School models are, for the most part, outdated, and very overdue for replacement. Research shows that by the time students reach high school, close to 66 percent of them are disengaged. Even students who do successfully navigate their schooling emerge with only a specific (and often narrow) skillset that may or may not match their strengths or interests.
Conventional schooling often leaves students disillusioned, questioning their intelligence and value as it is framed by a system that needs an overhaul.
Learner-centered education can play a critical role in reshaping education systems, offering a more holistic approach to meeting learners’ needs and helping students find fulfillment in their academic accomplishments.
K-12 Value Networks: The Hidden Forces That Help or Hinder Learner-Centered Education, a new report from the Clayton Christensen Institute and authored by CCI senior research fellow Thomas Arnett, offers insight into understanding why schools struggle to change their instructional models, along with tips to establish and support learner-centered education models.
Program leaders, sponsors, learners and their families, staff, community partners, and funders are all critical to the success of these learner-centered education models.
The report describes how five different learner-centered education models (The Met, Virtual Learning Academy Charter School, Iowa BIG, Village High School, and Embark Education) were able to launch and grow their models by assembling value networks congruent with their vision for learner-centered education.
1. The Met: The Metropolitan Regional Career and Technical Center, known as The Met, is a network of six small, public high schools located in Providence and Newport, Rhode Island. The hallmark of The Met’s learner-centered model is that its learners go out in their communities for two days out of the week to lead real-world projects as interns for partner organizations. For example, learners might work with a local bakery, a law firm, a tech company, or a recording studio.
When learners join the Met, they and their families work with an advisor to identify their strengths, needs, and interests, and then develop an individualized learning plan with an internship as its centerpiece. Learners are responsible for researching potential internship opportunities and communicating with partner sites to arrange their internships. Advisors coach them as they do their research and outreach to ensure that internships match their needs and interests.
2. Virtual Learning Academy Charter School: The Virtual Learning Academy Charter School (VLACS) is a statewide virtual school created in 2007 that serves K–12 learners throughout New Hampshire. The concept for the school came from the superintendent of the Exeter Region Cooperative School District, who saw an opportunity to take advantage of a new charter school law to apply for a statewide charter. Rather than create another conventional school, however, the superintendent recognized the distinctive value of using a virtual school model to offer a wide array of flexible, part-time and full-time learning options unavailable through brick-and-mortar campuses.
VLACS’s competency-based model is highly adaptable to learners’ needs and interests. It offers a range of options for learners to earn credits: through online courses, learner-designed projects, and out-of-school learning experiences such as internships and travel. Learners who take online courses move through those courses at their own pace and earn credit whenever they’re able to demonstrate mastery of designated competencies. For projects and other learning experiences, VLACS aligns these experiences with state learning standards and then measures learners’ mastery of standards using performance-based assessments.
Hot on the heels of the arrival of Red Hat Enterprise Linux (RHEL) 8.7, Red Hat has released the next version of its RHEL 9 family, RHEL 9.1.
What's the difference? Why two versions of one enterprise Linux distro? While under the hood there are many specific differences, the big one is that the RHEL 8 distro family is based on older, battle-tried code. RHEL 9, however, is based on the leading-edge CentOS Stream Linux distribution. So, in short, RHEL 8 is what you use if you prefer stability over innovation, while RHEL 9 is the distro for those who want the latest and greatest stable code.
For example, as Gunnar Hellekson, Red Hat's RHEL VP and general manager, put it, "As enterprise IT expands to encompass traditional hardware, multiple public cloud environments, and edge devices, complexity grows in parallel. The latest versions of Red Hat Enterprise Linux continue our commitment to making hybrid cloud computing more than just accessible, but successful at the scale of global business by pairing reliability and stability with features designed for innovation and flexibility."
RHEL 9.1 also puts security front and center. This is a good thing with security disasters on every side of us.
Specifically, RHEL 9.1 and 8.7 come with pre-configured Linux images designed to meet specific OpenSCAP security demands. OpenSCAP is an open-source project for scanning programs for security problems and setting up default security configurations. For instance, the default RHEL 9.x OpenSCAP is set to use Postfix as the standard e-mail server with specific configurations to make it safer for use. It also discourages you from using the tried and true, but not terribly secure, Sendmail server.
