In this blog, we look at how taking a Zero Trust approach to developing and provisioning apps can help to prevent security breaches.
Guest blog from Simon Minton, Global Cyber Security Advisor at Cisco
The security threat of using apps
Sharing meeting notes. Processing customer transactions. Logging expenses. Signing contracts. More and more business processes are getting the app treatment. And that means more and more data is being exposed to potential security threats.
How businesses are using the cloud
To ensure apps deliver on stakeholders’ agility and efficiency expectations, organisations are increasingly using the cloud to provision functionality to users both in the workplace and beyond. Apps aren’t just being provisioned via the cloud; they are being developed in the cloud too – and that introduces another layer of complexity and risk.
Cloud-native development enables organisations to build and update apps quickly. But the speed at which apps evolve can result in security being overlooked – especially as organisations increasingly bring application development back in-house due to its strategic and competitive importance.
Join the DevSecOps revolution
The need to balance security with agility has given rise to a new operating model in the app development world. DevSecOps isn’t just about adopting new processes and tools; it’s about adopting a new mindset in which everyone in the app lifecycle is responsible for security – whether they are a developer, a business stakeholder or a user.
What is DevSecOps?
DevSecOps shifts security from a bolt-on activity late in the process of application development, when much of the architecture has already been defined, to a fundamental part of the design, build and continuous delivery.
In order for DevSecOps principles to take root in an organisation, developers need to be encouraged to take ownership of security, much like they are incentivised to develop metrics around application availability and performance.
Reducing the impact of data breaches when using apps
Most data breaches arise from two interlinked scenarios: exploitation of the application itself and/or exploitation of the infrastructure hosting the application. Several recent high-profile breaches occurred because of a misconfiguration of the supporting cloud infrastructure. The shared security model adopted by all cloud providers puts the onus on their customers to ensure that cloud services are properly configured.
Ensuring developers and IT security teams work together to proactively remediate misconfigurations in an application or infrastructure can help to reduce the impact from an incident or breach. Data analytics will be increasingly important for both teams when pinpointing application and cloud misconfigurations as well as malicious activity.
Monitoring solutions that leverage machine learning and behavioural modelling can provide visibility of activity not only on the network but also within the development environment and across cloud resources – which can act as an early warning of a potential security breach on an app or within the broader ecosystem.
For example, Cisco Stealthwatch collects and analyses network and cloud telemetry and correlates threat behaviours seen locally within the enterprise with those seen globally to detect anomalies that might be malicious.
To trust or not to trust?
Advanced threat detection solutions can also help to identify policy violations and misconfigured cloud assets that could compromise the future security of an app. But visibility into potential app vulnerabilities needs to go one step further.
With internal and external developers increasingly using internet-based open source elements, such as software libraries, to accelerate time-to-market, apps have become a patchwork of unseen – and often unknown – components. All of which could introduce unexpected risks and dependencies.
Around 80% of an enterprise application is created using open source software libraries downloaded from the internet. Organisations often have very limited understanding of the risks inherent in these libraries or lack the policies needed to remediate known vulnerabilities.
Adopting a Zero Trust approach to app development
By adopting a Zero Trust approach (where everything must be validated before it can be trusted) to app development, organisations will be able to identify potential security flaws much earlier. This will not only save time and money but also avoid reputational damage.
A Zero Trust approach can also be extended beyond the development stage to the entire lifecycle of the app. Users and devices accessing apps also need to be regularly validated to ensure they are not trying to launch an attack or steal data.
By getting smarter about how they provision and develop apps from the cloud, organisations will be able to protect thousands of employees and customers and provide a richer and safer app experience.
Whether it’s plastic containers or software licences, we all need to find ways to make the most of the resources we already have.
A new business requirement shouldn’t automatically trigger a new IT investment. This is particularly true within the networking and security arena where costs and complexity increase with every new purchase.
Instead of constantly expanding the security management portfolio, organisations need to start thinking about rationalising and integrating it. According to Cisco, 82% of companies want an integrated security portfolio but very few are achieving it.
Computacenter and Cisco are working together to help change this. As more IT providers move to an evergreen world with rolling releases and bundled packages, it’s getting harder for CIOs and their teams to stay up to date. As a result, features are not used, integrations are not leveraged, and opportunities are not exploited.
Making the switch
Let’s take an example. The Cisco Digital Network Architecture (DNA) subscription provides organisations with a new way of purchasing Cisco Catalyst 9K switches, which form the foundation of the modern intent-based network. But there’s a lot more to the software subscription than just the switches. And these added extras can make all the difference to the efficacy of security and networking operations in a digital age.
