Daily Tech Digest - December 16, 2020

5G and the sustainable future: a look to 2025

5G could boost economic resilience by providing a reliable second source of precise location and timing information, not only assisting global navigation satellite systems (GNSS) but complementing them. GNSS only work in “open sky” environments — they can’t provide information in “sheltered” settings such as tunnels or buildings. 5G delivers position and timing information that is just as accurate as GNSS but can do so while providing unbroken indoor and outdoor coverage. Broadband has become essential to our social lives and the world’s economies (both national and local), but there are still many “white spots” where no coverage exists. This digital divide must be addressed if more people are to access the economic opportunities and benefits that mobile connectivity provides. As future economic growth will depend less on basic connectivity and more on advanced service profiles, the harmful effects of these white spots will only become more acute. White spots in farmland hinder modern agricultural water management. An estimated 42 percent of the world’s accessible fresh water is lost through leaky irrigation systems, inefficient application methods and growing crops that are too “thirsty” for their environment.

SSO and MFA Are Only Half Your Identity Governance Strategy

The time employees spend waiting for access approval is paid time when they are not working. As mentioned, the time spent by IT staff entering or resetting passwords adds up. It's an unnecessary and costly allocation of resources. The crux of the problem is not only understanding which roles need access to which application assets but determining what is the right level of access. The faster this can be achieved with less human intervention, the greater the efficiency and cost-saving. New automated solutions that harness machine learning hold promise to help IT and security teams with smart recommendations about where to direct their efforts. Prioritization is essential when managing thousands or tens of thousands of identities. Lost in the sea of identities, it is easy for organizations to lose track of which permissions they have granted. This can lead to permission sprawl and unnecessary exposure. However, automated tracking of users, their roles, and the permissions granted to them can dramatically reduce the risk of unused entitlements that attackers can exploit to gain access to valuable assets. Permission management has a lot of catching up to reach the robustness and adoption of SSO-related tools.

Microservice Architecture and its 10 Most Important Design Patterns

Microservice Architecture is about splitting a large, complex systems vertically (per functional or business requirements) into smaller sub-systems which are processes (hence independently deployable) and these sub-systems communicates with each other via lightweight, language-agnostic network calls either synchronous (e.g. REST, gRPC) or asynchronous (via Messaging) way. ... In a Microservice Architecture, especially with Database per Microservice, the Microservices need to exchange data. For resilient, highly scalable, and fault-tolerant systems, they should communicate asynchronously by exchanging Events. In such a case, you may want to have Atomic operations, e.g., update the Database and send the message. If you have SQL databases and want to have distributed transactions for a high volume of data, you cannot use the two-phase locking (2PL) as it does not scale. If you use NoSQL Databases and want to have a distributed transaction, you cannot use 2PL as many NoSQL databases do not support two-phase locking. In such scenarios, use Event based Architecture with Event Sourcing. In traditional databases, the Business Entity with the current “state” is directly stored. In Event Sourcing, any state-changing event or other significant events are stored instead of the entities.

Researchers develop tool that automates device programming in the IoT

A new solution is now on the table, seeking to standardize the programming of event-driven architectures: the AsyncAPI specification. This specification allows users to define all the relevant information needed to design and run IoT devices in these environments. However, AsyncAPI is still in the early stages of development and therefore the tools that support it remain in short supply. Despite this, the researchers have developed a tool based on this new proposal that allows users to automate the creation of messages in the appropriate format, as well as the sending and receiving of these messages. Abel G√≥mez said: “Much of the work that goes into implementing a program for an IoT device involves creating messages in the format that subscribers to the channel expect and also “translating” messages from other devices in order to process the information. A large amount of code must therefore be programmed and, when done manually, this can be a source of errors.” The researcher continued: “By adopting this new tool, we can significantly shorten the amount of time needed to develop and launch programs, which favours interoperability, improves code quality and in turn limits the number of errors in the software development life cycle.

Covid-19 sparks boom in Middle East digital payments sector

“The biggest opportunities lie in getting everyone in the region into the financial system,” said Dannish, adding that the advent of open banking will allow application programming interfaces (APIs) to transform regional payment systems. “APIs enable innovation and allow businesses to perform in a better way,” he said. “There is so much growth still to be had in this market. The barriers to entry have been lowered since the pandemic.” However, Yusuf noted that fragmentation remains a major barrier to growth for the digital payments sector. “The region is split in terms of payment methods, policy and regulation, infrastructure and consumer preference,” he said. “There is also a generally fragmented landscape in terms of payments partners. Merchants often have to operate payments strategy at a granular level.” Yusuf added that cash as payment remains stubbornly popular in the Middle East. “Despite the momentum away from cash, if we look at the region compared to the rest of the world, it is still cash-centric and digital payments are only on the way to fulfilling their potential,” he said. “While Covid-19 and deep digital penetration are fostering change, our report showed that cash has deep-rooted social and cultural significance in the region, and that won’t be transformed overnight.”

