Daily Tech Digest - April 12, 2022

What Data Privacy Really Needs Now Is A Digital Transformation

To begin your company's data privacy digital transformation, you should do two main things. First, define your company's privacy requirements. Create a clear list of the current needs you have. Do you need help managing and fulfilling users' privacy requests? Do you need a consent management tool? Do you want to automate your data mapping efforts? Do you need third-party risk assessment? Make sure you clearly define your desired set of requirements based on your user base size, business assets and countries of operation. Depending on where your business and customers reside, you will need to research the requirements for data privacy compliance in each of those countries. ... A digital transformation will help the data privacy field make strides as it progresses. With privacy technology and automation, companies can seamlessly integrate data privacy into their businesses, products and customer experiences. Data ownership marks a new era in the digital world, and to make it possible and successful, we have to welcome this change with smart technologies and an open mind.

Introduction to BigLake tables

BigLake is a unified storage engine that simplifies data access for data warehouses and lakes by providing uniform fine-grained access control across multi-cloud storage and open formats. BigLake extends BigQuery's fine-grained row- and column-level security to tables on data resident object stores such as Amazon S3, Azure Data Lake Storage Gen2, and Google Cloud Storage. BigLake decouples access to the table from the underlying cloud storage data through access delegation. This feature helps you to securely grant row- and column-level access to users and pipelines in your organization without providing them full access to the table. After you create a BigLake table, you can query it like other BigQuery tables. BigQuery enforces row- and column-level access controls, and every user sees only the slice of data that they are authorized to see. Governance policies are enforced on all access to the data through BigQuery APIs. For example, the BigQuery Storage API lets users access authorized data using open source query engines such as Apache Spark ... For data administrators, BigLake lets you abstract access management on data lakes from files to tables, and it helps you manage users' access to data on lakes.

Creating a Security Culture Where People Can Admit Mistakes

The serious lesson from that is to acknowledge but forgive errors. "He's said, many times, that he knew at that moment it was going to be OK," Ellis says. "Creating a safe culture requires a lot of practices, and one of them is closure. Humor is a great way to provide closure because you rarely laugh about something that is still creating tension." There isn't a lot to laugh about in cybersecurity, with security teams fighting off a growing number of cyberattacks and deploying protective measures for a fast-evolving environment. But security shouldn't be about browbeating people into doing the right thing or scaring them with the prospect of punishment. For security to be a team sport, you need to make people want to play. It's vitally important to your business to create a security culture — that is, an atmosphere in which someone who messes up and breaks something feels they can report it without getting blasted for their actions. This idea isn't new, but considering recent analysis about how some companies aren't backing up their source code, sometimes stories need to be repeated.

OpenSSH goes Post-Quantum, switches to qubit-busting crypto by default

The discrepancy in effort between multiplying two known primes together, and splitting that product back into its two factors, is pretty much the computational basis of a lot of modern online security…so if quantum computers ever do become both reliable and powerful enough to work their superpositional algorithmic magic on 3072-digit prime factors, then breaking into messages we currently consider uncrackable in practice may become possible in theory. Even if you’d have to be a nation state to have even the tiniest chance of succeeding, you’d have turned a feat that everyone once considered computationally unfeasible into a task might just be worth having a crack at. This would undermine a lot of existing public-key crypto algorithms to the point that they simply couldn’t be trusted. Even worse, quantum computers that could crack new problems might also be used to have a go at older cryptographic puzzles, so that data we’d banked on keeping encrypted for at least N years because of its high value might suddenly be decryptable in just M years, where M < N, perhaps less by an annoyingly large amount.

7 tips for leading productive remote teams

“Managing productivity is one of the most complex things any one person or organization can aspire to do,” says Dr. Sahar Yousef, a cognitive neuroscientist at University of California—Berkeley. The first step, though, is to define what you mean by productive, she says. “You can’t improve or change something that is not measurable.” And you can’t trust your team if you can’t also verify that they are working productively. If, in the past, you measured how hard people were working by noting who was at their desk or who spoke up in meetings, you’ll have to find a new way. Those things aren’t available anymore and they were never a good measure of productivity anyway. “We measure baselines around productivity, not hours worked,” says Andi Mann, CTO at Qumu. Because tracking how many hours someone worked doesn’t tell you much about productivity, even when you could tell the difference between work and home. “I spent nine hours at work,” says Mann. “Does that mean I accomplished something? Not necessarily. So that’s not the measure I’m looking for. My team are grownups — coders, engineers, smart people. I measure metrics that matter — outputs and accomplishments.”

