Replacing WhatsApp for Business?

Here are some points you should consider

Chat apps in business have become akin to SMS in the late 1990s. For those of you who don’t remember, SMS was clunky to use, and really only ever intended for geeky, techie types. However, that didn’t stop it taking off with mass adoption, including by business people. In much the same way, chat apps are not designed for professional use, but somehow they have infiltrated many workplaces, bringing with them various security and data privacy issues.

Getting the Genie back in the bottle

So what can you do about it? Some organisations have gone so far as to ban the use of WhatsApp[i]. However, much like getting the genie back in the bottle, once people have experienced the ease of use of these consumer chat apps, it’s difficult to stop their use. The trick is to give your staff something even better than WhatsApp. By better we mean with extra, enterprise-grade functions which the user will love, and far stronger security, which is imperative for the business.

What are the alternatives?

There are quite a few free-to-use alternatives, the best of which is widely accepted to be Signal. However, Signal suffers from some of the same drawbacks as WhatsApp. The issues are:

  • In order to use the app, users must register with their GSM/mobile number. It is relatively easy to spoof a mobile number, which means that users cannot be certain who they are communicating with.
  • All users are in a single group, so that anyone can call anyone else. Groups or communities of users cannot be managed centrally.
  • The app is managed in the US – so metadata leaves sovereign shores.

Like Signal – only better

SigNet by Armour®, as the name suggests, is based on Signal, which is internationally recognised as the most secure consumer app. We’ve taken all the best bits and packaged them up with extra features and an easier-to-use interface to provide an enterprise-ready solution.

By enterprise-ready we mean:

You can have an on-premises or cloud-hosted instance. The cloud version uses the Armour secure cloud, which is UK based – so your data and metadata never leave sovereign UK shores. You have complete control of your data.

Contact lists or communities can be managed centrally. New users must be invited by a central admin and approved before they can join. That means that your users know exactly who they are communicating with – no spoof users with stolen identities.

No requirement to use a mobile phone number. With Armour you only need a unique identifying code – it doesn’t need to be a mobile number. This is an extra layer of security that can keep business and personal communications separate, even on the same device, and which also keeps users’ personal details private.

Full enterprise functionality, including voice calls, text/chat, video and attachments – all of which are managed inside the app, stay inside the app, and are completely encrypted.

Scalable, fast provisioning for new users. We use secure, one-time-use QR codes to get new users up and running with the minimum of fuss. Great for users, and for the IT department.

Enhanced User Interface. Designed with the user experience in mind, intuitive and easy to use, especially for those upgrading from WhatsApp.

Professional support services. We provide UK-based phone and email support.

Fully GDPR compliant. All data is kept within the app, and no contact information is shared.

Benefits of a really secure communications app

SigNet helps to get the WhatsApp genie back in the bottle. Providing employees with an enterprise-grade communications app improves security and protects sensitive business information such as intellectual property (product specs, price lists, formulae, recipes, patents), customer information, and contact details. It also helps to avoid embarrassing data breaches which can damage reputation. A less obvious benefit is that employees are encouraged to take data security more seriously: the very act of using a special app for business communications is a reminder to be careful and take cyber security seriously.

Act Fast

If your business managers need to communicate about any kind of sensitive information that, if divulged, could put your business in jeopardy or provide a commercial advantage to competitors, contact us today and have the security of SigNet by Armour up and running in your organisation within minutes.

sales@armourcomms.com

[i] Germany’s data chief tells ministries WhatsApp is a no-go: https://www.dw.com/en/germanys-data-chief-tells-ministries-whatsapp-is-a-no-go/a-53474413

Elements of User Experience

In a world where there’s an app for just about everything, how can enterprise systems, designed for a serious business purpose, engage in the same way as their consumer-grade cousins?

Business apps now need to do what they say they will and, in doing so, they must delight the user. Ideally, security products should be so easy and intuitive that users have no reason to use anything else – so avoiding workarounds, a key tenet of good cybersecurity.

When designing new products, the user experience is key. What do we mean by user experience, and why is it so important? Daniel Hermoso, Product Designer at Armour Comms, explains.

