Friday, December 6, 2013

Encryption 101: Back to basics

Jack Hammond
Junior Developer
Egress Software Technologies Ltd.
Having introduced the concept of encryption in my last blog post through the Playfair cipher, I’m now going to look at a few of the oldest known ciphers, which demonstrate the fundamentals of encryption.

At the most basic level, a good cipher should provide two properties (first set out by Claude Shannon):
  • Confusion – The relationship between the key and the ciphertext should be as complex as possible, so that seeing ciphertext gives away as little as possible about the key
  • Diffusion – A change to the plaintext, even just a single letter, should spread through and alter a large part of the resulting ciphertext

The classical ciphers below have neither property: each plaintext letter affects exactly one ciphertext letter, which is exactly why they are so easy to break.

A brief history

Encryption has been used for thousands of years – for example, there are reported cases dating back to around 2500 BC of hieroglyphs being altered in Ancient Egypt to conceal information. Around 500 BC, meanwhile, Rabbis hid information using the Atbash cipher – a very simple cipher in the sense that it just reverses the alphabet, so ‘A’ becomes ‘Z’, ‘B’ becomes ‘Y’, and so on. Because the reversed alphabet reverses back to itself, applying Atbash a second time recovers the plaintext.

Plaintext: ‘This message has been encrypted using the Atbash cipher’

Ciphertext: ‘Gsrh nvhhztv szh yvvm vmxibkgvw fhrmt gsv Zgyzhs xrksvi’

While these ciphers wouldn’t take long to crack with today’s technology, they demonstrate encryption in a very basic form, providing a solid foundation for a better understanding of the subject.

The cipher of a Roman general

Julius Caesar is perhaps the most famous Roman of all (strictly speaking a general and dictator rather than an emperor; the first emperor was his heir Augustus) – however what people may not know is that he has a cipher named after him: the Caesar cipher.

Like the Atbash cipher, the Caesar cipher is what’s known as a substitution cipher or, more specifically, a simple (monoalphabetic) substitution cipher: every occurrence of a given plaintext letter is replaced by the same ciphertext letter. The difference between the two lies in the key. Atbash has only a single possible mapping (‘A’ will always encrypt to ‘Z’, ‘B’ will always encrypt to ‘Y’, etc), so if someone knows a document has been encrypted using Atbash it is trivial for them to decrypt it. The Caesar cipher instead takes a numerical offset, or shift, as its key, which gives 25 different ‘keys’ to choose from.

The shift is the number of positions each letter is moved along the alphabet, hence the 25 possible ‘keys’. You can’t have 26, because moving a letter 26 places brings it back to its starting position (as does a shift of 0), so no encryption takes place; any larger shift is equivalent to one of the 25 (a shift of 29 is the same as a shift of 3). Twenty-five keys is a tiny key space, and an attacker can simply try them all.

With this in mind, let’s take a look at a simple example that will use the key of ‘3’ to encrypt the letter ‘E’ to its corresponding ciphertext letter.

Letter shifting

It is generally accepted that encryption is done by shifting all the letters to the right (positive shift) and decryption is done by shifting all the letters to the left (negative shift), with ‘Z’ looping back round to ‘A’. Of course there is no steadfast rule, and you’re free to encrypt and decrypt in any way you like!

Plaintext:  A B C D E F G H I
Ciphertext: D E F G H I J K L

Looking at the example above, we can see that if the letter ‘E’ is encrypted by the Caesar cipher with a 3 shift, then it will encrypt to the letter ‘H’. To decrypt this, we simply use a -3 shift.

Some more examples

So, now we know how the Caesar cipher works, let’s look at encrypting a whole sentence:

Plaintext alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ

Plaintext message: I CAME, I SAW, I CONQUERED.

Example 1

Shift: 1

Ciphertext alphabet: BCDEFGHIJKLMNOPQRSTUVWXYZA

Ciphertext message: J DBNF, J TBX, J DPORVFSFE.

Example 2

Shift: 10

Ciphertext alphabet: KLMNOPQRSTUVWXYZABCDEFGHIJ

Ciphertext message: S MKWO, S CKG, S MYXAEOBON.

Weaknesses in the cipher

Look at the two examples above – do you notice anything about them? The letter ‘I’ is particularly revealing.

