Daily Tech Digest - December 18, 2020

Chaos Engineering: A Science-based Approach to System Reliability

While testing is standard practice in software development, it’s not always easy to foresee issues that can happen in production. Especially as systems become increasingly complex to deliver maximum customer value. The adoption of microservices enables faster release times and more possibilities than we’ve ever seen before, however they introduce challenges. According to the 2020 IDG cloud computing survey, 92 percent of organizations’ IT environments are at least somewhat in the cloud today. In 2020, we saw highly accelerated digital transformation as organizations had to quickly adjust to the impact of a global pandemic. With added complexity comes more possible points of failure. The trouble is that we humans managing these intricate systems cannot possibly understand or foresee all of the issues because it’s impossible to understand how each of the individual components of a loosely coupled architecture will relate to each other. This is where Chaos Engineering steps in to proactively create resilience. The major caveat of Chaos Engineering is that things are broken in a very intentional and controlled manner while in production, unlike regular QA practices, where this is done in safe development environments. It is methodical and experimental and less ‘chaotic’ than the name implies.

ECLASS presents the Distributed Ledger-based Infrastructure for Industrial Digital Twins

Advancing digitalization, increasing networking and horizontal integration in the areas of purchasing, logistics and production, as well as in the engineering, maintenance and operation of machines and products, are creating new opportunities and business models that were unimaginable before. Classic value chains are turning more and more into interconnected value networks in which partners can seamlessly find and exchange the relevant information. Machines, products and processes receive their Digital Twins, which represent all relevant aspects of the physical world in the information world. The combination of physical objects and their Digital Twins creates so-called Cyber Physical Systems. Over the complete lifecycle, the relevant product information and production data captured in the Digital Twin must be available to the partners in the value chain at any time and in any place. The digital representation of the real world in the information world, in the form of Digital Twins, is therefore becoming increasingly important. However, the desired horizontal and vertical integration and cooperation of all participants in the value network across company boundaries, countries, and continents can only succeed on the basis of common standards

Data Protection Bill won’t get cleared in its current version

Pande from Omidyar Network India said stakeholders of the data privacy regulations should consider making the concept of consent more effective and simple. The National Institute of Public Finance and Policy (NIPFP) administered a quiz in 2019 to test how well urban, English speaking college students understand privacy policies of Flipkart, Google, Paytm, Uber, and WhatsApp. The students only scored an average of 5.3 out of 10. The privacy policies were as complex as a Harvard Law Review paper, Pande said. Facebook’s Claybaugh, however, said that “despite the challenges of communicating with people about privacy, we do take pretty strong measures both in our data policy which is interactive, in relatively easy-to-understand language compared to, kind of, the terms of service we are used to seeing.” Lee, who earlier worked with Singapore’s Personal Data Protection Commission said challenges of a (DPA) are “manifold”. She said it must be ensured that the DPA is “independent” and is given necessary powers especially when it must regulate the government. The DPA must be staffed with the right people with knowledge of technical and legal issues involved, she added.

India approves game-changing framework against cyber threats

The office of National Security Advisor Ajit Doval, sources said, noted that with the increasing use of Internet of Things (IoT) devices, the risk will continue to increase manifold and the advent of 5G technology will further increase the security concerns resulting from telecom networks. Maintaining the integrity of the supply chain, including electronic components, is also necessary for ensuring security against malware infections. Telecom is also the critical underlying infrastructure for all other sectoral information infrastructure of the country such as power, banking and finance, transport, governance and the strategic sector. Security breaches resulting in compromise of confidentiality and integrity of information or in disruption of the infrastructure can have disastrous consequences. Sources said that in view of these issues, the NSA office had recommended a framework -- 'National Security Directive on Telecom Sector', which will address 5G and supply chain concerns. Under the provisions of the directive, in order to maintain the integrity of the supply chain security and in order to discourage insecure equipment in the network, government will declare a list of 'Trusted Sources/Trusted Products' for the benefit of the Telecom Service Providers (TSPs).

The case for HPC in the enterprise

Essentially, HPC is an incredibly powerful computing infrastructure built specifically to conduct intensive computational analysis. Examples include physics experiments that identify and predict black holes. Or modeling genetic sequencing patterns against disease and patient profiles. In the past year, the Amaro Lab at UC San Diego performed modeling on the COVID-19 coronavirus to an atomic level using one of the top supercomputers in the world at the Texas Advanced Computing Center (TACC). I hosted a webinar with folks from UCSD, TACC and Intel discussing their work here. Those types of compute intensive workloads are still happening. However, enterprises are also increasing their demand for compute intensive workloads. Enterprises are processing increasing amounts of data to better understand customers and business operations. At the same time, edge computing is creating an explosive number of new data sources. Due to the sheer amount of data, enterprises are leveraging automation through the form of machine learning and artificial intelligence to parse the data and gain insights while making faster and more accurate business decisions. Traditional systems architectures are simply not able to keep up with the data tsunami.