As well as providing organisations with access to software-driven rather than hardware-centric switches, the premier subscription also includes tools for managing security policies, detecting security threats, automating processes, configuring networks and generating actionable insights.
It’s hardly surprising then that the Catalyst 9K switches have been one of the fastest-selling new products in Cisco’s history: more than 1,100 customers signed up in the first quarter of availability. Eventually, it will become the standard platform for intent-based networking.
Although organisations have been quick to onboard the switches, the supporting software is still being under-utilised. As a result, CIOs often unnecessarily invest in additional point solutions or continue to use legacy tools that are no longer fit for purpose. They will also be missing out on the latest threat intelligence; the Catalyst 9K premier subscription enables CIOs to leverage the full power of Cisco Talos, which helps to protect people, data, and infrastructure assets.
Unlocking greater value
Computacenter has access to 10 Customer Success Managers – many of whom are Cisco Certified Internetwork Experts – who help organisations unlock the full potential of their technology investments.
We work with CIOs and their teams to drive greater value and enable business success. We share knowledge. We pinpoint existing resources that could be leveraged more effectively. We organise demonstrations and proof of concepts. And we flag potential new investments and integrations.
The shift to evergreen solutions and software subscriptions involves operational, cultural and financial change. Adapting to this new landscape while also delivering digital initiatives is a big ask for already stretched IT teams. But the quicker organisations can adapt, the quicker they can leverage the benefits.
Instead of fulfilling new requirements with new purchases, organisations will become accustomed to checking their existing IT entitlements and assets first. This will not only save money but also prevent the IT landscape from becoming even more cluttered. Maximising what we have today makes for a better tomorrow.
Iain Mobberley, a new member of the Computacenter family, reflects back on the past seven months he has been with the company.
So this will be my first blog since joining Computacenter UK to drive our Public Cloud go-to-market in July 2018. What a seven months that has been.
I have just returned from our Group Kick Off which was in Berlin. Anyone that has experienced this either at Computacenter or at other businesses will understand just how exhausting a few days that can be. This was both a celebration of the company’s performance during FY18 and a look forward to the financial year that we have just started.
This was also about recognition of outstanding performances from team members and business units across 2018. The anticipation of the individuals with regard to their individual recognition is somewhat unprecedented. To all that received recognition, I congratulate you. It should of course not go unmentioned that this is almost singularly focussed at the ‘front end’ of our business. The leadership, the sellers, the marketeers, the partner managers, the technologists and the partners. There is a vast staff within the business that of course ‘makes it all happen’. My focus here though is the part of the business I work in, the part I have very quickly grown to love.
Why? Well that is a very simple answer; there is great leadership, a fantastic culture which works in partnership internally and externally whether it be with our customers or our suppliers.
This has led me to think back to when I was looking for a new role back in 2018. Almost a year ago I was starting to think about what I wanted to do next. There is a huge amount of choice. I took time to identify what was important to me. I was looking for brand in the market, great people, culture and a sense of strong leadership. Oh, and scale! Well, I can confirm all of that is present in Computacenter and more.
Now, I believe that two of the hardest things to get right within a business are culture and leadership. Lots of businesses talk about guiding principles, they often talk about culture, often leaders state their aims but in reality, culture and leadership come from the top. This is exemplified by Mike Norris, Computacenter’s Group CEO. It cascades very quickly through a seasoned group leadership team to a set of country managers that reflect this, embrace it, and provide a huge amount of energy to the business and its employees. One of my original conversations at interview with the UK & Ireland MD, Neil Hall (@NeilHall75), was about culture, fit and leadership. I do not think in the history of my employment I have often witnessed these principles being exhibited by so many. Not just Mike, Neil or others, but by every individual within the organisation. It is quite staggering. It is not that every individual is a leader per se, but every single person reflects a fantastic set of values within the business and reflects them in everything that they do.
There are too many highlights to call out from the last couple of days, but I thought it worth identifying a few; three to be precise.
The first was during the UK&I Country session where we were joined by new colleagues from CC America (more later). It was quite brilliant, to see Lizee Butler for her first time take to the ‘big stage’, in front of a large audience and then to talk with so much passion about people, equality, respect and to open our eyes to always be fair and considerate in everything we do was just amazing.
The second was the story that Kevin James (@K22KJJ) our Group Commercial Officer told on the second day about our partnership with Dell Technologies. Wow! The story was described in the very traditional Computacenter way. However, the compelling thing that clearly came through was leadership and partnership. A joint desire to make a success of something which at the very start looked to be built on slightly rocky foundations. The determination of a team of people to achieve great heights was clear. Our customers now benefit hugely from this strong partnership and long may that continue.