Within each message, the letter ‘I’ is always encrypted to the same letter: with a shift of 1, ‘I’ always becomes ‘J’; with a shift of 10, ‘I’ always becomes ‘S’. Because the cipher is monoalphabetic, the pattern of repeated letters in the plaintext survives intact in the ciphertext. This is what makes the Caesar cipher vulnerable to a cryptanalysis method known as letter frequency analysis – working out what a ciphertext letter stands for by how often it appears.

Every sentence tells a story

Within the English language, certain letters appear far more often than others (‘E’ and ‘T’ are the most common). Using this knowledge we can recover the original message even if we don’t know the key. There are two routes: brute force, which means trying all 25 shifts and picking the one that produces readable English, and frequency analysis, which compares how often each letter appears in the ciphertext with the known frequencies of English and so points straight at the likely shift. Either takes a little patience by hand and no time at all on a computer.

[Graph: typical letter frequency distribution of English text]

The graph shows the usual distribution of letters in English, otherwise known as letter frequency. By comparing the frequency of letters in some ciphertext with this distribution we get a strong clue about the key: if the most common ciphertext letter is ‘X’, then the shift that maps ‘E’ to ‘X’ (19) is the first one to try. We decrypt with that shift and see what comes out, adjusting the number of letters shifted up or down accordingly, until we find a solution that reads like a normal English sentence.

These early examples show just how far back in history encryption has its roots, and while they are clearly trivial to crack by today’s standards, they demonstrate the principles of encryption well. Each generation of ciphers since has made the attacker’s job harder, to the point where quantum key distribution schemes now use the fundamental laws of physics to reveal anyone eavesdropping on a key exchange, which comes close to a perfect guarantee… In theory at least!

Your turn to crack the code (try these at your desk!)

  1. Using a key of ‘7’, encrypt the following phrase:
    • Rome was not built in a day
    • Answer: Yvtl dhz uva ibpsa pu h khf
  2. Using a key of ‘15’, encrypt the following phrase:
    • Experience is the teacher of all things
    • Answer: Tmetgxtcrt xh iwt itprwtg du paa iwxcvh
  3. The following phrase has been encrypted using a key of ‘20’, decrypt it:
    • Cz sio gomn vlyue nby fuq, xi cn ni mycty jiqyl: ch uff inbyl wumym ivmylpy cn.
    • Answer: If you must break the law, do it to seize power: in all other cases observe it.

Further Reading

If this post has piqued your interest in cryptography, it may be worth looking at some of the topics below:
  • The avalanche effect; a strengthening of the diffusion property, under which changing a single bit of the input should change roughly half of the output bits
  • ROT13; the Caesar cipher with a shift of 13. Since 13 + 13 = 26, applying it twice returns the plaintext, so it is its own inverse. The relationship between an operation and its inverse becomes central in modern-day ciphers such as RSA, where encryption is easy to compute but undoing it without the private key is meant to be infeasible

Wednesday, November 20, 2013

The UK IT Industry Awards 2013: A night to remember

Rebecca Bailey
Senior PR & Marketing Executive
Egress Software Technologies Ltd.
Informally dubbed the ‘Oscars of the IT world’, the UK IT Industry Awards celebrate best practice, innovation and excellence, and form the gold standard of achievement for any organisation within the IT sector. Unsurprisingly, then, emotions were running high for the Egress team last Wednesday, when our bid to be named Cloud Provider of the Year culminated at the Battersea Park Events Arena, London. 

Celebrating 40 years of IT

The lavish awards ceremony, put together by the Chartered Institute of IT (BCS) and Computing Magazine, provided a fitting backdrop for leading individuals and organisations from across the sector to champion the endeavours and innovation that, as BCS Group Chief Executive Officer David Clarke explained, not only “provides best practice now but next practice very soon”.

As sponsors of the event, the Egress Team began the evening in the VIP Lounge with a champagne and canapé reception, before we took our seats alongside the other 1,300 guests to be formally welcomed by David, as well as Editor of Computing Stuart Sumner. The pair recognised both the calibre and the volume of entries for this year’s awards, before Stuart introduced an infographic celebrating 40 years of IT. The subsequent spectacular gala dinner was followed by Comedian and TV Host Jimmy Carr’s appearance on stage.

After a short round of stand-up – in which Jimmy played upon the common perceptions and misconceptions of the IT industry – the true business of the evening began.

Cloud Provider of the Year

As one of the last categories to be announced, the Egress Team had quite a wait before hearing about our success. However, entertainment was provided by Jimmy Carr’s quick wit and the good humour of those presenting the awards – including Egress CEO Tony Pepper. Arriving onstage to Jimmy quipping that his name would be well-suited to a mafia boss, Tony put on his best New York accent to greet the comedian.

