NCSC 7 Principles for Secure Communications
There are seven principles defined by NCSC, and they are:
Principles 1-4, Part 1: Click Here
Principles 5-7, Part 2: Click Here
Armour Comms has published a podcast explaining the differences between CPA and ISO27001. It can be viewed here:
https://www.youtube.com/watch?v=4v9aojG3EeQ&feature=youtu.be
Replacing WhatsApp? Advice from NCSC
What exactly should you be looking for?
When considering a secure communications solution for your organisation there are a lot of different options. Not least of these are free-to-use consumer grade apps. Without vigilance these apps can seep into business use without any oversight from the organisation, often because employees use the apps for personal life and they seem like an expedient way to communicate. These apps claim end to end encryption, but do they really meet the needs of an enterprise? And what extra do paid-for Enterprise solutions offer?
As we’ve point out many times before, there is much more to security than just encryption – this is an important point made by the UK National Cyber Security Centre (NCSC). It has published a document ‘Secure communications principles’ highlighting key points for secure communications. As usual, NCSC has done an excellent job of laying out the potential hazards – and how to avoid them – in an easy-to-read form. Here is an outline of those principles and why they are important.
NCSC 7 Principles for Secure Communications
There are seven principles defined by NCSC, and they are:
Protect Data in Transit
At some point, your communications are very likely to travel over the public internet, which is by its nature an untrusted network. You don’t control it, so you can’t trust it. If not well protected, data travelling over an untrusted network can be tampered with, or people may be able to eavesdrop on your conversations and exchanges.
Another issue is messages being sent to the wrong person. This could be because you mistyped their address, or someone has spoofed or stolen an identity. This means that you could think you are interacting with a trusted colleague, when in fact a hacker has misappropriated their account. You could be tricked into giving sensitive, valuable information, or downloading malware.
Protect network nodes with access to sensitive data
A node is a connection point inside a network that can receive, send, create, or store data. Each node requires you to provide some form of identification to receive access. As your message travels across the network and passes through these nodes, if it has any unencrypted data, it may be accessed by the nodes. While the communication within the message may be encrypted by the app, your metadata may not be.
Another key point to consider is that encrypted messages rely on an encryption key to encrypt and decrypt. The key needs to be shared with the recipient for them to read the message, so there needs to be some form of key management system. If someone were to get hold of the key, they could read the message. If someone could get into the key management system, that would undermine the trust of the communications system, and you wouldn’t necessarily know that this had happened until it was too late, and that sensitive information had been compromised.
Protect user access to the service
As alluded to earlier, when you communicate with a trusted colleague, you assume that it is them. However, if their account is hacked, you may not be communicating with who you think you are*. For this reason, strong user authentication is an important part of a communications system.
If your colleagues are using their own phones for business use, i.e. an unmanaged device, there is also the danger that details such as user credentials and historic communications content are processed and stored without being encrypted. Therefore, if someone else gains access to that device/phone, information could be compromised. This is another reason for strong access control authentication (for example, fingerprint scan or password).
*In case the risk here isn’t clear, this is the ‘messaging app’ analogy to Business Email Compromise (BEC) which the FBI’s 2020 Internet Crime Report https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics indicated cost $1.8B last year, more than the total costs of confidence fraud, ransomware, identity theft and several other categories all added together!
Ensure secure audit of communications is provided
For those working in regulated industries (financial services and health, for example) it is important that all communications can be audited (i.e. recorded and stored). However, this is not as easy as it sounds. The communications content must be kept secure, and there needs to be tight controls around who can access the content, when and why. This level of access would be highly desirable to criminals. Consumer grade apps certainly do not provide this level of service and some may even monitor your content for advertising or other purposes.
Allow administrators to securely manage users and systems
All IT service desks know that if users are allowed to administer their own accounts you end up with anarchy. For a secure communications system to remain secure, it must be properly managed. This means controlling who can join, and who can communicate with which groups. In contrast, consumer apps allow anyone to join – which could include hackers, criminals, and disgruntled ex-employees – and then to contact anyone else on the system.
Controlling who is admitted to the system provides a level of trust, that you know who you are communicating with, and that should someone leave the organisation, their account is disabled.
Use metadata only for its necessary purpose
Put simply metadata is the ‘who’, ‘where’, ‘when’, and ‘how’ of the communication. It reveals information about the user, for example, who is talking to who, which in certain cases can be useful even if a malicious actor doesn’t know what they are saying.
