Armour Hackathon

Team building, Innovation and Accelerated Development

We recently ran our first ever Hackathon, with some great results.

The idea was to encourage innovation and creativity by getting everyone in the office, sorting people into teams and getting them to tackle a variety of challenges.

Team Building

After two years of working from home and then hybrid working, we’re rarely all in the office together. The first aim was to foster team spirit and remind everyone they’re all part of the same great company, so we mixed people up! This meant they were collaborating closely with colleagues they wouldn’t necessarily work with directly. We included everyone – so sales and customer-facing roles as well – to help ensure a focus on customer experience and generate a fresh perspective. For new employees, this was a great way to get to know their colleagues.

Product focus

Each team was set a task which would ultimately help with accelerating development across the product range.  The teams were looking at areas including improved encryption, our Unity video conferencing system, automated Chatbots, Broadcasts/Alerts and System Metrics.  Each team delivered a packet of work that will be used within future product developments.

Fun, Fun, Fun

Throughout the day, there were competitions and on-the-spot prizes and awards. We also asked people what they liked best about working at Armour. As you can imagine, the responses were many and varied.  Here are some of the responses that we received:

  • Working with the latest cyber security technology
  • Getting to work with some interesting customers
  • Helping to protect national security
  • Working on difficult problems
  • Working on Government contracts
  • Helping in the fight against cyber crime
  • Knowing that people’s lives may depend on our tech (people working in hostile regimes, etc.)
  • Great camaraderie
  • Crap coffee, but we can get takeout!

 

The first day included pizza and we finished the second day with a buffet and drinks at a local pub.

Armour Comms selected for government-backed Cyber Runway

We are delighted to announce that Armour Comms has been selected for the ‘Scale’ stream of the Cyber Runway accelerator.

Now in its second year, Cyber Runway is the largest government-backed cyber start-up accelerator in the UK. It is delivered by Plexal in association with Deloitte and the Centre for Secure Information Technologies (CSIT), and is funded by the Department for Digital, Culture, Media and Sport (DCMS). The accelerator is part of the government’s mission of making the UK a responsible and democratic cyber power, as laid out in its National Cyber Strategy 2022: https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022

Cyber minister Julia Lopez stated: “We are backing businesses on the frontline defending the UK against cyber threats. Our investment in these innovative British startups helps create skilled jobs and a more diverse workforce, which strengthens our national security as well as our booming tech industry.”

David Holman, Director and Co-founder of Armour Comms said: “Armour will take part in the Cyber Runway Scale stream which is for the UK’s fast-growth cyber start-ups and scale-ups. Our inclusion in this prestigious accelerator programme is testament to our continued commitment to developing highly usable solutions that protect mobile communications. We use different technologies to provide innovative solutions including NCSC approved and Signal-based for a range of business use cases.”

“Having secured contracts with some of the largest government departments in recent years, we are now expecting to enter a phase of accelerated growth.  The in-person and virtual mentoring, technical product development support and connections to investors and enterprises that the Cyber Runway offers will be instrumental in helping us to achieve our growth goals and aspirations.”

Protecting data today ready for a post-quantum world

Are you storing up trouble today for a future when hackers have access to quantum computing and new decryption capabilities? Bad actors could be harvesting securely encrypted data today, as an investment for when quantum computing enables them to decrypt it and use it in the future. That’s why organisations should be identifying the risks now, and it is another reason why keeping the doors firmly locked against today’s cyber attacks is vital.

Widely used public-key encryption systems, which rely on mathematical problems that even today’s fastest computers cannot solve in any practical time, ensure websites, messages and data stay secure from unwelcome third parties. However, with quantum computing on the horizon, there is the very real possibility that some types of encryption could be cracked wide open in a matter of hours in the not too distant future.

The very different technology used by quantum computers could solve the maths problems used for some of today’s encryption systems so much more quickly than current computers that it would allow hackers to easily defeat current security capabilities. You may think you have lots more pressing issues to think about now, and that worries about future cyber hacking can surely be placed on the pile marked ‘Fix tomorrow… or the next day’. Unfortunately, that’s not the case.

Are you creating problems for the future?

The problem is that bad actors taking a long-term view could harvest encrypted data today and keep it untouched until they have the decryption capabilities provided by quantum computing sometime in the future. In 5 or 10 years’ time a lot of current data will be out of date, and its exposure could be mildly embarrassing; however, there will be plenty of data that is still pertinent. Plans of infrastructure and system designs, financial, personnel and medical records all have long-term value, with the possibility of enabling criminals to cause mayhem, damage and fraud well into the future. And while data flows grow exponentially each year, and data storage is not infinite, intelligent adversaries will pick and choose what encrypted data is worth keeping.

Leaving the door open to cyber attacks today could be storing up catastrophic problems and even existential threats for decades to come. What’s worse is that you might not even know that your data has been breached as the perpetrators could take no immediately visible actions, lulling you into a false sense of security.

Creating new protections for the quantum age

In July 2022 the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced that it had chosen the first group of encryption tools designed to protect against assaults utilising the power of future quantum computers. These emerged from a call out in 2016 to the world’s academic and commercial cryptographers to devise encryption methods that could resist future attacks. 82 entries from 25 countries were submitted. Four winning methods and a further four backup approaches were selected.

The CRYSTALS-Kyber algorithm was selected for general encryption, such as that used when accessing secure websites. NIST has selected three further algorithms: CRYSTALS-Dilithium, FALCON and SPHINCS+ for digital signatures, which are needed to verify identities during digital transactions or to sign documents remotely. More details on the algorithms and the selection processes are available on the NIST website.

Combatting the ‘harvest today, decrypt tomorrow’ attacks

It’s comforting to know that the likes of NIST are working to secure our futures, but cyber criminals, with plans to harvest data now then decrypt it in the future using the enhanced power of quantum computers, are effectively attacking your communications and systems today. With this sort of evolving threat to the cyber landscape, it is vital to apply the most stringent cyber security standards and methods currently available. With this in mind, it’s good practice to work with companies (such as Armour) who have a long-term vested interest in protecting their customers, and who have a holistic view of security, from “secure by design” to “secure by default”.

When quantum computing is with us, it’s likely that a hybrid approach to encryption will be best. Instead of replacing existing encryption, retaining the currently used algorithms and topping these up with quantum age methods will deliver the highest levels of protection. Investments in today’s security and encryption will pay double dividends – protection from data harvesting today and as part of a belt and braces approach in the future.
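The hybrid approach described above, as an added example (not Armour's code and not part of the original article): a session key is derived with HKDF from both a classical and a post-quantum shared secret, so it stays secret unless both exchanges are broken. The two input secrets are constructed placeholder bytes standing in for the outputs of an elliptic-curve exchange and a CRYSTALS-Kyber encapsulation; the function names and the label string are assumptions.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): condense input keying material into a PRK."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): stretch the PRK into `length` output bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def length_prefixed(value: bytes) -> bytes:
    """Prefix a field with its length so the two secrets cannot be re-split."""
    return len(value).to_bytes(4, "big") + value


def hybrid_session_key(classical_ss: bytes, pq_ss: bytes,
                       transcript: bytes, length: int = 32) -> bytes:
    """Derive one key that depends on BOTH shared secrets.

    classical_ss: secret from today's algorithm (e.g. an ECDH exchange).
    pq_ss:        secret from the post-quantum KEM (e.g. CRYSTALS-Kyber).
    transcript:   the public handshake messages, bound in so that a key is
                  only valid for the exchange that produced it.
    """
    if not classical_ss or not pq_ss:
        # Never fall back silently to a single algorithm.
        raise ValueError("both shared secrets are required")
    ikm = length_prefixed(classical_ss) + length_prefixed(pq_ss)
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    return hkdf_expand(prk, b"hybrid-example v1 session key", length)


if __name__ == "__main__":
    # Constructed stand-ins for the two key-exchange outputs.
    classical = bytes(range(32))
    post_quantum = bytes(range(32, 64))
    handshake = b"constructed public handshake messages"
    key = hybrid_session_key(classical, post_quantum, handshake)
    # Changing either input gives an unrelated key: recovering only one
    # secret (say, the classical one, years later) is not enough.
    other = hybrid_session_key(classical, bytes(32), handshake)
    print(key.hex())
    print(other.hex())
```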

For more information on how best to encrypt your data today, watch our short podcast on the differences between AES128 v AES256 bit encryption: https://www.armourcomms.com/2021/02/15/aes128-and-aes-256-encryption-v-quantum-computing/

 

Useful Links:

NIST algorithm selections: https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions

Kubernetes demystified

What is Kubernetes and why is the new Armour Core server-side platform based on it?

When IT pros start talking about containers, the term Kubernetes, or K8s, is often mentioned. Initially released in 2015, Kubernetes has only recently become more mainstream, and the latest tech-speak buzzword.

But what is Kubernetes?  Why does it matter and more importantly what benefit can it deliver to your business?  Here we go under the covers of Kubernetes and explain why this platform is one of the fastest moving projects in the history of open source.

Building blocks

To understand why we need Kubernetes, we must first understand containers. A container is a unit of software that can be isolated for security or scalability, usually performing a specific task, with control over its access to the underlying OS and hardware resources. Multiple containers can be combined to build an application and because containers can be reused across different applications, new functionality can be developed more quickly.

Containers are lightweight and virtualise CPU, memory, storage and network resources at the operating system (OS) level, rather than hardware level. As containers are virtual environments that share the kernel of the host operating system, they can more easily be ported to run on a range of hardware platforms that support containerisation (compared to more traditional virtualisation technologies such as Virtual Machines).

Scale and Management

Kubernetes was first developed by a team at Google and later donated to the Cloud Native Computing Foundation (CNCF). It is an open-source platform to manage containerised workloads and services. As Kubernetes is open-source, it has a vast ecosystem of contributors that find and fix bugs and vulnerabilities as well as improving and adding features and functionality.

In a nutshell, Kubernetes delivers a framework to run distributed systems. It automates the deployment, scaling and management of containers. In the case of Armour Mobile, we can define how we need the platform to operate; for example if hardware fails, or if traffic load is high, Kubernetes is configured to ensure resilience without the need for manual intervention. Additionally, Kubernetes is self-healing, restarting containers that fail and killing and replacing containers that fail to respond to defined health checks.

Security by design is the ethos by which we develop all Armour solutions. Security is achieved by the way in which we use Kubernetes and processes incorporated within Armour solutions. Kubernetes allows us to set policies at cluster level to prevent or restrict things which we might consider a security risk.
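A check of the kind the health-check and cluster-policy paragraphs above describe, as an added example rather than Armour's configuration: it audits a Deployment manifest for missing liveness probes and for container settings that a cluster policy would typically restrict. The manifest is constructed, and the rules chosen (privileged mode, privilege escalation, running as root) are assumptions, since the page does not list Armour's policies.

```python
import json

# Constructed sample manifest (Kubernetes accepts JSON as well as YAML).
SAMPLE_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "example-messaging"},
  "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": true},
    "containers": [
      {"name": "api",
       "image": "registry.example/api:1.0",
       "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
       "securityContext": {"allowPrivilegeEscalation": false}},
      {"name": "sidecar",
       "image": "registry.example/sidecar:1.0",
       "securityContext": {"privileged": true, "runAsNonRoot": false}}
    ]
  }}}
}
""")


def audit_deployment(manifest: dict) -> list:
    """Return (container name, finding) pairs for one Deployment manifest."""
    pod = manifest["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    findings = []
    for kind in ("initContainers", "containers"):
        for container in pod.get(kind, []):
            name = container.get("name", "<unnamed>")
            sc = container.get("securityContext") or {}

            # Without a liveness probe Kubernetes can only notice a crashed
            # process, not a hung one, so self-healing is incomplete.
            # Probes do not apply to init containers.
            if kind == "containers" and "livenessProbe" not in container:
                findings.append((name, "no-liveness-probe"))

            # Privileged containers get near-host-level access.
            if sc.get("privileged") is True:
                findings.append((name, "privileged"))

            # Escalation is permitted unless explicitly switched off.
            if sc.get("allowPrivilegeEscalation") is not False:
                findings.append((name, "privilege-escalation-allowed"))

            # runAsNonRoot set on the container overrides the pod-level
            # value; if neither sets it to true the image may run as root.
            if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
                findings.append((name, "may-run-as-root"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_deployment(SAMPLE_DEPLOYMENT):
        print(f"{name}: {finding}")
```

In a cluster the same rules are enforced at admission time, so a non-compliant manifest is rejected before it runs; a check like this one is useful earlier, in code review or CI.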

Resilience and reliability

Kubernetes is a proven technology that allows Armour to deliver in Armour Core v5.0 a platform that is more powerful, robust, and extensible. We can deliver features such as monitoring, load balancing, failover, high availability and much more. This makes the provision of Armour Mobile more flexible, more resilient and more reliable for our customers. Even when under load from a high volume of concurrent users or high network traffic, Kubernetes can load balance and distribute the network traffic so that the deployment is stable.

Delivered to suit your needs

Armour customers will benefit from our use of Kubernetes, whatever their current choice of deployment, be it on premises, cloud, or hybrid. Using Kubernetes has delivered an array of improvements to our existing development cycle which will benefit our on premises customers.

Kubernetes also allows for a hybrid cloud approach for customers who require it. The Armour Mobile solution can be managed using Kubernetes tools, both in-house on bare metal and in the cloud.

For more information about how Armour Comms can help your organisation to adopt a more secure approach to communications and collaborative working, contact us today.

SigNet by Armour – Keeping communications completely private

A Maritime Use Case

Requirement

A global shipping organisation needed to communicate sensitive, commercial information in a way that kept it completely secure both in transit and at rest. Owners, executive management and executive assistants, banks, lawyers and other third parties had been using consumer-grade apps such as WhatsApp, Signal, Telegram and Viber to communicate because messages are encrypted. However, such apps can be attacked with the very real danger that user identity can be spoofed or hacked. The nature of the information being shared was such that using email was not a suitable option.

Challenge

To share commercial information, documents and instructions with trusted colleagues and partners securely, ensuring there are no unmanaged copies of information held anywhere, either printed or electronic. Conversations would be extremely difficult to trace.

Solution

SigNet by Armour®, which is secure by design, was selected for its great user experience. Strong user adoption was a key differentiator for SigNet – people found it extremely easy to use, and are using it enthusiastically.

Key Benefits

SigNet provides secure comms for voice, text, messaging, video and attachments.  However, for this maritime organisation, the app is used mostly for messaging and sending documents securely.

Increasing Security Awareness – Using SigNet has encouraged a culture of heightened security awareness amongst employees while also protecting user anonymity and privacy.

One-step provisioning – users simply download the app, and they can start using it straight away.

Strong user adoption rates – the app is so easy to use, people like it.

Anonymity and protection of privacy – users do not need to reveal their mobile number, email address or even full name in order to use the app. This particular feature is much appreciated by the ship owners who value their privacy.

Use across multiple linked devices – the same instance of the app can be installed on desktop, laptop, tablet and mobile, so that information can be shared across devices securely, without ever using email.

Desktop instance – the app is used by Executive Assistants on their PCs and laptops.  The ability to cut and paste instructions from ship owners and share with other members of the management team via SigNet improves security.

Note to Self facility – voice to text notes and reminders that are held within the app, and can be shared with linked devices.

Ultra secure sharing of information – documents for signature, instructions or commercial details are shared via SigNet, meaning that the use of email systems is completely avoided, and there is no need to print copies.

COVID-19 – the company is even using the app to enable employees to share COVID test results and vaccine details.

Results

Details of competitive commercial discussions, documents for signature, instructions from ship owners, and even sensitive medical information can now be shared across an ultra secure platform. Documents and information shared using SigNet are not accessible by any other system. Documents no longer have to be shared via an email system, which could be subject to surveillance or hacking, nor do they ever need to be printed.

Users’ identities are protected and privacy maintained, which is important for ship owners. People like using SigNet, and secretaries and executive assistants are able to use the solution from their desktops. As people become more used to SigNet they are finding more reasons to use the app, including the Note to Self feature as a quick and easy way to share confidential information across devices.

Contact us today to discuss how your organisation can keep sensitive commercial communications completely private

Meeting ISN 2022/04 Secure by Design Requirements

Armour Mobile in use at the MoD

Recently the UK Government published Industry Security Notice 2022/04 Secure by Design Requirements, which informs the UK Defence Supply Base of the Secure by Design policy and approach which has been set out to ensure cyber secure delivery of capabilities for the MoD.

Before we outline just how closely Armour complies, we address the question: what is the difference between Secure by Design and Secure by Default? The National Cyber Security Centre (NCSC) uses both terms in different contexts.

Secure by Design

Broadly speaking, Secure by Design means that software products and services are designed to be secure from the ground up.  Every layer is considered from a security and privacy standpoint and starts with a robust architecture design.  Secure by Design incorporates strategies such as forcing patterns of behaviour, for example, strong authentication, and the use of best practice protocols such as least privilege access.

More specifically, Secure by Design is part of the Government’s National Cyber Security Strategy. The Department for Digital, Culture, Media & Sport (DCMS) and the NCSC conducted a review into how to improve the cyber security of consumer Internet of Things (IoT) products and associated services, and as a result published various documents regarding the security of smart devices.

Secure by Default

Secure by Default builds on the premise of Secure by Design. According to NCSC, Secure by Default is about taking a holistic approach to solving security problems at the root cause rather than treating the symptoms. It covers the long-term technical effort to ensure that the right security attributes are built into software and hardware. As well as ensuring that security is considered at every stage when developing products and services, it also includes ensuring that products are delivered to the end-user in such a way that the default settings enforce good security practices, while balancing usability with security. After all, if a product is too difficult to use, people will simply find a workaround, meaning that security ends up being compromised anyway.

Secure by Default principles prescribed by NCSC are:

      • security should be built into products from the beginning, it can’t be added in later;
      • security should be added to treat the root cause of a problem, not its symptoms;
      • security is never a goal in and of itself, it is a process – and it must continue throughout the lifetime of the product;
      • security should never compromise usability – products need to be secure enough, then maximise usability;
      • security should not require extensive configuration to work, and should just work reliably where implemented;
      • security should constantly evolve to meet and defeat the latest threats – new security features should take longer to defeat than they take to build;
      • security through obscurity should be avoided;
      • security should not require specific technical understanding or non-obvious behaviour from the user.

 

Armour Mobile complies with Secure by Design AND Secure by Default

At Armour Comms we have been working with NCSC since our inception a number of years ago to ensure that our products are designed with Best Practice security protocols in place. Our initial products were CPA certified to demonstrate they adhered to these security principles; when that scheme finished (for all products with the exception of smart meters) we focused on ISO27001 and Cyber Essentials Plus certification as externally audited proof of our strong security practices.

Our products are approved for use up to OFFICIAL-SENSITIVE, NATO Restricted and for Higher Assurance requirements and are already deployed at these levels. Our innovative developers work hard to deliver products that strike the balance between providing a user experience that mimics consumer-grade apps, while delivering the security credentials required for higher assurance use.  Armour Mobile is in use in many Government departments as well as having been deployed for numerous use cases across the MoD.

Armour Mobile and MoD Secure by Design Requirements

One of the key principles within the ISN 2022/04 Secure by Design Requirements is to Define Security Controls, and within that, the requirement is that: “Existing processes, knowledge, standards and technologies should be identified, assessed and reused where possible to avoid duplication of effort.”  With this in mind, and our track record of working with NCSC and the MoD, Armour Mobile is the obvious choice for any secure comms requirement within the Defence sector.

For a more detailed look at the NCSC Secure by Default principles read our blog: The future of NCSC Technical Assurance: https://www.armourcomms.com/2022/01/25/the-future-of-ncsc-technical-assurance/  and for more information about the NCSC Secure by Default principles please read: https://www.ncsc.gov.uk/information/secure-default

Watch this space for future articles describing in more detail how Armour Mobile meets the Secure by Design requirements.

Unity by Armour Secure Conferencing wins Best Communications Security Solution at SC Awards

We are delighted to announce that Unity by Armour has won the SC Award for Best Communications Security Solution. Unity is the third Armour product to be honoured by these highly prestigious Awards (previous accolades went to Armour Mobile and SigNet by Armour).

The award was presented at the first live celebration of the SC Awards in three years, held yesterday (21st June – midsummer’s day) at the London Marriott, Grosvenor Square, where we were joined by clients for a glitzy evening.  According to the organiser: “The SC Awards Europe recognise and reward products and services that continue to stand out from the crowd, exceeding customer expectations to help defeat imminent threats and cyber-security attacks.”

From our perspective, we are pleased that our products stand out for their innovation and value to business in the fight against cyber threats.  However, the award is also a huge ‘well done’ to our employees who have worked so hard to deliver real-world solutions to the dilemma of providing the functionality of a consumer app, with the Secure by Default design and security required for business communications and collaboration.

Here’s a summary of the winning entry:

Enterprise Conferencing that’s more secure and easier to use

Unity by Armour® delivers secure conferencing in an easy-to-use app for mobile and desktop use, with enterprise security features not provided by free-to-use consumer products, including a choice of cloud or on-premises installation to ensure data sovereignty. Unity is available in several configurations to ensure the level of security matches the sensitivity of the conversation. Unity combats the issue of ghost callers that may eavesdrop on sensitive conversations by highlighting to all users whether a participant has joined the call via Armour’s secure app, or via a browser – the latter often introduces vulnerabilities.

Unity extends the Armour ecosystem by working in conjunction with Armour Mobile to provide pre-defined or on-the-fly secure video conferencing, screen sharing and integration with secure chat groups and interconnectivity with trusted unified communications systems.

Unity delivers picture-in-picture and multiple screens, and offers a familiar video conferencing interface, making it easy and intuitive to use.

Armour Mobile won the award for Best Mobile Security Solution in 2019 and SigNet and Armour Mobile were Highly Commended in the same category in 2021.

If your organisation needs a conferencing tool with enterprise capabilities and security credentials to match, call us today to find out more: +44(0)20 36 37 38 01

User Success – Are you making the most of Armour technology?

Convincing people to use security products is a challenge.  Employees are often reluctant to change their working practices, especially if it involves any kind of inconvenience. So when you have successfully built the business case, found the product, got budget approval, procured the product and rolled it out to end users – then what? How can you ensure that the product is being used, and can you demonstrate business value, or return on investment?  With security products this is notoriously difficult because if the product is successful at diverting a threat, then there may be no obvious outcome or benefit to the end user.

With this in mind we’re going to be revisiting customer successes that we think will help our clients achieve maximum benefit from their investment in Armour technology.

Secure Note to Self – Provide a great user experience

Evidence shows that the most enthusiastic adoption of Armour Mobile and SigNet by Armour is where it solves a compelling business problem, as well as providing better security. The product must be easy and pleasant to use, and users need to see immediately how it makes their lives easier.

By talking to our many clients about how they are using our products on the ground, we have learnt about some surprising real-world benefits. For example, SigNet has an extremely useful Note to Self capability – something that users absolutely love once they discover it. No more sticky notes, or emails to self, just a voice memo that is completely secure, goes to devices linked to the same account, and cannot be eavesdropped or overheard by anyone other than the intended recipient.

Cyber Essentials Plus and BYOD don’t mix – or can they?

Another point worth keeping in mind: if your organisation is planning to undertake Cyber Essentials Plus accreditation, then employees’ unmanaged personal devices (i.e. BYOD) cannot be used to access corporate information, including email. Employees are generally highly resistant to Mobile Device Management (MDM) solutions on their personal devices; however, by using Armour Mobile all corporate information shared using the app is completely isolated from the rest of the device. This makes Armour Mobile an extremely viable alternative to MDM which employees are more than happy to use as it does not interfere with their personal apps, while protecting business information. The same device can be used for both personal and business communications. For more information about this read our blog: https://www.armourcomms.com/2022/05/03/protecting-sensitive-comms-on-byod-devices-without-resorting-to-mdm/

In the coming weeks and months, we’ll be sharing different scenarios where our customers have achieved sometimes unexpected benefits from different use cases.  In the meantime, if you have a business problem, get in touch and it may be that someone else has already faced that same issue, and we have the solution ready and waiting.

Recall by Armour – Armour Mobile Audit capabilities

Unofficial channels now subject to FoI requests

If you need to audit secure calls, protect evidence, or prove compliance, Armour can help.

A recent ruling by the Information Commissioner’s Office (ICO) (https://www.civilserviceworld.com/professions/article/freedom-of-information-foi-covers-whatsapp-and-other-private-channels-confirms-ico) states that emails and messages between officials and ministers sent from private accounts, including consumer-grade apps such as WhatsApp, are covered by the Freedom of Information (FoI) Act. The ruling aims to deal with the concerns that unofficial communication channels may impede official record keeping and the public record.

 

Keep Professional and Personal Comms separate

Quite apart from the need for government officials and those in public office to remain transparent and accountable, our previous blog entitled “Insider trading, a Russian banker and WhatsApp – the case for Audit” explains the importance of keeping professional and personal communications totally separate, and why organisations should use an enterprise app for business communications. There are many security reasons that consumer-grade apps are unsuitable for professional use, not least that free-to-use apps simply don’t have the features required for use at enterprise level, such as audit.

 

Privacy with an Audit trail

One of the key reasons that many organisations will want to use Armour solutions is to maintain complete privacy and security of communications. However, there are instances when audit functionality is a requirement. We understand that providing the option for an auditor to be able to review sensitive calls after the event is, in itself, a security management conundrum.

 

With Recall by Armour we have solved this challenge

Recall by Armour is available as an additional module to Armour Mobile for on-premises deployments. Designed for organisations in regulated industries, Recall provides call audit capabilities for security-conscious organisations that need to be able to prove who said what, to whom, and when.

 

How it works

Armour Mobile and Desktop support an audit capability enabling communication (text, audio) to be captured in its entirety within the centralised audit log, allowing detailed retrospective analysis of all conversations. Each entry within the audit log is encrypted using keys unique to the user to whom the entry relates, and access to the decrypted content can only be gained when an Administrator with sufficient access rights has access to the audit tools to securely retrieve the key material and perform the necessary decryption tasks.

With Recall, all communications via Armour Mobile are protected and preserved automatically; the user doesn’t need to do anything extra. This supports the NCSC ethos of Secure by Design, making security easy for the end user.

For more information about how Armour Comms can help your organisation preserve, check and interrogate secure and sensitive conversations, contact us today: sales@armourcomms.com