Reflections from DSEI – Secure Comms are gaining ground

Back from DSEI, and time for reflection on our first face-to-face, real-world event in nearly two years. A lot has changed, and not just pandemic-related working patterns. Since we were last at DSEI there has been a sea change in perception about the necessity for secure communications. There is a growing understanding of why people need controlled, secure apps for business/work/official comms and why consumer grade apps, like WhatsApp (and others), are simply not suitable. This article in the New York Post is the latest in a string of news stories on why WhatsApp is not as private and secure as Facebook would have us believe: https://nypost.com/2021/09/07/facebook-reads-and-shares-whatsapp-private-messages-report/

As the world reopens for business it needs trusted communications across untrusted networks

Talking to a wide range of people at DSEI has confirmed what we believed to be the case from many conversations we’ve had in recent months.  While working from home people have been using tools like Teams and Zoom, which they are now used to. Organisations know that such tools are not really secure enough, but they’ve mitigated a lot of the risk with processes and additional technology, because while people are working from home, the network is a known entity, even if not totally trusted.

However, as the world starts to open up once more, people are moving to hybrid and remote working, which means a return to airport lounges, coffee shops, shared offices, and anywhere that there is a WiFi connection.  Working from a myriad of different locations also means a return to dynamic untrusted and unknown networks in a landscape where threats have evolved and perpetrators are two years more savvy.

Unlike the start of the pandemic, where lockdown was sudden and IT departments scrambled to keep staff productive by any means possible, the return to more normal working can be planned, which means ensuring people have the appropriate tools for the job.  This includes a professional, enterprise-suitable, secure comms solution.

Armour Comms has the answer

Working with our strategic partners at Qinetiq, Amiosec, Bittium and Samsung, Armour Comms is able to provide a broad range of solutions suitable for many different use cases including those with higher assurance requirements.

One of our customers is currently deploying Armour Mobile across several operational and office areas to replace the use of consumer grade apps.  Our NATO approved solution now includes unique Secure Push technology from Bittium, allowing secure and battery efficient signalling of Armour Mobile calls and messages via classified networks without requiring connectivity to the public internet. This ensures that voice and video conversations, and the associated files and attachments stay completely private, no matter how hostile the environment, all the while providing a user experience to match consumer-grade apps.

On show for the first time was Unity by Armour, which works in conjunction with Armour Mobile to provide secure video conferencing calls (pre-defined or on-the-fly), screen sharing and integration with secure chat groups. The extension to our offerings enabling secure collaboration was extremely well received highlighting the growing requirement for enterprise secure video conferencing. In addition to our existing one-to-one secure audio and video calling Unity by Armour provides picture in picture and multiple screens, and offers a familiar video conferencing interface, making it easy and intuitive to use. Available with a choice of hosting options, which includes on-premises installation, communities are controlled by invitation-only, increasing security and guarding against ‘zoom-bombing’.

For more information about the importance of Secure Conferencing view our podcast on the topic here: https://youtu.be/Mrj9iaPedSI

Secure-by-default communications to power productive collaboration

The importance of a good user experience can’t be overstated. If secure solutions are difficult to use, clunky and irksome, people will simply resort to other less secure methods often via un-managed and unsecure ‘shadow IT’.  A secure comms app needs to be easy enough to use for everyday business communications allowing users to be productive and collaborate without friction. People don’t want to differentiate between what should be a ‘secure call’ and a conversation that can be had over ‘normal’ channels, and nor should they have to.  Armour Comms solves the conundrum of a secure-by-default comms application that is still easy to use and quick to deploy at scale.

Contact us today for a trial 

Safety Detectives: Q & A With Armour Communications

Safety Detectives: Please share your company background, how you got started, and your mission?

Armour Communications: Armour Communications was founded in 2015, by directors David Holman and Andy Lilly. They recognized that there was a need for more robust mobile communications solutions for enterprises. All organizations, in every sector, of every size, both public sector and commercial, have sensitive data to protect. (Examples of these are: intellectual property, price lists, customer lists, formulae, commercial agreements, merger/acquisition/valuation data, personally sensitive/identifiable information, information relating to personal or national security)…

Click here to read the full interview:  https://www.safetydetectives.com/blog/qa-with-armour-communications/

 

GDPR and Mobile Comms

How compliant is your organisation?