The new RHEL also includes multi-level security (MLS) support for agencies or other sensitive operations to better document and control classification needs. Red Hat Insights, Red Hat's security service, which comes with RHEL, also boasts a malware detector. In addition, RHEL now comes with the Sigstore Software Bill of Materials (SBOM) service to double-check your native container for unauthorized programs.
If you are serious about security, you want to run RHEL with SELinux enforcing. This latest release ships with SELinux 3.4. The most important changes include:
Put together, this makes SELinux easier to use and more secure than ever.
Returning to Insights, Red Hat Smart Management now combines Red Hat Satellite, the operating system's default configuration and management tool, with Insights' remediation plans. That makes it easier to run recommended, repetitive life-cycle management tasks.
If you prefer, you can also use the latest Ansible DevOps to run your RHEL 9.1 instances. One new feature I especially like with this edition of Ansible is you can remotely verify an RHEL system's boot environment. Again, it's all about security.
As always, the latest RHEL comes with the latest coding tools, container tools, computer languages, compilers, open-source databases, and web and cache servers.
Finally, you have more time to plan your RHEL life cycle upgrades. RHEL makes it simpler to plan your long-term operating system needs by supporting two-year Extended Update Support (EUS). Specifically, Leapp now supports in-place upgrades to the latest versions of RHEL, while Convert2RHEL now supports more flexible simultaneous landing releases.
Ready to give RHEL 9.1 a twirl? If you already have an RHEL subscription, you can get it via the Red Hat Customer Portal. For more down-and-dirty details, check out the RHEL 9.1 release notes and technical blog posts.
November 17, 2022
Two out of five students in California schools speak a language other than English at home. Teachers need more training to bring all of those students to proficiency in English and help them succeed in other subjects.
What makes professional development for teachers of English learners effective? We hear from teachers, parents and professors about workshops that gave them tools to work with students who are learning English, and about what their own childhood experiences as English learners taught them.
Education Beat is a weekly podcast hosted by EdSource’s Zaidee Stavely and produced by Coby McDonald.
Pop quiz: What’s the definition of “SEO culture” at an enterprise company?
Sorry, your answer of “Another meeting, email, or team bonding event that I have to fake smile through that has no hope of success” is incorrect.
I’m looking for “That warm cozy feeling you get when laundry first comes out of the dryer that makes you feel safe, comfortable, and trusting.”
It’s OK, I’m here to educate you.
Look, SEO at an enterprise company is fun.
Except for the part where you have to learn a dozen different brands and educate yourself on internal lingo like “BU” and “QBR.” And that doesn’t even include the fact that you have more than one (sometimes 10 or 20) different business leads you have to sell and win over with your SEO strategy.
The fact stands: If you want to gain the respect and trust of your peers for your SEO strategy at an enterprise company, you have to dedicate 50% of your time to education and culture.
If you’re thinking “why,” then you’re doing it wrong.
Too often, the idea of “SEO culture” is to over-promise and under-deliver, which is why I’ve done the heavy lifting for you.
After 12 years of working on SEO at enterprise companies, I’m pulling together some golden nuggets of knowledge I’ve learned to help build “SEO culture.” Ahead are a few of my favorites.
The idea of “office hours” started to trend in the tech world when Jason Fried, CEO of 37Signals, announced he was hosting CEO office hours in 2009.
Reread that sentence again – 2009, people.
It’s safe to say that “office hours” needs a makeover.
Let me be clear: I don’t mean this level of a makeover.
Within my first 3 months at an enterprise company, I make an effort to create SEO office hours.
It is all about setting the initiative that SEO is a part of a wider movement – promoting it across the company and different marketing channels.
Even Google’s John Mueller hosts SEO office hours.
The key to succeeding with your SEO office hours at a giant company with thousands of employees is having a thorough plan and schedule in advance.
While I set the schedule and agenda for the SEO office hours in month 3, I don’t kick them off until month 6.
I then host the event biweekly, leaving it open to people with questions. If no one has questions, I use the time as an educational opportunity to share a new update.
The biggest lesson I learned from actively listening and learning during these office hours is the importance of establishing trust. Think of your SEO office hours as an open door where people can share their gripes with the SEO team.
I heard about potential worries from the editorial team about SEO delaying work. I listened to complaints from the product marketing team that our keywords don’t align with the brand vision. I had to hear out what the web development team thought of some of the technical SEO recommendations.
