Трите власти – законодателна, изпълнителна и съдебна – са разделени с цел взаимен контрол и предотвратяване на концентрация на власт. Традиционно към тях се добавя и т.нар. „четвъртна власт“ – медиите, които осигуряват допълнителен контрол върху трите власти чрез прозрачността, която осигуряват. Затова между властите има различни механизми – законоустановени или имплицитни – за проверки и баланси (checks and balances).
Поради все по-активното навлизане на технологиите в държавното управление, моята теза е, че те плавно се превръщат в „пета власт“. Във времето много елементи на обществения живот са били обявявани за „пета власт“, така че не твърдя, че това е единственият допълнителен механизъм за проверки и баланси, отвъд утвърдените 3+1 власти, но смятам, че ще става все по-централен и трябва да му обърнем специално внимание.
Общоприета теза е, че „властта корумпира“. Макар това да е опростена теза, както е разгледано в литературата, в сърцевината си тя е вярна – позициите на власт, върху които няма достатъчно външен контрол, създават корупционни практики – не само свързани със злоупотреби със средства, но и по-общо със злоупотреби с власт. Механизмите за възпиране на корупцията са много – съдебен контрол на актове, наказателна отговорност, публичност, парламентарен контрол и др.
проследимост на действията и техните автори, и то по начин, който не позволява да бъдат подменяни;
невъзможност за промяна и антидатиране на документи
защита на данните от неоторизиран достъп (т.е. без „само да погледна тука една папка“)
прозрачност и публичност на данни и докименти, с което да се подхранят разследванията на четвъртата власт
истинско случайно разпределени на преписки, проверки, дела – много експерименти показват, че използването на принципа на случайност намалява корупционния риск
автоматична валидация на данните, което премахва човешкия фактор и възможността за „затваряне на очите“ за някои пропуски
автоматизиране на максимално много дейности, което намалява дискрецията на овластените лица
автоматизиран анализ на риска на база на натрупаните данни, така че да бъдат откривани злоупотреби проактивно
Но преди да бъда обвинен в техно-утопизъм – че виждам технологично решение на всеки проблем – ще отбележка и негативната страна. Както всяка власт, и петата може да е неефективна, корумпирана и да работи в нечий интерес. Както изпълнителната може да се корумпира, както съдебната може да решава дела не само в съответствие със закона, както законодателната може да е прокарва частни интереси и както медиите могат да бъдат необективни и дори „бухалки“, така и технологиите могат да бъдат инструмент за корупция.
И трябва сериозно усилие, за да не бъде така. Институционално и технологично усилие, за да бъде проследимостта реална, а не „наши хора“ да могат да си зачистват следите, за да има реално случайно разпределени, а не едни административни ръководители да могат с тайни клавишни комбинации да предопределят избора, за да се публикуват максимално много данни, а не да се спестяват с оправдания „тя системата няма да издържи“.
Технологиите сами по себе си не са власт, но всички дейности около тях, са именно такава. Петата власт в момента е в ръцете на едни не особено видими хора – ИТ директори, системни администратори, администратори на бази данни, програмисти – в частни компании, в администрацията и в държавната компания Информационно обслужване. Това не е обвинение към тях и не е презумпция за злоупотреба – в мнозинството си това са честни експерти, които си вършат съвестно работата. Но отговорността е далеч по малка спрямо колективната тежест, която все повече ще имат (или „имаме“ – защото и аз продължавам да се причислявам към ИТ експертите).
Допълнителен проблем е и това, че технологиите трудно се разбира и от широката публика, и от политическата класа – както стана болезнено ясно от измислените скандали с машинното гласуване. Но те са само един пример.
Именно заради тези проблеми – че петатат власт се упражнява „между другото“, понякога неосъзнато и без политическа отчетност, трябва технологиите, използвани в държавното управление, да бъдат балансирани от останалите четири власти. Например в законите да е уредено, че не могат да се подменят данни; че има технически-гарантирано случайно разпределение; че кодът на системите е публичен, актуален и одитиран; че за достъп до определени данни не се разчита само на един човек; че чувствителни данни се съхраняват логически разделени; че се използват актуални криптографски методи за защита на конфиденциалността и целостта на данните. Нужно е в съдебната власт (и съдът, и органите на досъдебното производство) да разполага с по-широк набор от експерти по технологични теми. Нужно е изпълнителната власт да разработи механизми за повече прозрачност и проследимост в управлението на информационните и комуникационни технологии.
Петата власт – технологиите в държавното управление – е все още недостатъчно видима, но сме длъжни да говорим за нея, за да бъде използвана за предотвратяване на злоупотреби в другите власти, а не за скрито и трудно-разбираемо вмешателство в тях.
Amazon OpenSearch Service is a fully managed search and analytics service powered by the Apache Lucene search library that can be operated within a virtual private cloud (VPC). A VPC is a virtual network that’s dedicated to your AWS account. It’s logically isolated from other virtual networks in the AWS Cloud. Placing an OpenSearch Service domain within a VPC enables a secure communication between OpenSearch Service and other services within the VPC without the need for an internet gateway, NAT device, or a VPN connection. All traffic remains securely within the AWS Cloud, providing a safe environment for your data. To connect to an OpenSearch Service domain running inside a private VPC, enterprise customers use one of two available options: either integrate their VPC with their enterprise network through VPN or AWS Direct Connect, or make the cluster endpoint publicly accessible through a reverse proxy. Refer to How can I access OpenSearch Dashboards from outside of a VPC using Amazon Cognito authentication for a detailed evaluation of the available options and the corresponding pros and cons.
For managing access to OpenSearch Dashboards in enterprise customers’ environments, OpenSearch Service supports Security Assertion Markup Language (SAML) integration with the customer’s existing identity providers (IdPs) to offer single sign-on (SSO). Although SAML integration for publicly accessible OpenSearch Dashboards works out of the box, enabling SAML for OpenSearch Dashboards within a VPC requires careful design with various configurations.
This post outlines an end-to-end solution for integrating SAML authentication for OpenSearch Service domains running in a VPC. It provides a step-by-step deployment guideline and is accompanied by AWS Cloud Development Kit (AWS CDK) applications, which automate all the necessary configurations.
Overview of solution
The following diagram describes the step-by-step authentication flow for accessing a private OpenSearch Service domain through SSO using SAML identity federation. The access is enabled over public internet through private NGINX reverse proxy servers running on Amazon Elastic Container Service (Amazon ECS) for high availability.
The workflow consists of the following steps:
The user navigates to the OpenSearch Dashboards URL in their browser.
The browser resolves the domain IP address and sends the request.
AWS WAF rules make sure that only allow listed IP address ranges are allowed.
Application Load Balancer forwards the request to NGINX reverse proxy.
NGINX adds the necessary headers and forwards the request to OpenSearch Dashboards.
OpenSearch Dashboards detects that the request is not authenticated. It replies with a redirect to the integrated SAML IdP for authentication.
The user is redirected to the SSO login page.
The IdP verifies the user’s identity and generates a SAML assertion token.
