Faceoff: Auditable AI Versus the AI Blackbox Problem
“The notion of auditable AI extends beyond the principles of responsible AI,
which focuses on making AI systems robust, explainable, ethical, and efficient.
While these principles are essential, auditable AI goes a step further by
providing the necessary documentation and records to facilitate regulatory
reviews and build confidence among stakeholders, including customers, partners,
and the general public,” says Adnan Masood ... “There are two sides of auditing:
the training data side, and the output side. The training data side includes
where the data came from, the rights to use it, the outcomes, and whether the
results can be traced back to show reasoning and correctness,” says Kevin
Marcus. “The output side is trickier. Some algorithms, such as neural networks,
are not explainable, and it is difficult to determine why a result is being
produced. Other algorithms such as tree structures enable very clear
traceability to show how a result is being produced,” Marcus adds. ...
Developing explainable AI remains the holy grail and many an AI team is on a
quest to find it. Until then, several efforts are underway to develop various
ways to audit AI in order to have a stronger grip over its behavior and
performance.
A developer’s guide to the headless data architecture
We call it a “headless” data architecture because of its similarity to a
“headless server,” where you have to use your own monitor and keyboard to log
in. If you want to process or query your data in a headless data architecture,
you will have to bring your own processing or querying “head” and plug it into
the data — for example, Trino, Presto, Apache Flink, or Apache Spark. A headless
data architecture can encompass multiple data formats, with data streams and
tables as the two most common. Streams provide low-latency access to incremental
data, while tables provide efficient bulk-query capabilities. Together, they
give you the flexibility to choose the format that is most suitable for your use
cases, whether it’s operational, analytical, or somewhere in between. ... Many
businesses today are building their own headless data architectures, even if
they’re not quite calling it that yet, though using cloud services tends to be
the easiest and most popular way to get started. If you’re building your own
headless data architecture, it’s important to first create well-organized and
schematized data streams, before populating them into Apache Iceberg tables.
The Hidden Costs of the Cloud Skills Gap
Properly managing and scaling cloud resources requires expertise in load
balancing, auto-scaling, and cost optimization. Without these skills, companies
may face inefficiencies, either by over-provisioning or under-utilizing
resources. Inexperienced or overstretched staff might struggle with performance
optimization, resulting in slower applications and services, which can
negatively impact user satisfaction and harm the company's reputation. ...
Employees lacking the necessary skills to fully leverage cloud technologies may
be less likely to propose innovative solutions or improvements, potentially
leading to a lack of new product development and stagnation in business growth.
The cloud presents abundant opportunities for innovation, including AI, machine
learning, and advanced data analytics. Companies without the expertise to
implement these technologies risk missing out on significant competitive
advantages and exciting new discoveries. The bottom line is that skilled
professionals often drive the adoption of new technologies because they have the
knowledge to experiment in the field.
Architectural Retrospectives: The Key to Getting Better at Architecting
The traditional architectural review, especially if conducted by outside
parties, often turns into a blame-assignment exercise. The whole point of
regular architectural reviews in the MVA approach is to learn from experience
so that catastrophic failures never occur. ... The mechanics of running an
architectural retrospective session are identical to those of running a Sprint
Retrospective in Scrum. In fact, an architectural focus can be added to a more
general-purpose retrospective to avoid creating yet another meeting, so long
as all the participants are involved in making architectural decisions. This
can also be an opportunity to demonstrate that anyone can make an
architectural decision, not only the "architects." ... Many teams skip
retrospectives because they don’t like to confront their shortcomings,
Architectural retrospectives are even more challenging because they examine
not just the way the team works, but the way the team makes decisions. But
architectural retros have great pay-offs: they can uncover unspoken
assumptions and hidden biases that prevent the team from making better
decisions. If you retrospect on the way that you create your architecture, you
will get better at architecting.
Design flaw has Microsoft Authenticator overwriting MFA accounts, locking users out
Microsoft confirmed the issue but said it was a feature not a bug, and that it
was the fault of users or companies that use the app for authentication.
Microsoft issued two written statements to CSO Online but declined an
interview. Its first statement read: “We can confirm that our authenticator
app is functioning as intended. When users scan a QR code, they will receive a
message prompt that asks for confirmation before proceeding with any action
that might overwrite their account settings. This ensures that users are fully
aware of the changes they are making.” One problem with that first statement
is that it does not correctly reflect what the message says. The message says:
“This action will overwrite existing security information for your account. To
prevent being locked out of your account, continue only if you initiated this
action from a trusted source.” The first sentence of the warning window is
correct, in that the action will indeed overwrite the account. But the second
sentence incorrectly tells the user to proceed as long as two conditions are
met: that the user initiated the action; and that it is a trusted source.
Automation Resilience: The Hidden Lesson of the CrowdStrike Debacle
Automated updates are nothing new, of course. Antivirus software has included
such automation since the early days of the Web, and our computers are all
safer for it. Today, such updates are commonplace – on computers, handheld
devices, and in the cloud. Such automations, however, aren’t intelligent. They
generally perform basic checks to ensure that they apply the update correctly.
