Generative AI (GenAI): Security

Generative AI (GenAI): Security

Generative artificial intelligence (generative AI) is a new buzzword across the industries. Generative AI is an artificial intelligence technology that can produce various types of content, including text, imagery, audio, and synthetic data.

All organizations are investing large amounts of their budget in GenAI technology. Recently Amazon completed a $4 billion investment in generative AI development. As per a recent study barely scratching the Generative AI use case and opportunity.

Before implementing any Generative AI solution make sure you completely understand the organization’s business problem to implement Gen AI solution, because any generative AI solution takes a lot of money, time, and brain power.

Evolution of LLMs

Generative AI has just blown up within the last year or two years, but it has been around for decades. Generative AI is based on large language models (LLM).  LLM has been evolving for a while technically five to ten years approx. All companies (like AWS, Microsoft, and Open AI) are presenting their standard based on their business requirements. Here is the evolution story of LLMs & GenAI.

AI Attacks

There are four types of AI attacks.

  1. Poisoning – This AI attack can lead to the loss of reputation and capital. This is a classic example of thrill-seekers and hacktivists injecting malicious content which subsequently disrupts the retraining process.
  2. Inference – This AI attack can result in the leakage of sensitive information. This attack aims to probe the machine learning model with different input data and weigh the output.
  3. Evasion – This AI attack can harm physical safety. This type of attack is usually carried out by Hacktivists aiming to get the product of a competitive company down and has the potential to seriously harm the physical safety of people.
  4. Extraction – This AI attack can lead to insider threats or cybercriminals. Based on this the attacker can extract the original model and create a stolen model to find evasion cases and fool the original model.

Type of AI Malware

  • Black Mamba – Black Mamba utilizes a benign executable that reaches out to a high-reputation API (OpenAI) at runtime, so it can return synthesized, malicious code needed to steal an infected user’s keystrokes. It has the below properties.
    • ChatGPT Polymorphic Malware
    • Dynamically Generates Code
    • Unique Malware code
  • Deep Locker – The Deep Locker class of malware stands in stark contrast to existing evasion techniques used by malware seen in the wild. It hides its malicious payload in benign carrier applications, such as video conference software, to avoid detection by most antivirus and malware scanners. It has the below properties.
    • Targeted identification
    • Logic detonation Mechanism
    • Facial and voice recognition
  • MalGAN – Generative Adversarial Networks serve as the foundation of Malware GAN and are used to create synthetic malware samples. For Mal-GAN’s complex design to function, it is made up of three essential parts: the generator, substitute detector, and malware detection system based on machine learning. It has the below properties.
    • Generative Adversarial Malware
    • Bypass ML-based Detections
    • Feed-forward Neural Networks

AI Security Threats

  • Deepfake Attacks
  • Mapping and Stealing AI Models
  • Spear Phishing (Deep Phishing)
  • Advanced Persistent Threats (APTs)
  • DDoS and Scanning of the Internet.
  • Data poisoning AI Models
  • PassGAN and MalGAN
  • Auto Generation of Exploit code
  • Ransom Negotiation Automation
  • Social Engineering

AI Security Defense Strategy

As we learned in AI several AI malware and threats are impacting different parts of the AI ecosystem. Our AI must be smart enough that it detects its threats and mitigates risk. ML-based malware detectors detect risk and generate insights into its severity. Here are a few approaches should implement to protect your AI systems.

  • Intelligent Automation
    • Automated response and Mitigation
    • Indicators of Compromise (IOCs) extraction and correlation
    • Behavioral and anomaly detection
  • Precision Approach
    • High Accuracy and Precision
    • Identify, Understand, and Neutralize
    • Prioritize Risk
  • Define the Area for defense
    • Identify the most vulnerable area.
    • Apply a broad spectrum of defense.
    • System resiliency

AI involvement in security

  • Malware detection – AI systems help prevent phishing, malware, and other malicious activities, ensuring a high-security posture and analyzing any unusual behavior.
  • Breach risk prediction – Identify the most vulnerable system and protect against any data leak.
  • Prioritize critical defense – AI-powered risk analysis can produce incident summaries for high-fidelity alerts and automate incident responses, accelerating alert investigations.
  • Correlating attack patterns – AI models can help balance security with user experience by analyzing the risk of each login attempt and verifying users through behavioral data, simplifying access for verified users
  • Adaptive response – AI model automated response and generate an alert if the system identifies any threats. This creates the first layer of security defense.
  • Applied Machine learning – AI models are self-train. If models identify any new risk pattern apply new security models to all protected systems.

