reporter

Apple Arcade will be adding four new games on Thursday, January 8, including True Skate+, Cozy Caravan, Sago Mini Jinja's Garden, and Potion Punch 2+. True Skate+ is a skateboarding simulation game with realistic physics. You can flick a virtual skateboard with your fingers to perform various tricks. Cozy Caravan is a kid-friendly, single-player game in which you navigate a caravan through picturesque landscapes, helping communities along the way. Sago Mini Jinga's Garden is another kid-friendly game in which you plant gardens, harvest ingredients, and explore the open world at your own pace. Potion Punch 2+ tasks you with mixing powerful potions. Apple Arcade is a subscription service that provides access to hundreds of games across the iPhone, iPad, Mac, Apple TV, and Apple Vision Pro. All of the games are free of ads and in-app purchases. In the U.S., Apple Arcade costs $6.99 per month, and it is also bundled with other Apple services in all Apple One plans. Apple Arcade can be accessed through the App Store and Apple Games apps.Tag: Apple Arcade This article, "Apple Arcade Adding These Four Games in January" first appeared on MacRumors.com Discuss this article in our forums View the full article

Fairphone updates its repair over-the-ear headphones with new drivers.View the full article

American AI giants are backing a new effort to establish open standards for building agentic software and tools.View the full article

The Reds look to put the Mo Salah fallout aside as they go in search of a win at the San Siro.View the full article

Meta's Facebook redesign elevates Marketplace, refreshes profiles, and aims to win back Gen Z users.View the full article

Google is deploying a second AI model to monitor its Gemini-powered Chrome browsing agent after acknowledging the agent could be tricked into taking unauthorized actions through prompt injection attacks. “We’re introducing a user alignment critic where the agent’s actions are vetted by a separate model that is isolated from untrusted content,” the company said in a blog post about the addition. If the critic determines an action doesn’t match what the user asked for, it blocks the action, Google said. “The primary new threat facing all agentic browsers is indirect prompt injection,” Chrome security engineer Nathan Parker wrote in the post, describing a situation where an agent is prompted to process information that then seeks to modify the initial prompt. The Gemini-powered browsing agent, launched in September and currently in preview, can navigate websites, click buttons, and fill forms while users are logged into email, banking, and corporate systems. Malicious instructions hidden in web pages, iframes, or user-generated content could “cause the agent to take unwanted actions such as initiating financial transactions or exfiltrating sensitive data,” Parker wrote. That’s where the user alignment critic comes in: The second model reviews each proposed action before Chrome executes it, acting as what Parker called “a powerful, extra layer of defense against both goal-hijacking and data exfiltration.” Why prompt injection is hard to stop Prompt injection has emerged as the top vulnerability in AI systems over the past year. OWASP found it in 73% of production AI deployments it assessed in 2024, ranking it the number one risk in its list of threats to large language model applications. The UK’s National Cyber Security Centre warned Sunday that prompt injection attacks may never be fully mitigated because LLMs can’t reliably distinguish between instructions and data. The agency called it a “confused deputy” vulnerability, where a trusted system is tricked into performing actions on behalf of an untrusted party. Researchers have already demonstrated the threat. In January, attackers embedded instructions in a document that caused an enterprise AI system to leak business intelligence and disable its own safety filters. Security firm AppOmni disclosed last month that ServiceNow’s AI agents could be manipulated through instructions hidden in form fields, with one agent recruiting others to perform unauthorized actions. For Chrome, the stakes are particularly high. A compromised browsing agent would have the user’s full privileges on any logged-in site, potentially bypassing the browser’s site isolation protections that normally prevent websites from accessing each other’s data. Google’s two-model defense To address these risks, Google’s solution splits the work between two AI models. The main Gemini model reads web content and decides what actions to take. The user alignment critic sees only metadata about proposed actions, not the web content that might contain malicious instructions. “This component is architected to see only metadata about the proposed action and not any unfiltered untrustworthy web content, thus ensuring it cannot be poisoned directly from the web,” Parker wrote in the blog. When the critic rejects an action, it provides feedback to the planning model to reformulate its approach. The architecture is based on existing security research, drawing from what’s known as the dual-LLM pattern and CaMeL research from Google DeepMind, according to the blog post. Google is also limiting which websites the agent can interact with through what it calls “origin sets.” The system maintains lists of sites the agent can read from and sites where it can take actions like clicking or typing. A gating function, isolated from untrusted content, determines which sites are relevant to each task. The company acknowledged this first implementation is basic. “We will tune the gating functions and other aspects of this system to reduce unnecessary friction while improving security,” Parker wrote. Beyond the user alignment critic and origin controls, Chrome will require user confirmation before the browsing agent navigates to banking or medical sites, uses saved passwords through Google Password Manager, or completes purchases, according to the blog post. The browsing agent has no direct access to stored passwords. A classifier runs in parallel checking for prompt injection attempts as the agent works. Google has built automated red-teaming systems generating malicious test sites, prioritizing attacks delivered through user-generated content on social media and advertising networks. Grappling with an unsolved problem The prompt injection challenge isn’t unique to Chrome. OpenAI has called it “a frontier, challenging research problem” for its ChatGPT agent features and expects attackers to invest significant resources in these techniques. Gartner has gone one step further and advised enterprises to block AI browsers in their systems. The research firm warned that AI-powered browsing agents could expose corporate data and credentials to prompt injection attacks. The NCSC took a similar position, urging organizations to assume AI systems will be attacked and to limit their access and privileges accordingly. The agency said organizations should manage risk through design rather than expecting technical fixes to eliminate the problem. Chrome’s agent features are optional and remain in preview, the blog post said. This article first appeared on Computerworld. View the full article