At first, it may seem like you’re a punching bag. But the reality is, when you bring SEO into an enterprise company that’s been around for years, you’re bringing change.
People fear change.
Eventually, you’ll settle in. Conversations will flow. Laughs will be had.
You’ll learn stuff about your coworkers that you probably wish you hadn’t (like this person is dating this person). At this point, it would behoove you to grab a frosted donut and pour that bourbon you’ve been saving for a special moment into your lukewarm coffee.
First order of business: Let's remove the "lunch" from lunch-and-learns.
No one wants to shovel 63 burritos into their mouth in less than 10 minutes like Joey Chestnut in a hot dog eating contest to pretend to participate.
The most important part of lunch-and-learns is the "learn" part.
Use this as an opportunity to walk through something related to your next quarter plan.
For example, if I'm managing 1,000+ domains and I want to start implementing best practices in Q1 for all domains, I would walk through schema markup best practices, which help set the stage for the next quarter.
It helps generate buy-in for your quarterly plan, and if there are any questions that push back, this opens the floor for a bigger conversation.
Defining how you create an SEO culture at an enterprise company is difficult.
As the SEO lead, director or VP, you set the tone. If you want to deliver solid SEO results, it requires a culture and mindset of trust in you and your SEO achievements.
When you can align your enterprise SEO strategy with your leadership, a strong SEO culture ingrained in the company will drive positive outcomes for all teams.
Opinions expressed in this article are those of the guest author and not necessarily Search Engine Land.
Decentralized finance (DeFi) markets may have cooled down over the past year, but the technology powering these applications continues to advance. In particular, smart contract platforms that enable transactions to take place across DeFi applications are maturing to meet enterprise requirements.
While it’s notable that enterprises have previously shown interest in DeFi use cases, smart contract limitations have hampered adoption. A report published by Grayscale Research in March puts this in perspective, noting that “Despite handling millions of transactions per day, smart contract platforms in their current state would be incapable of handling even 10% of the worlds’ internet traffic.”
This notion is particularly troublesome considering the market opportunity behind DeFi. For instance, Grayscale Research’s report mentions that DeFi and Metaverse applications combined are likely to have a market capitalization much larger than the current digital asset market.
Given this potential, it’s become clear that smart contracts must advance in order to accommodate growth. John Woods, chief technology officer of the Algorand Foundation — the supporting organization of the eponymous blockchain ecosystem — told Cointelegraph that today’s smart contracts have a number of technical restrictions, such as scalability issues, which have resulted in slow transaction time and the inability to process complex computations.
Woods shared that smart contracts uploaded to the Algorand blockchain are applied primarily to traditional DeFi use cases that enable things like automatic trading of on-chain digital assets. Yet, when it comes to enterprise use cases, Woods mentioned that he believes it’s best to put as little information on-chain as possible. He said:
“I’ve previously worked with large enterprises that would want to conduct DeFi use cases like post-trade settlement on a blockchain network. When I was building those enterprise applications, I would only put the most important pieces of information on-chain. This would allow smart contracts to perform efficiently without having to do heavy computation on-chain.”
According to Woods, this methodology allows enterprises to benefit from smart contracts, but only when simple computations are involved. While this may serve as a solution to current limitations, advancements are being made to ensure that all enterprise data can be supported by smart contracts.
For example, Scott Dykstra, chief technology officer and co-founder of Space and Time — a decentralized data platform — told Cointelegraph that his firm is building a community-operated off-chain data platform that can handle any workload in a single cluster.
“We’re working to enable developers to run queries against data we’ve indexed from all major blockchains and data loaded from any off-chain source,” he explained. After queries are run, Dykstra explained that Space and Time uses patented novel cryptography, known as “Proof of SQL,” which can prove each query result is accurate and that the underlying data hasn’t been tampered with.
This is an important point, as Dykstra pointed out that enterprise data queries are typically run in off-chain data warehouses. But because these data warehouses are centralized, their query results often can’t be trusted by a smart contract, which limits what the contract can do with them.
Given that Space and Time can cryptographically prove that each data query result is accurate, Dykstra explained that this allows for complex computations to be connected directly to smart contracts without limitations.