The user is redirected back to the OpenSearch Dashboards URL.
The request goes through the Steps 1–5 again until it reaches OpenSearch. This time, OpenSearch Dashboards detects the accompanying SAML assertion and allows the request.
In the following sections, we set up a NGINX reverse proxy in private subnets to provide access to OpenSearch Dashboards for a domain deployed inside VPC private subnets. We then enable SAML authentication for OpenSearch Dashboards using a SAML 2.0 application and use a custom domain endpoint to access OpenSearch Dashboards to see the SAML authentication in action.
Prerequisites
Before you get started, complete the prerequisite steps in this section.
Create an Amazon Route 53 public hosted zone such as mydomain.com to be used for routing internet traffic to your domain. For instructions, refer to Creating a public hosted zone.
This post is accompanied with a standalone AWS CDK application (opensearch-domain) that deploys a sample OpenSearch Service domain in private VPC subnets. The deployed domain is for demonstration purposes only, and is optional.
If you have an existing OpenSearch Service domain in VPC that you want to use for SAML integration, apply the following configurations:
On the Cluster configuration tab, choose Edit and select Enable custom endpoint in the Custom endpoint section.
For Custom hostname, enter a fully qualified domain name (FQDN) such as opensearch.mydomain.com, which you want to use to access your cluster. Note that the domain name of the provided FQDN (for example, mydomain.com) must be the same as the public hosted zone you created earlier.
For AWS certificate, choose the SSL certificate you created earlier.
In the Summary section, optionally enable dry run analysis and select Dry run or deselect it and choose Save changes.
Otherwise, download the accompanied opensearch-domain AWS CDK application and unzip it. Then, edit the cdk.json file on the root of the unzipped folder and configure the required parameters:
vpc_cidr – The CIDR block in which to create the VPC. You may leave the default of 10.0.0.0/16.
opensearch_cluster_name – The name of the OpenSearch Service cluster. You may leave the default value of opensearch. It will also be used, together with the hosted_zone_name parameter, to build the FQDN of the custom domain URL.
hosted_zone_id – The Route 53 public hosted zone ID.
hosted_zone_name – The Route 53 public hosted zone name (for example, mydomain.com). The result FQDN with the default example values will then be opensearch.mydomain.com.
Finally, run the following commands to deploy the AWS CDK application:
cd opensearch-domain
# Create a Python environment and install the reuired dependencies
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements-dev.txt
pip install -r requirements.txt
# Deploy the CDK application
cdk deploy
With the prerequisites in place, refer to the following sections for a step-by-step guide to deploy this solution.
Create a SAML 2.0 application
We use IAM Identity Center as the source of identity for our SAML integration. The same configuration should apply to other SAML 2.0-compliant IdPs. Consult your IdP documentation.
On the IAM Identity Center console, choose Groups in the navigation pane.
Create a new group called Opensearch Admin, and add users to it. This will be the SAML group that receives full permissions in OpenSearch Dashboards. Take note of the group ID.
Choose Applications in the navigation pane.
Create a new custom SAML 2.0 application.
Download the IAM Identity Center SAML metadata file to use in a later step.
For Application start URL, enter [Custom Domain URL]/_dashboards/. The custom domain URL is composed of communication protocol (https://) followed by the FQDN, which you used for your OpenSearch Service cluster in the prerequisites (for example, https://opensearch.mydomain.com). Look under your OpenSearch Service cluster configurations, if in doubt.
For Application ACS URL, enter [Custom Domain URL]/_dashboards/_opendistro/_security/saml/acs.
For Application SAML audience, enter [Custom Domain URL] (without any trailing slash).
Choose Submit.
In the Assigned users section, select Opensearch Admin and choose Assign Users.
On the Actions menu, choose Edit attribute mappings.
Define attribute mappings as shown in the following screenshot and choose Save changes.
Deploy the AWS CDK application
Complete the following steps to deploy the AWS CDK application:
Edit the cdk.json file and set the required parameters inside the nested config object:
aws_region – The target AWS Region for your deployment (for example, eu-central-1).
vpc_id – The ID of the VPC into which the OpenSearch Service domain has been deployed.
opensearch_cluster_security_group_id – The ID of the security group used by the OpenSearch Service domain or any other security group that allows inbound connections to that domain on port 80 and 443. This group ID will be used by the Application Load Balancer to forward traffic to your OpenSearch Service domain.
hosted_zone_id – The Route 53 public hosted zone ID.
hosted_zone – The Route 53 public hosted zone name (for example, mydomain.com).
opensearch_custom_domain_name – An FQDN such as opensearch.mydomain.com, which you want to use to access your cluster. Note that the domain name of the provided FQDN (mydomain.com) must be the same as the hosted_zone parameter.
opensearch_custom_domain_certificate_arn – The ARN of the certificate stored in ACM.
opensearch_domain_endpoint – The OpenSearch Service VPC domain endpoint (for example, vpc-opensearch-abc123.eu-central-1.es.amazonaws.com).
vpc_dns_resolver – This must be 10.0.0. if your VPC CIDR is 10.0.0.0/16. See Amazon DNS server for further details.
alb_waf_ip_whitelist_cidrs – This is an optional list of zero or more IP CIDR ranges that will be automatically allow listed in AWS WAF to permit access to the OpenSearch Service domain. If not specified, after the deployment you will need to manually add relevant IP CIDR ranges to the AWS WAF IP set to allow access. For example, ["1.2.3.4/32", "5.6.7.0/24"].
Deploy the OpenSearch Service domain SAML integration AWS CDK application:
cd opensearch-domain-saml-integration
# Create a Python environment and install the required dependencies
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements-dev.txt
pip install -r requirements.txt
# Deploy the CDK application
cdk deploy
Enable SAML authentication for your OpenSearch Service cluster
When the application deployment is complete, enable SAML authentication for your cluster:
On the OpenSearch Service console, navigate to your domain.
On the Security configuration tab, choose Edit.
Select Enable SAML authentication.
Choose Import from XML file and import the IAM Identity Center SAML metadata file that you downloaded in an earlier step.
For SAML master backend role, use the group ID you saved earlier.
Expand the Additional settings section and for Roles, enter the SAML 2.0 attribute name you mapped earlier when you created the SAML 2.0 application in AWS Identity Center.
Submit changes and wait for OpenSearch Service to apply the configurations before proceeding to the next section.
Test the solution
Complete the following steps to see the solution in action:
On the IAM Identity Center console, choose Dashboard in the navigation pane.
In the Settings summary section, choose the link under AWS access portal URL.
Sign in with your user name and password (register your password if this is your first login). If your account was successfully added to the admin group, a SAML application logo is visible.
Choose Custom SAML 2.0 application to be redirected to the OpenSearch Service dashboards through SSO without any additional login attempts. Alternatively, you could skip logging in to the access portal and directly point your browser to the OpenSearch Dashboards URL. In that case, OpenSearch Dashboards would first redirect you to the access portal to log in, which would redirect you back to the OpenSearch Dashboards UI after a successful login, resulting in the same outcome as shown in the following screenshot.