The physical roots of resilience Five years ago, at 2 a.m., I stood in a data center aisle watching a core switch lose a power supply. The room was cold, the fans loud and the alert light blinked amber. Within four seconds, the backup unit took over. Not a single packet dropped. That seamless, silent shift captured the essence of networking redundancy at its best: automatic, invisible and flawless. It was the kind of moment engineers live for — a quiet victory in the dark. Today, that same principle faces relentless pressure. Networks have outgrown physical racks and now span hybrid clouds, edge nodes, SD-WAN overlays, API gateways and micro-segmented virtual fabrics. Redundancy no longer means just extra hardware or twin fiber links. It demands survival against misconfigured routing policies, regional DNS outages, zero-day exploits in router firmware and cascading failures triggered by human error or supply chain compromise. The landscape has evolved dramatically, but the core lessons — built on discipline, foresight and trust — endure. My journey began with physical infrastructure, back when reliability was measured in cables and chassis. Every server connected through dual paths, with link aggregation bundles split across two top-of-rack switches, each uplinked to separate core routers over distinct fiber routes. I once spent an entire weekend labeling cables with color-coded heat shrink: red for primary, blue for backup. It was meticulous, almost meditative work. When a technician accidentally kicked a patch cord loose during a floor tile replacement, traffic shifted in under 200 milliseconds. No alarms triggered. No user complaints. The monitoring dashboard stayed green. That reliability felt like muscle memory: predictable, testable and deeply tangible. It was redundancy you could touch, trace and trust. Cloud complexity and policy traps Networks, however, no longer stay confined to racks. They live in routing tables, BGP sessions, cloud control planes and software-defined overlays. Many organizations rush to multi-region cloud setups, believing geographic distance alone guarantees resilience. It does not. Last year, I oversaw a global e-commerce platform with active-passive failover across two regions. Health checks withdrew prefixes from the primary if latency crossed 80 ms. During a routine maintenance window, a junior engineer mistyped a BGP community tag. Instead of marking one subnet, the change blocked the entire backup path with a no-export rule. Traffic surged onto an already saturated primary link, pushing packet loss to 11 percent. The backup route was healthy, advertising correctly and fully reachable — yet policy prevented its use. We corrected the error in six minutes, but customers felt the impact for nearly 40. The takeaway was stark: redundancy without aligned policies is mere decoration, expensive and useless when it matters most. This mirrors the 2024 Cloudflare 1.1.1.1 hijack incident caused by a leaked border gateway (BGP) route. As cloud environments grow, consistency becomes harder to maintain. A small template tweak in one availability zone can cascade across regions if copied unchecked, turning intended protection into widespread failure. Teams now manage configurations like code, with versioning, peer reviews, staged testing and automation to enforce uniformity. Tools like infrastructure-as-code pipelines, policy engines and drift detection systems are no longer optional — they are the new standard for scalable resilience. SD-WAN extends these challenges to branch locations, linking multiple internet paths for fluid failover and intelligent, application-aware routing. It promises simplicity and agility. Yet a single carrier firmware update can degrade performance everywhere, even when links remain active. I’ve seen MTU mismatches, encryption mismatches and path preference bugs ripple through hundreds of sites in minutes. Phased rollouts, strict change policies and gradual deployment rings prevent blanket disruption. The same discipline applies at the edge, where devices in retail stores, warehouses or remote clinics depend on local backups for speed and continuity. A rushed firmware push can erase that safety net across all units, forcing field teams to restore from USB drives or mobile hotspots. Careful staging, rollback plans and on-site recovery kits are now part of every deployment checklist. Routing mistakes and DNS breakdowns lurk as quiet, persistent risks. One errant rule