“Space and Time’s ability to connect analytic query results directly to smart contracts (with cryptographic guarantees), will serve as a trustless intermediary between enterprise data and the limited storage of the blockchain,” he said. In turn, this process will automate more complex business logic for enterprise use.
Although this solution allows for complex data to be processed by smart contracts, privacy concerns remain. Paul Brody, global blockchain lead at EY, told Cointelegraph that while the value proposition of smart contracts for enterprises is enormous, so are the obstacles. He said:
“The biggest is privacy — public blockchains don’t natively support privacy. Since companies consider their buying arrangements to be sensitive information, no firm will deploy these solutions until they are confident in the privacy approach.”
Woods is also aware that enterprises are hesitant to use smart contracts due to privacy concerns. “Everything currently done across a public blockchain network is transparent, but enterprise use cases require some level of privacy. What’s coming next is privacy on smart contracts,” he said.
As such, Woods shared that Algorand is currently working on a smart contract privacy solution. While no other details were revealed, Woods — who previously worked as the director of Cardano architecture at Input Output Global (IOHK) — explained that IOHK is also looking into solving privacy around smart contracts with a product called Midnight.
Brody further noted that EY is building tools to enable both private payments and transfers on the public Ethereum network and is developing its own privacy-enabled products. For example, in July 2021, EY announced the release of Nightfall 3, a product that combines zero-knowledge proofs with Optimistic Rollups to boost transaction efficiency and privacy on Ethereum.
“Nightfall is a zero knowledge-optimistic roll-up for payments and transfers under privacy,” Brody said. He added that Starlight is another product from EY, which acts as a compiler that converts solidity contracts into zero knowledge, privacy-enabled circuits. “Both are contributions into the public domain and accessible to all,” he said.
Even with privacy across smart contracts, anonymity remains an issue for large companies. Weijia Zhang, vice president of engineering at Wanchain and the regional head of China at the Enterprise Ethereum Alliance, told Cointelegraph that smart contracts today do not have a mechanism to verify a user’s identity. In turn, bad actors can exploit flaws in a smart contract’s design, which can result in stolen assets by unidentified actors. Indeed, this is a major concern as DeFi hacks continue to increase.
Concerns aside, it’s notable that solutions are being developed to advance smart contract capabilities. Industry experts are, therefore, confident that enterprises will use smart contracts in the future.
“There is no doubt that enterprises will eventually adopt smart contract solutions. There are multiple promising technological innovations occurring in the public blockchain space that have smart contracts at their core,” said Zhang.
That said, it’s important to mention that platforms on which smart contracts execute are also advancing. For example, Woods noted that Algorand focuses on scalability to support enterprise use cases. “It’s not that smart contracts need to get more expressive, but we need to provide more resources to smart contracts as well. We also need to focus on scaling blockchains to make sure they are faster and able to connect to more smart contracts per second.”
Zhang further explained that a zero-knowledge Ethereum Virtual Machine can solve privacy and data challenges, while cross-chain bridge technology can solve interoperability issues. He added that sharding can solve scalability.
“Smart contract solutions will revolutionize complex systems that require the participation of multiple parties, resulting in system-wide efficiencies. It’s not that enterprises will want to use these solutions. It’s that they’ll have to,” he said. Yet, Brody mentioned that it’s important to temper expectations, noting:
“Companies implement systems slowly and usually only when necessary, because of a major upgrade or a change in business operations. This means that adoption rates that we see in the consumer world are not likely. What takes a decade for consumers might happen slowly over 30 years in the enterprise space.”
There is currently relatively little objective evidence that the much-promoted "learner-centered" approach to teaching is effective, according to new research.
Learner-centered pedagogy is designed to encourage pupils to become more involved in decision-making in the school and more active in class and participate in lessons.
It has been advocated by international bodies such as UNESCO and the World Bank, and many countries worldwide have invested considerable time, money, and resources in learner-centered pedagogy (LCP) despite the lack of a comprehensive body of evidence regarding its implementation and outcomes.
New research by Dr. Nozomi Sakata, Dr. Leanne Cameron and Dr. Nicholas Bremner shows that the approach can have positive results, but there is currently little objective evidence to prove its effectiveness. The researchers have called for larger-scale, objective, rigorous research on its effectiveness over time.
Some studies report teachers' and students' feedback that the teaching style helped to boost motivation, confidence, and enhanced relationships. But there is little proof it is more effective than what teachers have been doing previously.
