Security-as-Code Gains More Support, but Still Nascent
"The great thing about security-as-code is that you know the configuration that
you have deployed exactly corresponds to what you had specified and analyzed as
meeting your security requirements," he says. "Many breaches out there are not
necessarily the result of an unknown risk, but are usually the result of some
control that the organization thought they had not being deployed and operating
when they needed it the most." Security-as-code is an extension of the
infrastructure-as-code movement that has come about as software-defined networks
and systems have become more popular. DevOps teams have adopted
infrastructure-as-code as the de facto standard for building and deploying
software, containers, and virtual machines, but now companies are betting that
the shift to cloud-native infrastructure will make security-as-code a key part
of a sustainable approach to security. ... Google is joined by others blazing a
trail into the security-as-code arena. The growing movement to encode security
as a configuration file that can be incrementally improved led security firm
Tenable Network Security to acquire Accurics, a maker of security-as-code
technology.The evolving role of the lawyer in cybersecurity
On the purely defensive side, advanced warning of a forthcoming attack can be
the difference between a successful defensive posture or a damaging and costly
incident. With such intelligence in hand, organizations can craft rules on an
email gateway or firewall to effectively prevent attackers’ phishing email from
reaching employee inboxes or to block the ability of an employee to navigate to
a malicious link. Indeed, one of our attorney colleagues in New York used a
bespoke threat intelligence system that he developed to identify and help to
neutralize the domains that hosted a forthcoming cyberattack on the World Health
Organization at the outset of the Coronavirus crisis in March 2020. That bespoke
intelligence identified a domain and subdomain combination that allowed our
colleague to (i) validate the data and establish that he had indeed identified
an active threat to the WHO and (ii) communicate that data to trusted parties,
including law enforcement, enabling defensive countermeasures to be put in
place. This was a bright line example of how counsel can play a role in the
critical day-to-day functions of security operations.
Disruptive Innovation: The emerging sectors applying digital technologies
Property technology, or Proptech, has been disrupting the real estate space,
allowing for the buying, renting and selling of properties online. Like other
industries on this list, Proptech companies have been vital for maintaining
operations during lockdown as company headquarters closed their doors.
Landlords and homeowners can securely list properties on an online market via
a website or app, and in more recent times have been able to upload virtual
viewings. Meanwhile, data analytics and algorithms powered by AI have allowed
users to see what properties would be best for them. Additionally, platforms
such as PlanetRent offer centralised portals for hosting relevant documents
and details in one place. Proptech, and indeed real estate, also encompasses
offices, and demand for companies in this area of the sector have been in high
demand due to the need for organisations to move to smaller spaces, or leave
the office altogether. Here, users can view office listings and make
transactions online.Flexible return-to-office policies are hammering employee experiences
The latest report observed that just more than a third of knowledge workers
(34%) have reverted to working from the office five days a week, the greatest
share since it began surveying in June 2020, but as this was happening,
employee experience scores were plummeting for knowledge workers asked to
return to the office full-time and for those who do not have the flexibility
to set their own work schedules. This includes 28% worse scores on
work-related stress and anxiety and 17% worse scores on work-life balance
compared with the previous quarter. Moreover, the study warned there were
signs that employers will pay a price for this discontent: workers who say
they are unsatisfied with their current level of flexibility – both in where
and when they work – were now three times as likely to look for a new job in
the coming year. The data showed that non-executives were facing far more
strain during the return-to-office era than leaders in the C-suite, further
widening an existing executive-employee disconnect on key job satisfaction
measures revealed in October 2021.
IoT Is a Breakthrough for Automation Systems, But What About Security?
Since the IoT and smart devices collect heaps of consumer data stored over
the cloud and are managed in real-time, leveraging the traditional security
tools and practices to ensure security doesn’t make any sense. As far as the
automation industry is concerned, providing real-time access to applications
and devices and ensuring robust security without human intervention becomes
an uphill battle. Moreover, cybercriminals are always looking for a loophole
in the networks that provide frequent access to resources, devices, and
applications that they can exploit to sneak into a network. Hence, stringent
security mechanisms become crucial for businesses leveraging IoT to automate
their processes. Here’s where the role of a centralized data infrastructure
seamlessly routes all IoT devices through an API that further offers
insights regarding machine-to-machine access and user access in
real-time. Through zero-trust principles and machine-to-machine access
management, businesses can deliver a seamless, secure, and monitored
experience to their customers without compromising their identities and
personal information.