can dead-end traffic and even solid backups stay idle if policies block them. Robust prefix filters, route validation and RPKI enforcement keep paths safe. Likewise, DNS backups must operate independently — free of shared anycast IPs, providers or control planes — to avoid joint collapse. Security checks, DNSSEC and diverse resolver strategies strengthen failover. These are not add-ons; they are foundational to modern network hygiene. Anticipating the inevitable: Pre-mortem and defense in depth The next outage is already taking shape, hidden until the first alert. It might hide in a supply chain flaw inside a trusted IOS-XR patch, quietly altering routes worldwide. Or it could stem from a single flawed intent policy in an ACI fabric, isolating entire application layers with surgical precision. External forces like wildfires, floods or geopolitical events can force data center evacuations, knocking out power grids and delaying generators for hours. The 2021 Fastly global outage — triggered by one valid config change exposing a hidden bug — shows how fast a CDN can collapse. These scenarios are not speculation; they are probabilities waiting to strike, each with its own failure signature. Experience reframes the question. Failure is inevitable in infrastructure work. What matters is how it unfolds, how precisely and whether the design anticipates that exact failure mode. Resilience now means shaping failure’s impact, not stopping it. This mindset demands a new ritual: the pre-mortem. In every design review, we assume total failure at peak load. We trace dependencies — transit providers, certificate authorities, undersea cables, even physical access roads. We hunt for shared fate: two “diverse” carriers in the same conduit, a single control plane for multi-region DNS or a vendor update applied globally without validation. Each discovery triggers action: a new peer, a policy rewrite, a satellite link or a dark fiber lease. AWS recommends pre-mortems in its Reliability Pillar. Two years ago, I sat in a dim network operations center at 3 a.m., cold coffee forgotten, as one BGP update spread chaos via a global transit provider. A peer leaked a default route with lower preference, sucking outbound traffic into oblivion. The backup path was fully functional, yet our policy still favored the tainted route. For 17 minutes, half the internet vanished for users. Customers raged. Executives demanded answers. A swift prefix filter fixed it, but the lesson lingered: redundancy requires not just a second path, but intelligence to choose it wisely and reject the wrong one. That night, I rewrote our change process: no routing policy touches production without simulation, peer review and automated testing. Observability unifies the picture. A consolidated view of logs, traffic flows, performance metrics and control plane health spots weakening paths before collapse, enabling fixes before users notice. Cost tensions persist. Leaders crave full redundancy yet settle for cheaper, correlated links that fail together. Genuine resilience needs true separation, geographic distance and sometimes higher budgets, all justified by the disruptions avoided. A $50,000 cross-connect can prevent a $2 million outage. The math is simple. Automation now manages routine failovers, sensing issues and shifting traffic instantly so engineers tackle root causes, not manual switches. The next disruption looms from software bugs, policy slips, physical cuts or zero-day attacks. Effective planning means expecting breakdown, mapping vulnerabilities and scripting clear recovery. In a recent breach, an attacker tried hijacking core routing via a compromised jump host. Layered defenses — RPKI, prefix filters and automated session resets — contained it. Users saw only a 40 ms blip. Redundancy had matured from spare cables into a dynamic blend of security, automation and vigilance. The foundational principles hold: remove single points of failure, secure real separation, automate responses and monitor relentlessly. The scale has ballooned — from patch panels to cloud regions, from local switches to global routes — but the mission stays constant: keep data moving regardless of obstacles. Outages will come. They always do. But with redundancy woven into a tested, trusted and adaptable network, their sting will fade and the packets will keep flowing. This article is published as part of the Foundry Expert Contributor Network. Want to join? View the full article

