November 02, 2023

How Banks Can Turn Risk Into Reward Through Data Governance

To understand why data governance is critical for banks, we must understand the underlying challenges facing financial services organizations as they modernize. Rolling out new cloud applications or Internet of Things (IoT) devices into an environment where legacy on-premises systems are already in place means more data silos and data sets to manage. Often, this results in data volumes, variety, and velocity increasing much too quickly for banks. This gives rise to IT complexity—driven by technical debt or the reliance on systems cobbled together and one-off connections. Not only that, it also raises the specter of 'shadow IT' as employees look for workarounds to friction in executing tasks. This can create difficulties for banks trying to identify and manage their data assets in a consistent, enterprise-wide way that is aligned with business strategy. Ultimately, barely controlled data leads to errant financial reporting, data privacy breaches, and non-compliance with consumer data regulations. Failing to counter these risks can lead to fines, hurt brand image, and trigger lost sales. 


Key Considerations for Developing Organizational Generative AI Policies

It's crucial to ensure that all relevant stakeholders have a voice in the process, both to make the policy comprehensive and actionable and to ensure adherence to legal and ethical standards. The breadth and depth of stakeholders involved will depend on the organizational context, such as regulatory/legal requirements, the scope of AI usage and the potential risks associated (e.g., ethics, bias, misinformation). Stakeholders offer technical expertise, ensure ethical alignment, provide legal compliance checks, offer practical operational feedback, collaboratively assess risks, and jointly define and enforce guiding principles for AI use within the organization. Key stakeholders—ranging from executive leadership, legal teams and technical experts to communication teams, risk management/compliance and business group representatives—play crucial roles in shaping, refining and implementing the policy. Their contributions ensure legal compliance, technical feasibility and alignment with business and societal values.


CIOs sharpen cloud cost strategies — just as gen AI spikes loom

One key skill CIOs are honing to lower costs is their ability to negotiate with cloud providers, said one CIO who declined to be named. “People better understand the charges, and [they] better negotiate costs. After being in cloud and leveraging it better, we are able to manage compute and storage better ourselves,” said the CIO, who notes that vendors are not cutting costs on licenses or capacity but are offering more guidance and tools. “After some time, people have understood the storage needs better based on usage and preventing data extract fees.” Thomas Phelps, CIO and SVP of corporate strategy at Laserfiche, says cloud contracts typically include several “gotchas” that IT leaders and procurement chiefs should be aware of, and he stresses the importance of studying terms of use before signing. ... CIOs may also fall into the trap of misunderstanding product mixes and the downside of auto-renewals, he adds. “I often ask vendors to walk me through their product quote and explain what each product SKU or line item is, such as the cost for an application with the microservices and containerization,” Phelps says. 


Misdirection for a Price: Malicious Link-Shortening Services

Security researchers gave the service the codename "Prolific Puma." They discovered it by identifying patterns in links being used by some scammers and phishers that appeared to trace to a common source. The service appears to have been active since at least 2020 and regularly is used to route victims to malicious domains, sometimes first via other link-shortening service URLs. "Prolific Puma is not the only illicit link shortening service that we have discovered, but it is the largest and the most dynamic," said Renee Burton, senior director of threat intelligence for Infoblox, in a new report on the cybercrime service. "We have not found any legitimate content served through their shortener." Infoblox, a Santa Clara, California-based IT automation and security company, published a list of 60 URLs it has tied to Prolific Puma's attacks. The URLs employ such domains as hygmi.com, yyds.is, 0cq.us, 4cu.us and regz.information. Infoblox said many domains registered by the group are parked for several weeks while being used, since many reputation-based security defenses will treat freshly registered domains as more likely to be malicious.


DNS security poses problems for enterprise IT

EMA asked research participants to identify the DNS security challenges that cause them the most pain. The top response (28% of all respondents) is DNS hijacking. Also known as DNS redirection, this process involves intercepting DNS queries from client devices so that connection attempts go to the wrong IP address. Hackers often achieve this by infecting clients with malware so that queries go to a rogue DNS server, or they hack a legitimate DNS server and hijack queries at a more massive scale. The latter method can have a large blast radius, making it critical for enterprises to protect DNS infrastructure from hackers. The second most concerning DNS security issue is DNS tunneling and exfiltration (20%). Hackers typically exploit this issue once they have already penetrated a network. DNS tunneling is used to evade detection while extracting data from a compromised network. Hackers hide extracted data in outgoing DNS queries. Thus, it’s important for security monitoring tools to closely watch DNS traffic for anomalies, like abnormally large packet sizes. The third most pressing security concern is a DNS amplification attack (20%).
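The monitoring idea above, sketched as an added example that is not part of the original article: it groups DNS queries by client and parent domain and flags groups whose query names are repeatedly long and random-looking. Query-name length and character entropy stand in for the "abnormally large packet sizes" mentioned in the text; the log format, thresholds and function names are assumptions, and the sample log is constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log, "<client_ip> <qtype> <qname>" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 A api.example.com
10.0.0.7 TXT a3f91c0e7b2d48569fe1c3a7045b8d26e9f0a1b2c3d4.t.example.net
10.0.0.7 TXT 7b2d48569fe1c3a7045b8d26e9f0a1b2c3d4a3f91c0e.t.example.net
10.0.0.7 TXT 9fe1c3a7045b8d26e9f0a1b2c3d4a3f91c0e7b2d4856.t.example.net
10.0.0.9 A a3f91c0e7b2d48569fe1c3a7045b8d26e9f0a1b2c3d4.cdn.example.org
"""

def shannon_entropy(s):
    """Bits per character; random hex approaches 4.0, hostnames sit lower."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_tunnel_suspects(log_text, min_queries=3, min_avg_len=40, min_entropy=3.0):
    """Return sorted (client, parent_domain) pairs that look like DNS tunneling.

    Thresholds are illustrative assumptions and need tuning per network.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, _qtype, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain part that could carry data
        # Assumption: parent domain = last two labels. Production code
        # should use the Public Suffix List instead.
        parent = ".".join(labels[-2:])
        buckets[(client, parent)].append("".join(labels[:-2]))
    suspects = []
    for key, subs in sorted(buckets.items()):
        payload = "".join(subs)
        avg_len = len(payload) / len(subs)
        # A single long name (10.0.0.9) is not enough: require repetition too.
        if (len(subs) >= min_queries and avg_len >= min_avg_len
                and shannon_entropy(payload) >= min_entropy):
            suspects.append(key)
    return suspects

if __name__ == "__main__":
    for client, parent in find_tunnel_suspects(SAMPLE_LOG):
        print(f"possible DNS tunneling: {client} -> *.{parent}")
```
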


Data governance that works

Once we've found our targeted business initiatives and the data is ready to meet the needs of those initiatives, there are three major governance pillars we want to address for that data: understand, curate, and protect. First, we want to understand the data. That means having a catalog of data that we can analyze and explain. We need to be able to profile the data, to look for anomalies, to understand the lineage of that data, and so on. We also want to curate the data, or make it ready for our particular initiatives. We want to be able to manage the quality of the data, integrate it from a variety of sources across domains, and so on. And we want to protect the data, making sure we comply with regulations and manage the life cycle of the data as it ages. More importantly, we need to enable the right people to get to the right data when they need it. AWS has tools, including Amazon DataZone and AWS Glue, to help companies do all of this. It's really tempting to attack these issues one by one and to support each individually. But in each pillar, there are so many possible actions that we can take. This is why it's better to work backwards from business initiatives.