What is User Experience?

User Experience, or UX for short, encompasses all aspects of the end user’s interaction with a company, its services and its products. This is a more holistic way of looking at user interactions than simply through the user interface (UI). Whether by design or by default, every product or service we build delivers an experience to our users and end customers.

Why does it matter?

Many of us have mixed feelings about the products and services we use every day. They can either empower us to do our jobs better or leave us frustrated when they fail to meet our needs or requirements. In short, they have the ability to complicate or simplify our lives.

As alluded to above, a good UX is particularly important for security products, like the ones we develop at Armour. Not only must they do a better job in terms of data security than consumer apps, but they must match them in terms of usability too.

So what makes a good user experience?

Aarron Walter, in his book Designing for Emotion, describes a hierarchy of user needs that closely mirrors Maslow’s hierarchy. In it he outlines that, in order to achieve higher needs such as delight or pleasure, more foundational needs such as functionality and usability must be met first.

When people think about well-designed products, usually they think about the aesthetics (such as the user interface). Is the product pleasing to look at, or does it feel good to the touch? Yet designing products with user experience in mind means looking much deeper, beyond the aesthetics, at the hierarchy of user needs.

Functional

It starts with function, the need to solve a problem. A beautiful product that fails to meet basic user needs is not viable. Sometimes this is forgotten, and it causes issues as product teams invest a lot of time and effort building something nobody wants to use.

Reliable

Second, the product must be reliable. Can we count on it to deliver the actions or service that our users are expecting? Does it consistently perform well? This is important because it builds trust with customers and improves user engagement.

Usable

Usability is key because it assesses how easy products are to use. It aims to remove all barriers that prevent efficient human-computer interaction. Products and services need to be easy to learn, easy to use and easy to remember.

Pleasurable

In a highly competitive market, it’s no longer enough to design products that simply meet the basic utility needs. It’s critical to design a purposeful and memorable experience that people will enjoy.

Having recently watched the Great British Bake Off, I like to think of the user experience in the same way that the bakes are judged. You can always tell which bakes failed during the process solely from having a look at them. However, to truly distinguish the best from the rest you have to understand the process: what ingredients were used, and every step it took to achieve the outcome. Only by tasting the bake can the judges distinguish the true masterpiece.

In much the same way, only by applying UX principles to product design, where a foundation of function, reliability and usability is achieved, can we expect to deliver a truly delightful experience to the user. As they say, the proof of the pudding is in the eating!

Armour Comms has published a podcast explaining the Elements of User Experience, which you can view here:

Armour Comms wins Queen’s Award for Enterprise: International Trade 2021

Cyber-security firm wins highest industry accolade for Secure Communications technology

London, 29 April 2021: Armour Comms, a supplier of UK Government and NATO approved solutions for secure communications including voice, video, messaging and data, has been awarded a prestigious Queen’s Award for Enterprise: International Trade 2021. The award was made for outstanding short-term growth in overseas sales over the last three years.

Established in 2015, Armour Comms is one of only 112 organisations nationally to be recognised with an acclaimed Queen’s Award for Enterprise: International Trade this year. Armour Comms technology provides the convenience and usability of consumer-grade apps with the enterprise and government grade security features required by professional users to protect sensitive information and maintain privacy. Armour technology provides a highly secure mobile communications platform where every element of data, including metadata, can be controlled.

David Holman, Director and co-founder of Armour Comms, said: “The whole team at Armour are honoured to have been selected for a Queen’s Award and I know our many customers around the world will share our excitement at this recognition. It is the highlight for us of a busy 12-month period where many organisations moved to remote working and therefore required more robust security for their home workers.

“During the pandemic cyberattacks have increased significantly, generating an awareness that security for mobile workers is incredibly important because it presents such a large attack surface. By combining the usability of consumer-grade apps with the enhanced security required for business use, our products provide the assurance required when sharing sensitive information of all kinds and maintaining privacy, even in the most challenging of environments.”

