Daily Tech Digest - November 28, 2023

How a digital design firm navigated its SOC 2 audit

One of the more intense aspects of the audit was the testing of our incident response plan. We had to provide records of past incidents, how they were handled, and the lessons learned. Moreover, the auditors conducted tabletop exercises to assess our preparedness for potential future security events. After weeks of evaluation, the auditors presented their findings. We excelled in some areas, such as in our encryption of sensitive data and our robust user authentication systems. However, they also identified areas for improvement, like the need for more granular access controls and enhanced monitoring of system configurations. Post-audit, we were given a roadmap of sorts--a list of recommendations to address the identified deficiencies. This phase was dedicated to remediation, where we worked diligently to implement the auditors’ suggestions and improve our systems. Reflecting on the transformative impact of SOC 2 certification, L+R has discerned a profound shift in the dynamics of client engagement and internal processes. SOC 2 certification transcends the realm of compliance, fostering enriched dialogues, bolstering trust, and catalyzing decision-making at the executive level.

Is anything useful happening in network management?

The first of these is a management take on something that's already becoming visible in a broader way: absorbing the network into something else. Companies have said for years that the data center network, the LAN, is really driven by data center hardware/software planning and not by network planning. They're now finding that a broader use of hybrid cloud, where the cloud becomes the front-end technology for application access, is pulling the WAN inside the cloud. The network, then, is becoming less visible, and thus explicit network management is becoming less important. ... The second development gaining attention is being proposed by a number of vendors, the largest being Nokia. It envisions using "digital twin" technology, something most commonly associated with IoT and industrial metaverse applications, to construct a software model of the network based on digital twins of network devices. With this approach, the network becomes in effect an industrial system, and potentially could then be monitored and controlled by tools designed for industrial IoT and industrial metaverse deployments. 

The Basis for Business and Solution Architecture

The Business Architect, just like the Solution Architect, is a business technology strategist. The delivery of technology driven business value is core to their professional capability and career. So for that purpose they share a set of skills/competencies, language, professional goals, and experiences with each other. Any other method of architecture has been shown to fail. Without the shared capabilities and focus the team quickly begins to cannibalise its own value proposition to the enterprise and argue about baseline definitions, purpose and ownership. The level of team synergy and shared community is one of the most important first steps to a mature architecture practice. With that in place the Business and Solution Architects work very well together and in alignment with the EA from strategy through execution to measured value. Business Architects must focus on program level outcomes, those that are scoped at the business capability and/or department or region level. These levels are where real business goals and measurements occur and stand closest to the customer while retaining executive authority.

Is the Future of Data Centers Under the Sea?

One of the most appealing aspects of underwater data centers is their proximity to large population centers. Around half of the world’s population lives within 125 miles of a coastal area. Situating data centers near coastal population centers would allow for lower latency and more efficient handling of data. This would increase speeds for various digital services. Perhaps counterintuitively, the servers themselves might also benefit from being dropped in the drink. The inert gases and liquids used to fill underwater data centers are less corrosive than ambient air, leading to longer lifespans for the equipment. The servers are also protected from possible human damage incurred by everyday movement -- people banging into them, dropping them, or accidentally unplugging them. Placing a data center pod or retrieving it for maintenance is fairly simple, according to Subsea Cloud’s Williams. “Let's say the water is 100 meters deep. It's just an hour an hour job. If it’s 3,000 meters deep, it will probably take five or six hours to get the pod down.”

What you don’t know about data management could kill your business

Contributing to the general lack of data about data is complexity. There are many places in the enterprise where data spend happens. Individual business units buy data from third parties, for example. Taking enterprise-wide inventory of all the data feeds being purchased and getting an accurate picture of how all that purchased data is being put to use would be a good first step. The reality is that a significant portion of the data sloshing about modern enterprises is replicated in multiple locations, poorly classified, idiosyncratically defined, locked in closed platforms, and trapped in local business processes. Data needs to be made more liquid in the way of an asset portfolio — that is, transformed to ease data asset reuse and recombination. ... Traditionally business schools have avoided data as a topic, pumping out business leaders who erroneously feel that data is someone else’s job. I recall the mean-spirited dig at early career Harvard Business School alums expecting their assistants to bring in the day’s work arrayed as a case study — that is, a crisp 20-page synopsis of all the relevant issues.