Zero Trust API Security Architect

The cybersecurity threat landscape has changed dramatically in the last couple of years. Every day new kinds of threats are coming and impacting the organization’s business. Infosec/Security teams have always had challenges with this new threat to find the root cause and mitigate these risks.

To mitigate and overcome these constant/real-time threats and risks, the security fraternity introduces Zero Trust Architecture (ZTA) Or Zero Trust Strategy (ZTS).  ZTA is not a product or application, but it is a concept and practice to mitigate any risk for your organization.

What is ZTA/ZTS?

Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by continuously validating for security configuration and posture before being granted or keeping access to applications and data across users and their associated devices. All entities are untrusted by default; least privilege access is enforced; and comprehensive security monitoring is implemented.

Here are the basic properties for ZTA/ZTS

  • Default deny
  • Access by policy only
  • For data, workloads, users, devices
  • Least privilege access
  • Security monitoring
  • Risk-based verification

How API implement ZTA/ZTS?

API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). In API security we establish certain rules and processes to mitigate security risks.  These rules and processes are around Zero trust architecture or strategy. Here are a few basic strategies in API security to implement ZTA.

  1. All API communications are secured regardless of network location – This risk can be mitigated by ensuring all communication happens over an encrypted communication channel (TLS) and implementing a proper Cross-Origin Resource Sharing (CORS) policy. The endpoint for API needs to be exposed through the HTTPS protocol.
  2. All API endpoints are authenticated regardless of their environments (Prod, QA, Dev) — By default, all APIs need to be authenticated and authorized using username/password, JSON Web Token (JWT), OAuth, OpenID Connect, or third-party services.
  3. All API resources are protected and restricted to all users by default — Running multiple versions of an API requires additional management resources from the API provider and expands the attack surface. As per ZTA, make sure all API versions and their resources are restricted if it is not used by the user. Always validate and properly sanitize data received from integrated APIs before using it.
  4. Access to API resources is determined by dynamic policy including the client identity, application/service, and the requesting asset – Any API requires resources such as network bandwidth, CPU, memory, and storage. It is easy to exploit these resources by simple API calls or multiple concurrent requests. According to Zero Trust Architect, all APIs must implement API policies like:
    • Client identity (ClientID/Client-Secret)
    • Execution timeouts (Rate limiting)
    • Maximum allowable memory
    • Maximum number of file descriptors
    • Maximum number of processes
    • Maximum upload file size
  5. Implement or configure API monitoring posture and API Alert system — API monitoring helps identify and resolve performance issues as well as security vulnerability issues before they negatively impact users, which can impact user experience. The alert system notifies the operation team to mitigate risk quickly.
  6. Continuous API security risk assessments – Continuous risk assessments help the Infosec/Security team identify any security risk gap. By conducting the security risk assessments, organizations establish a baseline of cybersecurity measurements, and such baselines could be referenced to or compared against future results to improve overall cyber posture and resiliency further and demonstrate progress. A Free Security assessments tool VAT is available to mitigate any security risk for your organization.

https://www.vanrish.com/secassessment/

Organizations that have adopted the Zero Trust API model, see trust as fundamental to creating a positive, low-friction work culture for their clients and empowering the organization at all levels. Many of our Vanrish Technology clients, we worked with have many of the technologies in place that can be leveraged toward full Zero Trust architect model adoption.

API Security

Modern-day APIs are the building block for integration and application for any organization. Every day organizations are using APIs to unlock new features and enable innovation. From banks, retail, and transportation to IoT, autonomous vehicles, and smart cities, APIs are a critical part of modern mobile, SaaS, and web applications and can be found in customer-facing, partner-facing, and internal applications.

Organizations are exposing sensitive data, such as Personally Identifiable Information (PII) through APIs, and because of this have increasingly become a target for attackers. Due to this organizations are concerned about their API security & compliance. API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). According to the Open Web Application Security Project (OWASP) 2023, these API threats are categorized into 10 different categories

  1. Broken Object Level Authorization (BOLA) – Object-level authorization is an access control mechanism that is usually implemented at the code level to validate that a user can only access the objects that they should have permission to access.
    Comparing the user ID of the current session (e.g. by extracting it from the JWT token) with the vulnerable ID parameter isn’t a sufficient solution to solve Broken Object Level Authorization (BOLA).

    For example, any API providing a listing of all school revenue based on the school’s name of any county could be a security threat like this API endpoint: /county/{schoolName}/revenues.
    Hacker simply manipulates {schoolName} in the above endpoint’s school name to get all revenue details for all schools.