Armour Comms supplies the secure communications solutions of choice for governments, banks, defence and law enforcement, financial services, legal and healthcare organisations, as well as family offices, ultra-high net worth individuals and journalists operating in unfriendly regimes.

This short video explains how the Armour technology works: https://www.youtube.com/watch?v=lufP-IUckhE

NCSC – 7 Principles for Secure Communications explained

NCSC 7 Principles for Secure Communications

There are seven principles defined by NCSC, and they are:

  1. Protect Data in transit
  2. Protect network nodes with access to sensitive data
  3. Protect user access to the service
  4. Ensure secure audit of communications is provided
  5. Allow administrators to securely manage users and systems
  6. Use metadata only for its necessary purpose
  7. Assess supply chain for trust and resilience

Principles 1-4, Part 1: Click Here

Principles 5-7, Part 2: Click Here

Replacing WhatsApp? Advice from NCSC

What exactly should you be looking for?

When considering a secure communications solution for your organisation there are a lot of different options, not least of which are free-to-use consumer-grade apps. Without vigilance these apps can seep into business use without any oversight from the organisation, often because employees already use them in their personal lives and they seem like an expedient way to communicate. These apps claim end-to-end encryption, but do they really meet the needs of an enterprise? And what extra do paid-for enterprise solutions offer?

As we’ve pointed out many times before, there is much more to security than just encryption – this is an important point made by the UK National Cyber Security Centre (NCSC). It has published a document, ‘Secure communications principles’, highlighting key points for secure communications. As usual, NCSC has done an excellent job of laying out the potential hazards – and how to avoid them – in an easy-to-read form. Here is an outline of those principles and why they are important.

NCSC 7 Principles for Secure Communications

There are seven principles defined by NCSC, and they are:

  1. Protect Data in transit
  2. Protect network nodes with access to sensitive data
  3. Protect user access to the service
  4. Ensure secure audit of communications is provided
  5. Allow administrators to securely manage users and systems
  6. Use metadata only for its necessary purpose
  7. Assess supply chain for trust and resilience

Protect Data in Transit

At some point, your communications are very likely to travel over the public internet, which is by its nature an untrusted network. You don’t control it, so you can’t trust it. If not well protected, data travelling over an untrusted network can be tampered with, or people may be able to eavesdrop on your conversations and exchanges.

Another issue is messages being sent to the wrong person. This could be because you mistyped their address, or because someone has spoofed or stolen an identity. This means that you could think you are interacting with a trusted colleague when in fact a hacker has misappropriated their account. You could be tricked into giving away sensitive, valuable information, or into downloading malware.

Protect network nodes with access to sensitive data

A node is a connection point inside a network that can receive, send, create or store data. Each node requires you to provide some form of identification to receive access. As your message travels across the network and passes through these nodes, any unencrypted data it carries may be accessed by those nodes. While the content of the message may be encrypted by the app, your metadata may not be.

Another key point to consider is that encrypted messages rely on an encryption key to encrypt and decrypt. The key needs to be shared with the recipient for them to read the message, so there needs to be some form of key management system. If someone were to get hold of the key, they could read the message. If someone could get into the key management system, that would undermine the trust of the communications system, and you wouldn’t necessarily know that this had happened until it was too late and sensitive information had already been compromised.

Protect user access to the service

As alluded to earlier, when you communicate with a trusted colleague, you assume that it is them. However, if their account is hacked, you may not be communicating with who you think you are*. For this reason, strong user authentication is an important part of a communications system.

If your colleagues are using their own phones for business use, i.e. an unmanaged device, there is also the danger that details such as user credentials and historic communications content are processed and stored without being encrypted. Therefore, if someone else gains access to that device, information could be compromised. This is another reason for strong access control and authentication (for example, a fingerprint scan or password).

*In case the risk here isn’t clear, this is the ‘messaging app’ analogy to Business Email Compromise (BEC), which the FBI’s 2020 Internet Crime Report (https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics) indicated cost $1.8B last year, more than the total costs of confidence fraud, ransomware, identity theft and several other categories all added together!

