How can governance help? The role of governance is to define the rules and policies for how individuals and groups access data properties and the kind of access they are allowed. Yet people in an organization rarely operate according to well-defined roles. They perform in multiple roles, often provisionally. On-ramping has to happen immediately; off-ramping has to be a centralized function. One very large organization we dealt with discovered that departing employees still had access to critical data for seven to nine days! So how can data governance support more intelligent data security? After all, without governance, security would be arbitrary. Many organizations that employ security schemes struggle because such schemes tend to be either too loose or too tight and almost always too rigid (insufficiently dynamic). In this way, security can hinder the progress of the organization. Yet, given the complexity of data architecture today, it’s become impossible to manage security for individuals without a coherent and dynamic governance policy to drive security allowance or grants for exceptions to those rules.
There’s a good reason why software asset inventory and management is the second-most important security control, according to the Centers for Internet Security’s (CIS) Critical Security Controls. It’s “essential cyber hygiene” to know what software is running and being able to access that up-to-date information instantaneously. It’s as though you were a new master-at-arms for a local baron in the Middle Ages. Your first duty would be to map out the castle grounds that you are charged to protect. ... As we put Log4Shell behind us, let’s incorporate these lessons learned for a more prepared future. The allocation of resources by enterprise security teams needs to be more purposeful, as attackers become increasingly sophisticated and continue to have what feels like unlimited resources. The value added through clear visibility and real-time insights into your entire ecosystem becomes all the more important. Remember, the core scope of the security team is to create a secure IT ecosystem, mitigate the exploit of known vulnerabilities and monitor for any suspicious activity.
What can and should IT do about that? Given that these are generally publicly-visible pages, it’s a problem. There are few technical methods to block scrapers that wouldn’t cause problems for the site visitors the enterprise wants. Years ago, I was managing a media outlet that was making a huge move to premium content, meaning that readers would now have to pay for selected premium stories. We ran into a problem. We couldn’t allow people to freely share premium content, as we needed people to buy those subscriptions. That meant that we blocked cut-and-paste and specifically blocked someone from saving the page as a PDF. But that meant that those pages also couldn’t be printed. (Saving as PDF is really printing to PDF, so blocking PDF downloads meant blocking all printers.) It took just a couple of hours before new premium subscribers screamed that they paid for access and they need to be able to print pages and read them at home or on a train. After quite a few subscribers threatened to cancel their paid subscriptions, we surrendered and reinstated the ability to print.
The flaw affects the ubiquitous open-source Apache Log4j framework—found in countless Java apps used across the internet. In fact, a recent report found that the flaw continues to put millions of Java apps at risk, though a patch exists for the flaw. Though it affects a different set of targets, the DNS flaw also has a broad scope not only because of the devices it potentially affects, but also because of the inherent importance of DNS to any device connecting over IP, researchers said. DNS is a hierarchical database that serves the integral purpose of translating a domain name into its related IP address. To distinguish the responses of different DNS requests aside from the usual 5-tuple–source IP, source port, destination IP, destination port, protocol–and the query, each DNS request includes a parameter called “transaction ID.” The transaction ID is a unique number per request that is generated by the client and added in each request sent. It must be included in a DNS response to be accepted by the client as the valid one for request, researchers noted. “Because of its relevance, DNS can be a valuable target for attackers,” they observed.
Managed service providers (MSPs) existed first - before we were talking about the big public cloud providers. “I’ve seen some definitions where MSPs are a superset and all CSPs are MSPs, but not all MSPs are CSPs. That seems a reasonable definition to me,” says Miniman. One historical example of a managed service provider you may know is Rackspace: Their company name literally reflected that you were buying space in their rack to run workloads. The way their business started out was as a hosted service: Your server ran in Rackspace’s data center. But Rackspace also offered other types of services to customers - managed services. ... “When I think of a hosted environment, that is something dedicated to me,” says Miniman. “So traditionally, there was a physical machine…that maybe had a label on it. But definitely from a security standpoint, it was “company X is renting this machine that is dedicated to that environment.” Public cloud service providers sell hundreds of services: You can think of those as standard tools, just like you’d find standard metric tools walking into any hardware store.
