Knowledge & Information Technology
No. 285 - 1 April 2021
The Latest on Software Bills of Materials (SBOM)

The work led by the U.S. National Telecommunications and Information Administration (NTIA) continues. In addition to reports and a medical device software proof of concept, a demonstration of SBOM interchange is around the corner (see below). If you are a software supplier, you should learn about this and plan when and how you will be able to deliver an SBOM with your product before a customer surprises you with an RFP that mandates it! And if you buy software, you should learn about what you should ask for. Here are recent announcements:
The main remaining challenge is that there is no standard to uniquely identify a piece of software. The community assembled by NTIA continues to research this.
To learn more about the whole initiative, attend the Spring SBOM Community Meeting on April 29, 12:00-16:00 US Eastern Time. The meeting is open to all. Attendance instructions are not available yet but will be posted here, where you can find a whole repository of information about the initiative.
CODASPY 2021: the 11th ACM Conference on Data and Application Security and Privacy
ACM's Special Interest Group on Security, Audit and Control (SIGSAC) announced this virtual conference for April 26-28. It will "feature co-located workshops on Security and Privacy Analytics; Secure and Trustworthy Cyber-Physical Systems; and Software Defined Networks & Network Function Virtualization Security. Panels will address 'Is there a Security Mindset and Can It Be Taught?' and 'AI for Security and Security for AI.'" While you don't have to plan for travel, we're a little concerned that the conference page still doesn't have an agenda or registration instructions. We'll let you know in the next issue if we learn of a change.
What's in a Name? The Case of the Two CaaS

The cloud computing community knows about containers -- a deployment technology that allows workloads to be deployed and ported between different cloud platforms -- and a more recent option called Container-as-a-Service, or CaaS. During a recent discussion on the formalization of vocabularies, we discovered that for the International Telecommunication Union (ITU-T), "CaaS" means Communications-as-a-Service. The fact that the same abbreviation can mean different things in different domains is not new -- Wikipedia is full of so-called "disambiguation articles" to address this -- but the fact that this is a clash between two abbreviations in the same area (cloud services) is a bit too uncomfortable. Caveat lector.
AI Surges During COVID-19 But Heightens Privacy Concerns

A new study from consulting firm KPMG found that AI adoption surged during the pandemic, helping (for example) handle the increased level of "remote shopping" through automated chatbots and voice response systems. Less visible to the general public is the use of AI in contact tracing applications or to process the vast amount of medical data from tests and hospitalizations. But this has raised privacy concerns and calls for government regulation. This Datanami article summarizes the study.

(Thanks to former colleague Martin Koistinen of Diveplane Corp. for posting the article on LinkedIn)
Seen Recently...
"Definition of 'edge': everything outside the data center. Definition of 'cloud': someone else's data center."
-- Jeff Ready, CEO of Scale Computing, during a March 18 webinar on Industry 4.0 and Edge Computing
(This is cute, but grossly oversimplified. Your laptop is outside a data center, but I doubt you'd call what it does edge computing; and someone else's data center that doesn't provide self-provisioning and pay-as-you-go isn't a cloud.)

"If by moving a data center to the cloud you are introducing a lot more privacy and security risks, I would argue that you have not architected the rest of your solution correctly."
-- James Parker, of Education First, during a panel at the TechEx Cyber Security and Cloud Expo
(in one of the good moments of an event that otherwise rehashed a lot of known stuff about the reasons to move to the cloud, the importance of considering the business case, the need to consider the migration costs, etc., etc.)