The company could introduce a new Legion laptop with a screen that rolls out horizontally in a few weeks at CES 2026 in Las Vegas.View the full article

Protect your property with the best security cameras on the market -- tried and test by CNET's security experts.View the full article

Amazon upgrades Alexa+ with new shopping tools, turning Echo screens into hubs for orders, deals, and gift buying.View the full article

Google will compete with Meta with its own line of AI-powered smart glasses.View the full article

These safes protect your valuables, plus offer a bunch of smart features for better control and management.View the full article

The European Commission is investigating Google over its AI summaries.View the full article

The latest is Microsoft's largest investment in Asia.View the full article

In an internal memo seen by TechCrunch, VSCO's CEO Eric Wittman said the company's consumer business had declined more than expected, and some of its new growth initiatives didn't yield the expected results.View the full article

India has given OpenAI, Google, and other AI firms 30 days to respond to its proposed royalty system for training on copyrighted content.View the full article

AI companies are bullish on the tech's productivity, but replacing the judgment and care of human workers is a whole different ballgame.View the full article

Four distinct threat activity clusters have been observed leveraging a malware loader known as CastleLoader, strengthening the previous assessment that the tool is offered to other threat actors under a malware-as-a-service (MaaS) model. The threat actor behind CastleLoader has been assigned the name GrayBravo by Recorded Future's Insikt Group, which was previously tracking it as TAG-150.View the full article

This time, you can take a hi-def arrow to the knee while you're on the go.View the full article

The two companies are launching the Accenture Anthropic Business Group to bring Anthropic's AI to Accenture's employees. View the full article

Pebble founder Eric Migicovsky's next big product is a memory-recording ring that works with phones and Pebble watches. But here's the catch: It doesn't recharge, and you can't replace the battery, either.View the full article

After rebooting the Pebble smartwatch, founder Eric Migicovsky is expanding his company's device lineup with a new smart wearable: an AI-powered smart ring known as Index 01. Named for the finger where the ring is meant to be worn, the new $75 ring is not meant to be a competitor to the always-on, always-listening AI devices, like the AI pendant Friend, but instead offers a way to record quick notes and reminders with a press of a button on the ring's side. AI only comes into play via the open source, speech-to-text, and AI models that run locally on your smartphone, via the open source Pebble mobile app. That is, if the Ring's button is not being pressed, it's not recording. (And this is a press-and-hold gesture, too, which means you can't start the ring's recording and then let go to surreptitiously record a conversation.) You can wear the stainless steel ring while in the shower, washing hands, doing dishes, or in the rain, but you would have to take it off for other water-related activities, like swimming. At launch, it's water-resistant to 1 meter. The ring is also not a fitness tracker or sleep monitor. It doesn't record details about your heart rate or health. And it's not there to be your AI friend. "I'm not trying to build some AI assistant thing," Migicovsky told TechCrunch in an interview. "I build things that solve one main problem, and they solve it really well," he explains. "I think of [the ring] as external memory for my brain...that's what this is. It's always with you." Plus, the ring has been designed to be highly reliable and privacy-preserving, he says, as all your thoughts are stored on your phone, not in the cloud. There is no subscription. Migicovsky has been wearing the ring for three months now and says he cannot imagine going back to a world where he doesn't always have a memory device with him. "The problem is that, during the day, I get ideas or I remember something, and if I don't write it down that second, I forget it," he says. The ring solves this problem, he adds, without becoming another device you need to charge. "The battery lasts for years," Migicovsky claims. Technically, the ring is said to support roughly 12 to 14 hours of recording. On average, the founder says he uses it 10-20 times per day to record 3-6 second thoughts. At that rate, he'll get about two years of usage. When the ring's battery dies, you can ship it back to the company for recycling. When using Index, you can record up to five minutes of audio, which can be saved to the ring and synced to your phone later. This makes sense for recording briefer, personal thoughts and notes, even when you don't have your phone handy, but it wouldn't work for recording a longer chat, like a presentation, meeting, or in-person interview of some kind. The ring also supports 99+ languages and has a bit of on-device memory, in case you're not in Bluetooth range of your device, where the recording is ultimately saved and transcribed. (The raw audio is retained, too, in case the speech-to-text is garbled due to loud background noise). If you own a Pebble smartwatch or one from another brand, your recorded thought can even appear on the watch's screen so you can verify it's correct. The ring works with Pebble's mobile app, which offers notes and reminders, but can optionally integrate with your phone's calendaring system, too, or other apps, like Notion. And the ring's software is open source, which makes it hackable by the community, the founder points out. Because of its open nature, the ring's button is already programmable. In addition to the press-and-hold gesture, you can program the ring to do other things with a single or double press, like play or pause your music or control the shutter on your phone's camera. You could use it to send a message through the universal chat app Beeper, which Migicovsky also created, or you could add your own voice actions via MCP. A new approach to hardware Migicovsky acknowledges that hardware can be difficult to get right -- as the previous exit of Pebble to Fitbit showed. (Fitbit, too, was later acquired by Google in 2021). "I didn't earn any money during Pebble -- we exited, but it was not a great exit," Migicovsky admits. This year, however, he decided to reboot the Pebble project after Google open sourced the PebbleOS, which opened up the door to new hardware. With his new company, Core Devices, Migicovsky plans to do things differently. Still, the founder doesn't regret his previous choices, he clarifies. "I wouldn't have gone back and changed anything. I loved what we built. I loved what we did. I love the company that we built, but it's not the only way to build a company," he told TechCrunch. " And, speaking as an ex-YC partner, there are -- there's a time and a place for building a venture-backed startup. Some companies are phenomenal when they raise money and build a big team, and I tried that...I think what I'm doing now is trying an alternative path, which is [to] start from profitability," he says. The new company is a small team of five, self-funded, and focused on sustainability. So far, Core Devices has shipped the Pebble 2 Duo smartwatch with a black-and-white display. Its first run sold out, and the company is now preparing to ship the upgraded version, the Pebble Time 2. The newer device, which has seen 25,000 pre-orders, is a stainless steel watch with a larger, color e-ink screen. As for the Index 01, the ring's pre-order offer ends in March 2026. After that, the price increases to $99. It currently comes in silver, polished gold, and matte black and works with iOS and Android devices. Customers can select from eight ring sizes and three colors.View the full article