The ideal state for asynchronous teams is to remain aligned passively - or with little effort - eliminating the need for frequent meetings or lengthy documentation of the minutiae of every project. To pull this off, visual collaboration should be a key element of Agile management for teams that are working remotely and asynchronously. Visual collaboration brings the ease of alignment of the whiteboard into the digital workplace, giving developers a living artifact of project plans that can include diagrams, UX mockups, embedded videos, and other communication tools that can make async work nearly error-proof. Our team at Miro uses a variety of visual tools to manage our development, and many of these tools are available as free templates that other teams can use. The agile product roadmap helps prioritize work and shift tasks as priorities change. And the product launch board helps our team visually align design, development, and GtM teams as we come down to the wire on a new launch. The shared nature of these tools gives us confidence as we work.
Businesses clearly need to know more about their data to meet compliance needs, but the challenge is sorting through the noise in all the volume. Data analytics is essential for enterprises looking to increase efficiency, improve business decision-making and attain that important competitive edge while still ensuring that they comply with today’s data standards. However, while big data can add significant value to the decision-making process, supporting large volumes of unstructured data can be complex, as inadequate data management and data protection introduce unacceptable levels of risk. The emergence of DataOps, which is an automated and process-oriented methodology aimed at improving the quality of data analytics, further supports the requirement for enhanced data management. Driving faster and more comprehensive analytics is key to leveraging value from data, but this can only be done if data is managed correctly, the right governance protocols are in place, and data quality is kept to the highest standard.
The growth of IoT has spurred a rush to deploy billions of devices worldwide. Companies across key industries have amassed vast fleets of connected devices, creating gaps in security. Today, IoT security is overlooked in many areas. For example, a sizable percentage of devices share the userID and password of “admin/admin” because their default settings are never changed. The reason security has become an afterthought is that most devices are invisible to organizations. Hospitals, casinos, airports, cities, etc. simply have no way of seeing every device on their networks. ... Cities rely on 1.1 billion IoT devices for physical security, operating critical infrastructure from traffic control systems, street lights, subways, emergency response systems and more. Any breach or failure in these devices could pose a threat to citizens. You see it in the movies: brilliant hackers control the traffic lights across a city, with perfect timing, to guide an armored vehicle into a trap. Then there’s real life; for instance, when a hacker in Romania took control of Washington DC’s outside video cameras days before the Trump inauguration.
Making matters more complex, especially in areas of public policy and defense, real-life leaders do not have a neat economist’s single measure of value. Instead, they are faced with a bundle of conflicting ambitions—a group of desires, goals, intents, values, and fears—that cannot all be satisfied simultaneously. Forging a sense of purpose from this bundle is part of the gnarly problem. Making matters most complex is the fact that the connection between potential actions and actual outcomes is unclear. A gnarly challenge is not solved with analysis or the application of preset frameworks. A coherent response arises only through a process of diagnosing the nature of the challenges, framing, reframing, chunking down the scope of attention, referring to analogies, and developing insight. The result is a design, or creation, embodying purpose. I call it a creation because it is often not obvious at the start, the product of insight and judgment rather than an algorithm. Implicit in the concept of insightful design is that knowledge, though required, is not, by itself, sufficient.
The movement to shift security left has empowered developers to find and fix defects early so that when the application is pushed into production, it is as free as possible from known vulnerabilities at that time… But shifting security left is just the beginning. Vulnerabilities arise in software components that are already deployed and running. Organizations need a comprehensive approach that spans left and right, from development through production. While there’s no formulaic one-size-fits-all way to achieve end-to-end security, there are some worthwhile strategies that can help you get there. ... Shifting left can help organizations develop applications with security in mind. But no matter how confident you are in the security of an application when it leaves development, there is no guarantee that it will remain secure in production. We have seen on a large scale that vulnerabilities are often disclosed well after being deployed to production. Reminders include Apache Struts, Heartbleed, and, most recently, Log4j, which was first published in 2013 but discovered just last year.
Quote for the day:
"Leaders are more powerful role models when they learn than when they teach." -- Rosabeth Moss Kantor