Building stronger multicloud security: 3 key elements

The typical enterprise IT infrastructure and solutions stack today includes not only public and private cloud deployments but also an average of 288 different SaaS offerings, according to the 2020 SaaS Trends report from tech vendor Blissfully. (That’s in addition to legacy technologies in many cases, too.) These various elements have different security requirements as well as different levels and types of built-in security capabilities. Different cloud providers have different tools, they often use different terms for the same class of tools, and they have differing positions on their security responsibilities. All this leaves CISOs having to stitch together a cohesive whole that documents whether the cloud-provided security features are adequate, whether more security is needed, and where and what additional security measures are warranted. “Cloud was supposed to make our lives simpler, and it a lot of ways it does; it provides a lot of benefits. But from a security perspective it adds a lot of complexity because there’s so much to do,” says Garrett Bekker... Respondents to the 2020 Cloud Threat Report survey from Oracle and KPMG cited complexity as significant challenge, with 70% of respondents saying that too many specialized tools are required to secure their public cloud footprints and 78% highlighting the need for varying security policies and procedures between their cloud-resident and on-premises applications.

6 container concepts you need to understand

This architecture provides agility that is not feasible with VMs. Furthermore, containers support a more flexible model when it comes to compute and memory resources, and they allow resource-burst modes so that applications can consume more resources, when required, within the defined boundaries. In other words, containers provide scalability and flexibility that you cannot get from running an application on top of a VM. Containers make it easy to share and deploy applications on public or private clouds. More importantly, they provide consistency that helps operations and development teams reduce the complexity that comes with multi-platform deployment. Containers also enable a common set of building blocks that can be reused in any stage of development to recreate identical environments for development, testing, staging, and production, extending the concept of "write-once, deploy anywhere." Compared to virtualization, containers make it simpler to achieve flexibility, consistency, and the ability to deploy applications faster—the main principles of DevOps. Docker has become synonymous with containers. Docker revolutionized and popularized containers, even though the technology existed before Docker.

Concerns Run High as More Details of SolarWinds Hack Emerge

The security vendor has described UNC2452 as a threat actor that it has not encountered previously. FireEye has released indicators of compromise (IoCs) and signatures so organizations can detect the threat. But so far it has not publicly, at least, attributed the attack to any specific nation-state sponsor. Numerous media reports, however, have pinned the campaign on APT29, or Cozy Bear, a group thought to be associated with Russia's intelligence apparatus. Paul Prudhomme, cyber-threat intelligence analyst at IntSights, says his firm has so far not been able to corroborate or independently verify the claimed attribution to state-sponsored Russian cyber-espionage groups. "But we do nonetheless find the claim credible and worthy of further consideration," he says. The campaign is consistent with what IntSights has observed with state-sponsored Russian actors, including the targeting of the US government, the tight operational security, and the generally high level of sophistication and tradecraft involved. At the same time, "technology supply chain compromises of this kind are more typical of Chinese cyber-espionage groups than their Russian counterparts," Prudhomme says.

The state of AI in 2020: Biology and healthcare's AI moment

There's a ton of topics we could pick to dissect from Benaich and Hogarth's work, such as the use of PyTorch overtaking TensorFlow in research, the boom in federated learning, the analysis on talent and retainment per geography, progress (or lack thereof) in autonomous vehicles, AI chips, and AutoML. We encourage readers to dive into the report to learn more. But we wrap up with something different. Hogarth mentioned that the speculation phase in AI for biology and healthcare is starting, with lots of capital flowing. There are going to be some really amazing companies that come out of it, and we will start to see a real deployment phase kick in. But it's equally certain, he went on to add, there are going to be instances that will be revealed to be total frauds. So, what about AI ethics? Benaich and Hogarth cite work by pioneers in the field, touching upon issues such as commercial gender classification, unregulated police facial recognition, the ethics of algorithms, and regulating robots. For the most part, the report focuses on facial recognition. Facial recognition is widespread the world over and has lead to controversy, as well as wrongful arrests. More thoughtful approaches seem to gather steam, Benaich and Hogarth note.

Security automation: Time for a new playbook

Start by examining the processes and procedures your organization’s security team already has in place and identify the tasks that consume the majority of team member’s time. These will be the key use cases where SOAR can provide the most benefit by applying efficiency, speed and consistency. For example, in many organizations this might include processes such as looking up asset information or reviewing additional data points related to a security alert or a reported phishing email. It could be the process of pulling data on what’s running in memory on a device and adding that detail to an existing incident management ticket to assist in an investigative decision. Or it could be isolating hosts or blocking an IP range on the network in order to stop a threat from spreading. These are all common use cases that can be effectively automated, but only if the underlying processes and procedures are mature and well-defined. Different categories of automation require different levels of maturity in the underlying processes. If you plan to introduce any type of automated response – such as automated threat containment – you must be absolutely certain that the underlying processes are mature, or it could have a greater than intended impact the availability of systems and people.

Quote for the day:

"People with good intentions make promises, but people with good character keep them." -- Joubert Botha

No comments:

Post a Comment