Why the future of APIs must include zero trust
Devops leaders are pressured to deliver digital transformation projects on time
and under budget while developing and fine-tuning APIs at the same time.
Unfortunately, API management and security are an afterthought when the devops
teams rush to finish projects on deadline. As a result, API sprawl happens fast,
multiplying when all devops teams in an enterprise don’t have the API Management
tools and security they need. More devops teams require a solid, scalable
methodology to limit API sprawl and provide the least privileged access to them.
In addition, devops teams need to move API management to a zero-trust framework
to help reduce the skyrocketing number of breaches happening today. The recent
webinar sponsored by Cequence Security and Forrester, Six Stages Required for
API Protection, hosted by Ameya Talwalkar, founder and CEO and guest speaker
Sandy Carielli, Principal Analyst at Forrester, provide valuable insights into
how devops teams can protect APIs. In addition, their discussion highlights how
devops teams can improve API management and security.
India withdraws personal data protection bill that alarmed tech giants
The move comes as a surprise as lawmakers had indicated recently that the bill,
unveiled in 2019, could see the “light of the day” soon. New Delhi received
dozen of amendments and recommendations from a Joint Committee of Parliament
that “identified many issues that were relevant but beyond the scope of a modern
digital privacy law,” said India’s Junior IT Minister Rajeev Chandrasekhar. The
government will now work on a “comprehensive legal framework” and present a new
bill, he added. ... “The Personal Data Protection Bill, 2019 was deliberated in
great detail by the Joint Committee of Parliament 81 amendments were proposed
and 12 recommendations were made towards comprehensive legal framework on
digital ecosystem. Considering the report of the JCP, a comprehensive legal
framework is being worked upon. Hence, in the circumstances, it is proposed to
withdraw. The Personal Data Protection Bill, 2019′ and present a new bill that
fits into the comprehensive legal framework,” India’s IT Minister Ashwini
Vaishnaw said in a written statement Wednesday.
Don't overengineer your cloud architecture
A recent Deloitte study uncovered some interesting facts about cloud computing
budgets. You would think budgets would make a core difference in how businesses
leverage cloud computing effectively, but they are not good indicators to
predict success. Although this could indicate many things, I suspect that money
is not correlated to value with cloud computing. In many instances, this may be
due to the design and deployment of overly complex cloud solutions when simpler
and more cost-effective approaches would work better to get to the optimized
value that most businesses seek. If you ask the engineers why they designed the
solution this way (whether overengineered or not), they will defend their
approach around some reason or purpose that nobody understands but them. ...
This is a systemic problem now, which has arisen because we have very few
qualified cloud architects out there. Enterprises are settling for someone who
may have passed a vendor’s architecture certification, which only makes them
proficient in a very narrow grouping of technology and often doesn’t consider
the big picture.
Leveraging data privacy by design
Privacy laws and regulations, therefore, can include guidelines for
facilitating industry standards, benchmarks for privacy enhancing technologies
and funding privacy by design research to incentivise technology designers to
enhance privacy safeguard measures in the product designs; thereby promoting
technological models that are privacy savvy. The above can be better
understood from the following example. For instance, the price paid for a
helmet by a motorbike rider is compliance cost as it is an additional purchase
requirement for safety over and above his immediate need for using a bike as a
tool for commutation. However, a seat belt that is subsumed as a component of
a car and not an additional requirement is perceived differently by the owner.
Thus, compliance requirements that are perceived as additional obligations
result in the perception of increased compliance costs whereas compliance
requirements embedded in the design of the product itself are considered as
part of the total product price and not separate costs. Privacy by design can
thus prompt a shift in a business model whereby through the incorporation of
privacy features within the technological design of the product itself
Is it bad to give employees too many tech options?
The most important question in developing (or expanding) an employee-choice
model is determining how much choice to allow. Offer too little and you risk
undermining the effort's benefits. Offer too much and you risk a level of tech
anarchy that can be as problematic as unfettered shadow IT. There isn’t a
one-size-fits-all approach. Every organization has unique culture,
requirements/expectations, and management capabilities. An approach that works
in a marketing firm would differ from a healthcare provider, and a government
agency would need a different approach than a startup. Options also vary
depending on the devices employees use — desktop computing and mobile often
require differing approaches, particularly for companies that employ a BYOD
program for smartphones. ... Google is making a play for the enterprise by
offering ChromeOS Flex, which turns aging PCs and Macs into Chromebooks. This
allows companies to continue to use machines that have dated or limited
hardware, but it also means adding support for ChromeOS devices.
Patterns and Frameworks - What's wrong?