Before long, however, the moment of truth was upon us. Our table sat in nervous silence, only to erupt in cheering as our logo appeared onscreen and we were awarded ‘Cloud Provider of the Year’.

Reflecting on our achievement, Tony commented: “The way the awards are judged is one reason they are held in such high regard by the industry. Rather than just an online form with a restrictive word count, BCS and Computing Magazine give every finalist the chance to present in person, which means you can explain in detail the work you are doing and justify why you think you deserve to win.

“For Egress, this meant we could demonstrate what an amazing year 2013 has been for us, with revenue growth of over 400% and a 95% increase in customers. This success is based in our fundamental belief in continued investment into product innovation and leading-edge technology.”

The rest of the evening was spent toasting our success, as well as that of the other winners and those acknowledged as highly commended. Egress partners and clients were amongst those recognised for their excellence on the night, most notably Softcat, who were awarded ‘Large Supplier or Major VAR of the Year’ and the London Borough of Hackney for ‘IT Project Demonstrating Most Effective Use of Collaborative Technology’. Similarly, Network Rail received the award for 'Innovative Mobile App of the Year', in the category co-judged by Egress’ Dan Hoy.

True to Egress form, we had a fantastic night of celebration and are proudly displaying our newest trophy in our London office - however, we're also already planning how to return bigger and better in 2014!

Wednesday, November 6, 2013

European data protection reform proposals: What does the latest development reveal?

Rebecca Bailey
Senior PR & Marketing Executive
Egress Software Technologies Ltd.
The value of EU citizens’ data is predicted to increase to €1trillion by 2020, and as the extent of international intelligence efforts has demonstrated, it is a much-coveted commodity. Consequently, legislation must keep pace with digital development to offer comprehensive data protection – a sentiment recently reflected in the European Parliament.

Late last month, an overwhelming majority of the European Parliament’s Committee for Civil Liberties, Justice and Home Affairs (LIBE) backed the proposed reform of European data protection law. Speaking ahead of the vote, President of the European Commission José Barroso summed up all that the reform hoped to achieve, declaring: “We need to combine the digital agenda with a better framework for protection of data and privacy rights. Trust in the data-driven economy has to be restored not only for the needed confidence but also for its potential impact on growth.”

Although the reform has yet to be debated, and agreed upon, by the European Commission, Parliament and Council, these recent developments offer interesting insight into the future of the European data protection landscape.

One continent, one law: data protection in Europe

It is hoped that the legislation will replace a ‘patchwork’ of national laws with one, pan-European law that, ultimately, will make it simpler and cheaper to conduct business in the EU by becoming a one-stop-shop for data protection. To this end, last month’s vote introduced and enhanced several concepts of the initial proposal, and will shape the way that data protection is carried out throughout the EU:
  • Data transfers to non-EU countries – Coming in direct response to the data surveillance activities revealed earlier this year, should a third country request a company disclose personal information, firms will have to seek authorisation from their national data protection authority before transferring the data, as well as inform the individual(s)
  • Data Protection Officers – It will become mandatory for companies with more than 5,000 client contacts per year to appoint a Data Protection Officer
  • Right to erasure – Individuals will be able to request data controllers erase personal information – and firms will also have to forward this request onto other organisations where data are replicated
  • Explicit consent – Where processing is based on explicit consent, organisations will have to obtain clear permission from the data subject (who can withdraw their consent at any time) before processing personal information
  • Profiling – Profiling will only be allowed subject to a person’s consent, when provided by law or when needed to pursue a contract
  • Sanctions – Fines of up to €100m or 5% of annual worldwide turnover (whichever is greater) will be levied against companies found in breach of data protection rules

A breakthrough for European data protection

Satisfying the requirements of 28 member states has meant that it’s been a long road to even reach this point, and although critics have pointed out that vague wording could cause loopholes, the progress has been championed in the European Parliament as a “breakthrough” and a ‘clear signal [that] data protection is made in Europe’.

The strength of this support must galvanise organisations in the UK, and the rest of Europe, to engage directly with the data protection reform. Thanks to its extensive aims, the impacts of the reform will be far reaching, meaning that every organisation will have to be aware of what will, or won’t, change for them.

Although there is some speculation as to whether the reform will be introduced in 2015 or 2016 (or even later), and it is likely that further amendments will be made before a final version is agreed, staying abreast of developments and remaining responsive now will put organisations in a better position to cope with the changing data protection landscape.

