Daily Tech Digest - April 20, 2022

Security-as-Code Gains More Support, but Still Nascent

"The great thing about security-as-code is that you know the configuration that you have deployed exactly corresponds to what you had specified and analyzed as meeting your security requirements," he says. "Many breaches out there are not necessarily the result of an unknown risk, but are usually the result of some control that the organization thought they had not being deployed and operating when they needed it the most." Security-as-code is an extension of the infrastructure-as-code movement that has come about as software-defined networks and systems have become more popular. DevOps teams have adopted infrastructure-as-code as the de facto standard for building and deploying software, containers, and virtual machines, but now companies are betting that the shift to cloud-native infrastructure will make security-as-code a key part of a sustainable approach to security. ... Google is joined by others blazing a trail into the security-as-code arena. The growing movement to encode security as a configuration file that can be incrementally improved led security firm Tenable Network Security to acquire Accurics, a maker of security-as-code technology.


The evolving role of the lawyer in cybersecurity

On the purely defensive side, advanced warning of a forthcoming attack can be the difference between a successful defensive posture or a damaging and costly incident. With such intelligence in hand, organizations can craft rules on an email gateway or firewall to effectively prevent attackers’ phishing email from reaching employee inboxes or to block the ability of an employee to navigate to a malicious link. Indeed, one of our attorney colleagues in New York used a bespoke threat intelligence system that he developed to identify and help to neutralize the domains that hosted a forthcoming cyberattack on the World Health Organization at the outset of the Coronavirus crisis in March 2020. That bespoke intelligence identified a domain and subdomain combination that allowed our colleague to (i) validate the data and establish that he had indeed identified an active threat to the WHO and (ii) communicate that data to trusted parties, including law enforcement, enabling defensive countermeasures to be put in place. This was a bright line example of how counsel can play a role in the critical day-to-day functions of security operations.


Disruptive Innovation: The emerging sectors applying digital technologies

Property technology, or Proptech, has been disrupting the real estate space, allowing for the buying, renting and selling of properties online. Like other industries on this list, Proptech companies have been vital for maintaining operations during lockdown as company headquarters closed their doors. Landlords and homeowners can securely list properties on an online market via a website or app, and in more recent times have been able to upload virtual viewings. Meanwhile, data analytics and algorithms powered by AI have allowed users to see what properties would be best for them. Additionally, platforms such as PlanetRent offer centralised portals for hosting relevant documents and details in one place. Proptech, and indeed real estate, also encompasses offices, and demand for companies in this area of the sector have been in high demand due to the need for organisations to move to smaller spaces, or leave the office altogether. Here, users can view office listings and make transactions online.


Flexible return-to-office policies are hammering employee experiences

The latest report observed that just more than a third of knowledge workers (34%) have reverted to working from the office five days a week, the greatest share since it began surveying in June 2020, but as this was happening, employee experience scores were plummeting for knowledge workers asked to return to the office full-time and for those who do not have the flexibility to set their own work schedules. This includes 28% worse scores on work-related stress and anxiety and 17% worse scores on work-life balance compared with the previous quarter. Moreover, the study warned there were signs that employers will pay a price for this discontent: workers who say they are unsatisfied with their current level of flexibility – both in where and when they work – were now three times as likely to look for a new job in the coming year. The data showed that non-executives were facing far more strain during the return-to-office era than leaders in the C-suite, further widening an existing executive-employee disconnect on key job satisfaction measures revealed in October 2021. 


IoT Is a Breakthrough for Automation Systems, But What About Security?

Since the IoT and smart devices collect heaps of consumer data stored over the cloud and are managed in real-time, leveraging the traditional security tools and practices to ensure security doesn’t make any sense. As far as the automation industry is concerned, providing real-time access to applications and devices and ensuring robust security without human intervention becomes an uphill battle. Moreover, cybercriminals are always looking for a loophole in the networks that provide frequent access to resources, devices, and applications that they can exploit to sneak into a network. Hence, stringent security mechanisms become crucial for businesses leveraging IoT to automate their processes. Here’s where the role of a centralized data infrastructure seamlessly routes all IoT devices through an API that further offers insights regarding machine-to-machine access and user access in real-time. Through zero-trust principles and machine-to-machine access management, businesses can deliver a seamless, secure, and monitored experience to their customers without compromising their identities and personal information.


