Author: armour

Armour Mobile in use at the MoD

Recently the UK Government published Industry Security Notice 2022/04 Secure by Design Requirements, which informs the UK Defence Supply Base of the Secure by Design policy and approach which has been set out to ensure cyber secure delivery of capabilities for the MoD.

Before we outline just how closely Armour complies, we address the issue; What is the difference between Secure by Design and Secure by Default?  The National Cyber Security Centre (NCSC) uses both terms in different contexts.

Secure by Design

Broadly speaking, Secure by Design means that software products and services are designed to be secure from the ground up.  Every layer is considered from a security and privacy standpoint and starts with a robust architecture design.  Secure by Design incorporates strategies such as forcing patterns of behaviour, for example, strong authentication, and the use of best practice protocols such as least privilege access.

More specifically, Secure by Design is part of the Government’s National Cyber Security Strategy. The Department for Digital, Culture, Media & Sport (DCMS) and the NCSC conducted a review into how to improve the cyber security of consumer Internet of Things (IoT) products and associated services, and as a result published various documents regarding the security of smart devices.

Secure by Default

Secure by Default builds on the premise of Secure by Design.  According to NCSC Secure by Default is about taking a holistic approach to solving security problems at the root cause rather than treating the symptoms. It covers the long-term technical effort to ensure that the right security attributes are built into software and hardware. As well as ensuring that security is considered at every stage when developing products and services, it also includes ensuring that products are delivered to the end-user in such a way that the default settings enforce good security practices, while balancing usability with security. After all, if a product is too difficult to use, people will simply find a workaround, meaning that security ends up being compromised anyway.

Secure by Default principles prescribed by NCSC are:

• • • security should be built into products from the beginning, it can’t be added in later;
    • security should be added to treat the root cause of a problem, not its symptoms;
    • security is never a goal in and of itself, it is a process – and it must continue throughout the lifetime of the product;
    • security should never compromise usability – products need to be secure enough, then maximise usability;
    • security should not require extensive configuration to work, and should just work reliably where implemented;
    • security should constantly evolve to meet and defeat the latest threats – new security features should take longer to defeat than they take to build;
    • security through obscurity should be avoided;
    • security should not require specific technical understanding or non-obvious behaviour from the user.

Armour Mobile complies with Secure by Design AND Secure by Default

At Armour Comms we have been working with NCSC since our inception a number of years ago to ensure that our products are designed with Best Practice security protocols in place. Our initial products were CPA certified to demonstrate they adhered to these security principles; when that scheme finished (for all products with the exception of smart meters) we focused on ISO27001 and Cyber Essentials Plus certification as externally audited proof of our strong security practices.

Our products are approved for use up to OFFICIAL-SENSITIVE, NATO Restricted and for Higher Assurance requirements and are already deployed at these levels. Our innovative developers work hard to deliver products that strike the balance between providing a user experience that mimics consumer-grade apps, while delivering the security credentials required for higher assurance use.  Armour Mobile is in use in many Government departments as well as having been deployed for numerous use cases across the MoD.

Armour Mobile and MoD Secure by Design Requirements

One of the key principles within the ISN 2022/04 Secure by Design Requirements is to Define Security Controls, and within that, the requirement is that: “Existing processes, knowledge, standards and technologies should be identified, assessed and reused where possible to avoid duplication of effort.”  With this in mind, and our track record of working with NCSC and the MoD, Armour Mobile is the obvious choice for any secure comms requirement within the Defence sector.

For a more detailed look at the NCSC Secure by Default principles read our blog: The future of NCSC Technical Assurance: https://www2s.armourcomms.com/2022/01/25/the-future-of-ncsc-technical-assurance/  and for more information about the NCSC Secure by Default principles please read: https://www.ncsc.gov.uk/information/secure-default

Watch this space for future articles describing in more detail how Armour Mobile meets the Secure by Design requirements.

We are delighted to announce that Unity by Armour has been shortlisted for an SC Award for Best Communications Security Solution.

Unity is the third Armour product to be a finalist, and it is the 5^th year in a row that we have been shortlisted.  Armour Mobile won the award for Best Mobile Security Solution in 2019 and SigNet and Armour Mobile were Highly Commended in the same category in 2021.

Enterprise Conferencing that’s more secure and easier to use

Unity by Armour® delivers secure conferencing in an easy-to-use app for mobile and desktop use, with enterprise security features not provided by free-to-use consumer products including a choice of cloud or on-premises installation to ensure data sovereignty. Unity is available in several configurations to ensure the level of security matches the sensitivity of the conversation. Unity combats the issue of ghost callers that may eavesdrop on sensitive conversations by highlighting to all users whether a participant has joined the call via an app, or securely via a browser –browser options often increase vulnerabilities.

Unity extends the Armour ecosystem by working in conjunction with Armour Mobile to provide pre-defined or on-the-fly secure video conferencing, screen sharing and integration with secure chat groups and interconnectivity with trusted unified communications systems.

Unity delivers picture-in-picture and multiple screens, and offers a familiar video conferencing interface, making it easy and intuitive to use.