The last was from our Group CEO. The essence of the organisation encapsulates his passion, determination and ability to celebrate when appropriate and steer and lead when needed. The way he commanded respect during the formal sessions and celebrated through the team in the celebration sessions was something to behold.
So lastly, I said I would mention @ComputacenterUS. This part of our business is relatively new. Here are a group of individuals that seem like-minded, passionate and seemingly have embraced everything that is Computacenter. It is astonishing that parts of this business have only been with us since the last quarter of FY18 following the acquisition of FusionStorm. It was hugely interesting to see how the business as a whole has welcomed the new employees to the business but for me the hand of friendship extended by the UK team to help accelerate the partnership and culture seems to be a key to success.
So why write this short blog post and why at this time? The answer is simple really; the decision to join a business can be a daunting prospect, at any level. The questions asked are often: am I a good fit? Is the business a good fit for me? Can I be successful? Well, after seven months I find that Computacenter is everything it claims to be and more. If you are considering a change in employment and important values to you are #celebration #leadership #culture and #partnership then look no further than Computacenter.
Iain is Director for Sales Development, Platform & Hybrid IT at Computacenter UK.
Every year, WorldSkills International and The United Nations recognise the 15th of July as World Youth Skills Day (WYSD). Designed to raise awareness on the importance of technical, vocational education, and training, WYSD works towards reducing unemployment and underemployment among youths across the globe.
Ahead of WYSD 2017, we spoke to Martin Pickering, Apprentice Program Manager at Computacenter, and current apprentice Zach Kirk-Gray, 1st Line Support Analyst, about the importance of promoting vocational training, and the benefits to businesses and apprentices alike.
Why should companies invest in technical and vocational education?
For businesses, vocational education is a way to invest in the company culture from the outset. “With apprentices, it really gives us the opportunity to grow grass-roots, technical staff, using the Computacenter brand. This not only gives young people a foot in the door, but at the same time allows companies to fill the gaps that they are finding in their operations,” says Martin.
“Some legacy technologies are slowly becoming difficult to employ against, such as mainframes launched in the 70’s and 80’s. The 40 years of service that these technologies have are now bringing the initial starters of that generation towards the end of their careers, and businesses need to realise the value of bringing young blood back into their organisation.
“Not only this, but the youth of today are digital natives, and are also at a stage in their lives when they are really tuned into learning and are extremely flexible with their talents. It’s here that we can start to use the younger generation to really get stuck in and learn about new technologies, such as cloud adoption, and use them as the next generation in an area that can often be very expensive to train staff in, and difficult for older members of staff to be trained on.”
Zach agrees that learning on the job is one of the best things about his apprenticeship: “It’s great to learn with the technologies. Vocational training is important to me because you really have a hands-on experience all the time, and get a lot of face-time with experts in those fields.
“At college, I was only really studying theory, which I felt wasn’t going to help me later in my life, and I found it difficult to learn just looking at books. Going for a practical apprenticeship has been absolutely brilliant.”
Why is it important to offer this type of training to today’s youth?
“Apprenticeship programs are not just about delivering a group of young adults to a team and getting them to do low skilled work,” continues Martin. “This for me is about creating opportunity.”
“I class the apprenticeship as a golden ticket. At Computacenter, we heavily invest the time of our technology experts into developing our analyst apprentices technically, but we also look at soft skills to develop them in the business world. This is an extremely important part of offering training to today’s youth, as many come straight out of college or school without any experience of working in a formal business environment. Even those who leave university with a degree are still under-experienced in the real-world applications of their skills.
“So, not only is vocational training important for their area of expertise, but also to develop their skills outside of technical delivery so that they are transferrable to any role they might hold in the future.
“My hope is that we create the opportunity for them to look back in years to come and see that Computacenter helped them achieve their goals.”
How are apprentices valuable to Computacenter?
Martin can’t help but sing their praises: “Apprentices are fantastic and come with a great attitude towards learning. We spend the first three months of the program training them, and they are able to take in all the information like sponges and can retain more than mature analysts that have been in the business world for years – it’s really amazing. Following this, they can then deliver and fill any gaps in the business with attrition at a lower cost.
“When speaking to customers, talking about investing in apprentices is always good news. My hopes are that more businesses realise the value of apprentices, and that more young people become aware of the benefits of vocational education themselves. Perhaps one day one of our apprentices will become the mentors of new programs to come.”
Finally, Zach agrees with promoting apprenticeships to young people, and why they should start considering this educational path: “Being an apprentice gives you the opportunities in life and trains you up to progress through the company, with hands-on training and mentorship. If I was to give any advice to young people deciding which path to take, I’d tell them to definitely go for an apprenticeship.