When aggregated, metadata can become even more valuable and is often harvested and sold to advertisers. This is how free-to-use services monetise their users. Apart from the adverts being annoying (and creepy), it is a security risk for organisations.
Assess supply chain for trust and resilience
Do you know every element of your secure communications service and who supplies it? Can you trust every element? If your existing solution uses the public internet then you can’t know every element, and therefore you need to mitigate the risks. Another point to consider is whether the system is standards-based (and so can be supported by multiple vendors) or a proprietary system? If proprietary, what happens should that supplier go out of business or be taken over by another organisation?
A final point to think about, for a secure communications solution to be genuinely usable (in other words, there is no reason for users to circumvent the system with workarounds or “shadow IT”), can users communicate with people outside of the organisation? Any solution adopted needs to be able to talk to other secure communications systems.
The ease of use of a communications app belies the underlying complexity, so when looking for a solution that is secure enough for enterprise and business use, there is a lot to consider.
Our new technical white paper goes into each of the NCSC’s Secure Communications Principles in much more detail and explains how Armour applies these principles across our products. You can download a copy here:
Alternatively you can view our Podcast:
Part 1: Click Here
Part 2: Click Here
Total privacy, no reliance on the open-internet, rugged devices with great user experience
London, 14 April 2021: Armour Comms and Bittium have announced the availability of a NATO approved secure communications solution. The new solution which runs on Bittium’s Tough Mobile™ 2 series of ruggedised and secure smartphones ensures voice and video conversations, and the associated files and attachments, stay completely private, no matter how hostile the environment. Aimed at military, defence, law enforcement and government markets worldwide, the Bittium and Armour® Mobile product provides the same user experience as consumer-grade solutions, while keeping data in transit secure at all times via the Bittium Safe Move® Mobile VPN.
The Bittium/Armour Mobile secure comms solution provides out-of-the-box security with everything needed for rapid provisioning of end users contained within the box. Devices are provisioned using a deep-link QR code from Armour and Bittium’s Secure Suite™ device management software. This avoids the ‘weak link’ of relying on SMS messages for authentication codes, and allows the use of Armour Mobile over networks where Voice over IP (VoIP) traffic is blocked or restricted.
Sammy Loitto, Senior Vice President, Sales at Bittium commented; “Security-conscious sectors are an important market for Bittium where we supply our secure and ruggedised smartphones in a variety of options, often without any consumer-grade apps that may compromise security. The Armour Mobile software application is NATO approved, providing the ideal solution for handling data classified at NATO Restricted. Armour Mobile is easy and intuitive to use, further enhancing our joint offering.”
The award-winning Armour Mobile secure comms app is now available on Bittium Tough Mobile 2. When packaged with the Bittium Secure Suite MDM the solution provides:
David Holman, Director and co-founder of Armour Comms said; “At Armour we develop communications solutions that combine the usability of consumer-grade apps with enhanced security required by professional users. Armour Mobile is already widely used by defence and governments around the world. This new joint offering with Bittium offers absolute privacy for data and meta-data, that stays completely within the control of the organisation, on a robust smartphone.”
Secure communications supplier achieves ISO/IEC 27001:2013 in just six months
London, 30 March 2021: Armour Comms has been registered by Intertek Certification Limited as conforming to the requirements of the ISO/IEC 27001:2013 standard ensuring that security is embedded within company culture, to minimise risks from cyber threats, and to ensure resilient processes and controls. The certification covers Armour’s Information Security Management System (ISMS) which encompasses the development and delivery of Armour’s flagship products Armour® Mobile and SigNet by Armour®, and all white-labelled products. Armour Comms provides trusted, secure instant collaboration solutions for mobile devices and desktops, that are widely used in Government, military and defence sectors around the world.
David Holman, Director and co-founder of Armour Comms said; “We are delighted that the ISO27001 certification for our company management processes has been achieved at the first attempt and within the ambitious timescales that we set ourselves. This is testament to the hard work and dedication from our technical and management team, all while operating under COVID-19 lockdown conditions.
“Achieving ISO27001 provides a strong baseline for our continued development of robust security solutions, that protect sensitive data, while delivering a great user experience on standard smartphone devices and desktops – an attractive alternative to consumer-grade apps designed for business use. End-user engagement is a key component of good security solutions and an area that we will continue to focus on within our ISO27001 product design processes.”