    To mitigate this risk Use the authorization mechanism to check if the logged-in user has access to perform the requested action on the record in every function that uses an input from the client to access a record in the database.
  2. Broken Authentication – API authentication is very vulnerable and an easy target for attackers. Attackers can gain complete control of other users’ accounts in the system, read their personal data, and perform sensitive actions on their behalf.

    API authentication flow and process need to be well protected and “Forgot password / reset password” should be treated the same way as authentication mechanisms. Make sure you know all possible flows to authentication to API (Mobile/Web/any link) and it gets well protected with authentication.
  3. Broken Object Property Level Authorization – When authorizing a user to access an object using an API endpoint, It is very important to validate that the user has permission to access the specific or all object properties.
    An API endpoint is considered as vulnerable if :
    • The API endpoint exposes properties of an object that are considered sensitive and should not be read by the user.
    • The API endpoint allows a user to change, add/or delete the value of a sensitive object’s property which the user should not be able to access.

      When you are exposing any API endpoint, always make sure that the user has access to the object’s properties you expose and avoid using any generic methods like to_json() and to_string().
  4. Unrestricted Resource Consumption – Enabling any API request, requires resources such as network bandwidth, CPU, memory, and storage. These resources have limited bandwidth and money associated with these resources.

    It is easy to exploit these resources by simple API calls or multiple concurrent requests. An API is vulnerable if at least one of the following limits is missing or set inappropriately.
    • Execution timeouts
    • Maximum allowable memory
    • Maximum number of file descriptors
    • Maximum number of processes
    • Maximum upload file size
    • Number of operations to perform in a single API client request (e.g. GraphQL batching)
    • Number of records per page to return in a single request-response
    • Third-party service providers’ spending limit
  5. Broken Function Level Authorization If any of the administrative API flows like delete, update, or create expose to unauthorized users it will be an easily vulnerable API endpoint. The best way to find broken function level authorization issues is to perform a deep analysis of the authorization mechanism while keeping in mind the user hierarchy, different roles or groups in the application, and asking the following questions:
    • Can a regular user access the administrative endpoint?
    • Can a user perform sensitive actions (e.g. creation, modification, or deletion) that they should not have access to by simply changing the HTTP method (e.g. from GET to DELETE)?
    • Can a user from Group X access a function that should be exposed only to users from Group Y, by simply guessing the endpoint URL and parameters?

      To mitigate this risk, the enforcement mechanism(s) must deny all access by default, requiring explicit grants to specific roles for access to every function.
  6. Unrestricted Access to Sensitive Business Flows — When you create an API endpoint some endpoints are more sensitive and critical than others. It is very important to understand which API endpoint and business flow you are exposing to the customer. Any restricted business flow exposed to clients can harm your business. In general, technical impact is not very severe but business impact might hurt your company’s credibility.

    For example, if your company offers a discount for one customer 20% and another customer 30% through API, if the first customer knows this discount variation, it will impact the credibility of the company as well as revenue loss.
    The mitigation planning should be done in two layers:
    • Business – identify the business flows that might harm the business if they are excessively used.
    • Engineering – choose the right protection mechanisms to mitigate the business risk.
  7. Server-Side Request Forgery – Server-Side Request Forgery (SSRF) vulnerability occurs when you are consuming remote APIs and resources without validating the remote endpoint or user-supplied URL. SSRF enables attackers to force the application to send formatted requests to an unknown destination even if protected by a firewall. Successful exploitation might lead to internal services enumeration (e.g. port scanning), information disclosure, bypassing firewalls, or other security mechanisms.

    The SSRF risk cannot be eliminated but you can mitigate these risks by isolating the resource fetching mechanism in your network, accepting media types for a given functionality, disabling HTTP redirections, Validating and sanitizing all client-supplied input data, and Using a well-tested and maintained URL parser to avoid issues caused by URL parsing inconsistencies.
  8. Security Misconfiguration — Security Misconfiguration vulnerability occurs when the latest patches are missing on the server or systems are outdated, Transport Layer Security (TLS) is missing, A Cross-Origin Resource Sharing (CORS) policy is missing, Error messages include stack traces or expose other sensitive information. Attackers often attempt to find unpatched flaws, common endpoints, services running with insecure default configurations, or unprotected files and directories to gain unauthorized access or knowledge of the system. These Security misconfigurations not only expose sensitive user data but also system details that can lead to full server compromise.