Stop panic buying your security products and start prioritizing

Look inward and optimize. Companies need to understand what inside their networks and data is most attractive and most vulnerable to attackers. Get visibility into what you have, calculate the value of your tools, and use the information to move forward. Understanding risk by gaining full visibility into what you already have can allow companies to communicate better with investors and the public in the case of an attack or breach. For example, they will be able to give clear information about the impact (or lack of impact) on the business when an attack occurs and lay out clear steps for remediation, not having to guess the next best course of action. ... It is important to remember that the goal is not to buy more tools to chase the growing number of vulnerabilities that experts find every day, but to protect the assets that are most relevant to overall vital business operations and limit the fallout of inevitable cyber incidents. By attaching a dollar value to the cyber risks the organization is up against, you will be in a much better position to discuss your security plan and budgetary needs.

US, UK Cyber Agencies Spearhead Global AI Security Guidance

The guidance, the agencies say, is good for all AI developers but is particularly aimed at AI providers who use models hosted by a third party or who use APIs to connect to a model. Risks include adversarial machine learning threats stemming from vulnerabilities in third-party software and hardware applications. Hackers can exploit those flaws to alter model classification and regression performance and to corrupt training data and carry out prompt injection or data poisoning attacks that influence the AI model's decisions. Hackers can also target vulnerable systems to allow unauthorized actions as well as extract sensitive information. The guidance describes cybersecurity as a "necessary precondition" for AI safety and resilience. CISA, in particular, has been on a protracted campaign to evangelize the benefits of secure by design while also warning tech companies that the era of releasing products to the public containing security flaws must come to an end (see: US CISA Urges Security by Design for AI). The guidelines represent a "strong step" in providing universal standards and best practices for international AI security operations and maintenance, according to Tom Guarente, vice president of external and government affairs for the security firm Armis. "But the devil is in the details."

Data De-Identification: Balancing Privacy, Efficacy & Cybersecurity

There are two primary laws guiding online privacy: the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA), although many countries and states have started to write their own. Among the various safeguard measures, data de-identification is a prime one. Both define data de-identification as the process of making PII anonymized in a way that any piece of secondary information, when associated with the personal data, cannot identify the individual. The industry unanimously agrees on some entities as personal data including a name, address, email address, and phone number. Others, such as an IP address (and versions of it) are based on interpretation. These laws neither explicitly list the attributes that are personal nor do they mention how and when to anonymize, beyond sharing a few best practices. ... However, full anonymization of personal data and the data linked to it is useless to businesses in this ever-digital world. Every new technological breakthrough demands massive input of data sets — both personal and aggregated. 

NCSC publishes landmark guidelines on AI cyber security

The set of guidelines has been designed to help the developers of any system that incorporates AI make informed decisions about cyber security during the development process – whether it is being built from scratch or as an add-on to an existing tool or service provided by another entity. The NCSC believes security to be an “essential pre-condition of AI system safety” and integral to the development process from the outset and throughout. In a similar way to how the secure-by-design principles alluded to by CISA’s Easterly are increasingly being applied to software development, the cognitive leap to applying the same guidance to the world of AI should not be too difficult to make. The guidelines, which can be accessed in full via the NCSC website, break down into four main tracks – Secure Design, Secure Development, Secure Deployment and Secure Operation and Maintenance, and include suggested behaviours to help improve security. These include taking ownership of security outcomes for customers and users, embracing “radical transparency”, and baking secure-by-design practices into organisational structures and leadership hierarchies.

AI partly to blame for spike in data center costs

The research firm attributes the year-over-year jump in absorption to the impact of AI requirements, as well as the growth of traditional cloud computing needs across the region. However, the industry is facing challenges, not the least of which is securing enough power. "Securing power continues to be a challenge for developers, pushing some to the outskirts of primary markets, as well as fueling growth in secondary and tertiary markets. This has led to an uptick in land-banking by companies hoping to secure space and power for future growth," DatacenterHawk said in its report. ... Cloud providers continue to consume most of the capacity in North America. AI and machine learning also continue to drive activity across US and Canadian markets, though the full impact of these rapidly growing industries has yet to be seen, the report noted. Submarkets within major markets will continue to grow from hyperscale users and data center operators, DatacenterHawk predicts. Older, enterprise data centers will be targets for AI companies that need bridge power quickly, providing an environment that allows them to grow larger over time.

Quote for the day:

"Amateurs look for inspiration; the rest of us just get up and go to work." -- Chuck Close

No comments:

Post a Comment