Interim CIOs Favored as Organizations Seek Digitalization Push

This is happening because of an overall talent shortage juxtaposed with talent growth in the on-demand talent pool, coupled with more demand for the CIO role because of digital transformation. “Companies need more from the CIO; it’s harder to get this talent, they need to move faster, and there's fantastic talent that can work remotely,” he explained. Neil Price, head of practice, CIO and executive technology leadership for Harvey Nash Group, pointed out the concept of an interim CIO is not new. However, it is becoming ever more attractive due to the volume of technology transformation that businesses are looking to execute to keep pace in the post-pandemic digital environment. “They need accelerated change, and for this, an interim CIO who comes in with a very specific brief and a clear deadline or end-date can bring the concentrated focus and impetus needed,” he said. “It’s easier to deliver change with a fresh set of eyes, and this is something an interim CIO offers.” He added the concept of an interim CIO can apply equally across all types of business, and any organization that wants to change at pace can see the benefits, whether it’s a small or medium-sized business or a large enterprise.


Artificial Intelligence (AI) strategy: 4 priorities for CIOs

One of the most critical priorities is identifying high-impact areas with opportunities to embed AI-based, real-time decisions in business processes. The ability to process contextual information in real time to make on-the-fly decisions is a powerful way to differentiate products, services, and experiences in the crowded marketplace. For example, insurance firms can automate claims processing for real-time approvals based on pictures and videos provided by the claimant right from the place and time of the incident. Lenders can analyze risks in real time based on collateral and background information to offer on-the-spot loan approvals. Organizations can personalize and customize products and services across a broad array of use cases through the judicious injection of AI in their business processes. ... Since AI engineering differs from “traditional” software engineering, CIOs must establish a strategy to institutionalize AI and ML methodologies. Many enterprises have found that the most effective way to do this is to establish a robust platform supported by a governance model.


Securely Scaling the Myriad APIs in Real-World Backend Platforms

Most real-world software platforms will also interact with external APIs from business partners or third-party providers. A good authorization server and an understanding of OAuth standards will also improve your capabilities for this type of “federation.” One interesting use case is shown below, where a partner user is authorized to sign in to the company’s app. The partner authorization server could then act as an identity provider to authenticate the user according to the partner’s security policy and with familiar credentials. An embedded token from the business partner could then be used by the company’s APIs to call partner APIs. ... JWT libraries will allow APIs to use a clock skew when validating access tokens, and it is possible to configure this slightly higher for downstream APIs. It is not recommended to rely on expiry times, however, since there can be multiple reasons for a JWT to fail validation. In some setups, this might be caused by an infrastructure event such as a load balancing failover. Instead, it is recommended to implement standard expiry handling. In this case, retrying from the client is often the most resilient option.


AWS Serverless Lambda Resiliency: Part 1

This is critical as serverless Lambda functions are charged based on Memory limits (which determines the CPU allocation) along with the duration for which these functions are invoked. Without appropriate resiliency, our Lambda services could execute for a longer duration than required, our Lambda could overwhelm the backend services when they are having issues and not available or being in a degraded state, and client experiences that invoke our Lambda functions do not get an immediate fallback response. ... AWS Lambda Serverless capabilities themselves have multiple use cases when invoked synchronously or asynchronously and hence the context of how they can be made resilient can differ between the different invocations. The approaches change based on whether the solution is deployed in a single region vs. multiple regions. There is also a dependency on where the provider service is deployed, e.g., on AWS (same or another region) or outside AWS. We will identify ways to ensure that warm start Lambdas are not carrying forward issues that happened during cold start initialization. The overall objective is to reduce Lambda functions' execution time/memory consumption by optimizing them before deployment.


Cross-platform UIs ‘go live’ with .NET MAUI

You can best think of MAUI as a way to unify the various platform-specific .NET APIs so that C# and XAML code can be written once and run everywhere, with the option of providing platform-specific code to avoid a lowest common denominator approach. MAUI sits above both native code and the common base-class libraries. Your code calls MAUI APIs, which then call the requisite platform APIs. If you prefer to have native-specific features, you can call platform APIs directly if they don’t have MAUI coverage. This approach gives you a base set of common controls, much like those used by Xamarin Forms, with a layout engine that allows UI code to scale between different device form factors and screen sizes. It’s important to be aware of the capabilities of your target devices and, at the same time, come up with UI designs that can support the shift between landscape PC and Mac experiences and portrait mobile screens. Much of MAUI is the familiar XAML design experience, with a page description and code-behind to manage interactions with the rest of your application, as well as a canvas for displaying and interacting with custom graphic elements.



Quote for the day:

"The great leaders are like best conductors. They reach beyond the notes to reach the magic in the players." -- Blaine Lee

No comments:

Post a Comment