ISO/IEC 27001 details requirements for establishing, implementing, maintaining and continually improving an information security management system – the aim of which is to help organisations make the information assets they hold more secure. It requires that management:
Dr. Andy Lilly, CTO and co-founder of Armour Comms added; “At Armour we have a strong track record in compliance with industry standards. We have previously completed CPA and NATO certifications, and Armour Mobile uses the NCSC’s MIKEY SAKKE protocols. Achieving ISO27001 certification demonstrates our continued holistic approach to security, throughout the entire lifecycle of our products which will ultimately benefit all customers, across all product lines.”
Armour Comms has published a podcast explaining the differences between CPA and ISO27001. It can be viewed here:
https://www.youtube.com/watch?v=4v9aojG3EeQ&feature=youtu.be
ISO27001 and CPA certification – Apples and Bananas
Comparing ISO27001 and CPA is like comparing apples with bananas. They are both recognised industry standards associated with cybersecurity in much the same way that apples and bananas are both fruit, but they are designed to do different things. In a nutshell, CPA certifies an individual product and ISO27001 certifies a whole company covering all of its processes and procedures around information security, and the way that it develops its products.
At Armour we are well qualified to talk about both ISO27001 and CPA as we have achieved both. Here is an explanation of each, with plus and minus points for both.
What is CPA
Commercial Product Assurance (CPA) was a scheme introduced in 2014 by CESG, the UK’s National Technical Authority for Information Assurance which is now part of the National Cyber Security Centre (NCSC). It was launched to coincide with the replacement of the Government Protective Marking Scheme (GPMS) by the Government Security Classifications Policy (GSCP) where data is categorised into just three levels of classification for UK information assets, OFFICIAL, SECRET and TOP SECRET (<uhttps://www.gov.uk/government/publications/government-security-classifications). The three classifications didn’t give quite enough granularity so a ‘handling caveat’ of OFFICIAL-SENSITIVE was also introduced for the subset of OFFICIAL information that required additional protection (https://www.gov.uk/guidance/official-sensitive-data-and-it).
For the CPA scheme, the NCSC sets a series of standards which independent test laboratories use to assess products for their suitability to handle OFFICIAL data. (Formally, SECRET use required High Grade products assessed using the even more costly CAPS process https://www.ncsc.gov.uk/information/products-cesg-assisted-products-service). The CPA standards are published so that both the companies and potential purchasers of the products can see the requirements against which testing has been performed.
In other words, CPA certification confirms that the product does what the vendor says it does, giving a level of assurance for purchasing organisations, that they know what they are buying, and that it does what they think it does. The more experienced (cynical) among you will know that this is not always a forgone conclusion in the world of software.
What is ISO27001
ISO27001 is an international standard specific to Information Security Management, originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013 and again for European markets in 2017. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organisations make the information assets they hold more secure. Organisations that meet the standards are audited by an independent body and certified as such.
ISO/IEC 27001 requires that management:
Comparing ISO 27001 and CPA
The main limitation of the CPA scheme is that it is product based, so only ever relates to an individual product. If that product is updated, for example, to introduce new features and benefits, or simply to run on a newer version of hardware, it needs to be re-assessed (and CPA also requires a full re-certification every 2 years). This is costly and time-consuming. It makes it difficult for vendors to keep pace with the rapid pace of technology (particularly in the mobile space) and reduces the choice for purchasers.
ISO27001 is not product specific, therefore does not provide the very specific assurance offered by CPA certification. However, it does provide a more holistic approach to information security and ensures that organisations are managing the processes within their declared scope. For Armour, this means the entirety of our product development, delivery and support operations as well as all supporting aspects of the company (finance, HR, etc.) follow security best practices. (The scope is important – some suppliers only certify a subset of their processes/operations.) This provides purchasers with broad confidence that products and services delivered by ISO 27001-certified organisations should be secure and – just as importantly – that they will be updated over time to mitigate new security concerns.
Both CPA and ISO27001 are expensive and time consuming for the vendor, however they do demonstrate a certain commitment to providing quality products that comply with recognised industry standards.
And why is all of this important?
NCSC is discontinuing the CPA scheme for all products with the exception of smart meters. At the moment there is no replacement scheme, causing a dilemma for security conscious organisations that would normally opt for a CPA certified solution. How can they be assured that any new solutions they use to handle classified data are suitable and up to the job?
This is where we believe ISO27001 is becoming increasingly important. ISO27001 covers much more than simply IT, and certainly more than a single product, making it significantly different to CPA, but in many ways, we believe better. In essence, with ISO27001, the processes and controls within the company or organisation are assessed and certified, meaning that any and all products developed will have been done so using tried and tested means. This enables a more flexible approach for the vendor and purchaser alike. Under ISO27001 it is much easier for products to be updated to keep pace with rapidly changing technology and security threat landscape.