Dr. Bremner, from the University of Exeter, said, "Existing evidence has shown learner-centered pedagogy can have a positive impact, but not enough to justify such a massive policy emphasis worldwide. Much of the evidence is too thin and simplistic to recommend that schools either abandon it or embrace it.
"On the basis of current evidence, there is a real gap in hard data to prove or disprove the value of LCP, especially given its continued prominence in worldwide policy discourses. Many policies have been introduced with good intentions, but they could be implemented in a more thoughtful way which allows teachers to make sensible decisions about using different methods and approaches at different times."
In the article, published in the International Journal of Educational Development, researchers conducted a review of 62 journal articles from 2001 to 2020 reporting the outcomes of LCP implementation in low- to middle-income countries around the world.
A total of 28 texts cited examples of teachers' positive experiences of LCP; 7 others were negative. However, only 9 out of the 62 studies contained objective evidence of improved academic learning outcomes.
A total of 26 out of the 62 texts cited examples of teachers or students' perspectives of enhanced student learning, while 9 texts cited examples of little to no improvement in student learning.
Dr. Bremner said, "Larger-scale experimental studies may be challenging from a methodological perspective and are likely to imply a large investment in time and resources. However, on the basis of current evidence, there is a real gap in hard data to prove or disprove the value of LCP, especially given its continued prominence in worldwide policy discourses.
"The more subjective research—for example, studies presenting perspectives of teachers and students—was more prevalent than objective research, and did seem to lean towards positive experiences of LCP for non-academic outcomes such as student motivation and confidence, as well as enhanced relationships. Such outcomes may not always be the priority for educational policymakers, but many would argue they are extremely important."
More information: Nicholas Bremner et al, The outcomes of learner-centred pedagogy: A systematic review, International Journal of Educational Development (2022). DOI: 10.1016/j.ijedudev.2022.102649
Citation: Little objective evidence to show effectiveness of learner-centered teaching methods, study warns (2022, November 15) retrieved 14 December 2022 from https://phys.org/news/2022-11-evidence-effectiveness-learner-centered-methods.html
In Victoria, you must be 16 years or older to obtain a learner permit, granted that you also meet the eligibility requirements. This includes having a Victorian residential address; being medically fit to drive; not being currently subject to a Fines Victoria license sanction; and having passed all of the appropriate tests.
Once you’ve confirmed your eligibility, which can be done online at VicRoads, you can then take the learner permit test online or in person.
The Learner Permit Test Online is an interactive 4-6 hour online course which teaches you the knowledge required to pass the test. As of 15 August 2022, a Victorian’s first attempt to take the online test is free. After the first attempt, the online test costs $25.40.
To take the test in person, you will need to book an appointment at a VicRoads branch. The appointment costs $19.60, while the test costs $25.40 (a total of $45 for each attempt).
Once you’ve passed the test to obtain a learners permit, you still need to purchase the license in order to officially get behind a wheel as a learner driver. In Victoria, a new learner permit (whether for car or motorcycle) is usually $26.
However, as of August 15, 2022, this permit issue fee is being waived for new drivers under the Victorian government’s Motorist Package and Safe Driver Discount.
Your learner permit is the first step in obtaining your full driver’s licence, and it comes with certain rules and restrictions.
Along with all road laws and rules, you will also need to:
In Victoria, there is no set speed limit when driving on your Ls. Instead, you must always drive within the designated speed limit for the area you are in.
VicRoads recommends learner drivers only have their supervised driver with them while driving; however, it is not illegal to have additional passengers on your Ls as long as they do not cause any distractions.
This article is part of a VB special issue. Read the full series here: Zero trust: The new security paradigm.
With remote work exploding amid the COVID-19 pandemic, zero trust has become a security process that enterprises depend on to protect hybrid working environments.
Yet while so many organizations are looking to embrace zero-trust networking, many are getting it wrong, implementing limited access controls or turning to “zero trust in a box” solutions.
According to one report, 84% of enterprises are implementing a zero-trust strategy — but 59% say they don’t have the ability to authenticate users and devices on an ongoing basis and are struggling to monitor users post-authentication.
In addition, Microsoft notes that while (according to another report) 76% of organizations have started implementing a zero-trust strategy, and 35% claim to have it fully implemented, those claiming to have achieved full implementation admit they haven’t finished implementing zero trust steadily across all security risk areas and components.