GDPR may have slipped from the headlines, and now be seen simply as ‘job done’ in many organisations. However, with the widespread adoption of remote working due to the pandemic, some aspects of data security may have slipped as people revert to less than optimal practices. It is worth remembering that the penalties for infringement can be costly with a maximum fine of €20m or 4% of annual global turnover, whichever is the greater.

Data Privacy is a worthy goal

GDPR legislation should not be viewed merely as a compliance requirement. There is very real value in protecting privacy given that personal data is so highly sought after by criminals, and its loss can be devastating for the individual concerned. Protecting personal data is a worthy goal in its own right. If people in your organisation are using consumer-grade apps for business communications then you may be contravening GDPR regulations.

As an example, as we cover in our ‘Replacing WhatsApp for Business?’ blog, WhatsApp should not be used for business communications – it expressly says so in its Ts & Cs. Apart from this, you should keep in mind these points when assessing what data might be shared using an app that your organisation does not control:

  • What type of data is being shared using mobile apps? Is it personally identifiable, like HR or payroll data?
  • Has consent been given for the data to be shared, such as business contacts whose details are then distributed via mobile phone apps?
  • Can you control where the data might end up? Can you stop it being forwarded to an unauthorised user or location? Do you know where the servers are located that will store the data?
  • Can you control who might see the data?
  • Can the data be deleted once it is no longer required?

If you are unsure about any of these points, then it is worth taking a closer look at the apps in use in your organisation, and safe-guarding your business by moving to an Enterprise-grade secure communications app.

Enterprise-grade alternatives from Armour Comms

Armour Comms provides a range of solutions, and the knowledge and experience to curate a suitable service to meet exact requirements. Armour Comms solutions are specifically designed to provide enterprise-ready capabilities, including gateways into existing unified communications systems, for professional customers including governments, financial and legal businesses, defence organisations and high net worth individuals.

Armour Mobile – available for iOS, Android and Windows Desktop, hosted on the Armour Secure Cloud, or as an on-premises solution. Based on NCSC and NATO approved MIKEY-SAKKE protocols, the Armour Mobile app is downloadable from app stores, and benefits from both central administration and quick-and-easy provisioning of new users.

Armour Recall – is now available as an additional module for Armour Mobile users for on-premises deployments and provides secure, centralised audit of all text, audio and message attachments. While designed for organisations in regulated industries such as financial services, legal, pharmaceutical and medical, Recall audit capabilities can be useful for many other security conscious organisations that need to be able to prove who said what, to whom, and when.

SigNet by Armour – an alternative to Armour Mobile for specific use case requirements, using AES 256-bit encryption technology. Available as a hosted or an on-premises solution, SigNet too is downloadable from the app stores, centrally administered, and quick and easy to provision new users.

All Armour products are designed with the end user in mind, to deliver a highly usable experience that surpasses free-to-use apps, with enterprise features and security baked in.

For more information on how Armour Comms can help your organisation to secure personal and sensitive data held on business mobile devices, contact us today.

 

Armour Comms has published a podcast explaining GDPR and its impact on Mobile Communications which you can view here:

https://youtu.be/kI7qyzXR0-U

Replacing WhatsApp for Business?

Here are some points you should consider

Chat apps in business have become akin to SMS in the late 1990s.  For those of you that don’t remember, SMS was clunky to use, and really only ever intended to be used by geeky, techie types. However, that didn’t stop it taking off with mass adoption, including by business people.   In much the same way, chat apps are not designed for professional use, but somehow, they have infiltrated many workplaces, bringing with them various security and data privacy issues.

Getting the Genie back in the bottle

So what can you do about it?  Some organisations have gone so far as to ban the use of WhatsApp[i]. However, much like getting the genie back in the bottle, once people have experienced the ease of use of these consumer chat apps, it’s difficult to stop their use.  The trick is to give your staff something even better than WhatsApp.  By better we mean, with extra, enterprise-grade functions which the user will love, and far stronger security, which is imperative for the business.

What are the alternatives?

There are quite a few free-to-use alternatives, the best of which is widely accepted as Signal. However, Signal suffers from some of the same drawbacks as WhatsApp.  The issues are:

  • In order to use the app, users must register with their GSM/Mobile number. It is relatively easy to spoof a mobile number, which means that users cannot be certain who they are communicating with
  • All users are in a single group, so that anyone can call anyone else. Groups or communities of users cannot be managed centrally.
  • The app is managed in the US – so metadata leaves sovereign shores.