Troubleshooting
Your public-facing IP must be allow listed by the AWS WAF rule, otherwise a 403 Forbidden error will be returned. Allow list your IP CIDR range via the AWS CDK alb_waf_ip_whitelist_cidrs property as described in the installation guide and redeploy the AWS CDK application for changes to take effect.
Clean up
When you’re finished with this configuration, clean up the resources to avoid future charges.
On the OpenSearch Service console, navigate to the Security configuration tab of your OpenSearch Service domain and choose Edit.
Deselect Enable SAML authentication and choose Save changes.
After the Amazon SAML integration is disabled, delete the opensearch-domain-saml-integration stack using cdk destroy.
Optionally, if you used the provided OpenSearch Service sample AWS CDK stack (opensearch-domain), delete it using cdk destroy.
Conclusion
OpenSearch Service allows enterprise customers to use their preferred federated IdPs such as SAML using IAM Identity Center for clusters running inside private VPC subnets following AWS best practices.
In this post, we showed you how to integrate an OpenSearch Service domain within a VPC with an existing SAML IdP for SSO access to OpenSearch Dashboards using IAM Identity Center. The provided solution securely manages network access to the resources using AWS WAF to restrict access only to authorized network segments or specific IP addresses.
Mahdi Ebrahimi is a Senior Cloud Infrastructure Architect with Amazon Web Services. He excels in designing distributed, highly-available software systems. Mahdi is dedicated to delivering cutting-edge solutions that empower his customers to innovate in the rapidly evolving landscape in the automotive industry.
Dmytro Protsiv is a Cloud Applications Architect for with Amazon Web Services. He is passionate about helping customers to solve their business challenges around application modernization.
Luca Menichetti is a Big Data Architect with Amazon Web Services. He helps customers develop performant and reusable solutions to process data at scale. Luca is passioned about managing organisation’s data architecture, enabling data analytics and machine learning. Having worked around the Hadoop ecosystem for a decade, he really enjoys tackling problems in NoSQL environments.
Krithivasan Balasubramaniyan is a Principal Consultant with Amazon Web Services. He enables global enterprise customers in their digital transformation journey and helps architect cloud native solutions.
Muthu Pitchaimani is a Search Specialist with Amazon OpenSearch Service. He builds large-scale search applications and solutions. Muthu is interested in the topics of networking and security, and is based out of Austin, Texas.
Customers from around the world often tell me that digital sovereignty is a top priority as they look to meet new compliance and industry regulations. In fact, 82% of global organizations are either currently using, planning to use, or considering sovereign cloud solutions in the next two years, according to the International Data Corporation (IDC). However, many leaders face complexity as policies and requirements continue to rapidly evolve, and have concerns on acquiring the right knowledge and skills, at an affordable cost, to simplify efforts in meeting digital sovereignty goals.
At Amazon Web Services (AWS), we understand that protecting your data in a world with changing regulations, technology, and risks takes teamwork. We’re committed to making sure that the AWS Cloud remains sovereign-by-design, as it has been from day one, and providing customers with more choice to help meet their unique sovereignty requirements across our offerings in AWS Regions around the world, dedicated sovereign cloud infrastructure solutions, and the recently announced independent European Sovereign Cloud. In this blog post, I’ll share how the cloud is helping organizations meet their digital sovereignty needs, and ways that we can help you navigate the ever-evolving landscape.
Digital sovereignty needs of customers vary based on multiple factors
Digital sovereignty means different things to different people, and every country or region has their own requirements. Adding to the complexity is the fact that no uniform guidance exists for the types of workloads, industries, and sectors that must adhere to these requirements.
Although digital sovereignty needs vary based on multiple factors, key themes that we’ve identified by listening to customers, partners, and regulators include data residency, operator access restriction, resiliency, and transparency. AWS works closely with customers to understand the digital sovereignty outcomes that they’re focused on to determine the right AWS solutions that can help to meet them.
Meet requirements without compromising the benefits of the cloud
We introduced the AWS Digital Sovereignty Pledge in 2022 as part of our commitment to offer all AWS customers the most advanced set of sovereignty controls and security features available in the cloud. We continue to deeply engage with regulators to help make sure that AWS meets various standards and achieves certifications that our customers directly inherit, allowing them to meet requirements while driving continuous innovation. AWS was recently named a leader in Sovereign Cloud Infrastructure Services (EU) by Information Services Group (ISG), a global technology research and IT advisory firm.
Customers who use our global infrastructure with sovereign-by-design features can optimize for increased scale, agility, speed, and reduced costs while getting the highest levels of security and protection. Our AWS Regions are powered by the AWS Nitro System, which helps ensure the confidentiality and integrity of customer data. Building on our commitment to provide greater transparency and assurances on how AWS services are designed and operated, the security design of our Nitro System was validated in an independent public report by the global cybersecurity consulting firm NCC Group.
Customers have full control of their data on AWS and determine where their data is stored, how it’s stored, and who has access to it. We provide tools to help you automate and monitor your storage location and encrypt your data, including data residency guardrails in AWS Control Tower. We recently announced more than 65 new digital sovereignty controls that you can choose from to help prevent actions, enforce configurations, and detect undesirable changes.
All AWS services support encryption, and most services also support encryption with customer managed keys that AWS can’t access such as AWS Key Management Service (KMS), AWS CloudHSM, and AWS KMS External Key Store (XKS). Both the hardware used in AWS KMS and the firmware used in AWS CloudHSM are FIPS 140-2 Level 3 compliant as certified by a NIST-accredited laboratory.
Infrastructure choice to support your unique needs and local regulations
AWS provides hybrid cloud storage and edge computing capabilities so that you can use the same infrastructure, services, APIs, and tools across your environments. We think of our AWS infrastructure and services as a continuum that helps meet your requirements wherever you need it. Having a consistent experience across environments helps to accelerate innovation, increase operational efficiencies and reduce costs by using the same skills and toolsets, and meet specific security standards by adopting cloud security wherever applications and data reside.
We work closely with customers to support infrastructure decisions that meet unique workload needs and local regulations, and continue to invent based on what we hear from customers. To help organizations comply with stringent regulatory requirements, we launched AWS Dedicated Local Zones. This is a type of infrastructure that is fully managed by AWS, built for exclusive use by a customer or community, and placed in a customer-specified location or data center to run sensitive or other regulated industry workloads. At AWS re:Invent 2023, I sat down with Cheow Hoe Chan, Government Chief Digital Technology Officer of Singapore, to discuss how we collaborated with Singapore’s Smart Nation and Digital Government Group to define and build this dedicated infrastructure.
We also recently announced our plans to launch the AWS European Sovereign Cloud to provide customers in highly regulated industries with more choice to help meet varying data residency, operational autonomy, and resiliency requirements. This is a new, independent cloud located and operated within the European Union (EU) that will have the same security, availability, and performance that our customers get from existing AWS Regions today, with important features specific to evolving EU regulations.