    Security misconfiguration risk can be mitigated by a repeating hardening process leading to fast and easy deployment, ensuring all communication happens over an encrypted communication channel (TLS), and implementing a proper Cross-Origin Resource Sharing (CORS) policy.
  9. Improper Inventory Management — It is important for organizations not only to have a good understanding and visibility of their own APIs and API endpoints but also how the APIs are storing or sharing data with external third parties. Multiple versions of APIs need to be properly managed, secure, patched and well-documented. Hackers usually get unauthorized access through old API versions or endpoints left running unpatched and using weaker security. requirements.
    Improper Inventory Management security vulnerability can be mitigated by documenting all hosted APIs for all environments (Prod or Non-Prod), Generating documentation automatically by adopting open standards and avoiding using production data with non-production API deployments.
  10. Unsafe Consumption of APIs — Unsafe Consumption of APIs vulnerability occurs when your developers tend to adopt weaker security standards, for instance, in regard to input validation, sanitization, URL redirections and not implementing timeouts for interactions with third-party services.
    This vulnerability can be mitigated by implementing proper data validation, and schema validation. Ensuring all API interaction happens on secured communication channels like TLS. Maintain an allowlist of well-known locations integrated APIs may redirect yours to do not blindly follow redirects.

Why Airlines Need Digital Transformation

When the Wright brothers flew their first plane they never imagined that after 100 years this industry will be one of the biggest and most complex. Initially Airlines were a part of luxury transportation but nowadays it is a necessity for most. Every day thousands of airplanes are flying and millions of passengers are reaching their destination.

To streamline the whole process, all departments of airlines should work synchronously and efficiently. There are a lot of variables involved to execute one task efficiently with a very little margin for error. The airline industry is the best example of machines and humans working together in harmony, which allows tasks to be completed quickly and accurately without any errors. The Airline’s biggest challenge is finding ways to reduce costs while still providing quality service.

Airline industries need to put forward the best process in place in order to remain competitive and profitable. All processes, including, operational structure, route network, fleet size, and pricing strategy need to be digitized and transparent to compete against their competitors and continue to be cost-effective.

Successful Adoption of Digital Transformation is the key to success to Airlines business.

Digital transformation allows Airlines to enable data efficiently and securely. It also helps in reducing the cost of operation and increases the efficiency.

Here are few area where Digital Transformation is helping Airlines to work efficiently and cost-effective .

Market & Partner Data – The Covid pandemic was a big disruption for the Airline market. Tracking and monitoring real-time Covid data after the pandemic is very important in managing your operation efficiently. Airlines work with their partner to get Market Data, Events, Weather, Traveler In-Flux, Reviews, and External Traveler Information for their operation. Integration with partner data is very important to get contextual insights for airlines.

Travel  Data – To run the airline industry efficiently their passenger System of Record needs to integrate efficiently. Those system are not limited to  Passenger service system (PSS),Computer reservation system ( CRS), Global distribution system (GDS), Enterprise Resource Planning (ERP), Traveler Profile, Fare, Schedule, Availability, Preferences, Assets, and Distribution with Offers & Orders (NDC).

Intent & Sentiment Data – Social Media Platform is one of the invaluable tools for airlines to stay ahead of their competitors. By leveraging Sentiment & Intent Behavior analysis on social media platforms, airlines can better understand passenger preferences and tailor services accordingly. This helps the Airlines build customer loyalty and increase profits over time.

Customer & Services Data – Managing historical customer and service data help airlines to get their customer sentiment and preference. These data includes Demographic and Identity Data, Profile, Cases Contact Center History, and Service Interactions data. This data helps airlines to understand passenger preference and provide better service. 

Marketing & Loyalty – Digital Transformation combining predictive analytics and human-centric design to create a more personalized experience to drive growth in loyalty, satisfaction and incremental revenue. It also helps in marketing to track Campaign Metrics, Digital Footprint, Experiential Targeting, Audience Segmentation, Digital Marketplace. 

Devices & Location Data – Airlines operation depends on IoT Sensor Data, Telemetry, Mobile, Voice, Geolocation, Location-Based data. This Intelligence based data is revolutionizing procurement through real time decision making. Allow the operational team to know the exact location of goods at any given time.

These are the big impact of digital transformation in airlines industries

  • Quicker time to market
  • Smooth Transitioning
  • Enhanced Business Agility
  • Reduce cost
  • Innovate and drive operational excellence   

Security for Critical Data

When organization is migrating to digital transformation, data security is a big concern. Digital transformation impacts every aspect of business operation and execution. The volume of data that any organization creates, manipulates, and stores digitally is growing, and that drives a greater need for data governance. Large volume of data security is the biggest challenge for any organization for their entire data lifecycle. 