 

Like Signal – only better

SigNet by Armour®, as the name suggests, is based on Signal which is internationally recognised as the most secure consumer app.  We’ve taken all the best bits and packaged them up with extra features and an easier to use interface to provide an enterprise-ready solution.

By enterprise-ready we mean:

You can have an on-premises or cloud hosted instance. The cloud version uses the Armour secure-cloud, which is UK based – so your data and metadata never leave sovereign UK shores. You have complete control of your data.

Contact lists or communities can be managed centrally.  New users must be invited by central admin, and approved before they can join.  That means that your users know exactly who they are communicating with – no spoof users with stolen identities.

No requirement to use a mobile phone number. With Armour you only need a unique identifying code – it doesn’t need to be a mobile number.  This is an extra layer of security that can keep business and personal communications separate even on the same device, and which also keeps users’ personal details private.

Full enterprise functionality.  Including voice calls, text/chat, video, and attachments – all of which are managed inside the app, stay inside the app, and are completely encrypted.

Scalable, fast provisioning for new users. We use secure, one-time use, QR codes to get new users up and running with the minimum of fuss. Great for users, and the IT department.

Enhanced User Interface. Designed with the user experience in mind, intuitive and easy to use, especially for those upgrading from WhatsApp.

Professional support services. We provide both phone and email support, that is UK-based.

Fully GDPR compliant. All data is kept within the app, and no contact information is shared.

 

Benefits of a really secure communications app

SigNet helps to get the WhatsApp genie back in the bottle. Providing employees with an enterprise-grade communications app improves security and protects sensitive business information such as intellectual property (product specs, price lists, formulae, recipes, patents), customer information, and contact details.  It also helps to avoid embarrassing data breaches which can damage reputation, and perhaps a less obvious benefit, employees are encouraged to take data security more seriously. The very act of using a special app for business communications is a reminder to be careful and take cyber security seriously.

Act Fast

If your business managers need to communicate about any kind of sensitive information that, if divulged, could put your business in jeopardy, or provide commercial advantage to competitors, contact us today, and have the security of SigNet by Armour up and running in your organisation within minutes.

sales@armourcomms.com

[i]   Germany’s data chief tells ministries WhatsApp is a no-go: https://www.dw.com/en/germanys-data-chief-tells-ministries-whatsapp-is-a-no-go/a-53474413

Replacing WhatsApp? Advice from NCSC

What exactly should you be looking for?

When considering a secure communications solution for your organisation there are a lot of different options.  Not least of these are free-to-use consumer grade apps.  Without vigilance these apps can seep into business use without any oversight from the organisation, often because employees use the apps for personal life and they seem like an expedient way to communicate.  These apps claim end to end encryption, but do they really meet the needs of an enterprise?  And what extra do paid-for Enterprise solutions offer?

As we’ve pointed out many times before, there is much more to security than just encryption – this is an important point made by the UK National Cyber Security Centre (NCSC). It has published a document ‘Secure communications principles’ highlighting key points for secure communications. As usual, NCSC has done an excellent job of laying out the potential hazards – and how to avoid them – in an easy-to-read form. Here is an outline of those principles and why they are important.

NCSC 7 Principles for Secure Communications

There are seven principles defined by NCSC, and they are:

  1. Protect Data in transit
  2. Protect network nodes with access to sensitive data
  3. Protect user access to the service
  4. Ensure secure audit of communications is provided
  5. Allow administrators to securely manage users and systems
  6. Use metadata only for its necessary purpose
  7. Assess supply chain for trust and resilience

 

Protect Data in Transit

At some point, your communications are very likely to travel over the public internet, which is by its nature an untrusted network.  You don’t control it, so you can’t trust it. If not well protected, data travelling over an untrusted network can be tampered with, or people may be able to eavesdrop on your conversations and exchanges.

Another issue is messages being sent to the wrong person. This could be because you mistyped their address, or someone has spoofed or stolen an identity.  This means that you could think you are interacting with a trusted colleague, when in fact a hacker has misappropriated their account. You could be tricked into giving sensitive, valuable information, or downloading malware.

Protect network nodes with access to sensitive data

A node is a connection point inside a network that can receive, send, create, or store data. Each node requires you to provide some form of identification to receive access.  As your message travels across the network and passes through these nodes, if it has any unencrypted data, it may be accessed by the nodes. While the communication within the message may be encrypted by the app, your metadata may not be.

