The rise of cybersecurity debt
Complexity is the enemy of security. Some companies are forced to put together
as many as 50 different security solutions from up to 10 different vendors to
protect their sprawling technology estates — acting as a systems integrator of
sorts. Every node in these fantastically complicated networks is like a door or
window that might be inadvertently left open. Each represents a potential point
of failure and an exponential increase in cybersecurity debt. We have an
unprecedented opportunity and responsibility to update the architectural
foundations of our digital infrastructure and pay off our cybersecurity debt. To
accomplish this, two critical steps must be taken. First, we must embrace open
standards across all critical digital infrastructure, especially the
infrastructure used by private contractors to service the government. Until
recently, it was thought that the only way to standardize security protocols
across a complex digital estate was to rebuild it from the ground up in the
cloud. But this is akin to replacing the foundations of a home while still
living in it. You simply cannot lift-and-shift massive, mission-critical
workloads from private data centers to the cloud.
Zero trust: The good, the bad and the ugly
Right from the start, the name zero trust has unwelcome implications. On the
surface, it appears that management does not trust employees or that everything
done on the network is suspect until proven innocent. "While this line of
thinking can be productive when discussing the security architecture of devices
and other digital equipment, security teams need to be careful that it doesn't
spill over to informing their policy around an employer's most valuable asset,
its people," mentioned Jason Meller, CEO and founder at Kolide. "Users who feel
their privacy is in jeopardy, or who do not have the energy to continually
justify why they need access to resources, will ultimately switch to using their
own personal devices and services, creating a new and more dangerous
problem—shadow IT," continued Meller. "Frustratingly, the ill effects of not
trusting users often force them to become untrustworthy, which then in turn
encourages IT and security practitioners to advocate for more aggressive zero
trust-based policies." In the interview, Meller suggested the first thing
organizations looking to implement zero trust should do is form a working group
with representatives from human resources, privacy experts and end users
themselves.
From Boardroom To Service Floor: How To Make Cybersecurity An Organizational Priority Now
Of course, companies don’t just want to identify risk. They want to prevent
relevant threats and secure their IT infrastructure. To achieve this,
boardrooms, C-suite executives and cybersecurity teams will need to focus on the
most potent risks — from insider threats to misconfigured databases — to enhance
their defensive posture to meet the moment. This should begin by addressing your
in-house vulnerabilities. With so many data breaches caused, in part, by
employees, companies can defend data by enhancing their educational and
oversight protocols. For instance, employee monitoring that harnesses user
behavior analytics can empower companies to identify employees who might be
vulnerable to a phishing scam, allowing leaders to direct teaching and training
to mitigate the risk. (Full disclosure: Employee monitoring is among my
company’s key provisions.) Similarly, cybersecurity software that restricts data
access, movement and manipulation can ensure that data is available on a
need-to-know basis, reducing opportunities for negligence or accidents to
undermine data security.
How Testers Can Contribute to Product Definition
The approach to closing the understanding gap that has proven successful is
"listening before talking". In practice, this means meeting the stakeholders,
learning about their motivation and goals, building relationships and
establishing a collaboration – basically, a feedback loop. The next step was to explore
the clients’ needs and their user personas by either talking to product
manager(s), reading industry-related articles, or analyzing customer data,
because each user persona has a different goal and therefore a different task to
complete in our product. For me, it’s essential to understand these differences
to learn what is important to each one of them and aim for the specific quality
characteristics when providing feedback on design, user experience, or product
requirements. ... Practically, the shorter the feedback loop, the better. To
make it shorter, I try to be there when the project starts to kick off and
requirements are shaped, or when first prototypes are done, and generally be
proactive by asking what’s the next important thing, inviting different
stakeholders for pairing and collaborating closely to discover and share
important information about the product.
API Security Depends on the Novel Use of Advanced ML & AI
By creating API-driven applications, we have exposed a much bigger attack
surface. That’s number one. Number two, of course, we have made it challenging
to the attackers, but the attack surface being so much bigger now needs to be
dealt with in a completely different way. The older class of applications took
a rules-based system as the common approach to solve security use cases.
Because they just had a single application and the application would not
change that much in terms of the interfaces it exposed, you could build in
rules to analyze how traffic goes in and out of that application. Now, when we
break the application into multiple pieces, and we bring in other paradigms of
software development, such as DevOps and Agile development methodologies, this
creates a scenario where the applications are always rapidly changing. There
is no way rules can catch up with these rapidly changing applications. We need
automation to understand what is happening with these applications, and we
need automation to solve these problems, which rules alone cannot do.
Everything You Need To Know About India’s Centre for Artificial Intelligence and Robotics
CAIR is involved in research and development in AI, robotics, command and
control, networking, information and communication security, along with the
development of mission-critical products for battlefield communication and
management systems. CAIR was appraised for Capability Maturity Model
Integration (CMMI) Maturity Level 2 in 2014 and has ISO 9001:2015
certification. As part of the Defence Research and Development Organisation
(DRDO), robotics was one of the priority areas of CAIR, said V S Mahalingam,
former director, CAIR. Mahalingam joined DRDO in 1986 and served in
Electronics & Radar Development Establishment (LRDE) till 2000 before he
moved to CAIR. “Concentrating on the development of totally indigenous robots,
the lab developed a variety of controllers and manipulators for Gantry, Scara,
and other types of robots. With the experience gained from these initial
years, the lab developed an autonomous guided vehicle (AGV). The expertise in
control systems required for robotics was applied to the development of
control laws for Tejas fighter,” Mahalingam added.
How do I become a network architect?
For the most part, network architects fall into department management roles
overseeing teams of network engineers, system administrators, and perhaps
application developers. The goal of a network architect is to design
efficient, reliable, cost-effective network infrastructures that meet the
long-term information technology and business goals of an organization. The
trick is to accomplish those long-term goals while also permitting the
organization to meet its short-term business goals and financial obligations.
... Successful network architects must be able to see the big picture
regarding current and future information technology infrastructure, not only
for the organization but for the industry and general business environment as
well. Individuals fulfilling the job role must be able to produce a documented
vision of network infrastructure now and in the future. Documentation is
important because a network architect must be able to present their vision of
current and future network needs and goals to C-level management, employees,
and other stakeholders. They must be able to communicate why their vision is
correct, and why those stakeholders should provide the resources necessary to
bring that vision into fruition.
The Beauty of Edge Computing
The volume and velocity of data generated at the edge is a primary factor that
will impact how developers allocate resources at the edge and in the cloud. “A
major impact I see is how enterprises will manage their cloud storage because
it’s impractical to save the large amounts of data that the Edge creates
directly to the cloud,” says Will Kelly, technical marketing manager for a
container security startup. “Edge computing is going to shake up cloud
financial models so let’s hope enterprises have access to a cloud economist or
solution architect who can tackle that challenge for them.” With billions of
industrial and consumer IoT devices being deployed, managing the data is an
essential consideration in any edge-to-cloud strategy. “Advanced consumer
applications such as streaming multiplayer games, digital assistants and
autonomous vehicle networks demand low latency data so it is important to
consider the tremendous efficiencies achieved by keeping data physically close
to where it is consumed,” says Scott Schober, President/CEO of Berkeley
Varitronics Systems, Inc. It’s not much of a stretch to view the edge as an
integral part of the fast-evolving hybrid cloud.
Is STG Building a New Cybersecurity Powerhouse?
The consensus is STG will likely form either a complete new company out of its
newly acquired businesses - hoping the sum of the parts will make STG a major
player in the security space - or simply allow customers to pull together a
security plan on an a la carte basis from STG's various parts. "You can see a
future where we're going to have a clash of some really sophisticated industry
heavyweights. You're going to have to compete with Microsoft; you're going to
have to compete with Cisco. So if you're going to get in a fight with
Microsoft and Cisco, you better bring a big stick. And it looks like they've
now got a big stick," says Frank Dickson, program vice president at IDC. Peter
Firstbrook, vice president and analyst with Gartner, believes STG is putting
together a portfolio to deliver a one-stop shopping experience for those
looking for a suite of cybersecurity products and solutions to protect their
organization. "One trend they could take advantage of is the propensity of
buyers to seek out fewer, more strategic vendors that have integrated
solutions," Firstbrook says. "Eighty percent of buyers want to consolidate the
number of security products and vendors to make their security operations more
efficient."
Using Distributed Tracing in Microservices Architecture
Observability is monitoring the behavior of infrastructure at a granular
level. This facilitates maximum visibility within the infrastructure and
supports the incident management team to maintain the reliability of the
architecture. Observability is done by recording the system data in various
forms (tools) such as metrics, alerts (events), logs, and traces. These
functions help in deriving insights into the internal health of the
infrastructure. Here, we are going to discuss the importance of tracing and
how it evolved into a technique called distributed tracing. Tracing is the
continuous supervision of an application’s flow and data progression, often
representing the track of a single user’s journey through an app stack. Traces
make the behavior and state of an entire system more obvious and
comprehensible. Distributed request tracing is an evolutionary method of
observability that helps to keep cloud applications in good health.
Distributed tracing is the process of following a transaction request and
recording all the relevant data throughout the path of microservices
architecture.
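To make the request-following idea concrete, here is an added example (not code from the article or any tracing product) of how a trace identifier is carried from service to service. The header format is the real W3C `traceparent` layout (version-traceid-parentid-flags); the four services, the in-memory span collector and the `request_path` reconstruction are constructed for illustration. One trace id shared by every span is what lets an incident responder pull the whole path of a single suspicious request out of logs from many services.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

TRACEPARENT = "traceparent"  # W3C Trace Context header name


@dataclass
class Span:
    name: str
    trace_id: str
    span_id: str
    parent_id: Optional[str]


SPANS: List[Span] = []  # constructed in-memory collector standing in for a tracing backend


def parse_traceparent(header: str):
    """Split '00-<32 hex trace id>-<16 hex parent span id>-<flags>' into (trace_id, parent_id)."""
    _version, trace_id, parent_id, _flags = header.split("-")
    return trace_id, parent_id


def start_span(name: str, incoming: Dict[str, str]) -> Span:
    """Continue the caller's trace if a traceparent header arrived, else start a new trace."""
    header = incoming.get(TRACEPARENT)
    if header:
        trace_id, parent_id = parse_traceparent(header)
    else:
        trace_id, parent_id = secrets.token_hex(16), None
    span = Span(name, trace_id, secrets.token_hex(8), parent_id)
    SPANS.append(span)
    return span


def outgoing_headers(span: Span) -> Dict[str, str]:
    """Headers a service attaches to its downstream calls so the trace continues."""
    return {TRACEPARENT: f"00-{span.trace_id}-{span.span_id}-01"}


# Constructed services: gateway -> orders -> (inventory, payments). Each one only
# sees the headers it receives and the headers it sends; nothing else is shared.
def gateway(headers: Dict[str, str]) -> str:
    span = start_span("gateway", headers)
    return orders(outgoing_headers(span))


def orders(headers: Dict[str, str]) -> str:
    span = start_span("orders", headers)
    start_span("inventory", outgoing_headers(span))
    start_span("payments", outgoing_headers(span))
    return span.trace_id


def request_path(trace_id: str) -> List[str]:
    """Rebuild the call tree of one request from the collected spans (indent = depth)."""
    by_parent: Dict[Optional[str], List[Span]] = {}
    for s in SPANS:
        if s.trace_id == trace_id:
            by_parent.setdefault(s.parent_id, []).append(s)

    def walk(parent: Optional[str], depth: int) -> List[str]:
        lines = []
        for s in by_parent.get(parent, []):
            lines.append("  " * depth + s.name)
            lines.extend(walk(s.span_id, depth + 1))
        return lines

    return walk(None, 0)
```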
Quote for the day:
"Every great leader can take you back to a defining moment when they decided to lead." -- John Paul Warren