There is a lot of complexity involved with navigating the evolving digital sovereignty landscape—but you don’t have to do it alone. Using the cloud and working with AWS and our partners can help you move faster and more efficiently while keeping costs low. We’re committed to helping you meet necessary requirements while accelerating innovation, and can’t wait to see the kinds of advancements that you’ll continue to drive.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
We’re excited to announce that Amazon Web Services (AWS) has completed the 2023 South Korea Cloud Service Providers (CSP) Safety Assessment Program, also known as the Regulation on Supervision on Electronic Financial Transactions (RSEFT) Audit Program. The financial sector in South Korea is required to abide by a variety of cybersecurity standards and regulations. Key regulatory requirements include RSEFT and the Guidelines on the Use of Cloud Computing Services in the Financial Industry (FSIGUC). Prior to 2019, the RSEFT guidance didn’t permit the use of cloud computing. The guidance was amended on January 1, 2019, to allow financial institutions to use the public cloud to store and process data, subject to compliance with security measures applicable to financial companies.
AWS is committed to helping our customers adhere to applicable regulations and guidelines, and we help ensure that our financial customers have a hassle-free experience using the cloud. Since 2019, our RSEFT compliance program has aimed to provide a scalable approach to support South Korean financial services customers’ adherence to RSEFT and FSIGUC. Financial services customers can annually either perform an individual audit by using publicly available AWS resources and visiting on-site, or request the South Korea Financial Security Institute (FSI) to conduct the primary audit on their behalf and use the FSI-produced audit reports. In 2023, we worked again with FSI and completed the annual RSEFT primary audit with the participation of 59 customers.
The audit scope of the 2023 assessment covered data center facilities in four Availability Zones (AZ) of the AWS Asia Pacific (Seoul) Region and the services that are available in that Region. The audit program assessed different security domains including security policies, personnel security, risk management, business continuity, incident management, access control, encryption, and physical security.
Completion of this audit program helps our customers use the results and audit report for their annual submission to the South Korea Financial Supervisory Service (FSS) for their adoption and continued use of our cloud services and infrastructure. To learn more about the RSEFT program, see the AWS South Korea Compliance Page. If you have questions, contact your AWS account manager.
If you have feedback about this post, submit comments in th Comments section below.
At the beginning of November, we let it be
known that we were looking to hire a writer/editor to augment the LWN
team. In past attempts, we have found it difficult to attract writers who
could produce the kind of content that LWN readers expect. This time
around, as we have said before, was different; we had a number of
candidates who could have filled the bill and were forced to make some
difficult choices.
While “hire them all” was an attractive idea, it was not one that our
budget would support. We did conclude, however, that we could stretch to a
second hire. So we are pleased to announce that the opportunity to bring
Joe Brockmeier on board was too good to pass up — so we didn’t. You will
start to see his work return to LWN within the next few days.
Go 1.22, the most recent version of the Go programming language, has been released. It comes with two language changes to for loops: a fix for a longstanding “gotcha” with accidentally sharing loop variables between iterations and adding the ability to range over integer values. There are also additions to the standard library, improved performance, and more. See the release notes for further information.
What is IP fragmentation, why is it important, and do people understand
it? The answer to that last question is “not as well as they think”. This
article will also answer the rest of those
questions and introduce fragquiz, a game that I
wrote to allow players to guess how IP packets will behave when they are
too large for the network. As evidence that IP fragmentation is not
well-understood, a room full of networking experts played fragquiz and got
a score that was
nowhere close to perfect. In addition, I will describe a new algorithm for
fragmentation avoidance, which some colleagues and I
developed, that helped motivate development of fragquiz.
Rapid7 is committed to promoting research that identifies the latest cybersecurity trends so that organizations can leverage these insights and create programs that make sense for the modern SOC. To that end, we’ve singled out five quick insights security professionals and stakeholders should consider when looking ahead. These findings are based on Top Trends in Cybersecurity for 2024, a new research report from Gartner®.
Organizations Will Focus on Improving Resilience
As cloud continues to be adopted at a frenzied pace across organizations large, small, and everything in between, it’s critical to maintain organizational resiliency as attack surfaces expand and security becomes more urgent than ever. Indeed, the research notes that: “Improving organizational resilience has become a primary driver of security investments for several interconnected reasons:
“Digital ecosystems continue to sprawl, due to increasing cloud adoption.
Organizations are entrenching hybrid work arrangements.
The threat environment continues to evolve as emerging capabilities also embolden attackers.”
Continuous Threat Exposure Management Programs Will Take Off
Organizational attack surfaces have expanded for many reasons: the adoption of SaaS, remote work, custom application development, and more. All of these changes are efficiency drivers for businesses, but can also become liabilities rife with vulnerabilities. As organizations put more products and policies into place – especially from multiple vendors – it can become more difficult to manage this new attack surface at scale.
The research stipulates that, in order to try and solve this issue, “security and risk management (SRM) leaders have introduced pilot processes that govern the volume and importance of threat exposures and the impact of dealing with them with continuous threat exposure management (CTEM) programs.” Short-term remediations can only go so far; the game is accelerating and long-term solutions must be put into place.
Generative AI Will Inspire Long-Term-Yet-Cautious Hope
Security organizations are embracing generative AI (GenAI) to help gain visibility across hybrid attack surfaces, spot threats fast, and automatically prioritize risk signals. In other sectors, unmanaged and uncontrolled uses of GenAI need reigning in before they can cause real societal damage with things like deepfakes, misinformation, and copyright infringement.
The research states that “the most notable issues were the use of confidential data in third-party GenAI applications and the copyright infringement and brand damage that could result from the use of unvetted generated content.” As AI companies continue to release new products that are more readily customizable by developers, laws and security policies will need to be put into place to curtail this potential third-party threat.
The C-Suite Communications Gap Will Narrow
With clearer outcome-driven metrics (ODMs) comes the ability to more easily convince the boardroom that direct investment in a cybersecurity initiative is imperative. Indeed, CISOs and other key security personnel and stakeholders have for years been running up against budgetary pushback that all too often leads to a porous attack surface as well as the inability to properly respond or prepare.
According to the research, “the 2023 Gartner Evolution of Cybersecurity Leader Survey asked chief information security officers (CISOs) the following question: ‘What has been the impact of changing business objectives on your cybersecurity strategy?’ In response, 60% said there had been some impact or a major impact.” When goals and/or key performance indicators (KPIs) shift, the security organization must be able to readily communicate where potential risk could lie in the changed environment.
ODMs can create a clearer path for security. From the report:
“Explain material cyber incidents to executives and guide specific investments to remediate them.
Support transparency to educate executives, lines of business and corporate functions about inappropriate or cavalier risk acceptance.
Expose matrixed management problems, such as the role the IT team plays in patching problems for which the security organization is typically held accountable.”
Cybersecurity Reskilling Will Help to Future-Proof
There is a continuing cybersecurity talent gap and, at the same time, there seems to be a shift in the types of skills practitioners need to bring to the job. Think of the implications this “moving target” has on both security organizations and people strategy teams tasked with scouring the marketplace for this magical unicorn.