Another key point to consider is that encrypted messages rely on an encryption key to encrypt and decrypt. The key needs to be shared with the recipient for them to read the message, so there needs to be some form of key management system. If someone were to get hold of the key, they could read the message. If someone could get into the key management system, that would undermine the trust of the communications system, and you wouldn’t necessarily know that this had happened until it was too late, and that sensitive information had been compromised.

Protect user access to the service

As alluded to earlier, when you communicate with a trusted colleague, you assume that it is them. However, if their account is hacked, you may not be communicating with who you think you are*.  For this reason, strong user authentication is an important part of a communications system.

If your colleagues are using their own phones for business use, i.e. an unmanaged device, there is also the danger that details such as user credentials and historic communications content are processed and stored without being encrypted. Therefore, if someone else gains access to that device/phone, information could be compromised. This is another reason for strong access control authentication (for example, fingerprint scan or password).

*In case the risk here isn’t clear, this is the ‘messaging app’ analogy to Business Email Compromise (BEC) which the FBI’s 2020 Internet Crime Report https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics  indicated cost $1.8B last year, more than the total costs of confidence fraud, ransomware, identity theft and several other categories all added together!

Ensure secure audit of communications is provided

For those working in regulated industries (financial services and health, for example) it is important that all communications can be audited (i.e. recorded and stored). However, this is not as easy as it sounds. The communications content must be kept secure, and there needs to be tight controls around who can access the content, when and why. This level of access would be highly desirable to criminals. Consumer grade apps certainly do not provide this level of service and some may even monitor your content for advertising or other purposes.

Allow administrators to securely manage users and systems

All IT service desks know that if users are allowed to administer their own accounts you end up with anarchy. For a secure communications system to remain secure, it must be properly managed. This means controlling who can join, and who can communicate with which groups. In contrast, consumer apps allow anyone to join – which could include hackers, criminals, and disgruntled ex-employees – and then to contact anyone else on the system.

Controlling who is admitted to the system provides a level of trust, that you know who you are communicating with, and that should someone leave the organisation, their account is disabled.

Use metadata only for its necessary purpose

Put simply, metadata is the ‘who’, ‘where’, ‘when’, and ‘how’ of the communication. It reveals information about the user, for example, who is talking to whom, which in certain cases can be useful to a malicious actor even if they don’t know what is being said.

When aggregated, metadata can become even more valuable and is often harvested and sold to advertisers.  This is how free-to-use services monetise their users. Apart from the adverts being annoying (and creepy), it is a security risk for organisations.

Assess supply chain for trust and resilience

Do you know every element of your secure communications service and who supplies it?  Can you trust every element? If your existing solution uses the public internet then you can’t know every element, and therefore you need to mitigate the risks.  Another point to consider is whether the system is standards-based (and so can be supported by multiple vendors) or a proprietary system?  If proprietary, what happens should that supplier go out of business or be taken over by another organisation?

A final point to think about: for a secure communications solution to be genuinely usable (in other words, there is no reason for users to circumvent the system with workarounds or “shadow IT”), can users communicate with people outside of the organisation? Any solution adopted needs to be able to talk to other secure communications systems.

The ease of use of a communications app belies the underlying complexity, so when looking for a solution that is secure enough for enterprise and business use, there is a lot to consider.

Our new technical white paper goes into each of the NCSC’s Secure Communications Principles in much more detail and explains how Armour applies these principles across our products.  You can download a copy here:

 

Alternatively you can view our two-part podcast.

ISO27001 and CPA certification – Apples and Bananas

 

Comparing ISO27001 and CPA is like comparing apples with bananas. They are both recognised industry standards associated with cybersecurity in much the same way that apples and bananas are both fruit, but they are designed to do different things.  In a nutshell, CPA certifies an individual product and ISO27001 certifies a whole company covering all of its processes and procedures around information security, and the way that it develops its products.

At Armour we are well qualified to talk about both ISO27001 and CPA as we have achieved both.  Here is an explanation of each, with plus and minus points for both.