Data security is a process to protect sensitive data from unauthorized access, corruption, or theft  during the entire data lifecycle.

Here are a few steps to mitigate data risk and implement data security.

  • Event Monitoring
  • Data Detection
  • Data Encryption
  • Data Audit Trail

Event Monitoring – This activity includes Prevention, mitigation, and monitoring threats to sensitive data.

  • Monitor user activity – Know who is accessing data from where with real-time event streaming and min 3-6 months of event history.
  • Prevent and mitigate threats – Define and  build Transaction Security policies using declarative conditions or code to prevent and mitigate threats.
  • Drive adoption and performance – Analyze user behavior to enable security training for organization and find security bottlenecks to improve user experience.
  • Event Log Files – Create event log file for rich visibility into your org for security, adoption and performance purposes

Data Detection –  Find and classify the sensitive data quickly and mitigate data risk. 

  • Monitor Data Classification Coverage – Determine which data in your organization have been categorized versus uncategorized. High sensitive data needs to be secure properly. Label data appropriately to manage data security.

Data Encryption – Encrypt sensitive data at rest while preserving business functionality.

  • Encrypt data and maintain functionality – Protect data and attachments while data search, lookups, transportation and storage.
  • Key Management – Data encryption key management is very important to secure organization data. It includes control and authorization of data encryption keys.
  • Policy Management – Data policy management is defining and managing rules or procedures for accessing data. It allows individuals to follow certain processes to access data during storing or transit.. 

Data Audit Trail – It allows strengthening data integrity for an extended period. This strengthening data integrity process enables compliance and gains insights.

  • Data History – Store data as long as you can use this historical data for audit Trail or delete if you do not need this data.
  • Data retention policy – Data retention policy defines what data or how long this historical data needs to be stored for audit. Based on sensitivity of data you can archive from 3-6 months or more.
  • Insight of data – Create insight and dashboard for data audit transparency. It allows any organization to track any compliance or data security issue.

AIR India Deal: Catalyst for Aviation Industries

The COVID-19 pandemic caused total disruption in the airline industry. The aviation sector struggled to survive, with 80 percent of flights canceled during the pandemic. Whole travel & hospitality industries were struggling with pandemic slowdown. Before the revival from pandemic Russia-Ukraine war affected the aviation industries. Oil and maintenance price increased which reduced profit margin for aviation sector. So many routes got canceled or restructured airline routing. On top of that, Airlines canceled thousands of flights as a massive winter storm and bitter cold swept the U.S., which directly impacted airlines revenue. Remote work is also impacting aviation industries. Most company travel related work reduces tremendously and it is directly impacting aviation industries.

This disruption directly impacted airlines manufacturers and supporting industries. Aviation Modernization getting impacted with these aviation disruption. Budget cuts are also slowing down digital transformation of airlines industries. Aviation industry leaders were expecting recovery would be very long and it would change forever.

But in the economic slowdown and pandemic affected aviation industries, Air India deal with Boeing and Airbus came with new hope for aviation industries. This deal will help to re-energize and rejuvenate whole aviation industries. This deal is going to impact at least 3 continents and will generate millions of job opportunities. This will help to stop the economic slowdown and restart the economic engine. Air India is going to buy 460 aircraft from two main aircraft manufacturers. This is the 2nd largest aircraft order in the history of global aviation. It is called the mother of all deals in aircraft industries. Total list price for these deals are approx. 80 billion dollars. These deals are splitted between two aircraft manufacturers, Boeing and Airbus. Boeing is providing a total 220 aircraft and Airbus will deliver 240 aircrafts. This mega deal is so huge that it is elevating India’s image and putting India as a bright spot in the whole world economy.

Now lets see how this deal is going to affect the Aircraft Manufacturer, Airlines and Airport sector.

