talent needed to get security going at all points. But you still need to do it, because the alternative is very unpleasant.


Remember: It’s not all about the 1s and 0s

It’s critical that you control who has access to your physical plants – offices, warehouses, distribution centers, etc. I’ve seen people talk their way past guards and gates way too easily. Many offices I visit no longer have receptionists, who were traditionally the first line of defense, having been replaced by locked doors and badge readers. But if your employees don’t practice good access control, it’s all for naught. The biggest culprit here is tailgating – one employee badges in to open a door and multiple people follow her into the office. I met someone who allowed a person to tailgate into her office building, and that person turned out to be an attacker who shot his ex-girlfriend once he was inside. But those same tailgaters might be there to steal your digital data as well. Last year, a medical devices firm in Massachusetts found a foreign national in their offices after hours trying to hack into their network. He had tailgated in at closing that day as employees rushed out of the office for Labor Day weekend.


CA Technologies' Agile Transformation: A Firsthand Perspective


Agile isn’t just a new way of developing software, it’s a new mindset, a new culture and a new way of running a business. That may sound like a lot to take on, but the results speak for themselves. Since we began practicing agile at scale and business agility, we’ve reduced time to market, improved customer satisfaction, boosted innovation and increased employee engagement. We’ve made it easier for leaders, lines of business and teams to work together -- and with our customers -- on a global scale.  But reinventing a business isn’t easy. It’s a transformation that must be meticulously designed as a series of experiments on and in a complex system, and these experiments need to be executed with discipline. Here’s a firsthand look at how CA Technologies successfully engineered our agile transformation, starting with our people. ... Investing in people is probably the most important part of any business transformation, so establishing a safe environment that nurtures employee confidence is essential. 


Lack of Business Associate Agreement Triggers HIPAA Fine
OCR's investigation revealed that ACH never entered into a business associate agreement with the individual providing medical billing services to ACH, as required by HIPAA, and failed to adopt any policy requiring business associate agreements until April 2014. "Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014," OCR says. "This case is especially troubling because the practice allowed the names and Social Security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA," says OCR Director Roger Severino. In addition to the monetary settlement, ACH has agreed to implement a corrective action plan that includes the adoption of business associate agreements, completion of an enterprisewide risk analysis and the creation of comprehensive policies and procedures to comply with the HIPAA rules, OCR says.



Quote for the day:


"Success is most often achieved by those who don't know that failure is inevitable." -- Coco Chanel