Spotify will let you switch between music videos and audio at any time. View the full article

You can speak into the Pebble Index to have it remember things or set reminders, timers, and tasks. No cloud processing, no subscription, and best of all, no charging.View the full article

Vadi Fuoco – shutterstock.com NIS2 ist symbolisch für das Kernproblem europäischer Richtlinien und Verordnungen: Sie erzeugen unnötigen Papierkrieg und entfalten ihre Wirkung zu selten. Sei es das Lieferkettengesetz, die DSGVO‑Folgenabschätzungen oder das IT‑Sicherheitsgesetz – sie haben gemeinsam, dass Unternehmen gigantische Dokumentationsberge produzieren müssen. Diese erhöhen weder die tatsächliche Sicherheit, noch sind sie realistisch prüfbar. Compliant ist in der Regel derjenige, der eine umfangreiche Dokumentation aller Prozesse und regelmäßigen Prüfungen vorlegen kann. Diese sind zumeist so ausführlich, dass ihre Erstellung bereits nahezu unzumutbare Aufwände verursacht und ihre manuelle Prüfung praktisch unmöglich wird. Selbst wenn man sie prüfen würde, wären die Informationen nicht präzise genug, um echte Sicherheit zu belegen. Sicherheit gehört in die Planung In vielen Unternehmen entsteht dadurch eine absurde Praxis: Das technische Team baut funktionierende Infrastruktur und losgelöst davon schreibt ein Compliance‑Beauftragter im Nachhinein eine seitenlange Rechtfertigung, warum die Lösung angeblich sicher sei. Das ist ungefähr so, als würde Volkswagen ein Auto bauen und erst danach verfasst jemand 40 Seiten darüber, warum dieses Auto den Sicherheitsstandards entsprechen sollte. In der realen Industrie läuft es natürlich anders: Sicherheitsanforderungen fließen bereits in die Planung ein, technologische Mindeststandards sind definiert, und Qualitätsprozesse überwachen die Umsetzung automatisch. Compliance ergibt sich aus Technik – nicht aus Leitz‑Ordnern. In anderen Bereichen, wie der Steuerprüfung, hat man dieses Problem längst erkannt und die Automatisierung relevanter Prozesse gesetzlich vorgeschrieben (Stichwort: elektronische Registrierkasse, revisionssichere Buchhaltungssoftware). Das erspart ehrlichen Unternehmern nicht nur enorme manuelle Arbeit, sondern reduziert vor allem das Missbrauchsrisiko. Leider werden in Deutschland nur wenige Dinge so konsequent umgesetzt wie das Eintreiben unserer Steuern. Anders als beim Thema Steuerlast sollten Unternehmen jedoch ein intrinsisches Interesse daran haben, ihre IT‑Sicherheit korrekt zu implementieren. Das Bußgeld für einen NIS2‑Verstoß kann bis zu zehn Millionen Euro oder zwei Prozent des weltweiten Jahresumsatzes betragen. Die wirtschaftlichen Schäden erfolgreicher Cyberangriffe sind oft existenzbedrohend und summieren sich bereits heute auf dreistellige Milliardenbeträge pro Jahr. Auch wenn es nicht ausdrücklich gesetzlich vorgeschrieben ist, gibt es mittlerweile – nicht zuletzt durch AI‑gestützte Werkzeuge – die Möglichkeit, Sicherheitsprozesse und ihre vollständige Dokumentation so weit zu automatisieren, dass sich Security, Compliance und Auditierbarkeit in einem einzigen technischen Prozess vereinen lassen. Das spart nicht nur Ressourcen, sondern erhöht auch die tatsächliche Sicherheit. Wie dies im Detail aussehen kann, zeigt ein Beispiel einer SaaS‑Applikation in der Cloud. IT im Wandel: von Textdokumenten zu deklarativer Technik NIS2 verlangt im Kern drei Dinge: konkrete