Although these may seem like small oversights, they can increase an organization’s exposure to risk significantly. A recent IBM report found that 80% of critical infrastructure organizations don’t adopt zero-trust strategies, which increased their average data breach costs by $1.17 million compared to those enterprises that do.
One of the most significant reasons that enterprises are getting zero trust wrong is that many software vendors use marketing that misleads them, not just about what zero trust is, but how to apply it, and whether certain products can implement zero trust.
All too often, these marketing practices trick CISOs and security leaders into thinking zero trust can be purchased.
“There’s a couple of mistakes a lot of people make in zero trust. First, and probably most common too, is approaching zero trust as something you can buy, a situation abetted by many vendors using the term in their marketing whether it applies to the product or not,” said Charlie Winckless, a senior analyst at Gartner.
That being said, Winckless does note that there are legitimate solutions you can buy to lay the foundation for zero-trust architecture, such as zero-trust network access (ZTNA) and microsegmentation products.
At the same time, Winckless warns enterprises about falling into the trap of trying to apply zero trust at too granular a level at the behest of software vendors.
“Second (and again, I think a lot of the way vendors are latching onto the term) is trying to push too much security into zero trust. Fundamentally, Gartner thinks of zero trust as replacing implicit trust with adaptive explicit trust. If you push too much into it, then it becomes impossible to achieve well,” Winckless said.
The reality of zero-trust adoption is that it’s a journey and not a destination. There’s no quick fix for implementing zero trust because it’s a security methodology designed to be continuously applied throughout the environment to control user access.
“Organizations that get zero trust wrong are the ones looking for a quick fix or silver bullet. They also tend to look to a set of products to get them zero trust. They fail to understand or don’t want to acknowledge that zero trust is a strategy, it is an information security model,” said Baber Amin, COO of Veridium.
Amin added, “Products can and do help achieve zero trust, but they need to be applied correctly. It’s just like purchasing the most expensive lock, which does not do anything if the door itself is not properly reinforced.”
Amin also noted some of the most common mistakes organizations make besides confusing zero-trust strategy with product offerings.
These mistakes include:
To build a successful zero-trust strategy, security teams must be able to do more than continually authenticate users and devices. They must also monitor those users and devices post-authentication; microsegment their networks; and implement controls across on-premise and cloud environments to secure access to data at the application level.
Making the zero-trust journey is often easier said than done, since many enterprises are operating in environments with outdated and inflexible legacy infrastructure. This makes it more difficult to manage user access at speed.
Over-reliance on legacy infrastructure is a well-recognized barrier to zero-trust adoption. For instance, a survey of 300 federal IT and program managers found that 58% said the biggest challenge to implementing zero trust is rebuilding or replacing existing legacy infrastructure.
As a result, adopting zero trust is as much about undergoing digital transformation and replacing legacy infrastructure as it is about implementing new security controls and applying the principle of least privilege throughout the environment.
“Traditionally organizations have always been behind the ball when it comes to adopting a ‘security first’ environment, and have purposely stuck with legacy models in order to cut costs on CIAM/IAM infrastructure [and] ensure users are not ‘burdened’ with extra authentication when accessing sites, files, etc., which may cause bad [user] experience or slow down overall productivity,” said Charles Medina, security engineer at Token.
Organizations that need to deploy new tools to enable their zero-trust journeys also need to make sure that they’re training employees how to use the new solutions effectively.
“The worst is when an organization deploys great tools that help with pushing a zero-trust model, but either aren’t trained in a proper deployment due to cost or simply don’t take the environment seriously,” Medina said.
Finally, achieving the buy-in necessary to undergo effective digital transformation rests on the ability of CISOs and security leaders to present zero-trust adoption as not just a security issue, but a business issue.
CISOs need buy-in from other key stakeholders if they are to replace underlying legacy infrastructure and applications. After all, without significant investment in digital transformation, security teams won’t have the tools to implement basic access control and authentication models to manage and monitor user access.
“Deployment is a step-by-step process which starts with developing and socializing a strategy with the business and establishing a governance framework which engages stakeholders in the change initiative — not just the CIO and CISO teams, but those business units who may be impacted by the implementation,” said Akhilesh Tuteja, global cybersecurity practice leader at KPMG.