The report details how, “in the U.S. alone, there are only enough qualified cybersecurity professionals to meet 70% of current demand – an all-time low over the past decade.” A plethora of trends are leading to this current disparity, including: accelerated cloud adoption, the emergence of GenAI, threat-landscape expansion, and vendor consolidation.
Greater business acumen as well as AI ethics and human psychology are just a few of the soft skills that will come to have greater prominence in job descriptions of security talent. Indeed, this may signal a stronger coming partnership between talent acquisition teams and security teams so that all parties involved can be sure that the right talent is recruited in the best way possible.
Gartner, Top Trends in Cybersecurity for 2024, Richard Addiscott, Jeremy D’Hoinne, et al., 2 January 2024
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
As more organizations collectively progress toward adopting a SASE architecture, it has become clear that the traditional SASE market definition (SSE + SD-WAN) is not enough. It forces some teams to work with multiple vendors to address their specific needs, introducing performance and security tradeoffs. More worrisome, it draws focus more to a checklist of services than a vendor’s underlying architecture. Even the most advanced individual security services or traffic on-ramps don’t matter if organizations ultimately send their traffic through a fragmented, flawed network.
Single-vendor SASE is a critical trend to converge disparate security and networking technologies, yet enterprise “any-to-any connectivity” needs true network modernization for SASE to work for all teams. Over the past few years, Cloudflare has launched capabilities to help organizations modernize their networks as they navigate their short- and long-term roadmaps of SASE use cases. We’ve helped simplify SASE implementation, regardless of the team leading the initiative.
Announcing (even more!) flexible on-ramps for single-vendor SASE
Today, we are announcing a series of updates to our SASE platform, Cloudflare One, that further the promise of a single-vendor SASE architecture. Through these new capabilities, Cloudflare makes SASE networking more flexible and accessible for security teams, more efficient for traditional networking teams, and uniquely extend its reach to an underserved technical team in the larger SASE connectivity conversation: DevOps.
These platform updates include:
Flexible on-ramps for site-to-site connectivity that enable both agent/proxy-based and appliance/routing-based implementations, simplifying SASE networking for both security and networking teams.
New WAN-as-a-service (WANaaS) capabilities like high availability, application awareness, a virtual machine deployment option, and enhanced visibility and analytics that boost operational efficiency while reducing network costs through a “light branch, heavy cloud” approach.
Zero Trust connectivity for DevOps: mesh and peer-to-peer (P2P) secure networking capabilities that extend ZTNA to support service-to-service workflows and bidirectional traffic.
Cloudflare offers a wide range of SASE on- and off-ramps — including connectors for your WAN, applications, services, systems, devices, or any other internal network resources — to more easily route traffic to and from Cloudflare services. This helps organizations align with their best fit connectivity paradigm, based on existing environment, technical familiarity, and job role.
We recently dove into the Magic WAN Connector in a separate blog post and have explained how all our on-ramps fit together in our SASE reference architecture, including our new WARP Connector. This blog focuses on the main impact those technologies have for customers approaching SASE networking from different angles.
More flexible and accessible for security teams
The process of implementing a SASE architecture can challenge an organization’s status quo for internal responsibilities and collaboration across IT, security, and networking. Different teams own various security or networking technologies whose replacement cycles are not necessarily aligned, which can reduce the organization’s willingness to support particular projects.
Security or IT practitioners need to be able to protect resources no matter where they reside. Sometimes a small connectivity change would help them more efficiently protect a given resource, but the task is outside their domain of control. Security teams don’t want to feel reliant on their networking teams in order to do their jobs, and yet they also don’t need to cause downstream trouble with existing network infrastructure. They need an easier way to connect subnets, for instance, without feeling held back by bureaucracy.
Agent/proxy-based site-to-site connectivity
To help push these security-led projects past the challenges associated with traditional siloes, Cloudflare offers both agent/proxy-based and appliance/routing-based implementations for site-to-site or subnet-to-subnet connectivity. This way, networking teams can pursue the traditional networking concepts with which they are familiar through our appliance/routing-based WANaaS — a modern architecture vs. legacy SD-WAN overlays. Simultaneously, security/IT teams can achieve connectivity through agent/proxy-based software connectors (like the WARP Connector) that may be more approachable to implement. This agent-based approach blurs the lines between industry norms for branch connectors and app connectors, bringing WAN and ZTNA technology closer together to help achieve least-privileged access everywhere.
Agent/proxy-based connectivity may be a complementary fit for a subset of an organization’s total network connectivity. These software-driven site-to-site use cases could include microsites with no router or firewall, or perhaps cases in which teams are unable to configure IPsec or GRE tunnels like in tightly regulated managed networks or cloud environments like Kubernetes. Organizations can mix and match traffic on-ramps to fit their needs; all options can be used composably and concurrently.
Our agent/proxy-based approach to site-to-site connectivity uses the same underlying technology that helps security teams fully replace VPNs, supporting ZTNA for apps with server-initiated or bidirectional traffic. These include services such as Voice over Internet Protocol (VoIP) and Session Initiation Protocol (SIP) traffic, Microsoft’s System Center Configuration Manager (SCCM), Active Directory (AD) domain replication, and as detailed later in this blog, DevOps workflows.
This new Cloudflare on-ramp enables site-to-site, bidirectional, and mesh networking connectivity without requiring changes to underlying network routing infrastructure, acting as a router for the subnet within the private network to on-ramp and off-ramp traffic through Cloudflare.
More efficient for networking teams
Meanwhile, for networking teams who prefer a network-layer appliance/routing-based implementation for site-to-site connectivity, the industry norms still force too many tradeoffs between security, performance, cost, and reliability. Many (if not most) large enterprises still rely on legacy forms of private connectivity such as MPLS. MPLS is generally considered expensive and inflexible, but it is highly reliable and has features such as quality of service (QoS) that are used for bandwidth management.
Commodity Internet connectivity is widely available in most parts of the inhabited world, but has a number of challenges which make it an imperfect replacement to MPLS. In many countries, high speed Internet is fast and cheap, but this is not universally true. Speed and costs depend on the local infrastructure and the market for regional service providers. In general, broadband Internet is also not as reliable as MPLS. Outages and slowdowns are not unusual, with customers having varying degrees of tolerance to the frequency and duration of disrupted service. For businesses, outages and slowdowns are not tolerable. Disruptions to network service means lost business, unhappy customers, lower productivity and frustrated employees. Thus, despite the fact that a significant amount of corporate traffic flows have shifted to the Internet anyway, many organizations face difficulty migrating away from MPLS.
SD-WAN introduced an alternative to MPLS that is transport neutral and improves networking stability over conventional broadband alone. However, it introduces new topology and security challenges. For example, many SD-WAN implementations can increase risk if they bypass inspection between branches. It also has implementation-specific challenges such as how to address scaling and the use/control (or more precisely, the lack of) a middle mile. Thus, the promise of making a full cutover to Internet connectivity and eliminating MPLS remains unfulfilled for many organizations. These issues are also not very apparent to some customers at the time of purchase and require continuing market education.