5 reasons IT should consider client virtualization

First is the compatibility to run different operating systems or different versions of the same operating system. For example, many enterprise workers are increasingly running applications that are cross-platform such as Linux applications for developers, Android for healthcare or finance, and Windows for productivity. Second is the potential to isolate workloads for better security. Note that different types of virtualization models co-exist to support the diverse needs of customers (and applications in general are getting virtualized for better cloud and client compatibility). The focus of this article is full client virtualization that enables businesses to take complete advantage of the capabilities of rich commercial clients including improved performance, security and resilience. Virtualization in the client is different from virtualization in servers. It’s not just about CPU virtualization, but also about creating a good end-user experience with, for example, better graphics, responsiveness of I/O, network, optimized battery life of mobile devices and more. A decade ago, the goal of client virtualization was to use a virtual machine for a one-off scenario or workload.

The top 6 use cases for a data fabric architecture

A data fabric architecture promises a way to deal with many of the security and governance issues being raised by new privacy regulations and the rise in security breach incidents. "By far the largest positive impact of a data fabric for organizations is the focus on enterprise-wide data security and governance as part of the deployment, establishing it as a fundamental, ongoing process," said Wim Stoop, director of product marketing at Cloudera. Data governance is often seen in isolation, tied to a use case like tackling regulatory compliance needs or departmental requirements in isolation. With a data fabric, organizations are required to take a step back and consider data management holistically. This delivers the self-service access to data and analytics businesses demand to experiment and quickly drive value from data. Such a degree of management, governance and security of data then also makes proving compliance -- both industry and regulatory -- more or less a side effect of having implemented the fabric itself. Although this is not a full solution, it greatly reduces the effort associated with adhering to compliance requirements. Platz cautioned that there is a wide gulf between a vision for a perfect data fabric and what is practical today. "In practice, many first versions of data fabric architectures look more like just another data lake," Platz said.

Malicious Browser Extensions for Social Media Infect Millions of Systems

"This could be used to gather credentials and other sensitive corporate data from the websites visited by the victim," he says. "We are preparing a technical blog post with more technical information and IoCs, but for now, we can share the ... malicious domains." The malicious extensions are the latest attempt by cybercriminals to hide code in add-ons for popular browsers. In February, independent researcher Jamila Kaya and Duo Security announced they had discovered more than 500 Chrome extensions that infected millions of users' browsers to steal data. In June, Awake Security reported more than 70 extensions in the Google Chrome Web store were downloaded more than 32 million times and which collected browsing data and credentials for internal websites. In its latest research, Avast found the third-party extensions would collect information about users whenever they clicked on a link, offering attackers the option to send users to an attacker-controlled URL before forwarding them to their destinations. The extensions also collect the users' birthdates, e-mail addresses, and information about the local system, including name of the device, its operating system, and IP addresses.

How to use Agile swarming techniques to get features done

Teams that concentrate on individual skills and tasks end up with some members far ahead and others grinding away at unfinished work. For example, a back-end developer is still working on a feature, while the front-end developer for that feature has finished coding. The front-end developer then starts coding the next feature. The team can design hooks into the code to let the front-end developers validate their work. However, a feature is not done until a team completes the whole thing, fully integrates it and tests it. Letting developers move asynchronously through the project might result in good velocity metrics, but those measures don't always translate to the team delivering the feature on time. If testers discover issues in a delivered feature, the entire team must return to already completed tasks. Let this scenario play out in a real software organization, and you end up with partially completed work on many disparate tasks, and nothing finished. The goal of Agile development is not to ensure the team is 100% busy, with each person grabbing new product backlog items as soon as they complete their prior task. This approach to development results in extensive multitasking and ultimately slows the flow of completed items.

Application Level Encryption for Software Architects

Unless well-defined, the task for application-level encryption is frequently underestimated, poorly implemented, and results in haphazard architectural compromises when developers find out that integrating a cryptographic library or service is just the tip of the iceberg. Whoever is formally assigned with the job of implementing encryption-based data protection, faces thousands of pages of documentation on how to implement things better, but very little on how to design things correctly. Design exercises turn out to be a bumpy ride every time you don’t expect the need for design and have a sequence of ad-hoc decisions because you anticipated getting things done quickly: First, you face key model and cryptosystem choice challenges, which hide under “which library/tool should I use for this?” Hopefully, you chose a tool that fits your use-case security-wise, not the one with the most stars on GitHub. Hopefully, it contains only secure and modern cryptographic decisions. Hopefully, it will be compatible with other team’s choices when the encryption has to span several applications/platforms. Then you face key storage and access challenges: where to store the encryption keys, how to separate them from data, what are integration points where the components and data meet for encryption/decryption, what is the trust/risk level toward these components?

Quote for the day:

"Public opinion is no more than this: What people think that other people think." -- Alfred Austin

No comments:

Post a Comment