“I know people that have gone to university, but when they come out the other side they feel like they don’t have the practical knowledge or business acumen to really go out and get that foot in the door. With an apprenticeship, you’re already on your way.”
Are you a UK tech start-up? Win a place at TechUK’s Annual Dinner & connect with tech industry movers & shakers!
Computacenter and Dell-EMC are sponsoring this year’s TechUK’s Annual Dinner, which will take place on the evening of Wednesday 19th July 2017.
Senior figures from across the UK tech industry, including government and civil services, will gather to network and celebrate the achievements of our industry. Attendees will hear thought-provoking speeches from the likes of Rt Hon Karen Bradley MP, Secretary of State for Culture, Media and Sport, and Laura Kuenssberg, Political Editor, BBC, before enjoying an open discussion over a three-course meal.
Leading tech executives across the industry were in attendance last year, with three quarters of attendees at either Managing Director level, or above. Media attendees from the Daily Telegraph, Bloomberg and Computer Weekly were also out in full force.
Computacenter is offering one lucky UK tech start-up the opportunity to attend this prestigious event, and get in front of some of the UK’s most senior tech leaders.
To win your place at the event, all you have to do is tweet @Computacenter, using the hashtag #techUKAD17, describing your UK tech start-up in four words, beginning with T, E, C and H.
The winner will be chosen at random.
The competition is open from Monday 26th June 2017 – Friday 7th July 2017, so get your thinking caps on before it’s too late.
Please see below for the full Terms & Conditions.
Terms and conditions
- The promoter is: Computacenter plc whose registered office is at Computacenter House, Blackfriars Rd, London SE1 8HL.
- The competition is open to residents of the United Kingdom that are employed by a UK based technology start-up company, except employees of Computacenter plc and their close relatives, and anyone otherwise connected with the organisation or judging of the competition.
- There is no entry fee and no purchase necessary to enter this competition.
- By entering this competition, an entrant is indicating his/her agreement to be bound by these terms and conditions.
- Only one entry will be accepted per person. Multiple entries from the same person will be disqualified.
- Closing date for entry will be 7th July 2017. After this date no further entries to the competition will be permitted or accepted.
- No responsibility can be accepted for entries not received for whatever reason.
- The rules of the competition and how to enter are as follows:
Tweet @Computacenter, using the hashtag #techUKAD17, describing your UK tech start-up in four words, beginning with T, E, C and H
- The promoter reserves the right to cancel or amend the competition and these terms and conditions without notice in the event of a catastrophe outside of its control, or any actual or anticipated breach of any applicable law or regulation or any other event outside of the promoter’s control. Any changes to the competition will be notified to entrants as soon as possible by the promoter.
- The promoter is not responsible for inaccurate prize details supplied to any entrant by any third party connected with this competition.
- The prize is as follows: One ticket for the techUK 2017 annual dinner
- The prize is as stated and no cash or other alternatives will be offered. The prizes are not transferable.
- Winners will be chosen at random.
- The winner will be notified by DM on Twitter within 7 days of the closing date. If the winner cannot be contacted or does not claim the prize within 7 days of notification, we reserve the right to withdraw the prize from the winner and pick a replacement winner.
- The promoter will notify the winner when and where the prize can be collected/is delivered.
- The promoter’s decision in respect of all matters to do with the competition will be final and no correspondence will be entered into.
- The competition and these terms and conditions will be governed by English law and any disputes will be subject to the exclusive jurisdiction of the courts of England.
- The winner agrees to the use of his/her name and image in any publicity material, as well as their entry. Any personal data relating to the winner or any other entrants will be used solely in accordance with current UK data protection legislation and will not be disclosed to a third party without the entrant’s prior consent.
- Entry into the competition will be deemed as acceptance of these terms and conditions.
How did you find Computacenter Hungary?
I found Computacenter Hungary from social media advertising and also at the same time via a recruitment agency. I started work here in January this year.
When was your interview, and how did it go?
I had two rounds of interview, and the first one was a Telepresence interview with my line manager, who is in the United Kingdom. The interview was thorough and I gained a good impression about the company, and the department. My second round interview was with the group Finance Director, who came here to conduct personal interviews and I seem to remember the interview was long and in some depth, but a great conversation and helped me develop a more complete picture of the company and the role. I think the job offer then came quite soon after – in fact it was just before Christmas, so great timing in fact!
What is your opinion about the recruitment process? Would you recommend anything to improve?
