This chasm between invention and accountability is the source of much of the angst, dismay, and danger. “It is much better to design a system for transparency and explainability from the beginning rather than to deal with unexplainable outcomes that are causing harm once the system is already deployed,” says Jeanna Matthews, professor of computer science at Clarkson University and co-chair of the ACM US Technology Committee’s Subcommittee on AI & Algorithms. To that end, the Association for Computing Machinery’s global Technology Policy Council (TPC) released a new Statement on Principles for Responsible Algorithmic Systems authored jointly by its US and Europe Technology Policy Committees in October 2022. The statement includes nine instrumental principles: Legitimacy and Competency; Minimizing Harm; Security and Privacy; Transparency; Interpretability and Explainability; Maintainability; Contestability and Auditability; Accountability and Responsibility; and Limiting Environmental Impacts, according to Matthews.
A selected group of engineers may have the lead responsibilities around software quality, but they will need the full dev team to drive continuous improvements. David Ben Shabat, vice president of R&D at Quali, recommends, “Organizations should strive to create what I would call ‘visibility as a standard.’ This allows your team to embrace a culture of end-to-end responsibility and maintain a focus on continuous improvements to your product.” One way to address responsibility is by creating and following a standardized taxonomy and message format for logs and other observability data. Agile development teams should assign a teammate to review logs every sprint and add alerts for new error conditions. Ben Shabat adds, “Also, automate as many processes as possible while using logs and metrics as a gauge for successful performance.” Ashwin Rajeev, cofounder and CTO of Acceldata, agrees automation is key to driving observable applications and services. He says, “Modern devops observability solutions integrate with CI/CD tools, analyze all relevant data sources, use automation to provide actionable insights, and provide real-time recommendations.”
Historically, proprietary privacy-enhancing technologies have been developed by location technology companies and used internally. However, it’s my firm belief that for organizations of all types to truly progress toward the level of consumer data privacy people want and expect, privacy-enhancing technologies created by location technology companies should be made available to all companies that could benefit from these advancements. ... These tools help add industry-leading privacy controls to a company’s own systems and work with any kind of location data, no matter how it is generated. This helps ensure that a company is meeting privacy requirements and protecting consumer data. If more technology companies made the privacy-enhancing features used in their own systems available to other companies, organizations across industries could better protect the data stored in their systems, and in turn, consumer data privacy and protection is likely to progress and improve more quickly. A crucial starting point is democratizing access to these technologies.
The past year has shown the effects that whistleblowing (Twitter) can have when an organization ignores its employees flagging activity they consider fraudulent, unsafe, or illegal. But over the past year, we have also seen the consequences when CISOs actively ignore or hide security issues. For example, in the Uber situation, we saw for the first time criminal charges filed and then later a conviction. These contrasting stories create a potential no-win situation for CISOs who, on the one hand, may be ignored for calling out issues or, on the other, could face jail time if they actively turn a blind eye to (and/or hide) them. ... With the beginning of 2023 fraught with enormous economic and regulatory uncertainty, we will likely see a consolidation of tools and a greater focus on which tools are necessary. The nature of tech is that many organizations adopt tools to fix immediate problems, and often these tools have overlapping functionality and use cases. Although security budgets are likely to be a bit safer than other departments in a business, security teams will still need to consider what they must have to be successful with fewer resources.
APIs have been around for decades. But they are no longer simply “application programming interfaces”. At their heart, APIs are developer interfaces. Like any user interface, APIs need planning, design, and testing. API‑first is about acknowledging and prioritizing the importance of connectivity and simplicity across all the teams operating and using APIs. It prioritizes communication, reusability, and functionality for API consumers, who are almost always developers. There are many paths to API‑first, but a design‑led approach to software development is the end goal for most companies embarking on an API‑first journey. In practice, this approach means APIs are completely defined before implementation. Work begins with designing and documenting how the API will function. ... In the typical enterprise microservice and API landscape, there are more components in play than a Platform Ops team can keep track of day to day. Embracing and adopting a standard, machine‑readable API specification helps teams understand, monitor, and make decisions about the APIs currently operating in their environments.
Many security solutions offer a wide range of features to detect and track malicious behavior in containers. Defense evasion techniques are meant to obfuscate these tools so that everything the bad actor is doing seems legitimate. One example of defense evasion is building the container image directly on the host instead of pulling it from a public or private registry. There are also evasion techniques that are harder to identify, such as those based on anti-forensics. Attackers use these techniques to delete all logs and events related to their malicious activities so that the administrator of a security, security information and event management (SIEM), or observability tool has no idea that an unauthorized event or process has occurred. To protect against defense evasion, you’ll need a container security solution that detects malware during runtime and provides threat detection and blocking capabilities. Two examples of this would be runtime threat defense to protect against malware and honeypots to capture malicious actors and activity.
CIOs must adapt to the changing business landscape brought on by the pandemic. With many organizations embracing hybrid work, the internet plays a more prominent role in the overall network strategy. Ensure that your systems and processes are optimized for this new reality. This includes prioritizing the user experience of remote workers and implementing better end-user experience monitoring to ensure that they can be productive and collaborate effectively. ... As organizations increasingly adopt multi-cloud systems to manage their IT infrastructure, CIOs must be able to navigate the complexity of these environments effectively. One approach is implementing a seamless strategy across all major clouds to streamline management and reduce complexity. Consider how you can optimize performance and apply security uniformly across your multi-cloud estate. Also, be mindful of the changing regulatory and compliance landscape and look for cloud services with built-in compliance features to minimize the burden on your teams.
The latest FIDO passkey specs are multi-device. Once a passkey is established for a given service, the same device can be used to securely share it with another device. The devices must be in close proximity, within wireless range of each other, and the user takes an active role in verifying the device sync. The remote cloud service for the given device also plays a role. That means that an iPhone uses Apple's cloud, an Android device uses Google Cloud Platform (GCP), and Windows uses Microsoft Azure. Efforts are underway to make sharing passkeys across providers simpler. It's a rather manual process to share across providers, for example, to go from an Android device to a macOS laptop. Passkeys are cryptographic keys, so gone is the possibility of weak passwords. They do not share vulnerable information, so many password attack vectors are eliminated. Passkeys are resistant to phishing and other social engineering attacks: the passkey infrastructure itself negotiates the verification process and isn’t fooled by a good fake website -- no more accidentally typing a password into the wrong form.
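The phishing resistance described above comes from the relying party checking, on every sign-in, that the browser-reported origin and the authenticator's rpIdHash match the legitimate site. The following added example (not code from the original article or from any FIDO/WebAuthn library) shows those binding checks over constructed WebAuthn assertion data; the relying party name example.com, the flag values and the sample challenge are assumptions, and the signature check itself is left out.

```python
import base64
import hashlib
import json

# Assumed relying party: the only origin and RP ID a passkey for this site may be used with.
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"

def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses on the wire."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON, shaped like what a browser produces for a sign-in (webauthn.get)."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,  # the browser fills this in; a page cannot forge it
    }).encode()

def build_auth_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    """Constructed authenticatorData: SHA-256(rpId) || flags || 4-byte signCount.
    Flag bit 0 = user present, bit 2 = user verified (0x05 sets both)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")

def verify_assertion_binding(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes) -> list:
    """Return the names of the binding checks that failed; an empty list means the assertion
    is bound to this site and this login attempt. Verifying the signature over
    authData || SHA-256(clientDataJSON) with the stored public key is a separate step."""
    problems = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        problems.append("type")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        problems.append("challenge")       # replayed or cross-session assertion
    if cd.get("origin") != RP_ORIGIN:
        problems.append("origin")          # credential used from a lookalike site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash")        # authenticator scoped the key to another RP ID
    flags = auth_data[32]
    if not flags & 0x01:
        problems.append("user-present")
    if not flags & 0x04:
        problems.append("user-verified")
    return problems

if __name__ == "__main__":
    challenge = hashlib.sha256(b"constructed session nonce").digest()
    print(verify_assertion_binding(build_client_data(RP_ORIGIN, challenge), build_auth_data(RP_ID), challenge))
    print(verify_assertion_binding(build_client_data("https://examp1e.com", challenge), build_auth_data("examp1e.com"), challenge))
```

The second call models a user who was lured to a lookalike domain: the browser scopes the ceremony to that domain, so the origin and rpIdHash checks fail and the real site rejects the assertion even though the user cooperated.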
With competition for talent still tight and pressure on organizations to maximize employee productivity, Anthony Abbatiello, workforce transformation practice leader at professional services firm PwC, says CIOs should focus on what and how they can improve the hybrid experience for users. He advises CIOs to partner with their counterparts in HR to identify the worker archetypes that exist in their organizations to understand how they work and what they need to succeed. “CIOs should be asking how to create the right experience that each worker needs and what do they need to be productive in their job,” Abbatiello says. “Even if you’ve done that before, the requirements of people in a hybrid environment have changed.” Hybrid workers today are looking for digital workplace experiences that are seamless as they move between home and office, Abbatiello says. This includes technologies that enable them to replicate in cyberspace the personal connections and spontaneous collegiality that more easily happen in person, as they seek experiences that are consistent regardless of where they’re working on any given day.
Before platform teams can start building their product, they need to define a clear mission statement to guide the process. This mission statement should fit the overall goals of the organization and proactively define the role of the platform team within the organization. It should also inspire your engineers. Hashicorp’s Director of Platform Engineering Infrastructure Michael Galloway summarizes this well: “it should be emotional and inspiring. … It should be simple but meaningful.” You can start by defining your goals. This could encompass things like enabling the required degree of developer self-service without adding cognitive load or achieving the desired reduction of tickets that go to ops without forcing developers to learn infrastructure-centric technologies end-to-end. After this, you’ll probably wind up with something like: “Our mission is to standardize workflows to improve the developer experience, speed up innovation cycles, and shorten time to market for the engineering organization.” It’s descriptive but not inspiring. Refine your mission statement to strike a good balance. For example: “Our mission is to build a platform developers love because it lets them innovate faster.”
Quote for the day:
"Leadership does not always wear the harness of compromise." -- Woodrow Wilson