Expanding Devops With Infrastructure As Code

Given the need to software companies to constantly grow their customer bases, the relative low cost of cash for the past decade and a half, and the ability to cross sell and upsell, it is natural for software conglomerations to form. And so it was only a matter of time before Puppet Software and its peers, Ansible, Chef and SaltStack, were acquired once they built up sufficient momentum to demonstrate their likely longevity across service providers, smaller clouds, and enterprises that do not build their own DevOps software stacks. So Red Hat bought Ansible in October 2015 for around $100 million, and Ansible was absolutely one of the reasons why IBM was compelled to pay $34 billion to acquire Red Hat in October 2018. ... And then VMware paid an undisclosed sum to buy SaltStack in that same month. HashiCorp, which has built a big following with its Terraform and Vagrant configuration management tools, has gone all the way and built a complete DevOpsContainer platform and has also gone public – but HashiCorp is the exception, not the rule, and it will have to keep expanding its platform and adding more tools if it hopes to keep growing its business.

3 Ways Developers Can Boost Cloud Native Security

Developers’ interest in security has been a long time coming. Google search data shows that queries for terms like “what is DevSecOps” and “DevSecOps vs. DevOps” first popped up in 2014 and have been steadily rising since 2017. The cloud, microservices, containerization and APIs are responsible for this burgeoning interest. These innovative technologies aren’t only changing the way applications are built and operated, they’re also changing what’s needed from a security perspective. In a modern environment, developers, engineers and architects need to think about data privacy and security because today’s applications benefit from having security measures baked into discrete components. Before the cloud became as ubiquitous as it is today, traditional cybersecurity relied on a perimeter-based model. Measures like firewalls and browser isolation systems essentially “surrounded” on-premise networks and systems. Applications and data were secure because they were hosted on physically isolated infrastructure. 

Data democratization leaves enterprises at risk

Data democratization strategies ensure that company data is easily accessible by all employees, regardless of their position, without the involvement of the IT department. As valuable company data is placed in the hands of more individuals, cybercriminals can broaden the scope of potential targets to hack. Now an entire organization’s employee population theoretically faces an increased risk of malware penetration, and IT departments have a more difficult time deciphering when an unauthorized user has infiltrated the cloud-based systems where the data lives. Many organizations have implemented traditional detection-based security technology to thwart these threats, yet these solutions are only able to detect threats with known malware signatures. As enterprises work to secure their cloud infrastructures, they need to consider that solutions that focus on detecting threats are unable to protect against sophisticated attacks. As mentioned, proper security is critical for data democratization. Yet, in order for data democratization to work and make an impact, productivity has to be a critical focus.

How CISOs Are Walking the Executive Tightrop

High-performing CISOs are taking strategic business objectives and efforts into account and adapting their security programs to deliver results that multiply business velocity and revenue, instead of hindering the business by basing a security program on threats and vulnerabilities alone. This means CISOs are also having to become more business-savvy, helping promote a security culture through shared values, trust, and accountability, often more through influencing skills than with the security and compliance hammer. “We're seeing the CISO role being elevated out from underneath the CIO's IT umbrella and becoming a direct report to the CEO,” explains John Hellickson, field CISO executive advisor for Coalfire. “This means they are expected to bring a high degree of business acumen in how they represent risk to their business peers and stakeholders.” He said the need for establishing business-aligned cybersecurity programs that go beyond typical control frameworks is now table stakes -- the ability to demonstrate positive business outcomes and ROI of security risk management activities and investments will continue to be expected in the years to come.

Patch Tuesday to End; Microsoft Announces Windows Autopatch

"A security gap forms when quality updates that protect against new threats aren't adopted in a timely fashion. A productivity gap forms when feature updates that enhance users' ability to create and collaborate aren't rolled out. As gaps widen, it can require more effort to catch up," Bela says. In a separately released Windows Autopatch FAQ, Microsoft says the updates will be applied to a small initial set of devices, evaluated and then graduated to increasingly larger sets, with an evaluation period at each progression. "This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to assure that registered devices are always up to date and disruption to business operations is minimized, which will free an IT department from that ongoing task," Microsoft says. In addition, Microsoft says that in case of an issue, the Autopatch service can be paused by the customer or the service itself. "When applicable, a rollback will be applied or made available," it says.

Quote for the day:

"The secret of a leader lies in the tests he has faced over the whole course of his life and the habit of action he develops in meeting those tests." -- Gail Sheehy

No comments:

Post a Comment