Thinking about the first round, I was rejected first for the first role I had applied for, the Head of GSD, and the second one was the Head of Shared Services. I gained a positive insight to Computacenter from the first interview that prompted me to persist when the second role came along. I was happy with the recruitment process and I was introduced to the Recruitment Manager at a pre-Christmas event to talk briefly about the roles on offer. As a candidate, I felt the feedback was good and it’s always helpful to hear feedback whether the application is successful or not which the company did well.
How did you manage to fit in? And how do you feel yourself at Computacenter now?
I think the culture of the company is an empowering and delegating culture, and this is an environment where I work well. I think the people are very friendly, which has helped me to get established. And that helps a lot.
What do you like in your current position? What are your challenges?
I think there are many opportunities for the function to develop and improve, and I think I can help to achieve that. There is a very capable and enthusiastic team, who are great to work with and an inspiration. I think the challenge of developing this SSC is very interesting to work with.
What are the differences between your previous and current workplace?
I was leading an SSC before as well in Hungary. Computacenter Hungary is more recently established, which gives a lot of opportunity to shape it and to make the organisation meet stakeholder expectations and grow and develop as we deliver operational results and drive business enablement. It is a fast growing company with many career opportunities, meaning there is no better time like the present to join the team at Computacenter!
Picture this – your alarm clock goes off, you reach across the bed and take a look at your phone; it’s woken you up 30 minutes early – why? Well, you have a meeting at 9:30am, but your car is running low on fuel so filling up will take 15 minutes, and traffic is a little worse than normal, so it will take an extra 15 minutes to get to the meeting. Welcome to the Internet of Things (IoT), a world where your phone can plan your day ahead and your fridge knows when it’s running dry and orders the groceries itself.
IoT has captured the imagination of industry visionaries and the public for some time now; devices sending and receiving data, opening the door to a futuristic world previously the stuff of science fiction.
As the cities we live in grow into digital ecosystems, the networks around us will connect every individual device, enabling billions of new data exchanges. Industries will enter a new era, from medical devices that talk directly to medical professionals, to the emergence of smart homes that manage themselves efficiently, ensuring energy usage is checked and bills paid on time.
In the workplace it’s equally easy to see the potential advantages of the connections between devices, from intelligent service desk support through to printers, computers and other devices interacting with each other to deliver tangible user and business benefits.
The service desk is a key component for businesses in the digital age, acting as a communication hub for IT issues, a reference point for technology requirements and a tool for asset visibility. Organisations must ask themselves if their current service desk has the technological capacity and capability to manage the multitude of device and operational data in an efficient manner. An intelligent service desk can be the lifeblood of IoT implementation within businesses and enable automation to be realised.
A connected printer in a business ecosystem, for example, could effectively self-serve its own peripheral needs and order its own supplies when needed. However, the management of that data, effective registration and logging of the incident, as well as notification to the financial and technical teams would not be possible without an intelligent service desk – especially when you elevate this to an enterprise scale, with possibly hundreds of connected printers or devices.
When discussing the “connected office”, IT managers will understandably raise concerns around security. The more devices that are connected, the further the periphery is pushed, increasing the number of potential entry points into a network.
An intelligent service desk will enable whitelisting to be integrated into communication protocols. This is a process which gathers and groups trusted individuals and their devices into a known category. This will enable any unusual requests from either IoT enabled devices or employee requests to be automatically flagged and questioned before action or access is given.
It is in this scenario that IT managers can reap the benefits of IoT, service desk and employee synchronisation. Through the IoT device communicating with the service desk, the service desk effectively managing all end points and the employee working in tandem with the service desk software, the minimisation of internal security risks can be achieved.
While much of this sounds quite out of reach, the benefits of IoT and service desk communication are already evident today, through use cases that are currently very fluid, personalised and often driven by an imaginative use of existing and sometimes emerging technology. Peripheral IT product vending machines holding keyboards and mice, for example, allow the realisation of this relationship to be seen.
However, with so much data being transferred and the IoT still very ‘new’, there are a number of challenges, the most critical being visibility of assets connected and operating under the network.
Communication between all end points and visibility should be fundamental considerations when planning for an IoT based implementation. Intelligent service desks, that can enrich the IT support experience as well as integrate and communicate with the business ecosystem, can host the technology capability to have oversight, communication and visibility of device end points communicating with a network.
While this may appear to be a straightforward concept, enthusiasm to implement and the complexity of service desk and technology transformation often have a tendency to drown out and bypass the fundamentals – leaving potential backdoors open.
To ensure that there is a holistic approach toward securing connections with the IoT, organisations must challenge all stakeholders (vendors, integrators and consultants) to apply secure IoT principles to the service desk solution and IT operational unit, right from the “drawing board” phase.