Ensure secure audit of communications is provided

For those working in regulated industries (financial services and health, for example) it is important that all communications can be audited (i.e. recorded and stored). However, this is not as easy as it sounds. The communications content must be kept secure, and there need to be tight controls around who can access the content, when and why. This level of access would be highly desirable to criminals. Consumer-grade apps certainly do not provide this level of service, and some may even monitor your content for advertising or other purposes.

Allow administrators to securely manage users and systems

All IT service desks know that if users are allowed to administer their own accounts you end up with anarchy. For a secure communications system to remain secure, it must be properly managed. This means controlling who can join, and who can communicate with which groups. In contrast, consumer apps allow anyone to join – which could include hackers, criminals and disgruntled ex-employees – and then to contact anyone else on the system.

Controlling who is admitted to the system provides a level of trust: you know who you are communicating with, and should someone leave the organisation, their account is disabled.

Use metadata only for its necessary purpose

Put simply, metadata is the ‘who’, ‘where’, ‘when’ and ‘how’ of the communication. It reveals information about the user, for example who is talking to whom, which in certain cases can be useful to a malicious actor even if they don’t know what is being said.

When aggregated, metadata can become even more valuable and is often harvested and sold to advertisers. This is how free-to-use services monetise their users. Apart from the adverts being annoying (and creepy), it is a security risk for organisations.

Assess supply chain for trust and resilience

Do you know every element of your secure communications service and who supplies it? Can you trust every element? If your existing solution uses the public internet then you can’t know every element, and therefore you need to mitigate the risks. Another point to consider is whether the system is standards-based (and so can be supported by multiple vendors) or proprietary. If proprietary, what happens should that supplier go out of business or be taken over by another organisation?

A final point to think about: for a secure communications solution to be genuinely usable (in other words, for there to be no reason for users to circumvent the system with workarounds or “shadow IT”), can users communicate with people outside of the organisation? Any solution adopted needs to be able to talk to other secure communications systems.

The ease of use of a communications app belies the underlying complexity, so when looking for a solution that is secure enough for enterprise and business use, there is a lot to consider.

Our new technical white paper goes into each of the NCSC’s Secure Communications Principles in much more detail and explains how Armour applies these principles across our products. You can download a copy here:

Alternatively you can view our Podcast:

Part 1: Click Here

Part 2: Click Here

Armour Comms announce certified Secure Communications with Bittium

Total privacy, no reliance on the open-internet, rugged devices with great user experience

London, 14 April 2021: Armour Comms and Bittium have announced the availability of a NATO approved secure communications solution. The new solution, which runs on Bittium’s Tough Mobile™ 2 series of ruggedised and secure smartphones, ensures that voice and video conversations, and the associated files and attachments, stay completely private, no matter how hostile the environment. Aimed at military, defence, law enforcement and government markets worldwide, the Bittium and Armour® Mobile product provides the same user experience as consumer-grade solutions, while keeping data in transit secure at all times via the Bittium Safe Move® Mobile VPN.

The Bittium/Armour Mobile secure comms solution provides out-of-the-box security, with everything needed for rapid provisioning of end users contained within the box. Devices are provisioned using a deep-link QR code from Armour and Bittium’s Secure Suite™ device management software. This avoids the ‘weak link’ of relying on SMS messages for authentication codes, and allows the use of Armour Mobile over networks where Voice over IP (VoIP) traffic is blocked or restricted.

Sammy Loitto, Senior Vice President, Sales at Bittium, commented: “Security-conscious sectors are an important market for Bittium where we supply our secure and ruggedised smartphones in a variety of options, often without any consumer-grade apps that may compromise security. The Armour Mobile software application is NATO approved, providing the ideal solution for handling data classified at NATO Restricted. Armour Mobile is easy and intuitive to use, further enhancing our joint offering.”

