Status of Ethical Standards in Emerging Tech
This chasm between invention and accountability is the source of much of the
angst, dismay, and danger. “It is much better to design a system for
transparency and explainability from the beginning rather than to deal with
unexplainable outcomes that are causing harm once the system is already
deployed,” says Jeanna Matthews, professor of computer science at Clarkson
University and co-chair of the ACM US Technology Committee’s Subcommittee on AI
& Algorithms. To that end, the Association for Computing Machinery’s
global Technology Policy Council (TPC) released a new Statement on Principles
for Responsible Algorithmic Systems authored jointly by its US and Europe
Technology Policy Committees in October 2022. The statement includes nine
instrumental principles: Legitimacy and Competency; Minimizing Harm; Security
and Privacy; Transparency; Interpretability and Explainability; Maintainability;
Contestability and Auditability; Accountability and Responsibility; and Limiting
Environmental Impacts, according to Matthews.
Best practices for devops observability
A selected group of engineers may have the lead responsibilities around software
quality, but they will need the full dev team to drive continuous improvements.
David Ben Shabat, vice president of R&D at Quali, recommends, “Organizations
should strive to create what I would call ‘visibility as a standard.’ This
allows your team to embrace a culture of end-to-end responsibility and maintain
a focus on continuous improvements to your product.” One way to address
responsibility is by creating and following a standardized taxonomy and message
format for logs and other observability data. Agile development teams should
assign a teammate to review logs every sprint and add alerts for new error
conditions. Ben Shabat adds, “Also, automate as many processes as possible while
using logs and metrics as a gauge for successful performance.” Ashwin Rajeev,
cofounder and CTO of Acceldata, agrees automation is key to driving observable
applications and services. He says, “Modern devops observability solutions
integrate with CI/CD tools, analyze all relevant data sources, use automation to
provide actionable insights, and provide real-time recommendations.”
Why leveraging privacy-enhancing tech advances consumer data privacy and protection
Historically, proprietary privacy-enhancing technologies have been developed by
location technology companies and used internally. However, it’s my firm belief
that for organizations of all types to truly progress toward the level of
consumer data privacy people want and expect, privacy-enhancing technologies
created by location technology companies should be made available to all
companies that could benefit from these advancements. ... These tools help add
industry-leading privacy controls to a company’s own systems and work with any
kind of location data, no matter how it is generated. This helps ensure that a
company is meeting privacy requirements and protecting consumer data. If more
technology companies made the privacy-enhancing features used in their own
systems available to other companies, organizations across industries could
better protect the data stored in their systems, and in turn, consumer data
privacy and protection is likely to progress and improve more quickly. A crucial
starting point is democratizing access to these technologies.
What’s To Come In 2023? Modern Frameworks, CISO Elevation & Leaner Security Stacks
The past year has shown the effects that whistleblowing (Twitter) can have
when an organization ignores its employees flagging activity they consider
fraudulent, unsafe, or illegal. But over the past year, we have also seen the
consequences when CISOs actively ignore or hide security issues. For example,
in the Uber situation, we saw for the first time criminal charges filed and
then later a conviction. These contrasting stories create a potential no-win
situation for CISOs who, on the one hand, may be ignored for calling out
issues or could face jail time if they actively turn a blind eye (and/or hide)
them. ... With the beginning of 2023 fraught with enormous economic and
regulatory uncertainty, we will likely see a consolidation of tools and a
greater focus on which tools are necessary. The nature of tech is that many
organizations adopt tools to fix immediate problems, and often these tools
have overlapping functionality and use cases. Although security budgets are
likely to be a bit safer than other departments in a business, security teams
will still need to consider what they must have to be successful with fewer
resources.
The Benefits of an API-First Approach to Building Microservices
APIs have been around for decades. But they are no longer simply “application
programming interfaces”. At their heart APIs are developer interfaces. Like
any user interface, APIs need planning, design, and testing. API‑first is
about acknowledging and prioritizing the importance of connectivity and
simplicity across all the teams operating and using APIs. It prioritizes
communication, reusability, and functionality for API consumers, who are
almost always developers. There are many paths to API‑first, but a
design‑led approach to software development is the end goal for most companies
embarking on an API‑first journey. In practice, this approach means APIs are
completely defined before implementation. Work begins with designing and
documenting how the API will function. ... In the typical enterprise
microservice and API landscape, there are more components in play than a
Platform Ops team can keep track of day to day. Embracing and adopting a
standard, machine‑readable API specification helps teams understand, monitor,
and make decisions about the APIs currently operating in their
environments.