Evolution of the enterprise WAN
Cloudflare Magic WAN follows a different paradigm built from the ground up in Cloudflare’s connectivity cloud; it takes a “light branch, heavy cloud” approach to augment and eventually replace existing network architectures including MPLS circuits and SD-WAN overlays. While Magic WAN has similar cloud-native routing and configuration controls to what customers would expect from traditional SD-WAN, it is easier to deploy, manage, and consume. It scales with changing business requirements, with security built in. Customers like Solocal agree that the benefits of this architecture ultimately improve their total cost of ownership:
“Cloudflare’s Magic WAN Connector offers a centralized and automated management of network and security infrastructure, in an intuitive approach. As part of Cloudflare’s SASE platform, it provides a consistent and homogeneous single-vendor architecture, founded on market standards and best practices. Control over all data flows is ensured, and risks of breaches or security gaps are reduced. It is obvious to Solocal that it should provide us with significant savings, by reducing all costs related to acquiring, installing, maintaining, and upgrading our branch network appliances by up to 40%. A high-potential connectivity solution for our IT to modernize our network.” – Maxime Lacour, Network Operations Manager, Solocal
This is quite different from other single-vendor SASE vendor approaches which have been trying to reconcile acquisitions that were designed around fundamentally different design philosophies. These “stitched together” solutions lead to a non-converged experience due to their fragmented architectures, similar to what organizations might see if they were managing multiple separate vendors anyway. Consolidating the components of SASE with a vendor that has built a unified, integrated solution, versus piecing together different solutions for networking and security, significantly simplifies deployment and management by reducing complexity, bypassed security, and potential integration or connectivity challenges.
Magic WAN can automatically establish IPsec tunnels to Cloudflare via our Connector device, manually via Anycast IPsec or GRE Tunnels initiated on a customer’s edge router or firewall, or via Cloudflare Network Interconnect (CNI) at private peering locations or public cloud instances. It pushes beyond “integration” claims with SSE to truly converge security and networking functionality and help organizations more efficiently modernize their networks.
New Magic WAN Connector capabilities
In October 2023, we announced the general availability of the Magic WAN Connector, a lightweight device that customers can drop into existing network environments for zero-touch connectivity to Cloudflare One, and ultimately used to replace other networking hardware such as legacy SD-WAN devices, routers, and firewalls. Today, we’re excited to announce new capabilities of the Magic WAN Connector including:
High Availability (HA) configurations for critical environments: In enterprise deployments, organizations generally desire support for high availability to mitigate the risk of hardware failure. High availability uses a pair of Magic WAN Connectors (running as a VM or on a supported hardware device) that work in conjunction with one another to seamlessly resume operation if one device fails. Customers can manage HA configuration, like all other aspects of the Magic WAN Connector, from the unified Cloudflare One dashboard.
Application awareness: One of the central differentiating features of SD-WAN vs. more traditional networking devices has been the ability to create traffic policies based on well-known applications, in addition to network-layer attributes like IP and port ranges. Application-aware policies provide easier management and more granularity over traffic flows. Cloudflare’s implementation of application awareness leverages the intelligence of our global network, using the same categorization/classification already shared across security tools like our Secure Web Gateway, so IT and security teams can expect consistent behavior across routing and inspection decisions – a capability not available in dual-vendor or stitched-together SASE solutions.
Virtual machine deployment option: The Magic WAN Connector is now available as a virtual appliance software image, that can be downloaded for immediate deployment on any supported virtualization platform / hypervisor. The virtual Magic WAN Connector has the same ultra-low-touch deployment model and centralized fleet management experience as the hardware appliance, and is offered to all Magic WAN customers at no additional cost.
Enhanced visibility and analytics:The Magic WAN Connector features enhanced visibility into key metrics such as connectivity status, CPU utilization, memory consumption, and device temperature. These analytics are available via dashboard and API so operations teams can integrate the data into their NOCs.
Extending SASE’s reach to DevOps
Complex continuous integration and continuous delivery (CI/CD) pipeline interaction is famous for being agile, so the connectivity and security supporting these workflows should match. DevOps teams too often rely on traditional VPNs to accomplish remote access to various development and operational tools. VPNs are cumbersome to manage, susceptible to exploit with known or zero-day vulnerabilities, and use a legacy hub-and-spoke connectivity model that is too slow for modern workflows.
Of any employee group, developers are particularly capable of finding creative workarounds that decrease friction in their daily workflows, so all corporate security measures need to “just work,” without getting in their way. Ideally, all users and servers across build, staging, and production environments should be orchestrated through centralized, Zero Trust access controls, no matter what components and tools are used and no matter where they are located. Ad hoc policy changes should be accommodated, as well as temporary Zero Trust access for contractors or even emergency responders during a production server incident.
Zero Trust connectivity for DevOps
ZTNA works well as an industry paradigm for secure, least-privileged user-to-app access, but it should extend further to secure networking use cases that involve server-initiated or bidirectional traffic. This follows an emerging trend that imagines an overlay mesh connectivity model across clouds, VPCs, or network segments without a reliance on routers. For true any-to-any connectivity, customers need flexibility to cover all of their network connectivity and application access use cases. Not every SASE vendor’s network on-ramps can extend beyond client-initiated traffic without requiring network routing changes or making security tradeoffs, so generic “any-to-any connectivity” claims may not be what they initially seem.
Cloudflare extends the reach of ZTNA to ensure all user-to-app use cases are covered, plus mesh and P2P secure networking to make connectivity options as broad and flexible as possible. DevOps service-to-service workflows can run efficiently on the same platform that accomplishes ZTNA, VPN replacement, or enterprise-class SASE. Cloudflare acts as the connectivity “glue” across all DevOps users and resources, regardless of the flow of traffic at each step. This same technology, i.e., WARP Connector, enables admins to manage different private networks with overlapping IP ranges — VPC & RFC1918, support server-initiated traffic and P2P apps (e.g., SCCM, AD, VoIP & SIP traffic) connectivity over existing private networks, build P2P private networks (e.g., CI/CD resource flows), and deterministically route traffic. Organizations can also automate management of their SASE platform with Cloudflare’s Terraform provider.
The Cloudflare difference
Cloudflare’s single-vendor SASE platform, Cloudflare One, is built on our connectivity cloud — the next evolution of the public cloud, providing a unified, intelligent platform of programmable, composable services that enable connectivity between all networks (enterprise and Internet), clouds, apps, and users. Our connectivity cloud is flexible enough to make “any-to-any connectivity” a more approachable reality for organizations implementing a SASE architecture, accommodating deployment preferences alongside prescriptive guidance. Cloudflare is built to offer the breadth and depth needed to help organizations regain IT control through single-vendor SASE and beyond, while simplifying workflows for every team that contributes along the way.