It’s critical that CISOs highlight the potential cost savings of going zero trust.
They might, for instance, highlight Forrester research that illustrates how organizations that adopt Microsoft’s zero-trust solutions can generate a 92% return on investment (ROI) and a 50% lower chance of a data breach. This could help make the business case for investing in zero-trust controls.
However, even with the support of other key stakeholders, zero trust isn’t a one-time effort, but an ongoing process.
“At every stage in the process, there is potential for missteps and many surprises. Few businesses understand their IT estate, and quite how the various systems and applications interact. As you implement segregation and new access controls, things will break. Unexpected dependencies will be discovered, with surprising data flows and long-forgotten applications,” Tuteja said.
No matter how far along an enterprise is in its zero-trust journey, CISOs and security leaders can reduce the chance of making mistakes by viewing zero trust as a continual process, and committing to making incremental improvements to this process.
Taking simple steps like making an inventory of assets that need to be protected, then deploying identity and access management (IAM) and privileged access management (PAM), can help to build zero trust from the ground up and develop a cultural mindset of continuous improvement.
If you haven't switched over to the Red Hat Enterprise Linux (RHEL) 9 family, and your company lives and dies with RHEL, then chances are you're running RHEL 8.x. If that's you, pay attention, because the latest version, RHEL 8.7, has just arrived at a download site near you.
Why make a move at all? It's not like RHEL 8.6 is going to fall apart on you. That's true, but the latest RHEL does come with bigger, better security features. And, unless you've been hiding your head in the sand for the last few years, you know security attacks are happening more than ever.
Specifically, Red Hat is implementing new built-in authentication and security features. These are:
Red Hat is also improving its Software Bill of Materials (SBOM) with Secure Software Supply Chain methodologies. Red Hat did this by adopting Sigstore, the well-regarded open-source software signing service for its build pipelines and tools. This makes RHEL and the programs built within it much more trustworthy.
The company is also incorporating Sigstore into Podman, its Open Containers Initiative (OCI) rival to Docker. Since Podman works natively with Kubernetes, the incredibly popular cloud orchestration tool, it has become very popular in its own right.
If securing your software isn't reason enough for you, keep in mind that SBOMs are now required by government regulation and presidential decree. SBOMs are not just a good idea; they're the law.
In addition, RHEL's Network Security Services (NSS) libraries now require all RSA keys to be at least 1023 bits long. This, perforce, makes all your encryption keys stronger.
Beyond these, and other minor, security fixes, RHEL has also moved to a new Linux kernel. It now runs with the 4.18.0-425 kernel version.
Of course, the new RHEL also includes the latest coding tools, container tools, computer languages, compilers, open-source databases, and web and cache servers. It wouldn't be an RHEL release without them. These include:
RHEL also includes Application Streams. These let your programmers pick from several versions of a given piece of software, whichever best suits their needs. These user-space components are delivered and updated more frequently than the core operating system packages.
Your developers will be thrilled to see these ready to run in their toolchains.
Finally, it's easier than ever to upgrade from one version of RHEL to the next. Leapp, Red Hat's upgrade tool, now supports in-place upgrades across two two-year Extended Update Support (EUS) periods. So, for example, you can easily shift from RHEL 7.9 to 8.4 or 8.6, and from 8.6 to 9.0. This gives you two years to understand and plan for your upgrades. The related tool, Convert2RHEL, now supports similar conversions from CentOS Linux to RHEL, for instance from CentOS Linux 7.9 to RHEL 7.9 and from CentOS Linux 8.4 to RHEL 8.4.
Taken all in all, RHEL 8.7 is an impressive step forward for RHEL users. I'd give serious consideration to moving to it sooner rather than later. The Sigstore support alone makes it a top upgrade priority in my book.
Enterprises are spending nearly $1,200 a year per employee to address the risk that cloud-based workforce collaboration apps bring to their business.
It's a well-known reality at this point that with corporate workers more dispersed than ever due to the changing work patterns introduced during the pandemic, enterprises are increasingly relying on new Web-based tools beyond email. These include cloud-based messaging, storage, shared workplaces, customer relationship management (CRM), and other apps and services.
