SolarWinds, a well-known IT managed services provider, has recently become a victim of a cyberattack. Their product Orion Platform, a solution for monitoring and managing their customers’ IT infrastructure, was compromised by threat actors. This resulted in the deployment of a custom Sunburst backdoor on the networks of more than 18,000 SolarWinds customers, with many large corporations and government entities among the victims. According to our Threat Intelligence data, the victims of this sophisticated supply-chain attack were located all around the globe: the Americas, Europe, Middle East, Africa and Asia. After the initial compromise, the attackers appear to have chosen the most valuable targets among their victims. The companies that appeared to be of special interest to the malicious actors may have been subjected to deployment of additional persistent malware. Overall, the evidence available to date suggests that the SolarWinds supply-chain attack was designed in a professional manner. The perpetrators behind the attack made it a priority to stay undetected for as long as possible: after the installation, the Sunburst malware lies dormant for an extended period of time, keeping a low profile and thwarting automated sandbox-type analysis and detection.
One of the arguments in favor of creating independent services is the idea that those services can then "scale independently". Meaning, you can be more targeted in how you provision servers and databases to meet service demands. So, rather than creating massive services to scale only a portion of the functionality, you can leave some services small while independently scaling-up other services. Of all the reasons as to why independent services are a "Good Thing", this one gets used very often but is, in my (very limited) opinion, usually irrelevant. Unless a piece of functionality is CPU bound or IO bound or Memory bound, independent scalability is probably not the "ility" you have to worry about. ... If I could go back and redo our early microservice attempts, I would 100% start by focusing on all the "CPU bound" functionality first: image processing and resizing, thumbnail generation, PDF exporting, PDF importing, file versioning with rdiff, ZIP archive generation. I would have broken teams out along those boundaries, and have them create "pure" services that dealt with nothing but Inputs and Outputs (ie, no "integration databases", no "shared file systems") such that every other service could consume them while maintaining loose-coupling.
The CIOs also shared their challenges and experiences during the pandemic. Responding to the big business focus area that tech and cloud will enable or drive in 2021, Chatterjee shared, “For us, it’s very clear the data and analytics piece, and all the modeling that we are doing around fraud, retention propensity, the entire claims experience, I think, across the value chain, anything that is data and insights. And I will be careful in using the term ‘analytics’, because in a lot of areas we use analysis and we incorrectly call it analytics, but the idea is, cloud will enable the entire data and insights as a capability within the organisation. This is something big for us and will be driven by the cloud.” For SonyLiv, the focus is on harnessing the use of data. “We as an organisation, are digital and are using data in each and every decision that we make, whether it is on the infrastructure side, content programming, content production, churn analysis, retention – everywhere. I think it is all about data and democratisation of the data. We are working big time on introducing some of the prediction models, machine learning models, which can help us to retain users. So, I think data is going to play a critical role. The other area which I feel we as a business, is on the OTT side.
You need to go back to the fundamentals. One way to look at it is understanding that microservices are distributed systems, something many people will have experience with. They should also be familiar with what another panelist, Oswaldo Hernandez Perez, engineering manager at Improbable, called the first law of distribution: “If you don’t need to do it, don’t do it.” So that means focusing on why you are building what you are building. What are you trying to achieve? This is a fundamental question that’s applicable to businesses of all sizes. What problem are you trying to solve, and how will your solution remove friction from its users’ lives? That’s what people care about. Even if you’re developing a niche app for a highly technical audience, they are unlikely to care too much about how it got to them, only that it did and it is fixing a problem for them. If the only way to achieve that is with microservices, then yes, you should definitely use them. If there is an alternative, then consider using that. Do not simply start breaking everything up into microservices just because that is what everyone is currently talking about. Ultimately, microservices are an architectural pattern to reduce complexity. It does this, but it also adds complexity elsewhere. If used in isolation, then you’ll fix your complexity in one dimension and have it proliferate elsewhere.
Technological discussions are essential to provide a solution to a defined improvement area or challenge, but they are meaningful only after there has been a clearly defined use case with concrete and measurable value identified and captured within financial reporting systems. This means that each effort should start with an integrated value design, rather than technology. It needs to be integrated in the sense that the designed target value can be directly linked to an outcome —for example, process improvements enabled by the digital solution that generated a measurable value impact. Value and solution design need to be one integrated effort. In consequence, this also implies that use cases need to be defined bottom-up, by the operators and resources that operate production and thus realize value add, rather than top-down. Within industrial settings, implementing industry 4.0 technologies takes more time and effort, compared to applications in the consumer space, for a variety of reasons. Any industrial customer today depends on existing brownfield installations to run and operate their business—these are mostly highly complex and tailored to the targeted product. Managing this complexity manually would be a Sisyphean struggle. When industrial companies are integrating digital manufacturing and supply chain solutions with their customers, they need to continually adapt the solution stack to customer requirements.
