Beanstalk founders dismissed concerns about governance attacks before losing $182 million

On April 17th, the decentralized finance (DeFi) project Beanstalk Farms was exploited for $182 million after an attacker mounted a lightning-fast hostile takeover, buying a controlling stake of tokens and immediately voting to send themself all of the funds.

The incident sparked discussion around “governance attacks,” a way of manipulating blockchain projects that use decentralized governance structures by gaining enough voting rights to reshape the rules.

In the wake of the attack, chat logs and video evidence show that the founders were warned about the risk of exactly this kind of attack, but they dismissed community members’ concerns.

The Beanstalk exploit was made possible by another DeFi mechanism known as a “flash loan,” which allows users to borrow large amounts of cryptocurrency for very short periods of time. In the case of the recent hack, the attacker borrowed close to $1 billion in cryptocurrency assets through a service called Aave, exchanged them for a 67 percent share in the Beanstalk project, voted through their own proposal to withdraw the entire treasury, and returned the borrowed funds — all in less than 13 seconds.
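A toy model of the sequence just described, beside the checkpointed-voting-plus-timelock design that defeats it when voting power is counted from a prior block rather than the current one. This is an added illustration, not Beanstalk's, Aave's or Publius's code; the account names, token supply, treasury value and 67 percent stake are constructed for the example.

```python
"""Toy model of a same-block governance takeover and of the checkpoint-plus-
timelock design that blocks it. Constructed example, not real protocol code."""
from dataclasses import dataclass, field

TOTAL_SUPPLY = 1_000_000   # governance tokens in existence (constructed)
QUORUM_FRACTION = 0.5      # a proposal passes once yes-weight exceeds half the supply

@dataclass
class Ledger:
    """Token balances plus a per-block copy so governance can look back in time."""
    block: int = 0
    balances: dict = field(default_factory=dict)
    checkpoints: dict = field(default_factory=dict)   # block -> {account: balance}

    def advance_block(self):
        self.checkpoints[self.block] = dict(self.balances)
        self.block += 1

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError(f"{src} cannot move {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def balance_at(self, account, block):
        """Balance at the end of `block`; the current block reads live state."""
        if block >= self.block:
            return self.balances.get(account, 0)
        return self.checkpoints.get(block, {}).get(account, 0)

@dataclass
class Governance:
    """live=True weighs votes by the voter's balance right now and executes at once;
    live=False uses the balance checkpointed before the proposal and waits `delay` blocks."""
    ledger: Ledger
    live: bool
    delay: int = 0
    treasury: int = 182_000_000   # value held by the protocol (constructed)

    def propose(self):
        created = self.ledger.block
        return {"created": created, "snapshot": created - 1, "yes": 0}

    def vote(self, proposal, voter):
        block = self.ledger.block if self.live else proposal["snapshot"]
        proposal["yes"] += self.ledger.balance_at(voter, block)

    def execute(self, proposal):
        """Return the amount moved out of the treasury (0 if it cannot run)."""
        if self.ledger.block < proposal["created"] + self.delay:
            return 0                                   # timelock still running
        if proposal["yes"] <= TOTAL_SUPPLY * QUORUM_FRACTION:
            return 0                                   # quorum not reached
        drained, self.treasury = self.treasury, 0
        return drained

def same_block_attempt(gov, who="borrower", market="dex"):
    """Borrow, buy 67% of the tokens, propose, vote, try to execute and sell back,
    all within one block, as the article describes. Returns the amount moved."""
    stake = int(TOTAL_SUPPLY * 0.67)
    gov.ledger.transfer(market, who, stake)   # bought with flash-loaned funds
    proposal = gov.propose()
    gov.vote(proposal, who)
    moved = gov.execute(proposal)
    gov.ledger.transfer(who, market, stake)   # sold back so the loan can be repaid
    return moved

def run(live, delay=0):
    """Fresh protocol whose whole supply sits on a market, then one attempt."""
    ledger = Ledger(balances={"dex": TOTAL_SUPPLY})
    ledger.advance_block()                    # block 0 is checkpointed, now at 1
    return same_block_attempt(Governance(ledger, live=live, delay=delay))

def patient_holder(delay=1):
    """A holder who already owned 67% in an earlier block still gets the
    proposal through under the checkpointed design, once the timelock elapses."""
    ledger = Ledger(balances={"dex": TOTAL_SUPPLY})
    ledger.transfer("dex", "whale", int(TOTAL_SUPPLY * 0.67))
    ledger.advance_block()                    # holding recorded at block 0
    ledger.advance_block()
    gov = Governance(ledger, live=False, delay=delay)
    proposal = gov.propose()
    gov.vote(proposal, "whale")
    early = gov.execute(proposal)             # 0: timelock has not elapsed
    for _ in range(delay):
        ledger.advance_block()
    return early, gov.execute(proposal)

if __name__ == "__main__":
    print("live weights, no timelock    :", run(live=True))             # 182000000
    print("checkpointed weights + delay :", run(live=False, delay=1))   # 0
    print("long-term holder, same rules :", patient_holder())           # (0, 182000000)
```

Either defence alone stops the same-block attempt in this model: checkpointed weights give a token bought in the current block no vote, and a timelock forces the buyer to hold the stake across blocks, which a loan repaid in the same transaction cannot do.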

Though the attack shocked Beanstalk users — some of whom claimed to have lost six-figure sums of money — the threat of a governance attack was raised in Beanstalk’s Discord server months previously and in at least one public AMA session held by Publius, the development team behind the project.

On February 12th, in a discussion room centered around a proposal to accept more kinds of cryptocurrency tokens in the “Silo” (Beanstalk’s central fund reserve), a user with the screenname Mr Mochi wrote:

Because of governance attacks, bribes and voter manipulation, governance doesn’t always go as it should. Is this a risk we are willing to take or will there also be an Emergency DAO (like Curve’s) who can block potential attacks?

Later they added:

There’s absolutely ways to mitigate some of this concern in an elegant manner … As far as I can tell, the current rule-set does not account for flash loan governance attacks or rugpull tokens.

Replying to the comment, a Publius admin account wrote that such manipulation was “not a concern in any capacity until Stalk [governance token] is liquid.”

A concern about flash loans was also raised in an AMA-style session hosted by Publius on April 12th, a video of which is available on YouTube. Around 6 minutes into the video, a participant asks via chat: “Can the team go into … why the protocol isn’t susceptible to flash loan type attacks?”

In response, a member of Publius discusses protections against price manipulation via flash loans but doesn’t address the possibility of flash loan-driven governance attacks.

With Beanstalk’s assets entirely depleted by the attack, the project has launched a 10-day fundraiser to try to replenish the lost funds. Without the benefit of VC funding, the company lacks the kind of deep pockets that have helped other hacked protocols backstop even bigger losses. But with the fate of the company hanging in the balance, the success of the fundraiser will depend largely on the community’s trust in the founding team to not make similar mistakes again.

Reached via Discord, Publius had not responded to a request for comment by the time of publication.

Cloud governance startup Cloudtamer accumulates $9.5M

Cloudtamer.io, a Fulton, Maryland-based startup developing a cloud governance platform, today announced that it raised $9.5 million in series A funding led by Blue Heron Capital and TDF Ventures, with participation from Blu Venture Investors, Early Light Ventures, and Gaingels. CEO Brian Price says that the capital will be used to expand Cloudtamer’s sales, marketing, and engineering operations to fuel growth and bring enhanced management capabilities to market.

With the accelerated adoption of cloud technologies over the past year, the necessity of cloud management solutions has correspondingly grown. Gartner predicts that global spending on public clouds will reach $332.3 billion in 2021, and 57% of companies told CloudCheckr in a recent poll that over half of their infrastructure is in the cloud. But many organizations are experiencing significant deployment challenges, including slow time to value, financial insecurity, and compliance risk within the cloud. A Statista survey identified cybersecurity and a lack of expertise as other major barriers to adoption.

Founded in 2018, Cloudtamer offers a collection of governance services that are deployed directly within Microsoft Azure, Google Cloud, and Amazon Web Services (AWS) accounts. Customers host the entire platform in their clouds, keeping credentials and data private. For example, in AWS, Cloudtamer sends reports from an AWS management account to a Simple Storage Service (S3) billing bucket, which it can access via an identity and access management service role.

“Cloudtamer was founded as a spinout from Stratus Solutions. I initially began my career working for a number of defense contracting organizations, and I first became exposed to the cloud at Booz Allen Hamilton, while the cloud was still in its infancy,” Price told VentureBeat via email. “I left Booz Allen Hamilton and began working at Stratus, where it became clear that cloud management and governance was a huge barrier to successful cloud operations for organizations. In 2018, my cofounder Joseph Spurrier and I founded Cloudtamer and started with eight employees. Today, Cloudtamer combines cloud governance and cloud management to ensure that users get the full value of the cloud.”

Cloud governance

Security and compliance are often cited as the top challenges facing enterprises when moving legacy systems to the cloud. In a 2021 Lemongrass poll, executives reported that cloud migrations can cost between $100,000 and $250,000 and rarely come in under budget, with nearly half of migrations taking seven months or more to complete.

Cloudtamer aims to address this challenge by calculating costs in “near-real time” as opposed to every 24 hours, like some cloud providers. Actions taken in Cloudtamer trigger a request to the appropriate service and, if applicable, carry out actions in a cloud environment. The platform provides access to cloud consoles within Cloudtamer, allowing users to move between Cloudtamer’s interface and other consoles for flexibility.

“Moving to and managing cloud environments is a step that organizations, in both federal and commercial markets, are focusing on right now, and they need a solution that enables them to make better decisions and achieve granular control,” Price said.

Cloudtamer’s backend database and web frontend app use AWS CloudFormation templates or Azure Resource Manager templates (depending on the cloud provider), allowing for quick setup. Once installed, Cloudtamer runs on a load-balanced series of instances with an AWS Aurora MySQL database or Azure Database for MySQL.

“We have witnessed many organizations struggle with cloud adoption and believe Cloudtamer is best positioned to help them simplify their operations,” Blue Heron Capital cofounder and managing partner Tom Benedetti said in a statement. “Unlike other cloud governance solutions on the market, Cloudtamer.io’s platform brings data that is scattered across cloud providers into one primary location so that organizations have a centralized view into their cloud usage.”

Cloudtamer competes in a multicloud management market that’s predicted to be worth as much as $19.28 billion by 2028. One rival, Cyral, uses stateless interception technology to deliver enterprise data governance across platforms like Amazon S3, Snowflake, Kafka, MongoDB, and Oracle. Another, Stacklet, incorporates hundreds of policies to optimize data governance across different clouds, accounts, and regions.

But 46-employee Cloudtamer has attracted more than 40 high-profile customers to date, including U.S. governmental entities like NASA, the Centers for Disease Control and Prevention, and the National Institutes of Health, along with enterprises such as Indeed and Verizon. For NASA, Cloudtamer helped the agency’s field centers manage Earth science data from new satellite launches while also assisting with the onboarding of cloud accounts with different budgets and spend plans, security policies, and user access boundaries.

Cloudtamer’s revenue has grown by double digits every year since 2018, according to Price.

“Digital transformation initiatives have rapidly accelerated over the last two years. I cannot say whether this is because of the pandemic. However, it has spurred the cloud management and governance market, opening many doors for us in the federal space — as well as the enterprise space,” Price said. “We see a lot of need in the healthcare industry, and it’s one of the reasons we chose to partner with Blue Heron Capital as an investor. Their expertise in healthcare and software-as-a-service will help us target this market and deliver solutions to support their critical infrastructure.”

VentureBeat

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.

Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:

  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more

Become a member

Orangetheory sees AI data governance as a ‘force multiplier’

Ameen Kazerouni, chief analytics officer at Orangetheory Fitness, is well-versed in AI. His experience working as the head of AI and machine learning at Zappos has helped him successfully utilize AI and data at Orangetheory.

At VentureBeat’s virtual Transform 2021 conference, Kazerouni compared data to oil: both are irreplaceably valuable, made so because of a refining process.

“There’s this evolution that data goes through where it goes from data, to knowledge, and to insight,” Kazerouni said. “When you collect data, it’s serving a purpose. And then understanding what that data means and how it relates to other pieces of data is critical.”

In other words, data isn’t useful until it’s contextualized. Companies have realized that data is important and are very diligent about collecting every piece of information they can, Kazerouni said. When one piece of information is seen in conjunction with other pieces of information, it serves as a “force multiplier” that allows businesses to identify correlations and confirm hypotheses about what is happening within the ecosystem. Businesses can make informed decisions derived from data that can dramatically change how consumers experience products, Kazerouni said. Data requires additional work before it becomes extremely valuable.

The key to finding and making use of this information requires what Kazerouni called “building your differentiator.” This means finding a niche that can set a company apart from its competitors, and really investing in that. That could mean buying technology or building it internally. A company with in-house capability and a larger team would make a different decision than one entering machine learning and AI for the first time. If the company has a limited set of resources, build what is going to be the differentiator — spend resources on something that other companies are not spending their resources on. That is the best way for a company to focus its efforts, because that is what is going to elevate the user experience, drive efficiency, and set it apart from the rest of the market.

“If you’re trying to build something that somebody else is building as their core product, you will never be able to focus on it as much as a person [who] just does that and nothing else,” he said.

Data governance is critical

For Orangetheory, that effort is directed toward science and AI-informed fitness for its consumers. The company invests in analytics and data governance, and places significant trust in the process. It’s important to understand how data is classified, and clearly define what each piece of data is used for and what level of protection is required. There are a lot of regulatory frameworks out there and being compliant with the major data regulations puts the business in a “very strong position to say that the right types of data are protected with the right protocols and the right best practices,” Kazerouni said.

From a technical perspective, Orangetheory encrypts data in storage as well as in transit, keeps personally identifiable information in isolated environments, and makes sure the PII does not get replicated into analytical environments. The company recognizes there is a computational and resource cost to good data privacy and protection, and is willing to spend because it is critical to keep the consumer’s trust. “It’s important to incur that cost early, and not shortcut around that,” Kazerouni said.

This includes investing early in data engineers who help with the extract, transform, and load (ETL) pipeline and maintain the technical chain of custody, so that the data becomes available in a “very usable and secure fashion,” Kazerouni said. Data analysts, statisticians, and business intelligence analysts focus on actually deriving insight and telling stories from the data in a way that’s consumable and actionable. Automated machine learning comes after that. Investing in the foundational building blocks is necessary.

However, contextualizing that data into actionable goals isn’t just for the data analysts and statisticians. Orangetheory works with kinesiologists and a Medical Advisory Board — professionals in the fitness field — and includes them in every decision relating to template design and any fitness and workout related claims.

“We’ll always have a human in the loop,” Kazerouni said, noting that it was important to have someone involved in making decisions on how wearable data and workout data should be used. “[There’s value] in having an exercise physiologist or kinesiology, someone who’s well trained in that, to review what’s coming out of the data before you push it out, and not trying to just automate that.”

Early in the AI journey

Kazerouni described Orangetheory as a greenfield environment — a totally new environment with no legacy code, developing from a clean slate — so the company is in the process of deciding whether to build or buy its data infrastructure, where to invest the resources, and how to use the data. Open questions include whether prescriptive or predictive analytics would be the most valuable. The team is considering whether it would be possible to prescribe action and strategy based on the insights available from the data, whether the data can be used to predict schedule optimizations and demand, or even how to tackle the supply chain for the wearables themselves. “The lessons are really the prioritization of what you build, what you buy, how you bring these assets online, and in what order,” Kazerouni said. “I’m sure we will make mistakes along the way. And probably next year, we will tell you all about them.”

The technological building blocks that Orangetheory set up for itself have led to strong gains, even during the pandemic. The company’s interactive (and remote) Orangetheory Live workout, “a child of innovation [and] circumstance,” was a success thanks to its robust digital platform.

Kazerouni is confident that this emerging change of virtual presence and remote accessibility is here to stay. “The focus is more life, which is what we try to create … the ability to do more when you’re staying healthy. The hybrid approach that’s emerging is great, because it all results in more life.” Kazerouni’s statement rings true for both the technological innovation and the AI-powered learning that comes with it.

Data governance and security startup Cyral raises $26M

Data security and governance startup Cyral today announced it has raised $26 million, bringing its total to date to $41.1 million. The company plans to put the funds toward expanding its platform and global workforce.

Managing and securing data remains a challenge for enterprises. Just 29% of IT executives give their employees an “A” grade for following procedures to keep files and documents secure, according to Egnyte’s most recent survey. A separate report from KPMG found only 35% of C-suite leaders highly trust their organization’s use of data and analytics, with 92% saying they were concerned about the reputational risk of machine-assisted decisions.

Redwood City, California-based Cyral, which was founded in 2018 by Manav Mital and Srini Vadlamani, uses stateless interception technology to deliver enterprise data governance across platforms, including Amazon S3, Snowflake, Kafka, MongoDB, and Oracle. Cyral monitors activity across popular databases, pipelines, and data warehouses — whether on-premises, hosted, or software-as-a-service-based. And it traces data flows and requests, sending output logs, traces, and metrics to third-party infrastructure and management dashboards.

Cyral can prevent unauthorized access from users, apps, and tools and provide dynamic attribute-based access control, as well as ephemeral access with “just-enough” privileges. The platform supports both alerting and blocking of disallowed accesses and continuously monitors privileges across clouds, tracking and enforcing just-in-time and just-enough privileges for all users and apps.

Identifying roles and anomalies

Beyond this, Cyral can identify users behind shared roles and service accounts to tag all activity with the actual user identity, enabling policies to be specified against them. And it can perform baselining and anomaly detection, analyzing aggregated activity across data endpoints and generating policies for normal activity, which can be set to alert or block anomalous access.

“Cyral is built on a high-performance stateless interception technology that monitors all data endpoint activity in real time and enables unified visibility, identity federation, and granular access controls. [The platform] automates workflows and enables collaboration between DevOps and Security teams to automate assurance and prevent data leakage,” the spokesperson said.

Cyral

Existing investors, including Redpoint, Costanoa Ventures, A.Capital, and strategic investor Silicon Valley CISO Investments, participated in Cyral’s latest funding round. Since launching in Q2 2020, Cyral — which has 40 employees and occupies a market estimated to be worth $5.7 billion by 2025, according to Markets and Markets — says it has nearly doubled the size of its team and close to quadrupled its valuation.

“This is an emerging market with no entrenched solutions … We’re now working with customers across a variety of industries — finance, health care, insurance, supply chain, technology, and more. They include some of the world’s largest organizations with complex environments and some of the fastest-growing tech companies,” the spokesperson said. “With Cyral, our company was built during the pandemic. We have grown the majority of our company during this time, and it has allowed us to start our company with a remote-first business model.”

Proper data hygiene critical as enterprises focus on AI governance

Today’s artificial intelligence/machine learning algorithms run on hundreds of thousands, if not millions, of data sets. The high demand for data has spawned services that collect, prepare, and sell them.

But data’s rise as a valuable currency also subjects it to more extensive scrutiny. In the enterprise, greater AI governance must accompany machine learning’s growing use.

In a rush to get their hands on the data, companies might not always do due diligence in the gathering process — and that can lead to unsavory repercussions. Navigating the ethical and legal ramifications of improper data gathering and use is proving to be challenging, especially in the face of constantly evolving legal regulations and growing consumer awareness about privacy and consent.

The role of data in machine learning

Supervised machine learning, a subset of artificial intelligence, feeds on extensive banks of datasets to do its job well. It “learns” a variety of images or audio files or other kinds of data.

For example, a machine learning algorithm used in airport baggage screening learns what a gun looks like by seeing millions of pictures of guns — and millions not containing guns. This means companies need to prepare such a training set of labeled images.

Similar situations play out with audio data, says Dr. Chris Mitchell, CEO of sound recognition technology company Audio Analytic. If a home security system is going to lean on AI, it needs to recognize a whole host of sounds including window glass breaking and smoke alarms, according to Mitchell. Equally important, it needs to pinpoint this information correctly despite potential background noise. It needs to feed on target data, which is the exact sound of the fire alarm. It will also need non-target audio, which are sounds that are similar to — but different from — the fire alarm.

ML data headaches

As ML algorithms take on text, images, audio, and other various data types, the need for data hygiene and provenance grows more acute. As they gain traction and find new for-profit use cases in the real world, however, the provenance of related data sets is increasingly coming under the microscope. Questions companies increasingly need to be prepared to answer are:

  • Where is the data from?
  • Who owns it?
  • Has the participant in the data or its producer granted consent for use?

These questions place AI data governance needs at the root of ethical concerns and laws related to privacy and consent. If a facial recognition system scans people’s faces, after all, shouldn’t every person whose face is being used in the algorithm need to have consented to such use?

Laws related to privacy and consent concerns are gaining traction. The European Union’s General Data Protection Regulation (GDPR) gives individuals the right to grant and withdraw consent to use their personal data, at any time. Meanwhile, a 2021 proposal from the European Union would set up a legal framework for AI governance that would disallow use of some kinds of data and require permission before collecting data.

Even buying datasets does not grant a company immunity from responsibility for their use. This was seen when the Federal Trade Commission slapped Facebook with a $5 billion fine over consumer privacy. One of the many prescriptions was a mandate for tighter control over third-party apps.

The take-home message is clear, Mitchell says: The buck starts and stops with the company using the data, no matter the data’s origins. “It’s now down to the machine learning companies to be able to answer the question: ‘Where did my data come from?’ It’s their responsibility,” Mitchell said.

Beyond fines and legal concerns, the strength of AI models depends on robust data. If companies have not done due diligence in monitoring the provenance of data, and if a consumer retracts permission tomorrow, extracting that set of data can prove to be a nightmare as AI channels of data use are notoriously difficult to track down.

The complicated consent landscape

Asking for consent is a good prescription, but one that’s difficult to execute. For one thing, dataset use might be so far removed from the source that companies might not even know from whom to obtain consent.

Nor would consumers always know what they’re consenting to, says Dr. James Giordano, director of the Program in Biosecurity and Ethics at the Cyber-SMART Center of Georgetown University and co-director of the Program in Emerging Technology and Global Law and Policy.

“The ethical-legal construct of consent, at its bare minimum, can be seen as exercising the rights of acceptance or refusal,” Giordano said. “When I consent, I’m saying, ‘Yes, you can do this.’ But that would assume that I know what ‘this’ is.”

This is not always practical. After all, the data might have originally been collected for some unrelated purpose, and consumers and even companies might not know where the trail of data breadcrumbs actually leads.

“As a basic principle, ‘When in doubt, ask for consent’ is a sensible strategy to follow,” Mitchell said.

So, company managers need to ensure robust, well-governed data is the foundation of ML models. “It’s rather simple,” Mitchell said. “You’ve got to put the hard work in. You don’t want to take shortcuts.”

Kryon throws down the gauntlet for better RPA governance

Robotic process automation (RPA), which mimics human activity and automates mundane tasks, is all the rage. But privacy and governance concerns persist. Recognizing these challenges, Kryon recently became the first RPA vendor to earn ISO 27701 certification.

“This framework is essential for any RPA company doing business in Europe, due to GDPR, or any other region with similar data privacy regulations,” Kryon CTO Shay Antebi told VentureBeat. He believes ISO 27701 could become the first widely adopted data privacy standard for RPA vendors. The ISO certification applies to real-time process discovery, as well as bot design, deployment, and management.

RPA applications, called bots, are often programmed to access sensitive systems and information as part of process automation projects. An attacker can exploit access to these bots to steal data or gain unauthorized access to systems and applications in a cyberattack.

RPA and process mining vendors have addressed several standards and best practices to ensure privacy. While ISO 27001 is an older certification for information security management systems (ISMS), ISO 27701 is an extension standard that builds upon and enhances that with a framework for privacy information management systems (PIMS) to secure and manage personally identifiable information.

Updating the certification

Kryon had already achieved ISMS certification back in 2019, so catching up with the new extension was a matter of building on this earlier work. Organizations looking to get certified to ISO 27701 will either need to have an existing ISO 27001 certification or implement ISO 27001 and ISO 27701 together as a single implementation audit.

Enterprises need to maintain vigilance around industry-specific regulation, particularly in health care and finance, two of the largest markets for RPA.

Enterprises using ISO-certified tools like Kryon’s will still need to ensure that their existing systems and applications that interact with RPA tools are compliant. RPA platforms often integrate with other applications on the back end to complete a process. For example, Kryon created a software bot for a health care organization in Israel that automates setting up appointments for patients to receive the two-shot COVID vaccine. That front-end bot, which chats with the patient, also interacts with the organization’s patient record system behind the scenes to complete the process. These applications need to be secured, as well.

“This is a great example of when an upfront investment is absolutely necessary to protect yourself from potentially huge losses,” Antebi said.

Meeting security certifications requires not only an investment of time and resources but also the right technology, processes, and framework. Security sometimes comes as an afterthought in the software development lifecycle. But it needs to be considered first for RPA to scale. “If the goal is widespread adoption of RPA in the enterprise, then the industry needs to deliver solutions with enterprise-grade security,” Antebi said.

Kryon has been investing in solutions to push the envelope of privacy and governance further, such as a way to mask sensitive information in documents and on systems screens without losing the necessary context. Antebi said, “We are always looking for more ways to add value for our customers — offering the best security available is one way to do that.”
