February 15, 2022
Data residency and data sovereignty are increasingly governed by local laws. There is a growing push towards data sovereignty, in part because of supply chain and security concerns. As Mathieu Gorge, CEO at compliance experts Vigitrust, points out, firms and governments alike are increasingly concerned about geopolitical risk. Firms also need to be aware of data adequacy requirements if they intend to move data across borders. This could come into play if they move between hyperscaler regions and availability zones (AZs), or change SaaS providers. “There is adequacy between the UK and EU, but you are still relying on clauses in the contract to demonstrate that adequacy,” he cautions. Meanwhile, the challenge of data residency is becoming more complicated as more countries roll out data sovereignty regulations. The EU’s GDPR does not actually include stipulations on data residency, relying instead on data adequacy. The UK’s post-Brexit approach follows that of GDPR. But the growth of local data privacy laws is increasingly linked to more localised, or even nationalistic, views of IT resources, and specific regulations and laws can also set out data residency requirements.
“Open source is not the problem,” stated Dr. Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council think tank, during a US Senate Committee on Homeland Security & Government Affairs hearing this week. “Software supply-chain security issues have bedeviled the cyber-policy community for years.” Experts have been predicting a long-term struggle to remedy the Log4j flaw and its impact. Security researchers at Cisco Talos, for example, stated that Log4j will be widely exploited moving forward, and that users should patch affected products and implement mitigations as soon as possible. The popular Java logging library is widely used in enterprise and consumer services, websites, and applications as an easy-to-use common utility for client/server application development. If exploited, the Log4j weakness could let an unauthenticated remote actor take control of an affected server, gain access to company information, or launch a denial of service attack. The Senate panel called on experts to learn about industry responses and ways to prevent future software exposures.
Automate as much as you can. A declarative approach is the goal. While there are now many options for using independent data management software to manage policies across storage, many organizations still rely on IT managers and spreadsheets to create and track policies. The worst part of this bespoke manual effort is searching for files with certain attributes and then moving or deleting them. These efforts are inefficient and incomplete, and they undermine the point of having policies: they are painful to maintain, and IT professionals have too many competing priorities. This approach also limits the potential of using policies to continuously curate and move data into data lakes for strategic AI and ML projects. Instead, look for a solution with an intuitive interface for building policies that execute on a schedule and run in the background without human intervention. Measure outcomes and refine. Any data management policy should be mapped to specific goals, such as cost savings on storage and backups. It should measure those outcomes and report their status, so that if the goals are not being met you can change the plan accordingly.
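The workflow described above (declare what to match and what to do, run it unattended, then measure the result against a goal) as a worked example. This is added illustration code, not the original article's or any vendor's product; the rule names, thresholds, goal figures and the sample file tree are all hypothetical and constructed inline so the script runs offline.

```python
# Added example: a small declarative data-management policy engine.
# Rules, thresholds, goals and the sample tree below are hypothetical.
from __future__ import annotations

import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

DAY = 86_400


@dataclass(frozen=True)
class Rule:
    name: str
    suffixes: tuple[str, ...]  # matched case-insensitively, e.g. (".log",)
    older_than_days: float     # file mtime must be at least this many days old
    action: str                # "archive" (move to the archive tier) or "delete"
    goal_bytes: int            # bytes the rule is expected to reclaim per run


@dataclass
class Outcome:
    rule: str
    goal_bytes: int
    matched: int = 0
    bytes_reclaimed: int = 0

    @property
    def goal_met(self) -> bool:
        return self.bytes_reclaimed >= self.goal_bytes


def rule_matches(rule: Rule, path: Path, now: float) -> bool:
    """Attribute check: suffix on the rule's list and mtime older than the threshold."""
    age_days = (now - path.stat().st_mtime) / DAY
    return path.suffix.lower() in rule.suffixes and age_days >= rule.older_than_days


def apply_policy(root: Path, archive: Path, rules: list[Rule],
                 now: float | None = None, dry_run: bool = False) -> dict[str, Outcome]:
    """Apply the first matching rule to every file under root; report outcomes per rule.
    dry_run=True measures what would happen without touching a file, which is how a
    new policy should be validated before it is put on a schedule."""
    now = time.time() if now is None else now
    outcomes = {r.name: Outcome(r.name, r.goal_bytes) for r in rules}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):  # list first, then act
        for rule in rules:
            if not rule_matches(rule, path, now):
                continue
            size = path.stat().st_size
            if not dry_run:
                if rule.action == "archive":
                    dest = archive / path.relative_to(root)
                    dest.parent.mkdir(parents=True, exist_ok=True)
                    shutil.move(str(path), str(dest))
                elif rule.action == "delete":
                    path.unlink()
                else:
                    raise ValueError(f"rule {rule.name}: unknown action {rule.action!r}")
            outcomes[rule.name].matched += 1
            outcomes[rule.name].bytes_reclaimed += size
            break  # first matching rule wins; later rules never see this file
    return outcomes


# Constructed sample data (not real files). A fixed clock and back-dated mtimes
# keep the run deterministic.
NOW = 1_700_000_000.0
SAMPLE_FILES = [  # (relative path, size in bytes, age in days)
    ("logs/app-2020.log", 100, 400),  # stale log        -> archived
    ("logs/today.log", 50, 10),       # recent log       -> left alone
    ("tmp/build.tmp", 200, 40),       # old scratch file -> deleted
    ("docs/report.pdf", 300, 500),    # no rule for .pdf -> left alone
]
POLICY = [
    Rule("stale-logs", (".log",), older_than_days=365, action="archive", goal_bytes=100),
    Rule("scratch", (".tmp",), older_than_days=30, action="delete", goal_bytes=1_000),
]


def build_sample_tree(root: Path) -> None:
    for rel, size, age in SAMPLE_FILES:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x" * size)
        os.utime(p, (NOW - age * DAY, NOW - age * DAY))


def demo(dry_run: bool = False) -> tuple[dict[str, Outcome], list[str], list[str]]:
    """Run POLICY over a throwaway sample tree; return (outcomes, files left, files archived)."""
    work = Path(tempfile.mkdtemp())
    root, archive = work / "data", work / "archive"
    try:
        build_sample_tree(root)
        outcomes = apply_policy(root, archive, POLICY, now=NOW, dry_run=dry_run)
        left = sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
        moved = sorted(p.relative_to(archive).as_posix()
                       for p in archive.rglob("*") if p.is_file()) if archive.exists() else []
    finally:
        shutil.rmtree(work)
    return outcomes, left, moved


if __name__ == "__main__":
    for o in demo()[0].values():
        print(f"{o.rule}: {o.matched} file(s), {o.bytes_reclaimed} bytes reclaimed, "
              f"goal {'met' if o.goal_met else 'NOT met'}")
```

Running it shows the point of tying a rule to a goal: the stale-logs rule meets its 100-byte target, while the scratch rule reclaims only 200 of the 1,000 bytes it was expected to, which is the signal to revisit the threshold rather than assume the policy is working. Validate a new rule with dry_run=True first; the measurement is identical, but nothing is moved or deleted.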
Microservices envy is a problem, because microservices aren’t the sort of thing we should be envying. One of our consultants has a heuristic that if a client keeps talking about Netflix and asking for microservices, he knows the engagement is in trouble. Almost certainly, they’re not moving to microservices for the right reason. If the conversation is a bit deeper, and covers things like coupling and cohesion, then he knows they’re in the right space. The starting ambition for a microservices transformation should never be the microservices themselves. Microservices are the means to achieve a higher-level goal of business agility or resiliency or equivalent. Actually, microservices are not even the only means; they're a means. ... It’s important to ask "do you have microservices, or do you have a monolith spread over hundreds of Git repos?" That, unfortunately, is what we often see. This is a distributed monolith, and it’s a terrible thing. It's hard to reason about. It's more prone to errors than its monolithic equivalent. With a conventional monolith where it's all contained in a single development environment, you get benefits such as compile-time checking and IDE refactoring support.
Cyber resilience and digital security overlap different “pillars” of the strategy but share the same goal of enhancing the security posture of the UK, which requires a whole-of-society outlook. The government’s efforts to take an active role in the development and adoption of technologies critical to cyberspace are commendable. To remain in sync with the pace of change, there needs to be collaborative and active engagement with experts who have a deep understanding of the threats in cyberspace and of how to secure the technologies required. The National Cyber Strategy outlines the government’s vision to build on its influence and take on a leading role in promoting technologies and security best practices critical to cyberspace globally. It must not wait until the telecommunications industry encounters problems with 5G deployments and organisations are left trying to retrospectively fix their security weaknesses. Organisations must build their networks securely from the start, and effective guidance will be key to supporting this.
BlackCat's migration to Rust, which can run on embedded devices and integrate with other languages, comes as no surprise to Carolyn Crandall, chief security advocate at network security specialist Attivo Networks. She tells ISMG that attackers are always going to innovate with new code designed to circumvent endpoint defense systems. Crandall says BlackCat ransomware is "extremely sophisticated" because it is human-operated and command line-driven. ... Anandeshwar Unnikrishnan, senior threat researcher at cybersecurity firm CloudSEK, tells ISMG that threat actors, especially malware developers, will eventually move away from the traditional programming languages they formerly used to write malware, such as C or C++, and adopt newer languages such as Rust, Go and Nim. Unnikrishnan says there are plenty of reasons for malware developers to migrate to languages such as Rust, Go and Nim, but the main reasons are that these newer languages are fast and can evade the static analysis of most malware detection systems.