Many people say that we should prefer libraries to frameworks and I must say
that might be true. If a library could do the job you need (for example, the
communication between a client and a server I presented at the beginning of
the article) and meets the performance, security, protocols and any other
requirements your service needs to support, then the fact we can have a
"Framework" automate some class generations for us might be of minor
importance, especially if such a Framework will not be able to deal with the
application classes and would force us to keep creating new patterns just to
convert object types. ... Yet, they fall short when dealing with app specific
types and force us to either change our types just to be able to work with the
framework or, when two or more frameworks are involved, there's no way out and
we need to create alternative classes and copy data back and forth, doing the
necessary conversions, which completely defeats the purpose of having the
transparent proxies.
Where are all the technologists? Talent shortages and what to do about them
Instead of looking for that complete match, shift to 80% instead – the other
20% can almost always be met through training, support and development once in
the job. Another flexibility is around age. The most sought-after candidates
are in the 35-49 age bracket. But don’t rule out the under-35s or the
over-50s. There are brilliant people in both groups – one with all the
potential for the future, the other with invaluable experience and work
knowhow. This brings us to another absolutely key approach: to invest in
training and upskilling. I have one client who is looking ahead and can see
that they will have a significant software development skills requirement in
about four years’ time. So they are training their existing software engineers
now, so they can move into these roles when the time comes. There is a growing
emphasis among digital leaders on increasing the amount of internal
cross-training into tech. This is something that can be applied externally,
too. Look outside the business for talent that can be supported into a tech
career – people who may be in other fields right now but have the right
aptitude, mindset and ambition.
We’re Spending Billions Each Year on Cybersecurity. So Why Aren’t Data Breaches Going Away?
As companies invest heavily in technology, communication, and training to
reduce cybersecurity risk and as they begin seeing the positive impact of
those efforts, they may let their guard down—not paying as much attention to
the risks, not communicating as often, or failing to ensure that new employees
(or employees in new positions) are receiving the information and training
they need. Cybercrooks only need to be successful once to achieve their goals,
but companies need to be successful 100% of the time to avoid being
compromised. Consider this: security is subject to the same natural laws that
govern the rest of the universe. Entropy is real… we move from order to chaos.
... A strong security culture is a must-have to combat the continuous threats
that all companies are subject to. Employees’ security awareness, behaviors
and the organization’s culture must be assessed regularly. Policies and
training programs should be consistently updated to address the changing
threat landscape. Failure to do so puts companies at risk of data theft,
business interruption, or falling victim to ransomware scams.
What is supervised machine learning?
A common process involves hiring a large number of humans to label a large
dataset. Organizing this group is often more work than running the algorithms.
Some companies specialize in the process and maintain networks of freelancers
or employees who can code datasets. Many of the large models for image
classification and recognition rely upon these labels. Some companies have
found indirect mechanisms for capturing the labels. Some websites, for
instance, want to know if their users are humans or automated bots. One way to
test this is to put up a collection of images and ask the user to search for
particular items, like a pedestrian or a stop sign. The algorithms may show
the same image to several users and then look for consistency. When a user
agrees with previous users, that user is presumed to be a human. The same data
is then saved and used to train ML algorithms to search for pedestrians or
stop signs, a common job for autonomous vehicles. Some algorithms use
subject-matter experts and ask them to review outlying data. Instead of
classifying all images, it works with the most extreme values and extrapolates
rules from them.
Machine learning creates a new attack surface requiring specialized defenses
While all adversarial machine learning attack types need to be defended
against, different organizations will have different priorities. Financial
institutions leveraging machine learning models to identify fraudulent
transactions are going to be highly focused on defending against inference
attacks. If an attacker understands the strengths and weaknesses of a fraud
detection system, they can use that to alter their techniques to go
undetected, bypassing the model altogether. Healthcare organizations could be
more sensitive to data poisoning. The medical field has been some of the
earliest adopters of using their massive historical data sets to predict
outcomes with machine learning. Data poisoning attacks can lead to
misdiagnosis, alter results of drug trials, misrepresent patient populations
and more. Security organizations themselves are presently focusing on machine
learning bypass attacks that are actively being used to deploy ransomware or
backdoor networks. ... The best advice I can give to a CISO today is to
embrace patterns we’ve already learned on emerging technologies.
Quote for the day:
"There are three secrets to managing.
The first secret is have patience. The second is be patient. And the third
most important secret is patience." -- Chuck Tanner
/filters:no_upscale()/articles/k8s-external-secrets-operator/en/resources/1pasted%20image%200-10-1659174794947.jpeg)