What is CPA

Commercial Product Assurance (CPA) was a scheme introduced in 2014 by CESG, the UK’s National Technical Authority for Information Assurance which is now part of the National Cyber Security Centre (NCSC). It was launched to coincide with the replacement of the Government Protective Marking Scheme (GPMS) by the Government Security Classifications Policy (GSCP) where data is categorised into just three levels of classification for UK information assets, OFFICIAL, SECRET and TOP SECRET (https://www.gov.uk/government/publications/government-security-classifications). The three classifications didn’t give quite enough granularity so a ‘handling caveat’ of OFFICIAL-SENSITIVE was also introduced for the subset of OFFICIAL information that required additional protection (https://www.gov.uk/guidance/official-sensitive-data-and-it).

For the CPA scheme, the NCSC sets a series of standards which independent test laboratories use to assess products for their suitability to handle OFFICIAL data. (Formally, SECRET use required High Grade products assessed using the even more costly CAPS process https://www.ncsc.gov.uk/information/products-cesg-assisted-products-service). The CPA standards are published so that both the companies and potential purchasers of the products can see the requirements against which testing has been performed.

In other words, CPA certification confirms that the product does what the vendor says it does, giving a level of assurance for purchasing organisations, that they know what they are buying, and that it does what they think it does. The more experienced (cynical) among you will know that this is not always a foregone conclusion in the world of software.

What is ISO27001

ISO27001 is an international standard specific to Information Security Management, originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013 and again for European markets in 2017. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organisations make the information assets they hold more secure. Organisations that meet the standards are audited by an independent body and certified as such.

ISO/IEC 27001 requires that management:

  • Initiates processes that examine the organisation’s information security assets, and assesses risks, threats, vulnerabilities and the associated possible impacts
  • Implements a series of integrated and comprehensive controls and risk management strategies that address risks to information security assets
  • Undertakes a program of continuous assessment and improvement to ensure that information security controls evolve to meet current and ongoing requirements

Comparing ISO 27001 and CPA

The main limitation of the CPA scheme is that it is product based, so only ever relates to an individual product. If that product is updated, for example, to introduce new features and benefits, or simply to run on a newer version of hardware, it needs to be re-assessed (and CPA also requires a full re-certification every 2 years). This is costly and time-consuming. It makes it difficult for vendors to keep up with the rapid pace of technology (particularly in the mobile space) and reduces the choice for purchasers.

ISO27001 is not product specific, therefore does not provide the very specific assurance offered by CPA certification. However, it does provide a more holistic approach to information security and ensures that organisations are managing the processes within their declared scope. For Armour, this means the entirety of our product development, delivery and support operations as well as all supporting aspects of the company (finance, HR, etc.) follow security best practices. (The scope is important – some suppliers only certify a subset of their processes/operations.) This provides purchasers with broad confidence that products and services delivered by ISO 27001-certified organisations should be secure and – just as importantly – that they will be updated over time to mitigate new security concerns.

Both CPA and ISO27001 are expensive and time consuming for the vendor, however they do demonstrate a certain commitment to providing quality products that comply with recognised industry standards.

And why is all of this important?

NCSC is discontinuing the CPA scheme for all products with the exception of smart meters. At the moment there is no replacement scheme, causing a dilemma for security conscious organisations that would normally opt for a CPA certified solution.  How can they be assured that any new solutions they use to handle classified data are suitable and up to the job?

This is where we believe ISO27001 is becoming increasingly important. ISO27001 covers much more than simply IT, and certainly more than a single product, making it significantly different to CPA, but in many ways, we believe, better. In essence, with ISO27001, the processes and controls within the company or organisation are assessed and certified, meaning that any and all products will have been developed using tried and tested means. This enables a more flexible approach for the vendor and purchaser alike. Under ISO27001 it is much easier for products to be updated to keep pace with rapidly changing technology and the security threat landscape.

In the meantime we continue to work closely with NCSC with the aim of supporting whatever assurance scheme they implement to supersede CPA.

To hear our CTO Andy Lilly further discuss the differences between CPA and ISO27001 listen to our podcast here: https://www.youtube.com/watch?v=4v9aojG3EeQ&feature=youtu.be

If you or your security accreditors have any questions please get in touch. sales@armourcomms.com

AES-128 and AES-256 encryption v Quantum Computing

How safe is your data?

A few years ago we posted a blog – AES-128 v AES-256 encryption – What’s the difference?

To date, it has been our most popular page.

In answer to the question “What’s the difference”, we stated – Practically nothing!