Aircraft Manufacturer
  1. Parts traceability for Airbus and Boeing – Boeing Aircraft parts manufacturers spread across approx. 3 North America countries and 44 US states. Similarly Airbus parts manufacturers are  spread across  approximately 10 European countries. This will lead to generating millions of jobs in these places but the big challenge is to manage part traceability and assembly of these parts. Materials management team picks and packs parts into kits to be delivered to the parts assembly working area in the aircraft factory. Create a robust system for real-time visibility of these parts for quick collaboration and decisions.
  1. Certification Compliances traceability  – Each small aircraft part is a very critical item for aircraft assembly. All these parts need to be certified with the external Federal Aviation Administration (FAA) for US and European Union Aviation Safety Agency (EASA) for European countries. Tracing and management of these certifications is one of the most important  activities for Aircraft industries. This system should be highly visible and audited for aircraft safety.
  1.  Cross Team Visibility and Collaboration –  A lot of people, both external and internal are working for one aircraft. It also involves a number of systems and processes to deliver one aircraft. People, systems and processes need to come together to deliver and maintain aircraft. This whole collaboration needs to be highly transparent and visible to deliver aircraft efficiently.
  1. Delivery and Service – Safety and documentation is a very important activity for any aircraft delivery. All steps and processes need to be properly documented and executed through respective teams. Any of these missing steps/processes  lead to delayed aircraft delivery. 
Airlines

This mega deal will generate all kinds of  job opportunities within India and across the world wherever Air India will fly. This deal will also impact the Air India system and process.  

  1. Airlines Route management – More aircraft for airlines, more robust and transparent route management system. Any of these systems delay airline operation. You also need to collaborate with your partner airlines route for high profit margin. These systems and processes need more people across the world wherever Air India airlines will fly. Digital transformation will also help to transparent the whole system and increase operational efficiency.
  1. Aircraft Maintenance and parts management –  Aircraft maintenance and part management is a big challenge for airlines. Like Air India buying more aircraft it will need a more transparent maintenance  system/tracking, people and airlines hubs. Airlines also need large hangers to maintain their aircraft. 
  1. Employee management and experience – More aircraft, more routes and more employees to manage the whole airline system. This includes more corporate employees, In flight crews and ground maintenance associates  recruitment, onboarding & retention. 
Airport 

An airport is a massive business and has many verticals on its own. An airport as not just the spaces you see, such as departure, arrivals hall, duty free, security, etc. but an airport is a complex organization with many parties coming and going, the airport, retailers, service providers on the airside, the airlines, the cargo & warehousing spaces, aircraft MRO, fueling, as well as day authorities such as air traffic control, customs for people & Cargo, security, fire & emergency services, etc.

Since Air India is increasing its fleet , It will also impact airport operation and process. It will bring more opportunities to the airport.

  1. Efficient passenger process – Airport customer service, passport control, boarding/arrival, airport gate management comes in this category. It will be heavily impacted with more flights from Air India.
  2. Airport Safety, Security and health management – With this deal, more travelers will arrive and depart from the airport. To keep airports safe and secure, airports need more resources and their system transparent. They need to enable touchless solution to create perceived security around COVID-19
  3. Baggage operation – Baggage operation and management  is also a very important process for airports. This process will also get heavily impacted with this new  Aircraft purchase.

Retail 2023: The new Trend

From the last few years COVID pandemic has changed the whole Retail business spectrum in ways we could have never imagined before. Exploring new and accelerated trends gives us an indication of how this evolution will continue into the new normal. This pandemic also leads to closure of countless stores and bankruptcy. After surviving from the pandemic, inflation is hard hitting Retail business. Supply chain is also getting impacted with the Russia-Ukraine war. Now experts are saying that the greatest risk facing global supply chains has shifted from the pandemic to the Russia-Ukraine military conflict and the geopolitical and economic uncertainties.

With all this news for Retail industries, customer expectations and habits have shifted. Customers expect engagement on values to go beyond point of purchase to creating moments of engagement across the full journey. Now retailers have been compelled to find new ways to connect with consumers in a personalized and tailored way in-store as well as online to make a more intuitive experience. Retailers are going more digitized in their approach to connect with customers.

This is how retailers are moving forward to reach a wider customer base and lure their product. 