Sicherheitsmaßnahmen, Prozesse und Richtlinien zur Steuerung dieser Maßnahmen sowie belastbare Nachweise, dass sie im Alltag funktionieren. Die Prozessdokumentation – also Policies, Zuständigkeiten und Abläufe – ist für die meisten größeren Unternehmen nichts grundsätzlich Neues. ISO‑27001‑basierte Informationssicherheits-Managementsysteme (ISMS), HR‑Prozesse und Management‑Handbücher existieren oft seit Jahren. Entscheidend für NIS2 sind deshalb vor allem zwei Ebenen: die technischen Maßnahmen und die Evidenz, dass sie wirksam sind. Genau hier zeigt sich der Umbruch der letzten Jahre. Früher wurden Konzepte, Maßnahmen und Spezifikationen von Software‑ und IT‑Infrastrukturen überwiegend in Textform dokumentiert. Programmcode war zu komplex, Konfigurationen lagen verstreut in Dateien, Ticketsystemen oder im Kopf einzelner Administratoren. Im Nachgang hat man Dokumente geschrieben – häufig durch fachfremde Kollegen. Dieses Vorgehen war vor allem aus zwei Gründen problematisch: Es skaliert nicht in wachsenden, verteilten Umgebungen, und es passt nicht zu dem Ziel, technische Prozesse konsequent zu automatisieren. In modernen Systemen setzt man deshalb auf Verfahren wie Test‑ oder Behaviour‑driven Development und Infrastructure as Code (IaC), die – konsequent angewendet – textuelle Dokumentation weitgehend ersetzen. Die von NIS2 geforderten technischen Spezifikationen können direkt auf diese Artefakte referenzieren: IaC‑Definitionen legen Verschlüsselung, Netzsegmente oder Backup‑Szenarien fest, und CI/CD‑Pipelines spielen sie revisionssicher in die Produktion aus. Änderungen sind damit nicht nur technisch exakt beschrieben, sondern über Commits und Deployments auch zeitlich nachvollziehbar. Die Evidenz für Aspekte, die sich nicht vollständig deklarativ fassen lassen – etwa die Sicherheit der Software‑Supply‑Chain oder des Anwendungscodes – kann über Security‑Checks in der CI/CD‑Pipeline und eine laufende Bewertung durch SIEM‑ und CNAPP‑Systeme abgebildet werden. Wie das konkret aussehen kann, zeigt sich besonders deutlich in folgenden Bereichen: Identity & Access Management, Schwachstellenmanagement in der Software‑Supply‑Chain sowie im Monitoring, Incident Handling und Meldepflichten. Identity & Access Management: Policies as Code statt Rollen‑Excel Identity & Access Management ist eine der zentralen Säulen von NIS2. Gefordert sind nicht nur „irgendwelche“ Rollen, sondern ein Zugriffskonzept nach Need‑to‑know, Least Privilege und Separation of Duties. In der Praxis lässt sich das gut in drei Ebenen denken: bewusste Vergabe von Rechten, ein realistischer Lebenszyklus dieser Rechte – und eine Architektur, die Lateral Movement so weit wie möglich verhindert. Statt Berechtigungen in Excel, Admin‑UIs und verstreuten Wikis zu pflegen, werden Rollen und Zugriffsrechte als Policies as Code, beziehungsweise Infrastructure as Code definiert – etwa als Terraform‑Module oder JSON/YAML‑Policies in einem Git‑Repository. Alle Änderungen laufen ausschließlich über Merge Requests und werden über eine CI/CD‑Pipeline ausgerollt. Damit ist klar nachvollziehbar, wer welche Rechte geändert hat, wer das freigegeben hat und wann die Änderung produktiv gegangen ist. Die Dokumentations‑ und Nachweispflichten von NIS2 ergeben sich so direkt aus Git‑History und Pipeline‑Logs, ohne dass jemand zusätzliche Word‑Konzepte schreiben muss. Ein Rollenmodell allein ist noch