Interim CIOs Favored as Organizations Seek Digitalization Push
This is happening because of an overall talent shortage juxtaposed with
talent growth in the on-demand talent pool, coupled with more demand for the
CIO role because of digital transformation. “Companies need more from the
CIO; it’s harder to get this talent, they need to move faster, and there's
fantastic talent that can work remotely,” he explained. Neil Price, head of
practice, CIO and executive technology leadership for Harvey Nash Group,
pointed out the concept of an interim CIO is not new. However, it is
becoming ever more attractive due to the volume of technology transformation
that businesses are looking to execute to keep pace in the post-pandemic
digital environment. “They need accelerated change, and for this, an interim
CIO who comes in with a very specific brief and a clear deadline or end-date
can bring the concentrated focus and impetus needed,” he said. “It’s easier
to deliver change with a fresh set of eyes, and this is something an interim
CIO offers.” He added the concept of an interim CIO can apply equally across
all types of business, and any organization that wants to change at pace can
see the benefits, whether it’s a small or medium-sized business or a large
enterprise.
Artificial Intelligence (AI) strategy: 4 priorities for CIOs
One of the most critical priorities is identifying high-impact areas with
opportunities to embed AI-based, real-time decisions in business processes.
The ability to process contextual information in real time to make on-the-fly
decisions is a powerful way to differentiate products, services, and
experiences in the crowded marketplace. For example, insurance firms can
automate claims processing for real-time approvals based on pictures and
videos provided by the claimant right from the place and time of the incident.
Lenders can analyze risks in real time based on collateral and background
information to offer on-the-spot loan approvals. Organizations can personalize
and customize products and services across a broad array of use cases through
the judicious injection of AI in their business processes. ... Since AI
engineering differs from “traditional” software engineering, CIOs must
establish a strategy to institutionalize AI and ML methodologies. Many
enterprises have found that the most effective way to do this is to establish
a robust platform supported by a governance model.Securely Scaling the Myriad APIs in Real-World Backend Platforms
Most real-world software platforms will also interact with external APIs from business partners or third-party providers. A good authorization server and an understanding of OAuth standards will also improve your capabilities for this type of “federation.” One interesting use case is shown below, where a partner user is authorized to sign in to the company’s app. The partner authorization server could then act as an identity provider to authenticate the user according to the partner’s security policy and with familiar credentials. An embedded token from the business partner could then be used by the company’s APIs to call partner APIs. ... JWT libraries will allow APIs to use a clock skew when validating access tokens, and it is possible to configure this slightly higher for downstream APIs. It is not recommended to rely on expiry times, however, since there can be multiple reasons for a JWT to fail validation. In some setups, this might be caused by an infrastructure event such as a load balancing failover. Instead, it is recommended to implement standard expiry handling. In this case, retrying from the client is often the most resilient option.AWS Serverless Lambda Resiliency: Part 1
This is critical as serverless Lambda functions are charged based on Memory
limits (which determines the CPU allocation) along with the duration for
which these functions are invoked. Without appropriate resiliency, our
Lambda services could execute for a longer duration than required, our
Lambda could overwhelm the backend services when they are having issues and
not available or being in a degraded state, and client experiences that
invoke our Lambda functions do not get an immediate fallback response. ...
AWS Lambda Serverless capabilities themselves have multiple use cases when
invoked synchronously or asynchronously and hence the context of how they
can be made resilient can differ between the different invocations. The
approaches change based on whether the solution is deployed in a single
region vs. multiple regions. There is also a dependency on where the
provider service is deployed, e.g., on AWS (same or another region) or
outside AWS. We will identify ways to ensure that warm start Lambdas are not
carrying forward issues that happened during cold start initialization. The
overall objective is to reduce Lambda functions' execution time/memory
consumption by optimizing them before deployment.
Cross-platform UIs ‘go live’ with .NET MAUI
You can best think of MAUI as a way to unify the various platform-specific .NET APIs so that C# and XAML code can be written once and run everywhere, with the option of providing platform-specific code to avoid a lowest common denominator approach. MAUI sits above both native code and the common base-class libraries. Your code calls MAUI APIs, which then call the requisite platform APIs. If you prefer to have native-specific features, you can call platform APIs directly if they don’t have MAUI coverage. This approach gives you a base set of common controls, much like those used by Xamarin Forms, with a layout engine that allows UI code to scale between different device form factors and screen sizes. It’s important to be aware of the capabilities of your target devices and, at the same time, come up with UI designs that can support the shift between landscape PC and Mac experiences and portrait mobile screens. Much of MAUI is the familiar XAML design experience, with a page description and code-behind to manage interactions with the rest of your application, as well as a canvas for displaying and interacting with custom graphic elements.Quote for the day:
"The great leaders are like best conductors. They reach beyond the notes to reach the magic in the players." -- Blaine Lee
No comments:
Post a Comment