In the meantime we continue to work closely with NCSC with the aim of supporting whatever assurance scheme they implement to supersede CPA.
To hear our CTO Andy Lilly further discuss the differences between CPA and ISO27001 listen to our podcast here: <uhttps://www.youtube.com/watch?v=4v9aojG3EeQ&feature=youtu.be
If you or your security accreditors have any questions please get in touch. sale@armourcomms.com
Working from Home requirements and increased security awareness around the dangers of consumer-grade apps fuel demand for Armour Mobile
London, 16 February 2021: Armour Comms, the leading provider of specialist, secure communications solutions, has seen continued year-on-year growth during 2020. The company has achieved an increase in license revenue with annual recurring revenue (ARR) up 28%. Having secured its first round of outside investment of £2million from external investors in late 2019, Armour made a range of key appointments across the business to fast-track product development and address new markets. Revenue generated has been evenly spread across the regions with 30% from the UK, 33% from the Middle East, and 37% from the rest of the world.
David Holman, Director and co-founder of Armour Comms commented; “2020 has been a year of continued growth for Armour, despite the pandemic. In part this has been due to an increased awareness of the security shortcomings of using consumer-grade apps, particularly as people were forced to work from home. We have also invested in our expansion with an increase in head count of 20%, mainly in development, quality assurance and customer support. We maintain a strong focus to ensure we develop solutions that are highly intuitive as well as maintaining appropriate levels of security.”
During 2020 Armour agreed terms with a number of new partners in key geographic regions and signed up several significant new customers, as well as expanding the Armour user-base in the military/defence and government sectors.
2020 also saw an increase in demand from enterprises in non-regulated industries for SigNet by Armour, a secure comms app based on Signal. SigNet, which uses AES-256 bit encryption, has been toughened with more enterprise-grade security features such as an on-premises option for total privacy (a cloud option is also available), no auditability, secure groups, allow listing features, and a much improved, highly intuitive user interface.
How safe is your data?
A few years ago we posted a blog – AES-128 v AES-256 encryption – What’s the difference?
To date, it has been our most popular page.
In answer to the question “What’s the difference”, we stated – Practically nothing!
That is because 128 bit encryption is pretty strong, and being a magnitude stronger may not make you that much more secure, given that it is rarely the encryption that is the weakest link and therefore rarely the part that gets attacked.
Since we wrote the blog, quantum computing has come closer and is now a real possibility within the next few years. For this reason, we thought it was worthwhile revisiting our blog to see if this made any practical difference between 128 and 256 bit encryption
Our CTO and co-founder Dr. Andy Lilly explains the differences in this short podcast.
Available on:
YOUTUBE: https://youtu.be/Z463jy64fwo
Signal-based secure communications app extends enterprise features to support organisations moving away from WhatsApp
London, 26 January 2021: Armour® Comms, the leading provider of specialist, secure communications solutions, has announced the availability of SigNet by Armour® v2.1, which includes new features designed specifically for enterprises. SigNet by Armour, provides secure voice, video, messaging, group chat, file attachments and MessageBurn (timed messages) with AES-256 bit encryption for iOS and Android devices, and for use with Windows 10, macOS and Linux. Based on the well respected Signal app, SigNet by Armour provides additional security features such as an on-premises option for total privacy and no auditability (as well as the choice of cloud installation), secure groups and allow listing features, and a much improved, highly intuitive user interface.
New with SigNet v2.1 is support for QR codes and deep links for one-click provisioning which streamlines on-boarding new users, and saves time and resource for IT departments.
David Holman, Director at Armour Comms commented; “SigNet by Armour has been specifically designed for use by non-regulated organisations that require enterprise-grade secure communications. SigNet provides a great user experience, with the assurance of absolute privacy for data and meta-data, that stays completely within the control of the enterprise. At a time of heightened concern about new privacy policies of consumer-grade messaging apps SigNet is a better, more secure alternative that is GDPR compliant, specifically designed for professional use.”
SigNet has a range of built-in features ideal for mitigating security threats in an enterprise environment, such as;
SigNet by Armour is available as a Software as a Service (SaaS) product hosted on Armour’s secure cloud, or as an on-premises installation, and uses a peer-to-peer key management system.
Armour Comms has published a White Paper: Why WhatsApp Is Not Suitable for the Workplace. For a copy please email: andreina@pra-ltd.co.uk,
or download from: HERE