The award-winning Armour Mobile secure comms app is now available on Bittium Tough Mobile 2. When packaged with the Bittium Secure Suite MDM, the solution provides:

  • User-friendly design that mimics the standard Android user experience, intuitive and easy to use
  • Robust, certified end-to-end encryption of all voice, video and message communications
  • Centralised location tracking (command and control)
  • Remote wipe (if a device is compromised)
  • An option without Google Mobile Services, with app updates delivered from Bittium Secure Suite, so there is no need to connect to the public internet
  • Out-of-the-box delivery of Armour Mobile activation credentials via the Bittium Secure Suite and Bittium Tough Mobile 2 secure channel, ensuring no interception during provisioning
  • Multi-container solution for easy separation of personal and business data
  • Use of Armour Mobile in networks where Voice over IP traffic is blocked or restricted

David Holman, Director and co-founder of Armour Comms, said: “At Armour we develop communications solutions that combine the usability of consumer-grade apps with the enhanced security required by professional users. Armour Mobile is already widely used by defence and governments around the world. This new joint offering with Bittium offers absolute privacy for data and metadata, which stays completely within the control of the organisation, on a robust smartphone.”

Armour Comms attains ISO27001 certification

Secure communications supplier achieves ISO/IEC 27001:2013 in just six months

London, 30 March 2021: Armour Comms has been registered by Intertek Certification Limited as conforming to the requirements of the ISO/IEC 27001:2013 standard, ensuring that security is embedded within company culture, to minimise risks from cyber threats, and to ensure resilient processes and controls. The certification covers Armour’s Information Security Management System (ISMS), which encompasses the development and delivery of Armour’s flagship products Armour® Mobile and SigNet by Armour®, and all white-labelled products. Armour Comms provides trusted, secure instant collaboration solutions for mobile devices and desktops that are widely used in Government, military and defence sectors around the world.

David Holman, Director and co-founder of Armour Comms, said: “We are delighted that the ISO27001 certification for our company management processes has been achieved at the first attempt and within the ambitious timescales that we set ourselves. This is testament to the hard work and dedication of our technical and management team, all while operating under COVID-19 lockdown conditions.

“Achieving ISO27001 provides a strong baseline for our continued development of robust security solutions that protect sensitive data while delivering a great user experience on standard smartphone devices and desktops – an attractive alternative to consumer-grade apps used for business. End-user engagement is a key component of good security solutions and an area that we will continue to focus on within our ISO27001 product design processes.”

ISO/IEC 27001 details requirements for establishing, implementing, maintaining and continually improving an information security management system, the aim of which is to help organisations make the information assets they hold more secure. It requires that management:

  • Initiates processes that examine the organisation’s information security assets, and assesses risks, threats, vulnerabilities and the associated possible impacts
  • Implements a series of integrated and comprehensive controls and risk management strategies that address risks to information security assets
  • Undertakes a program of continuous assessment and improvement to ensure that information security controls evolve to meet current and ongoing requirements

Dr. Andy Lilly, CTO and co-founder of Armour Comms, added: “At Armour we have a strong track record in compliance with industry standards. We have previously completed CPA and NATO certifications, and Armour Mobile uses the NCSC’s MIKEY-SAKKE protocols. Achieving ISO27001 certification demonstrates our continued holistic approach to security throughout the entire lifecycle of our products, which will ultimately benefit all customers, across all product lines.”

Armour Comms has published a podcast explaining the differences between CPA and ISO27001. It can be viewed here:

https://www.youtube.com/watch?v=4v9aojG3EeQ&feature=youtu.be

ISO27001 and CPA certification – Apples and Bananas


Comparing ISO27001 and CPA is like comparing apples with bananas. They are both recognised industry standards associated with cybersecurity, in much the same way that apples and bananas are both fruit, but they are designed to do different things. In a nutshell, CPA certifies an individual product, and ISO27001 certifies a whole company, covering all of its processes and procedures around information security and the way that it develops its products.

At Armour we are well qualified to talk about both ISO27001 and CPA, as we have achieved both. Here is an explanation of each, with plus and minus points for both.

What is CPA?