  1. e-commerce Technologies – In pandemic time if your business presence was not online then you will be out of business quickly. So Retailers have increased investment in e-commerce technologies. They increased the budget for digital transformation. To get ahead of competition, they are offering a mix of digital and physical experiences ahead of their rivals. Retailers are also focusing on customer service and providing seamless service experience across messaging, web and mobile channels. Retailers are creating a cohesive and connected customer shopping journey with e-commerce and unified data across systems.
  1. Infrastructure– Retailers are upgrading their instore as well as online infrastructure. They are replacing traditional store signs with digital signs and screens to display ads and videos. They are also adding kiosks and self-checkouts within the store. This is making the shopping experience more convenient and personalized. Shoppers are in and out, without having to make small talk or wait in queues. Deployment of in-store technologies double in a year.
  1. API-first and Cloud – Retailers are focused on Composable architecture. Composable architectures are key players to  implement successful digital transformations and most engaging digital experiences. 2023 will be a year of focus for retailers to remove entirely their legacy monolithic architectures. API-first and Cloud based solutions help retailers to switch to new functionality without the need for significant investment and resources. This will reduce the incredible amount of time and cost of ownership of a fraction of legacy technologies. API-first connectivity helps customers to shop anytime, anywhere and anyhow
  1. Customer experience – Customer experience is the one the main focus for Retailers this year. The focus of customer experience is online as well as in store experience. Retailers are providing customers enhanced assisted-selling experiences through assisted Selling. They are also focusing online customers through distributed OMS (Order Management System), Omni-channel and remote Selling. Retails are preparing for next level customer experience through loyalty(customers long-term relationships), native App and AI based digital fitting room.
  1. Merchandising & Supply Chain – Retailers are providing real time tracking and inventory information to their customers. They are also providing purchase incentives to their loyal customers so that they can keep engaging customers for their products. Retailers are also focusing on upgradation of warehouse management (WMS) to fulfill in-store as well as online orders.

ChatGPT: A Intro & Company Use-Case

The internet is full of buzz about the new AI based chatbot, chatGPT. ChatGPT reminds me of the early days of  google, how google came and changed our internet search forever. We were using lycos search engine but google gave a new definition of search engine. Similarly I am seeing chatGPT is trying to define our search which is based on AI and AI models. It is coming as a new disruptive technology. Suddenly google is looking like old school.

Generative Pretrained Transformer 3 (GPT-3)  from OpenAI, is the main component for Jasper.ai and other cloud based content writing, chatbot and machine learning applications. GPT-3 was first publicly released by OpenAI on June 11, 2020.  GPT-3 is based on the concept of natural language processing (NLP) tasks and “generative pretraining”, which involves predicting the next token in a context of up to 2,048 tokens. 

GPT-3 is based on Large language models (LLMs). Large language models (LLMs) are AI tools that can read, summarize, and translate text. They can predict words and craft sentences that reflect how humans write and speak.Three popular and powerful large language models include Microsoft ’s Turing NLG, DeepMind’s Gopher, and OpenAI ’s GPT-3.

ChatGPT was first publicly released by OpenAI on November 30, 2022 based on the GPT-3 framework. Initially developed as part of the GPT-3 research program, ChatGPT was built on top of the powerful GPT-3.5 language model to specifically address natural language processing tasks that involve customer service chat interactions.

OpenAI’s Chat GPT3 has demonstrated the capability of performing professional tasks such as writing software code and preparing legal documents. It has also shown a remarkable ability to automate some of the skills of highly compensated knowledge workers in general. ChatGPT has immense potential for ecommerce customer experience automation. ChatGPT allows customers to personalized shopping and fully automated 24 x 7 customer service on-demand.

In spite of chatGPT buzzwords, ability to content writing and customer service on-demand, I am little careful to use this technology for my business. I tested a few use-cases in chatGPT. It is working fine with some simple use-case and problem solving. But as soon as I added a few more variables to my problem, the chatGPT response was not correct.

Here is screenshot from ChatGPT for my problem and solution from chatGPT

The problem shown above chatGPT directly calculated from equation and response came as 5 min.

In chatGPT’s response it is not calculating a person’s waiting time in the queue. 

So from above question right answer would be

Average Waiting Time = Average Processing Time x Utilization / (1-Utilization).

Average Waiting Time = 5 x (5/6) / (1 – 5/6) = 25 minutes

So, the correct answer is 25 minutes waiting in line. If we add the 5 minutes at the kiosk, we obtain a total of 30 minutes.

So from the above issue, I would like to highlight a few points if your company is trying to implement any ChatGPT solution.

  1. Does the ChatGPT AI model is configured based on your company use case?
  2. Do you have enough historical data to run and test AI based chatGPT LLM models?
  3. ChatGPT runs on the big model like LLM model. Big models incur a big cost, and LLM are expensive.
  4. Since ChatGPT runs on a big model (LLM), ChatGPT  needs to overcome performance constraints.

Keep an eye out for GPT-4, which may be released as early as the first half of 2023. This next generation of GPT may be better at their results and more realistic. 