Expect a sharper focus on understanding and optimizing processes as a direct result of the shift from RPA adoption to evaluation and optimization. Plenty of organizations will realize their initial efforts were stymied by processes that they didn’t fully understand or that simply weren’t good fits for RPA. Day predicts that process-focused technologies and practices – such as process mining – will gain a greater share of attention in the new year. Related terms and technologies such as process discovery, process intelligence, process optimization, and process orchestration will similarly become a bigger part of the RPA vocabulary and toolkit. And as we wrote about recently, we could see a closer relationship between business process management (BPM) and RPA going forward. “Most companies are jumping straight into RPA or trying to automate processes without first adopting process mining, which leads to more strategic deployment of RPA and a more efficient automation framework overall,” Day says. “By more closely associating RPA with process mining and process management, RPA will stand a better chance for success – and organizations will not adopt automation for automation’s sake, and instead focus on ROI and higher success rates.”
"There will be two pathways for companies to get AI software," said Andrew Bartels, VP and principal analyst serving CIO professionals at Forrester Research. The first movers will continue to build their own for speed to market and differentiation. It's a more expensive path, but some organizations will find value in pursuing it. Meanwhile, other organizations in the future will take another pathway. "The second pathway will be to wait for existing vendors to add the relevant functionality into existing products," Bartels said. "We think over time that will be the more dominant pathway." ... Bartels offers a simple model for assessing the maturity of your vendor's AI and whether it is the right fit for the task you have. He uses the metaphor of K-12 grade school students. If a vendor says they are adding AI functionality to their roadmap, that is a pre-kindergarten level. If they are actually developing the technology, they are in kindergarten. If they have it in beta with clients, they are a third grader. If they are in production with multiple clients for a few years, then they are an eighth grader. The scale continues along the same lines with more advanced work. Bartels said enterprise IT leaders need to ask themselves: "Is this a task that an eighth grader could do? Then trust an AI engine to do it. Or, is this a task we would not give to a human who did not have an equivalent of an 11th grade education?"
Recent events heightened the need to instill the cybersecurity culture and mindset into businesses and local governments. When employees understand how to monitor, spot, and recover from threats, systems can become more resilient. Murphy says, "When I talk with folks about cybersecurity, I tell them the most important thing is to educate your employees or citizens on how they should behave and the things to watch out for. The second component is to know what's going on in your world and then be able to respond or recover your environment. Educating your employees while using AI is key." At this point, even if companies and local governments have limited resources, there are still strategies they can take to secure their environment. Murphy says, "If you don't have the money, at least do things like segment your network. There are certain design criteria that you can build for a safer environment. There are best practices that don't require capital investment. At a minimum, there's good change control and configuration management practices that must be implemented." Without a foundation of cybersecurity, innovation cannot progress.
While there will be a whole host of systems that businesses and individuals will interact with in the future, they must be intelligent, they need to involve us, and they need to sense and be able to take decisions, some on their own. What this means for businesses is that while the digital presence of systems and processes will only increase, increasing their intelligence and continually enhancing them will be crucial. Therefore, we can expect the role of AI to be far more strategic than ever before, particularly as we think about emotional intelligence in the future. The beauty of this change will be greater demand for people and skills. While AI will start making systems intelligent and reduce demand on maintenance and smaller operations, the next innovations, the roadmap development, the enhancements, and emotional intelligence will require more manpower. Up to now, AI investment in industry has been aimed at solving specific business challenges and driving cost reduction; now businesses really need to invest in creating an enterprise-grade AI stack to responsibly scale AI across the enterprise. Ultimately, organisations need to focus on improving the end user and customer experience, using AI to drive hyper-personalisation such as conversational commerce tools.
IoT devices and systems represent additional enterprise attack surface, in the same way that allowing users to "bring your own device" does for mobile devices. These devices expose the organization to the same types of risk as other devices deployed on the corporate network. Security flaws in IoT devices can lead to device takeover and the exposure of sensitive data, and they provide attackers a foothold in the corporate network that can be used to launch additional attacks. Additionally, these IoT systems tend to traffic in a lot of sensitive data, including confidential and proprietary information, and information that has privacy implications. This data will leave the corporate firewall and be processed by services hosted by the IoT system provider, which places the burden on the enterprise to understand how these IoT systems affect its risk posture. Third-party risk must be approached in a structured manner as part of an overall vendor risk management program. New IoT systems that are going to be deployed on enterprise networks and process sensitive enterprise information need to be run through a vetting process, so that the organization understands the change in risk exposure. This process can share many of the same characteristics of a standard vendor risk management program but may need to be augmented to address some of the specific concerns that IoT systems raise.
Quote for the day:
"Appreciation is a wonderful thing: It makes what is excellent in others belong to us as well." -- Voltaire