Commercial Product Assurance (CPA) was a scheme introduced in 2014 by CESG, the UK’s National Technical Authority for Information Assurance, which is now part of the National Cyber Security Centre (NCSC). It was launched to coincide with the replacement of the Government Protective Marking Scheme (GPMS) by the Government Security Classifications Policy (GSCP), where data is categorised into just three levels of classification for UK information assets: OFFICIAL, SECRET and TOP SECRET (https://www.gov.uk/government/publications/government-security-classifications). The three classifications didn’t give quite enough granularity, so a ‘handling caveat’ of OFFICIAL-SENSITIVE was also introduced for the subset of OFFICIAL information that required additional protection (https://www.gov.uk/guidance/official-sensitive-data-and-it).

For the CPA scheme, the NCSC sets a series of standards which independent test laboratories use to assess products for their suitability to handle OFFICIAL data. (Formerly, SECRET use required High Grade products assessed using the even more costly CAPS process: https://www.ncsc.gov.uk/information/products-cesg-assisted-products-service.) The CPA standards are published so that both the companies and potential purchasers of the products can see the requirements against which testing has been performed.

In other words, CPA certification confirms that the product does what the vendor says it does, giving a level of assurance to purchasing organisations that they know what they are buying, and that it does what they think it does. The more experienced (cynical) among you will know that this is not always a foregone conclusion in the world of software.

What is ISO27001?

ISO27001 is an international standard specific to information security management, originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013 and again for European markets in 2017. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), the aim of which is to help organisations make the information assets they hold more secure. Organisations that meet the standard are audited by an independent body and certified as such.

ISO/IEC 27001 requires that management:

  • Initiates processes that examine the organisation’s information security assets, and assesses risks, threats, vulnerabilities and the associated possible impacts
  • Implements a series of integrated and comprehensive controls and risk management strategies that address risks to information security assets
  • Undertakes a program of continuous assessment and improvement to ensure that information security controls evolve to meet current and ongoing requirements

Comparing ISO 27001 and CPA

The main limitation of the CPA scheme is that it is product based, so it only ever relates to an individual product. If that product is updated, for example to introduce new features and benefits, or simply to run on a newer version of hardware, it needs to be re-assessed (and CPA also requires a full re-certification every 2 years). This is costly and time-consuming. It makes it difficult for vendors to keep up with the rapid pace of technology (particularly in the mobile space) and reduces the choice for purchasers.

ISO27001 is not product specific, and therefore does not provide the very specific assurance offered by CPA certification. However, it does provide a more holistic approach to information security and ensures that organisations are managing the processes within their declared scope. For Armour, this means the entirety of our product development, delivery and support operations, as well as all supporting aspects of the company (finance, HR, etc.), follow security best practices. (The scope is important – some suppliers only certify a subset of their processes/operations.) This provides purchasers with broad confidence that products and services delivered by ISO 27001-certified organisations should be secure and – just as importantly – that they will be updated over time to mitigate new security concerns.

Both CPA and ISO27001 are expensive and time consuming for the vendor, but they do demonstrate a certain commitment to providing quality products that comply with recognised industry standards.

And why is all of this important?

NCSC is discontinuing the CPA scheme for all products with the exception of smart meters. At the moment there is no replacement scheme, causing a dilemma for security-conscious organisations that would normally opt for a CPA-certified solution. How can they be assured that any new solutions they use to handle classified data are suitable and up to the job?

This is where we believe ISO27001 is becoming increasingly important. ISO27001 covers much more than simply IT, and certainly more than a single product, making it significantly different to CPA, but in many ways, we believe, better. In essence, with ISO27001 the processes and controls within the company or organisation are assessed and certified, meaning that any and all products will have been developed using tried and tested means. This enables a more flexible approach for vendor and purchaser alike. Under ISO27001 it is much easier for products to be updated to keep pace with rapidly changing technology and the security threat landscape.

In the meantime, we continue to work closely with NCSC with the aim of supporting whatever assurance scheme they implement to supersede CPA.

To hear our CTO Andy Lilly further discuss the differences between CPA and ISO27001, listen to our podcast here: https://www.youtube.com/watch?v=4v9aojG3EeQ&feature=youtu.be

If you or your security accreditors have any questions, please get in touch: sale@armourcomms.com