Daily Tech Digest - April 05, 2024

Time for a Disaster Recovery Health Check

By law, the board and C-level officers have the responsibility of executing due diligence and competence in the conduct of company operations and asset securement. They do not want to see gaping holes and exposures in corporate due diligence that are due to disaster recovery plans that fail to address new security threats or the presence of edge technology. This board awareness can give IT the leverage it needs to prioritize its DR plan update so the revised plan can cover a much broader IT footprint than just the central data center -- and by doing so, address new risks. A good way to present to the board and corporate officers a need to invest time and resources into a DR plan update is to present the need for an update along with the risks of not doing one. This can be accomplished by describing various disaster scenarios that have actually happened to other organizations and explain how they could plausibly happen to the company itself. By showing real life situations, the CIO can present the most likely disaster scenarios and consequences and what is needed in terms of plan revisions and investments to minimize those risks.

Mastering HTTP DDoS attack defence: Innovative strategies for web protection

The threat landscape for HTTP DDoS attacks is constantly expanding, with attackers continually developing new techniques to evade detection. Some common methods include using HTTP GET or POST requests to consume server resources, leveraging malformed HTTP headers to confuse web applications, and employing slowloris attacks that open and maintain multiple connections to the server without closing them, eventually exhausting server resources. These attacks can have devastating effects on businesses, including service disruption, loss of customer trust, and significant financial losses. The need for effective mitigation strategies has never been more critical. ... While Radware’s products offer robust protection against HTTP DDoS attacks, it’s essential for businesses to adopt a proactive security posture. Some best practices include:
- Regularly Updating Security Systems: Ensure that all security systems are up to date with the latest signatures and detection algorithms.
- Implementing Access Control Lists (ACLs): Use ACLs to restrict access to resources, minimising the potential impact of an attack.
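As an added illustration of what detecting the two attack footprints named above looks like on the defender's side, here is a small log-analysis example (written for this digest, not code from Radware or the quoted article). It parses constructed access-log lines in combined log format and flags source IPs that burst GET/POST requests inside a sliding window, and IPs that repeatedly receive 408 Request Timeout, which is the trace a slowloris-style client leaves once the server enforces header/body timeouts. The regex, thresholds and sample addresses are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-format fields we need (regex constructed for this example, not vendor code).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, request, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req"), int(m.group("status"))

def flag_request_floods(lines, window_s=10, threshold=5):
    """Flag IPs sending more than `threshold` requests inside any `window_s` second window
    (GET/POST flood footprint). Returns {ip: peak requests seen in one window}."""
    per_ip = defaultdict(list)
    for p in filter(None, map(parse_line, lines)):
        per_ip[p[0]].append(p[1])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def flag_slow_clients(lines, min_timeouts=3):
    """Flag IPs that repeatedly get 408: the server closed connections whose headers/body never
    completed, the footprint of a slowloris-style client. Returns {ip: timeout count}."""
    timeouts = defaultdict(int)
    for p in filter(None, map(parse_line, lines)):
        if p[3] == 408:
            timeouts[p[0]] += 1
    return {ip: n for ip, n in timeouts.items() if n >= min_timeouts}

# Constructed sample log: 203.0.113.7 bursts, 198.51.100.9 keeps timing out, 192.0.2.5 is normal.
SAMPLE_LOG = (
    [f'203.0.113.7 - - [05/Apr/2024:10:00:0{i} +0000] "GET /search?q=x HTTP/1.1" 200 512' for i in range(6)]
    + ['192.0.2.5 - - [05/Apr/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 1024',
       '192.0.2.5 - - [05/Apr/2024:10:00:30 +0000] "GET /about HTTP/1.1" 200 2048']
    + [f'198.51.100.9 - - [05/Apr/2024:10:00:{10 + 3 * i} +0000] "-" 408 0' for i in range(3)]
    + ['this line is not an access-log entry']  # exercises the None path of parse_line
)
```

Thresholds this low are only for the constructed sample; in production, tune them against a baseline of normal per-client rates so legitimate bursts behind a shared NAT address are not flagged.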

5 Cybersecurity Questions Boards Can’t Afford To Ignore

When it comes to cybersecurity incident response, companies need to practice, practice, practice. For the board, that could look like ensuring there are not only clear steps in place for what needs to happen should an incident occur but also ensuring that those steps have been practiced ahead of time in some sort of tabletop exercise—similar to how you’d practice exiting the building during a fire drill to know where to go in the event of an emergency. ... While it’s not a requirement, some businesses have decided to add a cybersecurity or technology expert directly to the board to guide them on risk. Businesses can decide if this makes sense for their risk needs depending on their individual risk profiles. Many former CISOs or former cybersecurity leaders are looking to sit on or advise boards, as well as businesses’ own CISOs. ... Directors should also ask themselves if they are budgeting enough for cybersecurity across the organization. They should also work to understand what financial impacts or even regulatory fines they could face if they don't invest in cybersecurity appropriately or report incidents as required. Is your organization investing enough?

Is it Already Too Late to Get Started with GenAI? No, But the Clock’s Ticking

At some point institutions will bite the bullet and let GenAI interact with customers or with their live data. Smith believes it will be important to alert customers when they are offered a product or process in which generative artificial intelligence plays a role. Both staff and the public must be clear on this and have confidence in what the bank discloses. Some consumer paranoia exists about GenAI, but Smith says Accenture research indicates that many customers will accept its use with their data — if they feel that they are receiving some benefit in return. Asked for an example, Smith points to a frequent beef about bank customer service — having to explain a situation all over again when trying to work out a problem or address a need and being transferred from one staffer to another. “I shouldn’t have to educate you on what happened two days ago,” says Smith. “I want to walk in and find that you already know.” GenAI can help with this type of situation. One last pointer from Smith concerns the customer experience of using processes controlled by GenAI. She says that some customer-facing GenAI provides inferior look and feel, which can become a friction point.

Technical Debt and the Hidden Cost of Network Management: Why it’s Time to Revisit Your Network Foundations

An often-overlooked example of this growing debt is a failure to actively manage and optimize IP addresses and Domain Name System (DNS) configurations—the very pillars of corporate network communication. Internet service providers (ISPs) of dedicated Internet access (DIA) to businesses would often assign blocks of addresses to customers. If those customers ever cancel or change providers, there's often a clean-up process to recover those resources. Businesses going through reorganizations or mergers and acquisitions may lose track (or may never have had good records) of IP address ranges. Security policies and routing policies may then become outdated, leaving an IP address hijacker a window inside the perimeter security measures. Companies using Network Address Translation (NAT) or Carrier-Grade NAT (CGNAT) to share one IP address among many devices may find that those functions, which edit data packets in flight, create unexpected failure modes. Sometimes, they hide problems, such as when malware or address snooping is happening within the boundary of the NAT. 

Bank Four Zeros Crucial for Banking Resilience, says Huawei

“Banking Everywhere means that, from a technology point of view, we have to make sure that any transactions should 100% not result in any problems or risks. It’s not easy. For example, on the Tube in London, how do you deliver 5G to enable transactions? Banking Everywhere is easy to say, but hard to do.” Cao highlights the high availability and easy migration of GaussDB. He says after GaussDB was deployed in one of the biggest banks in China, the recovery time objective (RTO) was slashed to 120 seconds – a world-leading level. He says Huawei is working on reducing this to just 30 seconds. ... “Some banks say we are in the AI era, some say the intelligent era, some say the open banking era, but a lot of banks still struggle working with a traditional model. So today it is like a multi-generational industry,” he says. “On the one hand, exciting things are coming, like Gen AI, and we have to be prepared. We have to be realistic to see what challenges we face today. If a bank is not resilient enough, it’s very hard to embrace Gen AI, or any intelligent opportunities.

The Three Pillars of HIPAA Compliance

Policies and procedures must be developed on all aspects of HIPAA but not just to allow boxes to be ticked in a HIPAA compliance checklist. That may be sufficient to pass a very basic document review, but policies alone will not make an organization HIPAA compliant. All members of the workforce must be provided with the policies and must receive training relevant to their role. Every individual in a healthcare organization has a role to play in making their organization HIPAA compliant and must be trained to allow them to perform their duties in a HIPAA-compliant way. Employees should not have to guess how HIPAA applies. In addition to training, employees must be made aware of the sanctions policy and the repercussions of HIPAA violations and the sanctions policy must be enforced. HIPAA calls for training to be provided during the onboarding process, regardless of whether a new hire is a seasoned healthcare professional or is new to the industry. It is the responsibility of the compliance officer to ensure that appropriate training programs are developed and that all members of the workforce receive adequate training.

And herein lies the problem, says Ma: When business stakeholders seek to understand EA’s value proposition, or even check the status of a project, they may get different answers depending on whom they ask. It’s the three-blind-men-describing-an-elephant problem: The man who feels the tail describes an animal very different from the one described by the man feeling the abdomen, or by the one feeling the ears and tusks. Though the variety in their descriptions may reflect the function’s comprehensiveness, to the uneducated executive, it sounds like misalignment. ... First, the full-stack architect could ensure the function’s other architects are indeed aligned, not only among themselves, but with stakeholders from both the business and engineering. That last bit shouldn’t be overlooked, Ma says. While much attention gets paid to the notion that architects should be able to work fluently with the business, they should, in fact, work just as fluently with Engineering, meaning that whoever steps into the role should wield deep technical expertise, an attribute vital to earning the respect of engineers, and one that more traditional enterprise architects lack.

What is cloud native and how can it generate business value?

Cloud-native workloads are conceived with the cloud in mind, focusing on scalability, agility, and application independence. Building applications directly in the cloud is a core component of agile development and DevOps practices, allowing developers to quickly update their stack to meet business needs. A definitive example of cloud-native workloads would be microservices, in which different elements of an application run in parallel as independent services, communicating via application programming interfaces (APIs). ... “Companies who deliver cloud services have demonstrated that they can … free us up from having to manage infrastructure hands-on,” Purcell tells ITPro. In the “old days,” Purcell explains, a prospective provider of cloud-native services would have had to rent property, procure hardware, and have a core IT team capable of establishing a framework to deliver the application. “By running it in the cloud … you just don't have to do any of that,” Purcell says. Because the main public cloud providers continue “building for builders,” as Purcell puts it, cloud native continues to be a dominant concept. Of course, applications in the private cloud can be cloud native as well.

Why It’s Time to Rethink Generative AI in the Enterprise

One of the biggest changes is the increasing availability of foundation models beyond those supplied by companies that specialize in generative AI services. In addition to open-source models that have been released by companies like Meta and Google, we’re now seeing vendors like SAP developing their own foundation models. Crucially, these models will provide greater opportunity for enterprises to custom-model operations by injecting their own parameters to control the context in which the model operates. In some cases, they can also train or retrain models on custom data. ... Integrating AI models with all the data that exists in a business is a complex task, not least because it is often unclear which dataset is most relevant for a specific use case. For instance, when querying sales data, should the model be prompted using data from the ERP system, the CRM, a manually prepared spreadsheet, or something else? To tackle this issue, businesses are likely to adopt what I refer to as “data dispatchers.” A data dispatcher is an integration tool that efficiently exposes data to GenAI services in an efficient way, making it easy for enterprises to leverage their data for custom model training. 

Quote for the day:

"Great achievement is usually born of great sacrifice, and is never the result of selfishness." -- Napoleon Hill