Recession: Impact in Software as a Service(SaaS) 

Global uncertainties continue to dominate headlines. Inflation is expected to reach the highest levels of ~3.5% in the US and Europe by the end of 2023. To ease inflation, Central Banks need to dampen demand, by making it expensive (for financial institutions, businesses and households) to borrow by increasing Federal Reserve interest rates . We are expecting a federal rate hike of 4.75% – 5.0% by the end of 2023. These are all data showing we are heading toward recession. The US labor market was robust last quarter but this quarter it is not very promising. Everyday we are hearing layoff news from different sectors.

IMF inflation forecast

These inflation and layoff news are impacting our tech market. Many companies have a growth challenge: They expect to get as much as 50 percent of their revenue from new businesses and products by 2026 but are not on a path that will take them there. Current economic conditions are forcing high-growth yet unprofitable tech startups to tighten their financial belts.

There are few realities, software companies are facing for their growth.

US-based Venture capitalists backed software startups slowed down – VC are very clear of high valuation and demanding that companies spend less, improve profit margin and high output. Unicorn creation also slowed in 2022 Q4. This is one of the lowest quarterly count since the first quarter of 2020.

Depressed company valuations – Private company valuations are cooling down. Over the last 4 quarters, we have seen public valuations compressing.

 Software companies have three critical revenue streams.

  1. License / Subscription Revenue – When the customer pays for the right to own and use a copy of the software/hardware product or subscribe/access  software platform
  2. software or hardware product – Customer pays for ongoing support or premium support.
  3. Cloud based licensed software – Customer pays the software provider for specific deliverables such as software implementation or technical training.

In the current world all these 3 revenue streams are shrinking. Companies are using only essential services to run their business. This is directly impacting software revenue, which is leading these companies into low valuation.

Infrastructure Maintenance –  SaaS companies are providing the software as a service. This means the customer does not have to purchase hardware to run the software—that cost is transferred to the SaaS provider. This is implying continuous software running coast. This cost is not going anywhere.So due to inflation this SaaS running cost increases tremendously.

Recession: Industry Impact

Recession prospect is certainly very scary. World over economies are contracting. The recession has had a significant impact on the global economy, leading to decreased GDP growth and an uncertain future for many industries. The IMF cut its forecast of global GDP for the year to 2.7% and for the US GDP growth forecast is 1.4% .China and India are key players for the world’s supply-chain requirement. Post COVID pandemic China is still struggling to provide supply-chain needs to the world and India is still in process to build supply-chain needs. Escalating Russia-Ukraine war and geopolitical tension is disrupting the world’s supply-chain. 

Due to all these issues,Inflation is very high across the world. The inflation rate depends on the balance between aggregate supply and aggregate demand within the economy. US inflation consumer prices rose 7% approx. in December 2022 from a year ago. Inflation driving up vendor price beyond budget expectation. The US Federal Reserve is increasing interest rates in the most aggressive way to curb this inflation. 

No industry is completely insulated from a recession, there are always opportunities within even the most impacted industries. The Impact of recession  is not equal for all kinds of industries. Most impacted industries are directly proportional to consumer sentiment, consumer basic requirement and consumer spending. Least impacted industries are not directly proportion to user sentiment and it is also supported by external system.

Here is worldwide recession industry impact index

In the above chart, most impact industries are consumer, consumer services and transportation. After COVID-19 this industry is cautiously optimistic about the return of travel and tourism. But  inflation and a volatile market are pulling these industries down. Loyalty programs are weakening between brand and customer. Recession industry impact index is average 8.5/10 approx. Hospitality and Airlines industries are trying to optimize their process to mitigate their risk. They are cutting routes, reducing flights, and, in some cases, shutting down offices to help reduce expenditures.

Retail and Manufacturing industries and also getting impacted with current inflation and escalating geopolitical tension. Clearly the industry has experienced unprecedented supply chain pressures and disruptions over the past two years; Global disruptions – such as the Russia / Ukraine war – continue to impact manufacturing supply chains, thereby increasing costs and delays. Recession industry impact index for this industry is 7.5/10 approx. Retail and Manufacturing industries are working on omni-channel commerce platforms, optimized operations, and omni-channel order orchestration and fulfillment to mitigate their risk. They are reducing overhead cost and going for digital.

The Federal/Central Government is the most recession proof industry. It needs to make ongoing investment to keep the country running. Critical infrastructure management, border, customs and immigration management are key activities the government can not ignore and reduce investment. Even in COVID-19 pandemic time influx of federal funding and ample emergency funds put state and local entities in recession-ready shape. Recession industry impact index for this industry is 1/10 approx.