Other SASE vendors designed their data centers for egress traffic to the Internet. They weren’t designed to handle or secure East-West traffic, providing neither middle mile nor security services for traffic passing from branch to HQ or branch to branch. Cloudflare’s middle mile global backbone supports security and networking for any-to-any connectivity, whether users are on-prem or remote, and whether apps are in the data center or in the cloud.
Abstract: Humans are capable of strategically deceptive behavior: behaving helpfully in most situations, but then behaving very differently in order to pursue alternative objectives when given the opportunity. If an AI system learned such a deceptive strategy, could we detect it and remove it using current state-of-the-art safety training techniques? To study this question, we construct proof-of-concept examples of deceptive behavior in large language models (LLMs). For example, we train models that write secure code when the prompt states that the year is 2023, but insert exploitable code when the stated year is 2024. We find that such backdoor behavior can be made persistent, so that it is not removed by standard safety training techniques, including supervised fine-tuning, reinforcement learning, and adversarial training (eliciting unsafe behavior and then training to remove it). The backdoor behavior is most persistent in the largest models and in models trained to produce chain-of-thought reasoning about deceiving the training process, with the persistence remaining even when the chain-of-thought is distilled away. Furthermore, rather than removing backdoors, we find that adversarial training can teach models to better recognize their backdoor triggers, effectively hiding the unsafe behavior. Our results suggest that, once a model exhibits deceptive behavior, standard techniques could fail to remove such deception and create a false impression of safety.
Especially note one of the sentences from the abstract: “For example, we train models that write secure code when the prompt states that the year is 2023, but insert exploitable code when the stated year is 2024.”
And this deceptive behavior is hard to detect and remove.
В началото на последната януарска седмица правителството произведе новина, която даде на обществото нова тема за дебат. Премиерът Николай Денков огласи идеята да отпаднат таксите за студентите по държавна поръчка в българските университети. Мярката според правителството е с цел „да се подобри достъпът до висше образование на студентите от по-ниски социални слоеве и по-малки населени места, които имат материални затруднения“. Чрез нея следва да се осигури „достъпно, всеобхватно и качествено образование“. Цел е и младите хора да бъдат задържани в България, вместо да ходят да следват в чужбина.
Предложението предизвика реакции на двата полюса и между тях. Докато едни изтъкват аргумента, че по този начин много материално затруднени младежи ще получат шанс да следват висше образование, според други няма как да се постигне високо академично качество без такси, а мярката само ще натовари бюджета. Трети обръщат внимание върху възможностите за студентски кредити, четвърти – че така се обезсмислят защитените специалности в приоритетни професионални направления, като педагогика, енергетика и др., за които и сега не се плащат такси, и т.н.
Нека поразсъждаваме върху аргументите на правителството за предлагането на мярката.
Достъпност
България е най-бедната страна в ЕС, при това със силно изразено неравенство. Действително има млади (а и не толкова млади, защото човек на всяка възраст може да поиска да повиши образованието си) хора, за които и най-ниските студентски такси са непреодолимо препятствие. Те не могат да си позволят безплатно висше образование в друга страна членка на ЕС, защото не могат да покрият разходите си за живот там, а някои и не владеят чужд език на достатъчно високо ниво.
Само че хората „от по-ниски социални слоеве и по-малки населени места, които имат материални затруднения“, с отпадането на таксите няма да получат равен шанс с тези от по-високите слоеве и големите градове. Много от тях не са имали достъп до добро училище, защото няма такова в населеното им място или близо до него, както и защото липсата на пари означава също липса на частни уроци, от което следва и липса на достъп до някоя от иначе безплатните „елитни гимназии“. Означава и по-голяма вероятност за по-ниски резултати на матурите, оттам – по-малки шансове за влизане в университет.
С тези уточнения, мярката действително би направила висшето образование по-достъпно, но все пак – не за всички.
Всеобхватност
По данни на Евростат България все още е на опашката в ЕС по дял на висшистите. През 2022 г. средно 34,3% от хората в ЕС между 25 и 64 г. са с висше образование, докато България е на 21-во място с 29,8% висшисти в същата възрастова група.
От друга страна, незавидното място на страната ни в тази класация не е поради липса на предлагане. В българските висши училища има място практически за всеки. За същата 2022 година например броят на явяващите се на матура е 46 655, а местата за зрелостниците във висшите училища (общо държавна поръчка и платено обучение) – 44 014.
Не бива да съпоставяме тези бройки механично, защото някои отиват да следват в чужбина, други не издържат матурата, трети по различни причини не се насочват към висше образование. Освен това в България идват хиляди чуждестранни студенти. Ала все пак сравнението дава ясна картина за размера на предлагането.
На този фон местата за студенти продължават да се множат. Софийският университет например вече има филиал в Бургас, в който се открива специалност „Църковна археология“, както и магистърски програми „Християнско поклонничество“ и „Църковен мениджмънт“.
Добре е България да догони средния дял висшисти за ЕС, но трябва ли да бъде държавна политика всеки да има висше образование? Една страна се нуждае също от строители, готвачи и от представители на още много професии, за които не е нужно да си висшист. България и сега изпитва недостиг на работна ръка в редица области, за които и средното образование е достатъчно.
Във висшите училища се предлагат специалности за мениджмънт на какво ли не (щом вече има и църковен), например „Строителен мениджмънт“. Но ако в последните години сте правили ремонт, голяма е вероятността да сте имали проблем с майсторите – трудно се намират (особено пък добри), а и изчезват за неопределени периоди, понякога така и не се появяват повече. Рискът от твърде много мениджъри и твърде малко хора за менажиране е съществен.
Известен ми е случай, в който архитектка собственоръчно извършваше довършителни дейности по изпълнението на свой проект за вътрешен дизайн. Защото „никой майстор няма да се навие за толкова малко работа“. А самият шеф на архитектурното бюро отдели част от времето си за хамалски дейности по същия проект.
Всичко това не означава, че критерият кой да следва висше образование, трябва да е финансов. Тук стигаме до следващата цел на правителството:
Качеството
Ако е ясно как отпадането на студентските такси може да допринесе за достъпност и всеобхватност на висшето образование, то никак не е ясно как може да спомогне за повишаване на качеството му. И то не защото ще стане безплатно – в редица европейски страни също е безплатно, но е далеч по-добро от българското. А защото качеството на висшето образование у нас (с малки изключения) и без това е под всякаква критика, а отпадането на таксите няма пряко отношение към него.
Ще дам няколко примера за „качеството“ на университетското образование в България от последните години. С едно изключение, те са все от Софийския университет. Няма да конкретизирам кои са специалностите и героите на историите, защото конкретните случаи не са някакво изключение, а са възможни поради общото равнище.
Библиографията на дипломна работа, оценена с шестица, се състои основно от медийни публикации. Например се цитира американската философка в областта на джендър изследванията Джудит Бътлър през ултраконсервативната мислителка Габриеле Куби, и то по публикация в жълто издание. Това е като да цитираш Истанбулската конвенция през Корнелия Нинова, цитирана от ПИК. Студентката е подходила към темата с критична рефлексия и е свършила сериозна работа, но никой не я е научил как се работи с източници, как се структурира дипломна работа и как се цитира. И най-вече – че трябва да се четат книги. А отличната ѝ оценка е знак, че тези неща не се изискват от нея.
