Daily Tech Digest - May 07, 2020

Is Passwordless Authentication the Future?

Implementing passwordless authentication platforms tends to be more complex than implementing their credential-based counterparts, but the end-user experience in a large-scale deployment is much simpler and more likely to be immediately adopted, Kothanath claims. "These devices and the data they collect and store, are becoming part of your digital identity. Your smartphone holds a number of attributes (phone number, IMEI number, carrier information, digital certificates, GPS location, manufacturer information, CPU unique ID, etc.) which can be used to uniquely authenticate you, negating the need for a password." It is extremely difficult to compromise these devices, he says, and technology is available today to enhance the security and reliability of device-based authentication. "As the value of the target asset increases, there can be other trusted devices, such as a Yubi Key and other hardware-based tokens, which can be governed under much tighter controls. All of this is trending towards a cutting-edge, identity-based authentication system and privilege management approach to eliminating passwords from the security equation," Kothanath notes.

Credit card skimmer caught hiding behind website favicon

Upon investigation, though, Malwarebytes discovered that the domain name of myicons.net was registered just a few days prior and hosted on a server previously identified as malicious. Further, myicons.net appropriated all its content from another site named iconarchive.com simply by pointing to that site within an HTML iframe. Digging further, Malwarebytes found that several e-commerce sites were loading an Adobe Magento favicon from the myicons.net domain. Though the security firm suspected that this favicon was malicious, it was unable to find any extra code inside it. However, it did uncover malicious activity on the e-commerce sites that were loading the Magento favicon from myicons.net. Instead of serving up an image file, the myicons.net server was actually loading code consisting of a credit card payment form. This form is loaded dynamically and overrides the PayPal checkout option with its own menu for MasterCard, Visa, Discover, and American Express cards. In the end, any credit card information entered through this form is then sent back to the criminals.
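The point of the Malwarebytes finding is that a URL requested as an icon returned markup instead of image bytes. One defender-side check is to validate that whatever the browser receives for a favicon actually starts with an image signature and carries no form or script markup. The following is an added example for this digest, not code from Malwarebytes or from any of the sites named; every response body in it is constructed inline and nothing is fetched from the network.

```python
"""Sanity-check a favicon response: does the body actually contain image data?

Added example; not code from Malwarebytes or the sites in the write-up.
All sample responses are constructed below, so nothing is fetched.
"""
import re

# Magic-byte prefixes of the binary image formats commonly used for favicons.
IMAGE_SIGNATURES = {
    "ico": b"\x00\x00\x01\x00",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",            # covers GIF87a and GIF89a
    "jpeg": b"\xff\xd8\xff",
}

# Tags that have no business inside an icon, whatever format it claims to be.
# A payment form served in place of an image needs <form>/<input>, or a
# <script> that builds them.
SUSPICIOUS_TAGS = re.compile(rb"<\s*(script|form|input|iframe)\b", re.IGNORECASE)


def classify_favicon(body: bytes, content_type: str = "") -> dict:
    """Return a verdict on a favicon response body.

    is_image is True only when the body starts with a known image signature
    (or is an SVG document) and contains none of the suspicious tags.
    """
    stripped = body.lstrip()
    image_format = next(
        (name for name, sig in IMAGE_SIGNATURES.items() if stripped.startswith(sig)),
        None,
    )
    # SVG favicons are legitimately text, so accept an <svg> or XML-prolog root,
    # but the tag check below still applies to them.
    if image_format is None and re.match(rb"<\?xml|<svg\b", stripped, re.IGNORECASE):
        image_format = "svg"

    tags = sorted({m.group(1).lower().decode() for m in SUSPICIOUS_TAGS.finditer(body)})

    findings = []
    if image_format is None:
        findings.append("body does not start with a known image signature")
    if content_type.lower().startswith("image/") and image_format is None:
        findings.append(f"Content-Type {content_type!r} does not match body")
    if tags:
        findings.append("markup found inside favicon: " + ", ".join(tags))

    return {
        "is_image": image_format is not None and not tags,
        "format": image_format,
        "tags": tags,
        "findings": findings,
    }


# --- Constructed sample responses (not real captures) -----------------------
BENIGN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32      # PNG header plus dummy bytes
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
FAKE_ICON = (                                           # a form where an image should be
    b"<script>/* constructed sample */</script>"
    b'<form id="checkout"><input name="cardnumber"></form>'
)
SCRIPTED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>1</script></svg>'


def audit_all(samples: dict) -> dict:
    """Run the classifier over a {name: (body, content_type)} mapping."""
    return {name: classify_favicon(body, ctype) for name, (body, ctype) in samples.items()}


if __name__ == "__main__":
    samples = {
        "benign_png": (BENIGN_PNG, "image/png"),
        "benign_svg": (BENIGN_SVG, "image/svg+xml"),
        "fake_icon": (FAKE_ICON, "image/png"),
        "scripted_svg": (SCRIPTED_SVG, "image/svg+xml"),
    }
    for name, verdict in audit_all(samples).items():
        print(f"{name:13} image={verdict['is_image']!s:5} format={verdict['format']} {verdict['findings']}")
```

One caveat the write-up itself illustrates: Malwarebytes found no extra code when it fetched the favicon directly, because the server decided what to return based on who was asking. A check like this is therefore only as good as the vantage point it runs from; the body to inspect is the one the shopper's browser actually received (from a proxy or browser instrumentation), not a fresh fetch from a scanner.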

The chief digital officer and COVID-19

CDOs should be considering how to build in work flexibility to account for employees taking care of kids at home by, for example, shifting schedules; ensure access to resources such as tools and information-sharing intranets; educate less digitally fluent colleagues so they don’t feel overmatched by new demands with, for example, brief training sessions; and have frequent touchpoints such as digital town halls and pulse surveys, to gauge people’s mental and physical well-being. This goes beyond the typical work check-ins and is absolutely necessary to help employees deal with the unprecedented stress of this current environment. People are a company’s most precious resource, and how successful a CDO is in making sure that his or her employees are as healthy and supported as possible will be a testament to his or her true leadership skills. ... CDOs should emphasize design-thinking principles, which are predicated on building empathy with customers, to understand their motivations. We know of CDOs who are reaching out to customers for one-on-one conversations, leading customer interviews, and compiling surveys to better understand the challenges that customers face.

Open source database ScyllaDB 4.0 promises Apache Cassandra, Amazon DynamoDB drop-in replacement

ScyllaDB also brings some noteworthy features from a DevOps perspective. Change Data Capture (CDC) allows users to track changes in their data, recording both the original data values and the new values of records. Changes are streamed to a standard CQL table that can be indexed or filtered to find critical changes to data. Scylla Operator is a Kubernetes extension for Scylla cluster management. It currently supports deploying multi-zone clusters, scaling up or adding new racks, scaling down, and monitoring Scylla clusters with Prometheus and Grafana. Both CDC and Scylla Operator are currently in beta and expected to be fully rolled out soon, as per ScyllaDB's development model. Indeed, having watched ScyllaDB grow from relatively early in its lifecycle, we can attest that it is catching up and adding new features at a rather fast pace. Laor mentioned they have a slew of further features in the works. When discussing what it is that enables ScyllaDB to make such rapid progress, Laor said that the company now employs about 100 people, and business has been growing well, too.

Remote access needs strategic planning right now

Over the next two to four years, enterprises have the opportunity to strategically plan for a converged architecture that addresses both networking and security: the secure access service edge or SASE (pronounced "sassy"). SASE combines WAN capabilities with security, and delivers them via services based on identity, time, context, compliance with enterprise policies and risk assessment, according to Gartner, which created the term. Technology suppliers are moving rapidly to extend their network and security solutions from the data center and branch office to the remote office, and this could fit the SASE model. Employees working out of their houses need access to any application, from any device, from any location and on any available network. They use critical applications such as VoIP, video and SaaS that require fast, low-latency connections. And because this access is deployed widely, the solution must be easy to install, simple to operate, flexible and cost effective. Work-at-home users must have direct internet access to cloud-based applications to overcome the performance and latency issues of traditional remote access VPNs, which route traffic from the user to the data center, to the cloud, back to the data center and finally back to the user.

COVID-19, Cyber Security and the “New Normal”

First, from a technology perspective, the large-scale remote working experiment we are having to endure is simply working: Platforms have scaled, and networks have not collapsed. We may or may not like it, but we are starting to adjust to new ways of interacting. More generally, the digital economy has successfully scaled up at pace and the COVID-19 crisis has dramatically accelerated the digital transformation of many sectors. It is impossible to say what the long-term impact will be (e.g. to what extent we will continue to work from home), but this is bound to bring a positive outlook for the tech industry at large. Second, over the last six weeks and in the face of countless scams and fraud attempts, we have had in front of us the largest real-life cyber security awareness campaign anyone could ever have imagined, and this is bound to have a significant cultural impact on people, in particular if the lockdown continues or comes back. Cyber security has had to be on the agenda, as a necessary dimension of lives and business activities now entirely dependent on digital services. Nobody can risk a cyber-attack right now, and good cyber security measures have become key to keeping the lights on. One cannot imagine cyber security moving down the priority list with senior executives post-COVID.

How Tesla uses open source to generate resilience in modern electric grids

"(The) majority of our microservices run in Kubernetes, and the pairing of Akka and Kubernetes is really fantastic," Breck said. "Kubernetes can handle coarse-grained failures in scaling, so that would be things like scaling pods up or down, running liveness probes, or restarting a failed pod with an exponential back off. Then we use Akka for handling fine-grained failures like circuit breaking or retrying an individual request and modeling the state of individual entities like the fact that a battery is charging or discharging." For modeling each site in software, this so-called digital twin, they represent each site with an actor. The actor manages state, like the latest reported telemetry from a battery and executes a state machine, changing its behavior if the site is offline and telemetry is delayed. It also provides a convenient model for distribution, concurrency, computation, and failover management. The programmer worries about modeling an individual site in an actor, and then the Akka runtime handles scaling this to thousands or millions of sites. It's a very powerful abstraction for IoT in particular, essentially removing the worry about threads, or locks, or concurrency bugs.
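The modelling described above, one single-writer state machine per site that changes behaviour when telemetry stops arriving, can be sketched without any actor framework. What follows is an added illustration for this digest, not Tesla's code and not Akka: a per-site state holder plus a router that creates one lazily per site id. The five-minute offline threshold, the message shapes and the charging/discharging/idle states are assumptions made for the example.

```python
"""Per-site digital twins as single-writer state machines.

Added illustration, not Tesla's code and not an Akka API. The message
shapes, states and the offline threshold are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OFFLINE_AFTER_S = 300.0   # assumption: no telemetry for 5 minutes => site offline


@dataclass
class Telemetry:
    """One telemetry report from a site (constructed message shape)."""
    site_id: str
    ts: float          # report timestamp, seconds
    power_kw: float    # > 0 charging, < 0 discharging, 0 idle


@dataclass
class SiteActor:
    """Owns all state for one site; only the router ever calls into it."""
    site_id: str
    state: str = "unknown"    # unknown | charging | discharging | idle | offline
    last_ts: Optional[float] = None
    last_power_kw: Optional[float] = None
    transitions: List[Tuple[str, str]] = field(default_factory=list)

    def _set_state(self, new: str) -> None:
        if new != self.state:
            self.transitions.append((self.state, new))
            self.state = new

    def on_telemetry(self, t: Telemetry) -> str:
        # Out-of-order or replayed reports must not move the twin backwards.
        if self.last_ts is not None and t.ts < self.last_ts:
            return self.state
        self.last_ts, self.last_power_kw = t.ts, t.power_kw
        if t.power_kw > 0:
            self._set_state("charging")
        elif t.power_kw < 0:
            self._set_state("discharging")
        else:
            self._set_state("idle")
        return self.state

    def on_tick(self, now: float) -> str:
        # Behaviour change on delayed telemetry: the twin goes offline by itself.
        if self.last_ts is None or now - self.last_ts > OFFLINE_AFTER_S:
            self._set_state("offline")
        return self.state


class SiteRouter:
    """Dispatches messages by site id, creating a SiteActor on first contact."""

    def __init__(self) -> None:
        self.actors: Dict[str, SiteActor] = {}

    def actor_for(self, site_id: str) -> SiteActor:
        return self.actors.setdefault(site_id, SiteActor(site_id))

    def deliver(self, t: Telemetry) -> str:
        return self.actor_for(t.site_id).on_telemetry(t)

    def tick(self, now: float) -> Dict[str, str]:
        """Periodic sweep; returns the state of every known site."""
        return {sid: actor.on_tick(now) for sid, actor in self.actors.items()}


if __name__ == "__main__":
    router = SiteRouter()
    # Constructed sample traffic for one site.
    for msg in (Telemetry("site-1", 100.0, 2.5), Telemetry("site-1", 110.0, -1.0),
                Telemetry("site-1", 105.0, 0.0)):      # stale report, ignored
        print(msg.ts, router.deliver(msg))
    print("t=120", router.tick(120.0))
    print("t=500", router.tick(500.0))                 # telemetry delayed -> offline
    print(router.actor_for("site-1").transitions)
```

The single-writer property is what matters: every mutation of a site's state goes through one object, so there are no locks and no concurrent writers to reason about, and the router is the only place that needs to scale out.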

What does the new NHSX contact tracing app for coronavirus mean for data protection?

Although elementary, automated contact tracing has significant practical limitations. Bluetooth is an imprecise tool, and it risks false positives such as proximity through a wall. Necessarily it is ‘blind’ to disease transmission in spaces vacated by infected individuals moments before, where no Bluetooth handshake between handsets would take place. Crucially, automated contact tracing relies on uptake. In the UK, 60% of the population would need to download the app for it to make a positive difference, and with 20% of Britain’s population estimated not to own a smartphone and many older devices with limited app capability, many people would be excluded. A further difficulty arises from the multiplicity of contact tracing apps currently under development – how will they work together? Moreover, once international travel resumes, will national contact tracing apps be interoperable? Finally, there is a risk that automated contact tracing will be seen as a panacea by ‘fanboys’ for utopian technological solutions, whereas in reality, it can only be part of the answer, along with adequate infection testing and traditional confirmatory contact tracing, which are essential components of any useful roll-out.

Industry 4.0 requires whole-of-business approach to be successful

Even though the IoT revolution actually started in industrial settings in the 1960s and '70s, operators today still limit measurements to what is easy to measure. They also tend to apply the analytics and data created by those measurements too narrowly. As operational technologies (OT) and IT continue to blend (with operational analytics, for example, taking place on cloud platforms and the output being subsequently shared with ERP and supply chain management systems), using all operational data and analytics to uncover whether technology-led process improvements are actually achieving the objectives for which they were deployed is more important than ever. "What we saw in our test bed activities is all these parties need to be brought onto the same page in order to declare success," said Jacques Durand, co-chair of IIC's Digital Transformation working group and lead author of the report. "Saying that you just want to reduce a product error rate … is one thing but you have to be precise: What product? When do you measure? There are many aspects of measuring the condition of what you are measuring." Because of the tight integration taking place between OT, IT, and business workflows, today's process improvement goals go well beyond the factory floor.

Data Gateways in the Cloud Native Era

Microservices influence the data layer in two dimensions. First, they demand an independent database per microservice. In practical implementations this ranges from an independent database instance to independent schemas and logical groupings of tables. The main rule is that only one microservice owns and touches a dataset, and all data is accessed through the APIs or events of the owning microservice. The second way a microservices architecture influences the data layer is through datastore proliferation. Just as it allows microservices to be written in different languages, this architecture gives every microservices-based system the freedom to have a polyglot persistence layer. With this freedom, one microservice can use a relational database, another a document database, and a third an in-memory key-value store. While microservices allow you all that freedom, again it comes at a cost: operating a large number of datastores turns out to be something existing tooling and practices were not prepared for.

Quote for the day:

"Make heroes out of the employees who personify what you want to see in the organization." -- Anita Roddick