MITRE ATT&CK Framework: Discerning a Threat Actor’s Mindset
Many security solutions offer a wide range of features to detect and track
malicious behavior in containers. Defense evasion techniques are meant to
obfuscate these tools so that everything the bad actor is doing seems
legitimate. One example of defense evasion includes building the container
image directly on the host instead of pulling from public or private
registries. There are also evasion techniques that are harder to identify,
such as those based on reverse forensics. Attackers use these techniques to
delete all logs and events related to their malicious activities so that the
administrator of a security, security information and event management (SIEM),
or observability tool has no idea that an unauthorized event or process has
occurred. To protect against defense evasion, you’ll need a container security
solution that detects malware during runtime and provides threat detection and
blocking capabilities. Two examples of this would be runtime threat defense to
protect against malware and honeypots to capture malicious actors and
activity.
CIO role: 5 strategies for success in 2023
CIOs must adapt to the changing business landscape brought on by the pandemic.
With many organizations embracing hybrid work, the internet plays a more
prominent role in the overall network strategy. Ensure that your systems and
processes are optimized for this new reality. This includes prioritizing the
user experience of remote workers and implementing better end-user experience
monitoring to ensure that they can be productive and collaborate
effectively. ... As organizations increasingly adopt multi-cloud systems
to manage their IT infrastructure, CIOs must be able to navigate the
complexity of these environments effectively. One approach is implementing a
seamless strategy across all major clouds to streamline management and reduce
complexity. Consider how you can optimize performance and apply security
uniformly across your multi-cloud estate. Also, be mindful of the changing
regulatory and compliance landscape and look for cloud services with built-in
compliance features to minimize the burden on your teams.
How passkeys are changing authentication
The latest in FIDO passkeys specs are multi-device. Once a passkey is
established for a given service, the same device can be used to securely share
it with another device. The devices must be in close proximity, within range
of wirelessly connecting, and the user takes an active role in verifying the
device sync. The remote cloud service for the given device also plays a role.
That means that an iPhone uses Apple's cloud, an Android device uses Google
Cloud Platform (GCP), and Windows uses Microsoft Azure. Efforts are underway
to make sharing passkeys across providers simpler. It's a rather manual
process to share across providers, for example, to go from an Android device
to a MacOS laptop. Passkeys are cryptographic keys, so gone is the possibility
of weak passwords. They do not share vulnerable information, so many password
attack vectors are eliminated. Passkeys are resistant to phishing and other
social engineering attacks: the passkey infrastructure itself negotiates the
verification process and isn’t fooled by a good fake website -- no more
accidentally typing a password into the wrong form.
CIOs sharpen tech strategies to support hybrid work
With competition for talent still tight and pressure on organizations to
maximize employee productivity, Anthony Abbatiello, workforce transformation
practice leader at professional services firm PwC, says CIOs should focus on
what and how they can improve the hybrid experience for users. He advises CIOs
to partner with their counterparts in HR to identify the worker archetypes
that exist in their organizations to understand how they work and what they
need to succeed. “CIOs should be asking how to create the right experience
that each worker needs and what do they need to be productive in their job,”
Abbatiello says. “Even if you’ve done that before, the requirements of people
in a hybrid environment have changed.” Hybrid workers today are looking for
digital workplace experiences that are seamless as they move between home and
office, Abbatiello says. This includes technologies that enable them to
replicate in cyberspace the personal connections and spontaneous collegiality
that more easily happen in person, as they seek experiences that are
consistent regardless of where they’re working on any given day.
Platform Engineering 101: What You Need to Know About This Hot New Trend
Before platform teams can start building their product, they need to define a
clear mission statement to guide the process. This mission statement should
fit the overall goals of the organization and proactively define the role of
the platform team within the organization. It should also inspire your
engineers. Hashicorp’s Director of Platform Engineering Infrastructure Michael
Galloway summarizes this well: “it should be emotional and inspiring. … It
should be simple but meaningful.” You can start by defining your goals. This
could encompass things like enabling the required degree of developer
self-service without adding cognitive load or achieving the desired reduction
of tickets that go to ops without forcing developers to learn
infrastructure-centric technologies end-to-end. After this, you’ll probably
wind up with something like: “Our mission is to standardize workflows to
improve the developer experience, speed up innovation cycles, and shorten time
to market for the engineering organization.” It’s descriptive but not
inspiring. Refine your mission statement to strike a good balance. For
example: “Our mission is to build a platform developers love because it lets
them innovate faster.”
Quote for the day:
"Leadership does not always wear the
harness of compromise." -- Woodrow Wilson