Преподавателка проверява писмените работи на цял курс (от по няколко страници всяка) за общо половин час. Отказва да даде обратна връзка на студентите, които се осмелят да я питат защо са получили една или друга оценка.
Друга преподавателка издава книга със записките от лекции, които чинно си е водила като студентка. Авторката на въпросните лекции не ги е публикувала, така че трудно може да се бори за правата си.
Авторитетен и известен в публичното пространство професор обяснява на студентите си какво са транс хората така: „Ами аз мога да реша, че съм делфин.“
Тази трагична ситуация не се оправя с такси или с премахването им, а е необходима цялостна реформа в образованието – от началното до висшето.
Задържането на младите хора в България
Малко вероятно е критична маса младежи да отиват да учат в чужбина, защото в България им е по-скъпо. И съответно да се върнат веднага щом разберат, че студентските такси в родината им са отпаднали. Както вече стана дума, дори да няма такси, издръжката на живота в западноевропейски университет в общия случай излиза по-скъпо, отколкото в България. Да не говорим за Великобритания или САЩ, където се плащат такси, но това не спира доста студенти от България.
Защо тогава много зрелостници избират университети в чужбина, където трябва да се справят с чужд език и чужда култура, да плащат скъпи квартири? Защото знаят, че качеството в българските висши училища не е добро, и искат по-високо. Много от тях не харесват и средата в България; за тях следването в чужбина е и опит да се установят трайно някъде другаде.
Някои биха се върнали по родните си места, ако се създадат подходящите инфраструктурни и икономически възможности, които да направят живота им там привлекателен. Други са заминали, за да избягат от социалната среда – от корупцията, връзкарството, расизма, хомофобията и т.н. И едните, и другите надали ще бъдат привлечени от отпадането на студентските такси.
България впрочем привлича студенти от чужбина. По-голямата част се насочват към медицинските специалности. А в тях повече от половината чуждестранни студенти са от европейски страни. За обучението си в това направление студентите от чужбина плащат такси, каквито някои от тях в родината си не биха дължали.
Но в Германия например приемът в медицинските специалности е ограничен и за него се изисква отличен успех, какъвто малцина имат. По-лесно е за един чужденец да го приемат в България, а после може да работи в родината си и с диплома от български университет. Някои успяват да се прехвърлят във висше училище в родната си страна още по време на следването.
Огромната част от чуждестранните студенти в медицинските специалности не остават в България, за да попълват вакантните места за лекари, стоматолози и фармацевти, а се връщат по родните си места. Но те не са и целева група на мярката на правителството с отпадането на таксите.
Реформи, реформи, реформи
Ако нещо може да накара младите хора масово да поискат да следват висше образование в България, това е само доброто качество на образованието – ни повече, ни по-малко. Кой обаче може да зададе критериите за добро качество?
Пазарът на труда не е достатъчен критерий по ред причини. Например завършилите определена специалност може да си намират работа по специалността не защото добре са научени, а поради недостиг на специалисти в тази област. Други може да са получили образование на световно равнище, но в страната им да няма пазар за техните умения.
Оценяването по формални показатели, като брой публикации в реномирани издания, е подходящо за точните и природните науки, но не и за хуманитарните, особено в страни с непопулярни езици.
Критериите за оценка се определят от хора, поради което е все по-трудно да се отсее зърното от плявата, защото некачественото образование се възпроизвежда на всички равнища. Затова е необходимо да се реформира цялото образование.
Защото училищата произвеждат млади хора, които не са функционално (нерядко и буквално) грамотни, но пък могат да възпроизвеждат патриотични клишета. В университета може не само практически всеки да влезе, а и да завърши. И даже да получава оценки на изпити, на които не се е явявал, от преподаватели, които не преподават по съответните дисциплини. Може да защити дисертация и да се хабилитира с преписване – ако в един университет не мине номерът, ще го вземат в друг. И професор може да стане.
Само че образователните реформи са непопулярни. Пак ще се почне с „махат Вазов“, „махат Ботев“ и „опорочават българската история“ (дори никой да не смята да прави подобно нещо). А ефектите от реформата ще проличат след много години. Нужна е сериозна политическа воля и смелост, за да се осъществят, плюс компетентност и способност за мислене в перспектива – коя реформа какви последствия ще има. Далеч по-лесно е да премахнем студентските такси.
The certification assessment covered the operation of infrastructure (including compute, storage, networking, databases, and security) in the AWS Asia Pacific (Seoul) Region. AWS was the first global cloud service provider (CSP) to obtain the K-ISMS certification back in 2017 and has held that certification longer than any other global CSP. In this year’s audit, 144 services running in the Asia Pacific (Seoul) Region were included.
Sponsored by the Korea Internet & Security Agency (KISA) and affiliated with the Korean Ministry of Science and ICT (MSIT), K-ISMS serves as a standard for evaluating whether enterprises and organizations operate and manage their information security management systems consistently and securely, such that they thoroughly protect their information assets.
This certification helps enterprises and organizations across South Korea, regardless of industry, meet KISA compliance requirements more efficiently. Achieving this certification demonstrates the AWS commitment on cloud security adoption, adhering to compliance requirements set by the South Korean government and delivering secure AWS services to customers.
The Operational Best Practices (conformance pack) page provides customers with a compliance framework that they can use for their K-ISMS compliance needs. Enterprises and organizations can use the toolkit and AWS certification to reduce the effort and cost of getting their own K-ISMS certification.
Customers can download the AWS K-ISMS certification from AWS Artifact. To learn more about the AWS K-ISMS certification, see the AWS K-ISMS page. If you have questions, contact your AWS account manager.
If you have feedback about this post, submit comments in the Comments section below.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Mahdi Ebrahimi is a Senior Cloud Infrastructure Architect with Amazon Web Services. He excels in designing distributed, highly-available software systems. Mahdi is dedicated to delivering cutting-edge solutions that empower his customers to innovate in the rapidly evolving landscape in the automotive industry.
Dmytro Protsiv is a Cloud Applications Architect for with Amazon Web Services. He is passionate about helping customers to solve their business challenges around application modernization.
Luca Menichetti is a Big Data Architect with Amazon Web Services. He helps customers develop performant and reusable solutions to process data at scale. Luca is passioned about managing organisation’s data architecture, enabling data analytics and machine learning. Having worked around the Hadoop ecosystem for a decade, he really enjoys tackling problems in NoSQL environments.
Krithivasan Balasubramaniyan is a Principal Consultant with Amazon Web Services. He enables global enterprise customers in their digital transformation journey and helps architect cloud native solutions.
Muthu Pitchaimani is a Search Specialist with Amazon OpenSearch Service. He builds large-scale search applications and solutions. Muthu is interested in the topics of networking and security, and is based out of Austin, Texas.