That is because 128 bit encryption is pretty strong, and being a magnitude stronger may not make you that much more secure, given that it is rarely the encryption that is the weakest link and therefore rarely the part that gets attacked.

Since we wrote the blog, quantum computing has come closer and is now a real possibility within the next few years. For this reason, we thought it was worthwhile revisiting our blog to see if this made any practical difference between 128 and 256 bit encryption.

Our CTO and co-founder Dr. Andy Lilly explains the differences in this short podcast.

Available on:

YOUTUBE: https://youtu.be/Z463jy64fwo

 

Protecting your Digital Identity – Lessons from Jeremy Vine

It’s that time of year again, when everyone is making predictions for the year ahead.  One of the key themes being cited for 2021 is Digital Identity.  To be fair, digital identities have been around since there were online systems that required passwords or authentication of some form. And it’s certainly nothing new in the cybersecurity world.

BUT, there is an increasing awareness within the population at large, that protecting your digital identity matters.

Cyberattacks have doubled this year

With many more people working from home, with more distractions (home schooling, sharing workspaces with partners for example) and with heightened levels of stress, phishers, scammers and hackers have had an exceptional 2020.  It is widely reported that cyberattacks of all forms have doubled year-on-year during 2020 as criminals took advantage of the disruption caused by the pandemic.  We are all susceptible to a clever social engineering scam, as the recent experience of broadcaster Jeremy Vine demonstrates only too well when his WhatsApp account was hacked:   https://twitter.com/thejeremyvine/status/1327076111096958978?lang=en

Early in the summer news broke of several high-profile figures that had had their Twitter accounts hacked in a Bitcoin scam, https://www.itgovernance.co.uk/blog/catches-of-the-month-phishing-scams-august-2020, including Bill Gates, Elon Musk, Kanye West, Kim Kardashian West, Barack Obama, Mike Bloomberg and US president elect Joe Biden.  Even Apple’s official Twitter account endorsed Bitcoin with a message.

At the risk of sounding like a stuck record, the greatest cyber risk to business is from people and processes (the insider threat).

The dangers of free messaging apps  – again!

The Jeremy Vine example is worrying for the ordinary person and, to his credit, he has tried to draw as much attention to just how easy it is to be sucked in.  However, it should be doubly worrying for companies that still sanction (or at least turn a blind eye to) the use of WhatsApp by employees.  Even though people may not actually be using WhatsApp, or any other form of free, consumer grade messaging app for business communications, if their personal account is hacked, every contact in their address book could be compromised.

Have a think about who is in your contact list – would you want business colleagues, people you are negotiating sensitive deals with, prospects, customers, industry bodies, government officials, your CEO, to receive a message purportedly from you, when in fact it is a criminal pretending to be you?

Apart from the potential embarrassment, what about brand value and reputation?  It doesn’t give a good impression, does it?  And once your account is hacked, what about the rest of the information you have on your phone?  How confident are you to share everything that is on your phone with the rest of the world?

Keep your contacts close

Keep your friends close and your enemies closer still, goes the old adage (actually from The Godfather Part II, but often attributed to Sun Tzu or Niccolo Machiavelli). This is really quite relevant to how we manage our connections today. Everyone’s contact details should be treated with the same respect, not least as it is a requirement of GDPR (which still applies after Britain has left the EU).  However, it’s not just a problem for WhatsApp and its ilk; even well-respected apps such as Signal have this problem when anyone can join a group.  Or to be more precise, everyone who installs the app is automatically in the amorphous, worldwide group of users, where anyone can contact anyone else.

Business communications, and that includes contacts directories, should be compartmentalised to avoid embarrassing phishing hacks at best, and data loss motivated by industrial espionage, or state-sponsored attacks on national security at its most serious.

With Armour Mobile, organisations are able to centrally manage individual groups of users as well as to apply personnel changes, keeping contact directories for everyone up to date efficiently.  Armour Mobile has its own Contacts list into which users can add other users’ contact details, as well as import Contacts files. Users from different departments or groups can communicate if they are white-listed, which can be managed centrally.  With business contacts stored within Armour Mobile, if someone’s consumer-grade messaging account is hacked, their colleagues won’t receive compromising messages, nor will they be tricked into communicating with scammers and criminals, and all that that implies.

For more information on how to protect digital identities, and sensitive business contacts, contact us HERE

Boutique Security goes Mainstream

Armour Mobile starts to scale!