kein Least Privilege. NIS2 verlangt, dass Rechte regelmäßig überprüft und überflüssige Berechtigungen entfernt werden. In Cloud‑Umgebungen mit hunderten Accounts, Services, Pods und Functions ist das manuell kaum noch handhabbar. Hier setzen Cloud‑Identity‑Entitlement‑Management‑Systeme (CIEM) an. Sie lesen alle effektiven Berechtigungen aus der Umgebung aus, korrelieren sie mit Audit‑Logs und zeigen, welche Rechte tatsächlich genutzt werden und wo Überprivilegierung besteht. Besonders bei Non‑Human Identities (Service‑Accounts, Workloads) ist das entscheidend, weil genau hier oft sehr breite Rechte vergeben werden, die Angreifern später als Sprungbrett dienen. Einige Start-Ups bieten mittlerweile sogar CIEM-Systeme, welche mit Hilfe von AI automatisch IAM-Policies für die entsprechenden Rollen generieren können. Schwachstellenmanagement & Software‑Supply‑Chain: SBOM statt Scanner‑PDF Der zweite Block, den NIS2 und die neue Durchführungsverordnung 2024/2690 für digitale Dienste scharf stellen, ist das Schwachstellenmanagement im eigenen Code und in der Lieferkette. Gefordert sind regelmäßige Vulnerability‑Scans, Verfahren zur Bewertung und Priorisierung, fristgerechte Behandlung kritischer Schwachstellen sowie ein geregeltes Vulnerability‑Handling und – wo nötig – Coordinated Vulnerability Disclosure. Für Cloud‑ und SaaS‑Provider kommen Supply‑Chain‑Pflichten hinzu, etwa gegenüber Cloud‑, CI/CD‑ und Registry‑Dienstleistern. Im klassischen Schwachstellenmanagement werden SCA‑, SAST‑ und DAST‑Scanner einfach „über alles drüber geworfen“. Das Ergebnis sind endlose Listen an Findings, von denen ein Großteil Fehlalarme oder für das konkrete System nicht relevant ist. Diese Daten landen dann in Excel‑Tabellen oder einer Schwachstellendatenbank, in der Teams versuchen, Prioritäten zu vergeben. Gerade bei Zero‑Day‑Lücken führt das zu hektischen Ad‑hoc‑Analysen: Welche unserer Komponenten sind betroffen? Ist die Schwachstelle in unserer Architektur überhaupt ausnutzbar? Was tun wir, solange es noch keinen Patch gibt? Der moderne Ansatz ist, alle DevSecOps‑Findings in einem zentralen System zu konsolidieren. Dort fließen Ergebnisse aus SCA, SAST und DAST zusammen, werden mit Kontext aus Software Bill of Materials (SBOMs), Architektur und Exponiertheit angereichert und mit Hilfe von AI vorgefiltert. False Positives lassen sich so drastisch reduzieren, und übrig bleibt eine deutlich kleinere Menge an tatsächlich relevanten Schwachstellen, inklusive einer Einschätzung, wie kritisch sie im konkreten Setup sind. Diese verdichteten Findings können direkt in Ticketsysteme und ins SOC weitergegeben werden, wo sie wie Incidents behandelt, nachverfolgt und für NIS2‑Reports ausgewertet werden. Aus einem wuchernden Scanner‑Output wird so ein steuerbarer Prozess, der sowohl die gesetzlichen Anforderungen als auch die Realität im Betrieb abbildet. Monitoring, Incident‑Handling und Meldestelle Der dritte Bereich, in dem NIS2 schnell zum Papiertiger wird, ist die Kombination aus Monitoring, Incident Response und den neuen Meldepflichten. Die Richtlinie gibt klare Deadlines vor: Frühwarnung innerhalb von 24 Stunden, eine strukturierte Meldung nach 72 Stunden, ein Abschlussbericht nach spätestens einem Monat. Viele Organisationen reagieren darauf, indem sie neue Templates, Excel‑Listen und Meldehandbücher bauen – oft weitgehend losgelöst vom bestehenden SOC. Im