The problem is, these tools also have widely expanded the attack surface for threat actors and increased exposure of corporate assets to the internet. Cybercriminals have quickly recognized the opportunity to exploit this reality — helped along by the fact that many of these apps are largely unproven, security-wise, according to a white paper published Nov. 22 by Osterman Research and sponsored by Perception Point.
"Threat actors have responded quickly to the emergence of new channels for employee productivity and collaboration," the researchers wrote.
Specifically, organizations are now paying $1,197 per employee each year to address successful cyber incidents across email services, cloud collaboration apps or services, and Web browsers — meaning a 500-employee company spends, on average, $600,000 on an annual basis, the researchers found. This cost excludes compliance fines, ransomware mitigation costs, and business losses from non-operational processes, they said.
Researchers ran a survey of 250 security and IT decision-makers to parse this surge in malicious incidents against these new services, and found that 60% of the attack attempts arrive via email — which remains the most widely attacked enterprise service.
Moreover, some attacks — such as those involving malware installed on an endpoint — are occurring with even more frequency, up 87%.
The situation is only likely to get worse, with more than 70% of respondents believing the frequency of security threats will remain the same or increase over the next two years, the researchers said. This outlook reflects the time organizations need to respond to the rapid rate of expansion in the use of these apps and to adjust their security posture accordingly, they acknowledged.
On average, organizations surveyed said they use about six various apps and services for communication and collaboration across their workforce.
The most popular apps now being used for workforce collaboration include messaging apps such as Microsoft Teams, Slack, or WhatsApp; cloud storage and collaboration apps such as Google Drive, OneDrive, SharePoint, or Box; shared workspaces such as Microsoft Teams, Google Workspace, or Huddle; enterprise social networks such as Facebook Workplace, Jive, or Microsoft Yammer; CRM tools such as Salesforce, HubSpot, Zendesk, or Microsoft Dynamics CRM; cloud storage services such as AWS S3 buckets or Microsoft Blob Storage; and online meeting tools such as Zoom, WebEx, or Microsoft Teams meetings.
Moreover, employees also use a host of unsanctioned communication and cloud collaboration apps, such as personal Dropbox storage accounts or personal Zoom accounts, which also put the enterprise at risk.
There have been recent security incidents that highlight the vulnerability of these apps and why enterprises should be paying close attention. Researchers from Varonis Threat Labs, for instance, recently found multiple security vulnerabilities — including a nasty SQL injection bug — in Zendesk's Web-based CRM platform that could have allowed attackers to access sensitive information from potentially any customer account.
Meanwhile, legions of databases — and, thus, customers' personally identifiable information (PII) — are being inadvertently exposed to the Internet monthly through a feature of Amazon Relational Database Service, a popular cloud-based data-backup service offered by Amazon Web Services, according to recent research from the Mitiga Research Team.
Both of these incidents demonstrate the security weaknesses lurking in the cloud-based apps that are becoming the backbone of enterprise workforce collaboration, with 19% of respondents acknowledging that they use as many as nine of these tools, significantly increasing their attack surface, the researchers said.
"Using such a wide range of tools increases the amount of vectors which attackers can target," they wrote.
Not only are there more attacks against these apps and services but they're also increasing in sophistication, the researchers found. A full 72% of respondents indicated that attacks against cloud storage services have grown more sophisticated over the past year, and 57% said the same about attacks against email.
"This trend is especially concerning given the rapid rate of adoption of new cloud-based apps and services," the researchers noted.
The situation clearly demands a response from enterprises, which have a number of options for how they can address and minimize their risk of attack against these various apps and services, the researchers said.
However, it will take some effort on their part, including an update of traditional security postures, noted Michael Sampson, senior analyst at Osterman Research.
"Organizations cannot afford — financially or reputationally — to rely on outdated approaches," he said in a press statement. "Our survey demonstrates the clear need for agile and holistic threat prevention solutions."
Enterprises are already on the case, according to the report. Some ways organizations said they will try to mitigate the situation in the coming year include deploying at least one new security tool to combat threats, with 69% of respondents saying they plan to deploy three or more.
Enterprises also should be consolidating their security stack for more holistic and efficient threat protection, as well as leveraging managed services to support their security teams with scalable and flexible incident response capabilities, the researchers advised.
"Fast, holistic, and accurate threat prevention across all channels is singularly important in an era of increasingly frequent and sophisticated cyber incidents," they wrote.