Show Hide image


Cyber frontiers spur new controls

Michael Turner, security expert at Capgemini, explains how business can best overcome its vulnerability to technological attack

Technology’s need for security is so obvious that it is almost not worth restating, but it still goes wrong and the landscape is changing beyond recognition. Mike Turner of Capgemini explains the issues to the New Statesman.

Q. We keep hearing that the emergence of SMACT technology – Social, Mobile, Analytics, Cloud and the so-called In­ternet of Things – has changed the security landscape. Can you explain why these things are spoken about as if they were one thing?

A. It’s very easy shorthand when we discuss how cyber security has fundamentally changed.

It has changed because of the drivers around the uptake of cloud-based technologies; the adoption of mobile devices, be they smartphones or tablets; their capacity to carry social media; the move to being more mobile as a workforce; and the connection of everyday objects through the Internet of Things.

So it’s a good shorthand and those five things have shifted the paradigm from the old “fortress” mentality of the keep and the castle, with a perimeter to defend. In the modern world, it’s very difficult to define where that perimeter is. In a world of cloud services and mobile devices, many devices – such as phones, tablets and even laptops – will belong to a number of different stakeholders. Organisations may not have consciously outsourced their control but are finding that their security is now provided by cloud providers, or Apple, because it makes the iPhones the staff are using.

Q. Is there a danger that some of the smaller enterprises might get a bit complacent about this? Many seem to think that because their data is in the cloud they are automatically backed up and virus-proofed, which is true only if their cloud provider is up to scratch.

A. It’s not really complacency. Things have become so complex that it’s difficult to understand the range of issues. Before, you were faced with buying a range of services and putting them on your network. Now the integration issues as you start to adopt different technologies become quite significant. You wouldn’t have to go far to find small to medium-sized enterprises using five or six different Software as a Service (SaaS) platforms or a cloud storage provider for their data, and they may be using multiple mobile devices.

On the other hand, the sheer amount of data means there can be a lot of it in what we might call a “data lake”. One of my clients says if someone can break through their defences in such a complex environment then they probably deserve to take what they find, which is a little glib. If someone breaks through to an entire lake or reservoir of vital data they can do a great deal of damage.

Q. So, if it’s getting this complex, is outsourcing IT – and security – to a specialist company the best answer to stay safe?

A. It makes huge amounts of sense to adopt SaaS services and cloud-based services. There are huge economic arguments that articulate the benefits of those. But organisations should be looking to do that only in areas that make sense, with a good understanding of the risks that they’re adopting. At Capgemini we’re great adopters of those sorts of technologies and we provide all of those cloud-based services.

We should understand that SMACT poses significant challenges; we see that in our own business and from our customers. However, we shouldn’t be intimidated – those challenges are manageable. So my first advice to companies is not to be afraid to adopt those technologies but make sure you fully understand what you are undertaking.

It’s becoming financially prohibitive to defend all of your information on mobile devices, the cloud and your own systems. You just can’t guard every single place.

That means you need a clear view of the value of the assets you’re trying to protect. The next piece is to align fully to the business strategy. Look at identity and access management, for example: a huge topic in the security world. How do you move from the old style of enterprise, where you’d manage identities of only your own staff, to where you’re running an online business where you might be interfacing with millions of customers?

How well you manage that customer experience is likely to make the difference between whether those customers stay with you or not.

The third piece of advice is to have a clear strategy around where you’re going to adopt these technologies. One of our customers is a national logistics firm, a very large organisation dealing with identities that run into millions, and it is using 20 cloud-based services, different SaaS providers accessed by a single portal. Interacting with all of those identities from the customers whilst integrating into the enterprise system where the invoicing and billing takes place is a major integration issue.

Q That’s Identity and Access Management (IAM). What’s SQAT?

A. That’s Security, Quality and Assurance Testing – and you can interchange “security” with “software”.

One of the biggest challenges of the digital era is the rate of change in web
applications and mobile applications. Commerce is changing at such a pace that the traditional life cycle – based around large waterfall projects, very clear requirements at the start of a project and a linear life cycle – has moved into the era of agile co-development: quickly deploying it, getting it out into the field as quickly as possible.

You’ve got to position that against the scale of the adversaries. One of the biggest developing areas is actually asking how to ensure that when you release some code developed in the last few hours, it’s not immediately vulnerable to attack.

We have a range of products as a systems integrator that we’re able to bring to bear, whether it’s the static testing of the code, or automatically looking for errors – or even dynamic coding, where you’re pitching the types of threats and malicious code at a piece of code or an application to test its hardness. You also have to do it much earlier in a cost-effective way, and the only way to do that is to improve your coding quality.

The nub of it is that the rapid deployment of these technologies requires new ways of testing, new approaches; otherwise, it’s going to be too late.

Q And are there advantages to having that testing done by someone external?

A. Having a third party that hasn’t developed the code doing the testing reduces the risk and brings some assurance. Dev­elopment has to be rapid – the tooling has to be kept up to date, it has to be adapted quickly, and the adversaries are coming up with ever more novel ways of attacking applications.

If suddenly you’re deploying a .net implementation in your organisation and haven’t before, how are you suddenly going to get the skills to handle that?

Q How does an organisation like yours keep up?

A. We make sure we have access to the latest thinking, whether at the intelligence end or the technology end. So we work very closely with the national authorities; we leverage and support all of the national initiatives around cyber security. The European Union is legislating now that each country has to have a cyber-response capability, so we’ve joined those organisations, the Cyber-security Information Sharing Partnerships (CiSPs) internationally.

It’s important as a global technology company that we’re informing the debate as well as taking knowledge. At the other end of the scale, it’s important that we’re investing heavily in bringing into the company young talent – university graduates and apprentices who are not only informed, but using the technology. Incoming generations always evolve new ways of working with technology.

Q So how much of your work is managerial rather than technical? We still hear of people using weak passwords, encrypting sensitive information and then printing it out and leaving it in a hotel lobby . . .

A. That comes back to my earlier point about having a comprehensive strategy. An example related to a national airport organisation that was implementing a very aggressive, very technologically advanced identity and access management regime, technology-based, two-factored, multifaceted. A significant proportion of the effort was over change management, and that was essential because they had to focus on the people as well as the megabytes.

There’s an old adage that compliant in a technical sense doesn’t necessarily mean secure – whether you’re governed by Sarbanes-Oxley or another set of technical standards. If they’re not backed up by awareness and processes, the weak link isn’t necessarily the technical one.

For further information please visit:

Michael Turner is a security expert at Capgemini.