Ernstfall bedeutet das: Das SOC bekämpft den Vorfall, während parallel eine „NIS2‑Taskforce“ versucht, Informationen aus Tickets, Mails und Ad‑hoc‑Chats so aufzubereiten, dass sie in ein Formular passen. Die Folge sind doppelte Arbeit, Informationsverluste und Berichte, die zwar Seiten füllen, aber wenig darüber sagen, wie gut Detection und Response tatsächlich funktionieren. In einer Cloud‑SaaS‑Umgebung bietet sich ein anderer Weg an: Statt NIS2‑Reporting als eigenes Dokumentenprojekt zu verstehen, wird ein modernes DevSecOps‑basiertes SOC aufgebaut, so dass alle sicherheitsrelevanten Signale von vornherein an einem Ort zusammenlaufen: Cloud‑Infrastruktur, CI/CD‑Pipelines, Anwendungen, IdP und IAM. Die Regeln, nach denen diese Daten korreliert, angereichert und in Incidents überführt werden, sind als Code definiert und versioniert. T Detection‑Logik (Threat Detection and Response), Schwellenwerte und Playbooks liegen im Repository und werden wie Anwendungscode über Pipelines ausgerollt. Große Teile der klassischen SOC‑Arbeit lassen sich damit automatisieren: Aus Roh‑Logs werden konsistente Incidents mit Kontext, ohne dass jemand manuell Textbausteine zusammenkopieren muss. CNAPP (Cloud-Native Application Protection Platform ) und ähnliche Plattformen übernehmen gleichzeitig Speicherung und Archivierung der Daten, sodass der Nachweis der Überwachungstätigkeit im System mitläuft, statt in gesonderten Doku‑Schleifen erzeugt zu werden. Machine‑Learning‑ und AI‑Komponenten helfen zusätzlich, False Positives zu reduzieren, ähnliche Ereignisse zu clustern und auffällige Muster hervorzuheben – das SOC konzentriert sich auf die wenigen Vorfälle, die wirklich Aufmerksamkeit brauchen. Auf Prozessebene bleiben Playbooks und Meldewege wichtig – aber schlank. Ein IR‑Playbook definiert Incident‑Klassen, Eskalationspfade und Kommunikationsregeln, inklusive der Kriterien, ab wann ein Vorfall als „NIS2‑signifikant“ gilt. Ein Meldeprozess regelt, wer die Informationen aus SOC und Fachbereichen konsolidiert und über die BSI‑Meldestelle einreicht. Die eigentliche Dokumentation entsteht auch hier im Wesentlichen automatisch: Incident‑Tickets enthalten Timeline, betroffene Services, Impact, Ursache und Maßnahmen; ein Kennzeichen „NIS2‑relevant“ und ein Meldestatus verknüpfen sie mit den externen Berichten. Aus SIEM‑ und IR‑Daten lassen sich Kennzahlen wie MTTD, MTTR oder die Zeit zwischen Detection und Erstmeldung direkt berechnen – genau die Größen, an denen sich ablesen lässt, ob NIS2 gelebter Prozess ist oder nur eine neue Schublade im Dokumentenschrank. NIS2 als Architektur‑Test, nicht nur als Doku‑Übung NIS2 zwingt Unternehmen, ihre Sicherheitsmaßnahmen, Prozesse und Nachweise explizit zu machen. Das ist unbequem – gerade für Organisationen, die bisher stark ad hoc gearbeitet haben. Ob daraus ein Papiertiger oder ein echter Sicherheitsgewinn wird, entscheidet sich aber nicht im Gesetzestext, sondern in der Architektur. Wer versucht, die Richtlinie vor allem mit Word, PowerPoint und Excel „wegzudokumentieren“, wird viel Aufwand und wenig Resilienz produzieren. Werden hingegen IdP und IAM, CI/CD‑Pipelines, SBOM‑ und Vulnerability‑Tools, SIEM und IR‑Plattform so aufgesetzt, dass sie die geforderten Controls und Nachweise quasi nebenbei liefern, bekommt man NIS2‑Compliance als Nebeneffekt einer modernen Security‑Landschaft. (jm) View the full article