But they don’t check to see if the update performs properly after deployment,
and they certainly have no way of rolling back a problematic update. If the
CrowdStrike automated update process had checked to see if the update worked
properly and rolled it back once it had discovered the problem, then we
wouldn’t be where we are today. ... The good news: there is a technology that
has been getting a lot of press recently that just might fit the bill:
intelligent agents. Intelligent agents are AI-driven programs that work and
learn autonomously, doing their good deeds independently of other software in
their environment. As with other AI applications, intelligent agents learn as
they go. Humans establish success and failure conditions for the agents and
then feed back their results into their models so that they learn how to
achieve successes and avoid failures.
Is HIPAA enough to protect patient privacy in the digital era?
HIPAA requires covered entities to establish strong data privacy policies, but
it doesn’t regulate cybersecurity standards. HIPAA was deliberately designed
to be tech agnostic, on the basis that this would keep it relevant despite
frequent technology changes. But this could be a glaring omission. For
example, Change Healthcare, a medical insurance claims clearinghouse,
experienced a data breach when a hacker used stolen credentials to enter the
network. If Change had implemented multi-factor authentication (MFA), a basic
cybersecurity measure, the breach might not have taken place. But MFA isn’t
specified in the HIPAA Security Rule, which was passed 20 years ago.
Cybersecurity in the healthcare industry falls through the cracks of other
regulations. The CISA update in early 2024 requires companies in critical
infrastructure industries to report cyber incidents within 72 hours of
discovery. ... “Crucially, there are many third-parties in the healthcare
ecosystem that our members contract with who would not be considered ‘covered
entities’ under this proposal, and therefore, would not be obligated to share
or disclose that there had been a substantial cyber incident – or any cyber
incident at all,” warns Russell Branzell, president and CEO of CHIME.
The downtime dilemma: Why organizations hesitate to switch IT infrastructure providers
Making a switch is not always an easy decision. So, how can a business be sure
it’s doing the right thing? There are four boxes that a business should look
for its IT infrastructure provider to tick before contemplating a move.
Firstly, is the provider there when needed? Reliable round the clock customer
support is crucial for addressing any issues that arise before, during, and
after a switch. For businesses with small IT departments or limited resources,
this external support offers reliable infrastructure management without
needing an extensive in-house team. Next, does the provider offer high uptime
guarantees and Service Level Agreements (SLAs) outlining compensation for
downtime? By prioritizing service providers with Uptime Institute’s tier 4
classification, businesses are opting for a partner that’s certified as fully
fault-tolerant, highly resilient, and guaranteeing an uptime of 99.9 percent.
This protects the business’ crucial IT systems, keeping them operational
despite disruptive activity such as a cyberattack, failing components, or
unexpected outages.
Inside CIOs’ response to the CrowdStrike outage — and the lessons they learned
The first thing Alli did was gather the incident response team to assess the
situation and establish the company’s immediate response plan. “We had to
ensure that we could maintain business continuity while we addressed the
implications of the outage,’’ Alli says. Communication was vital and Alli kept
leadership and stakeholders informed about the situation and the steps IT was
taking with regular updates. “It’s easy to panic in these situations, but we
focused on being transparent and calm, which helped to keep the team
grounded,’’ Alli says. Additionally, “The lack of access to critical security
insights put us at risk temporarily, but more importantly, it highlighted
vulnerabilities in our overall security posture. We had to quickly shift some
of our security protocols and rely on other measures, which was a reminder of
the importance of having a robust backup plan and redundancies in place,’’
Alli says. Mainiero agrees, saying that in this type of situation, “you have
to take on a persona — if you’re panicked, your teams are going to panic.” He
says that training has taught him never to raise his voice.
SASE: This Time It’s Personal
Working patterns are changing fast. Millennials and GenZs – the first true
digital generation – no longer expect to go to the same place every day. Just
as the web broke the link between bricks and mortar and shopping, we are now
seeing the disintermediation of the workplace, which is anywhere and
everywhere. The trend was accelerated by the pandemic, but it’s a mistake to
believe that the pandemic created hybrid working. So, while SASE makes the
right assumptions about the need to integrate networking and security, it
doesn't go far enough. The networking and security stack is still office-bound
and centralized. If you were designing this from the ground up, you wouldn't
start from here. A more radical approach, what we call personal SASE, is to
left-shift the networking and security stack all the way to the user edge.
Think of it like the transition from the mainframe to the minicomputer to the
PC in the early 1980s, a rapid migration of compute power to the end user.
Personal SASE involves a similar architectural shift with commensurate
productivity gains for the modern hybrid workforce, who expect but rarely get
the same level of network performance and seamless security that they
currently experience when they step into the office.
Quote for the day:
"If you really want the key to
success, start by doing the opposite of what everyone else is doing." --
Brad Szollose
No comments:
Post a Comment