If your organisation needs a conferencing tool with enterprise capabilities and security credentials to match, call us today to find out more

Tel: +44(0)20 36 37 38 01

Managing corporate data on Bring Your Own Devices (BYOD) has been a thorny issue for years. Businesses and employees alike appreciate the convenience of people using their own devices, and in fact, the organisation probably doesn’t have much choice in the matter without taking draconian measures. However, protecting sensitive information that finds its way onto unmanaged devices can open organisations up to risk of industrial espionage and even threaten national security, quite apart from more mundane, but nevertheless serious data protection regulatory issues (GDPR being the most obvious).

Athletes advised to use burner phones for security reasons

To add to those threats, if people travel abroad they may find their devices compromised by lapses in local security. A recent case in point was athletes and teams taking part in the Winter Olympics in China. Many governments advised people to take burner phones and hire laptops once there, rather than risk their own devices becoming compromised. Full story here: https://www.bbc.co.uk/news/world-asia-china-60034013

Burner phones create additional security issues

This raises an important point, that of the additional complexity posed by the use of burner phones.  Typically they are bought in country, used and disposed of prior to return. These phones, usually Android, for cost reasons, should be considered unsafe because their provenance cannot be certain. Using apps on such phones can create undue risk and uncertainty as they may have been ‘jailbroken’ (modified to remove restrictions imposed by the manufacturer, to allow the installation of unauthorised software) or contain potentially malicious apps from local carriers or distributors.

Managing BYOD without MDM

True BYOD devices that are owned by the employee create a different challenge. Employees do not like the fact that their employer might wish to take control of their personal device with a Mobile Device Management (MDM) solution, and so have the ability to restrict the use of the capability of the device e.g. disable the camera. However, the concerns around corporate data being held on a device that is not owned or controlled by the business must still be addressed – something that Armour can do without the need for a full MDM solution.

How Armour helps

Armour Mobile and SigNet by Armour provide a mobile comms solution that completely isolates the communications and any associated data, metadata or files (attachments such as documents, images, video clips). All data is encrypted and secured within the app protecting contacts, messages and attachments from malware on the device or if the device is lost or stolen. The ultimate goal is to minimise the organisation’s risk by reducing the residual data held on the device. Armour’s products are Secure By Design, for example technology in the app requires sole use of the microphone ensuring rogue apps are not ‘listening’ in to voice or video calls.

In addition, before the app can be used, the Armour software checks to see if the device has been jailbroken, if so, the user will not be able to use the Armour app.

Armour provides its own viewers for certain types of attachments, so as not to share information with the operating system or third-party viewers, and preventing the user from sharing the attachment (and its sensitive information) outside of the Armour app, thus avoiding the potential for data leakage.

To avoid the use of the public internet and untrusted, insecure networks, the Armour apps can be installed in a variety of ways. Depending on the specific use case requirements this can include via SD card or via a completely closed VPN network (using additional technology from Armour technology partners).

Armour Mobile and SigNet also include many security features within the app to protect against data leakage.  This includes the Message Burn and Disappearing Messages features, where the sender of a message can set it to automatically delete at a set time, either after it has been read, or after it has been sent.  This feature can be deployed as a standard setting across chat groups or communities of users.

In the coming months we will deliver the capability to remote wipe any data held within the Armour app on devices that have been lost, stolen or otherwise compromised and in addition will have the ability to centrally control the length of time messages are available to be accessed on phones.

For more information about how Armour can help you to ensure secure communications even when using BYOD devices, contact us today: sales@armourcomms.com

Cyber Essentials Plus 

As a cyber security vendor, and an advocate for a Secure by Design approach to developing products and services, we believe that validation by independent third parties is an important process, and one that generates many benefits, not just for ourselves but our customers too.  We are committed to continually improving our internal processes to ensure that they are of the highest quality and stand up to external scrutiny.  We are therefore delighted to announce that we have now achieved Cyber Essentials Plus certification for our whole organisation.

Cyber Essentials is a government backed scheme that helps organisations to protect themselves from a whole range of cyber attacks. There are two levels of certification:

Cyber Essentials, which is a self assessment framework (which we’ve held since 2017)

Cyber Essentials Plus, the higher level of certification which includes additional external technical verification.

More details here: https://www.ncsc.gov.uk/cyberessentials/overview.

We undertook this extra level of certification to provide additional peace of mind to our customers that our internal standards of cyber security comply with industry best practice. In submitting to a thorough and rigorous external verification, we also received feedback, which is a highly valuable part of the process.

Cyber Essentials Plus (CE+) certification is completed annually, and as such, demonstrates our continual commitment to ensure our processes are constantly evolving and improving.  CE+ complements our ISO27001 certification – a proven methodology for ensuring processes are security focused – achieved in March 2021.

Secure by Default is in our DNA

At Armour, Secure by Design and Secure by Default principles are in our very DNA.  We’ve been working with the NCSC for many years to ensure that our products conform to the appropriate industry standards, and are designed with the end user in mind. If a security product isn’t easy to use, then it isn’t a security product (because the end user will simply find something that is easy to use instead).

Cyber Essentials Plus is the latest milestone in our mission to demonstrate that we practice what we preach – our internal processes have been validated as cyber secure. This focus on external certification fosters a cyber-aware environment for our employees so that they are able to deliver great products that are Secure by Design, directly address the real-world challenges of secure communications, and that people enjoy using.

For more about Secure by Default, Secure by Design and the NCSC’s Principles Based Assurance read our blog: The Future of Technical Assurance