At Armour we started out providing solutions to really quite specific security problems: how to enable people who need to communicate via mobile phones to do so in utmost privacy, without danger that their conversation could be intercepted, recorded, or hacked.

This is quite a bit more complex than it sounds, given that some parts of the mobile phone network rely on 40-year-old technology, and large swathes of the internet are owned by multi-national social media companies who are far more interested in passing on their users’ details to advertisers than they are in user privacy.

What started out as a ‘boutique’ security solution for Government departments, defence contractors, specialist security services and other highly security-conscious organisations is now being adopted by a much broader user base.

We are pleased to report that Armour Mobile is no longer just the secure comms app of choice for a relatively small number of specialist individuals within organisations; it is now being deployed on a far wider scale.

This hasn’t happened overnight.  It’s long been our mission to bring truly secure mobile comms and collaborative working to the professional market.  With this in mind we’ve introduced some new features that make Armour Mobile more usable at scale.

Integration and Management

The integration and management elements of Armour Mobile are key aspects in any enterprise deployment. In any large organisation, be it commercial, government or not-for-profit, the number of software applications will be too many for it to be possible to manage each one individually. Learning the unique methods of getting the best out of each application would simply take too much time and so they need to be integrated into a set of industry standards to be managed efficiently.

As an example, to meet resilience and redundancy requirements, most modern software products now use, or are moving to, Kubernetes to provide automation of deployment, scaling and management for applications. Put simply, Kubernetes allows products to be handled consistently and efficiently without the need for detailed understanding of each product. We are developing Kubernetes support in our Armour Core for a future release to enable it to scale.

One-Click provisioning

One-click provisioning, as the name suggests, makes it much easier for end users to get up and running with Armour Mobile, and if it’s easier to use, then users are more likely to use it without question and without introducing workarounds that negate the inbuilt security.  With one-click provisioning there are now different ways to receive the provisioning information, including a printed card, text, email with deep links or secure (one time use) QR codes.  Users simply download the App, receive the provisioning information via the preferred means, and click. For the IT department and Security Officer this means better user adoption and less chance of support calls because the process is so simple. Because the provisioning information is ‘one time use only’, disposing of it once used is easy and there is no need for secure disposal.

Contacts Management

In response to larger customers we’ve addressed the need to be able to integrate Armour Mobile with an organisation’s existing Directory Servers (LDAP or Microsoft Active Directory).  Currently Armour Mobile has its own Contacts list into which users can add other users’ contact details, as well as import Contacts files containing multiple users’ details.  While this works well for smaller groups of users, it does mean that additions/deletions/changes don’t get automatically replicated across all users, which in larger organisations and enterprises can be a daily occurrence.

Armour Mobile Contacts Directory will enable users to more efficiently keep up to date with all the personnel changes that occur in a large organisation.  From a user experience perspective things will look very similar in that a user simply types the name, or the first part of a name, and the system will automatically reference the Contacts Directory in addition to the user’s local Contacts List looking for names matched to what has been typed. The user is given a list of search matches that can then be used to form a new message, or make a call.

Benefits of Scale

The benefits to user organisations of scaling our solutions are many and include the following:

Resilience – the ability to maintain a service 24/7 no matter what, for example, in the face of hacking attacks or natural disaster. Resilience is measured and designed on three basic principles: Confidentiality, Integrity and Availability. Depending on which of these is most important, the design of the infrastructure and its protection can change.

Redundancy – preparing for the fact that modules of the infrastructure will fail and ensuring that when it happens another part of the infrastructure takes over (ideally this would be automatic).

Monitoring – knowing what is happening at any given time and being able to send alerts to people when certain capacities are reached, for example, so that action can be taken if required.

Logging – knowing that you have the data to decipher what has happened when something goes wrong.  Many cyber security solutions rely heavily on logging (and monitoring) to warn of a potential attack.

Reporting – understanding who is using the solution enables organisations to ensure that everyone who should be using it for business communications is using it. In addition, an audit module provides full audit trail capabilities for regulated industries.

In 2020 we’ve seen a huge move towards many more people working from home, outside of the usual enterprise security infrastructure. As we’ve discussed in other blogs, this has brought the use of consumer-grade apps and their suitability for use in business communications into sharp focus. As working remotely is set to become the new normal for many more workers, even after the pandemic is over, providing employees with suitably secure tools for the job is now a priority for many enterprises.