Tuesday, October 29, 2013

What is the government doing to protect my data? Recent ICO fine is a wake-up call for us all

Daniel Hoy
UK Marketing Manager
Egress Software Technologies Ltd.
Last week, the latest Information Commissioner’s Office (ICO) fine hit the headlines – and for those of you who don’t follow the data security news as closely as I do, it was a big one! The Ministry of Justice, no less, was fined £140,000 due to a serious data breach that saw the details of prisoners at Cardiff Prison (all 1,182 of them) emailed incorrectly to three of the inmates’ families. The details included names, ethnicity, addresses and release dates – and as an internal investigation discovered, the same mistake had been made twice previously.

So concerned was the prison that it sent a member of staff, accompanied by the police, to the home of each recipient to ensure the information had been properly deleted.

In isolation this story is worrying enough, but when you visit the ICO news pages you realise that this is just one of many similar incidents across the Public Sector, involving everyone from NHS trusts all the way to local authorities. This raises the following questions:

  1. What steps are being taken to protect data shared outside of government networks in order to prevent these breaches?  
  2. Is the government really protecting me and my data?

Facilitating the information security debate

Egress Software Technologies recently hosted an IL3 Certification Briefing in the Tower of London, partly to raise awareness of our status as the only UK Government CPA Foundation Grade certified email encryption product, but also to facilitate debate between government departments on the topic of secure data exchange.

Having attended the event, there is no doubting the appetite from within government to resolve the issue of how to share sensitive information with third parties that sit outside existing accredited networks, such as GCSX, NHSmail and CJSM.

Egress Switch offers part of the solution, as a spokesperson from CESG explained: “Egress’ innovative technology and commitment to demonstrating that it meets CESG’s standards means that the end-user has confidence that they are selecting an email encryption product that has been approved by CESG and is capable of protecting their organisation and the data they share from external threats.”

No easy answer

But the debate runs deeper than simply which email encryption solution to invest in. What became apparent when CESG representatives Geoff Eden (Deputy Technical Director) and Jon Lawrence (Technical Director) presented on the new Cabinet Office Classification Scheme and the CPA landscape, was the confusion and misunderstanding that seems to exist amongst the audience when it comes to sharing information outside of government. My colleague Tony Pepper presented on this topic at Infosecurity Europe 2013 in April, and again the feedback and questions posed were very similar.

Education, therefore, clearly has a part to play in this debate. Only when you combine effective technology solutions with end-user understanding of the steps that are needed to protect sensitive information, can you truly ensure you have a comprehensive data protection policy in place.

At Egress, we feel our technology offers this platform; working alongside CESG and other government bodies, the educational piece now needs to follow!

Monday, October 21, 2013

Will going paperless improve data security?

Natalie-Kym Vinnicombe
Business Development Manager
Egress Software Technologies Ltd.
Since as early as the 2nd century AD, paper has been used as the transport mechanism for information; but in today’s digital world, are the days of paper numbered?

The notion of ‘going paperless’ has hit the headlines through Health Secretary Jeremy Hunt’s ambitions for a ‘paperless NHS’ by 2018. This has got me thinking about the positives this approach could bring – although there are plenty of critics of his plans as well. Aside from the environmental benefits of going paperless (in the US and Canada alone, pulp mills are the third largest industrial polluter), there is a strong business case behind it.

What’s the value of going paperless?

When sending a document, there are several elements to consider:
  • Operational costs – such as the physical costs of paper, envelopes, printing, etc, as well as transport costs like stamps and couriers
  • Efficiency costs – how long will it take to get data from one place to another? Will this slow down operations and processes already in place? Would minimising this timescale make a business more efficient and therefore more profitable?
  • Security – once the data has left your control, you have minimal influence over whether it will reach the intended recipient in one piece and unread, or what the recipient will do with it in terms of sharing it with other people or losing it

Being an IT security company, this final element is where Egress’ main interests lie (although, obviously, we’re keen to improve efficiency and reduce costs for our customers as well). And when looking at paper as a way of sharing confidential data, there are many security concerns that can be raised.

What about data security?

The truth of the matter is, as soon as it’s in the post, there isn’t really any way of securing or controlling that data any longer, and you have no visibility of where it has gone.

So, let’s take a closer look at this.

An admin assistant in Office A needs to send a sensitive document to a specific person at Office B. They either arrange a courier or send the package via post, and it is then delivered to Person B, who takes a read.

While this might seem like a simple scenario, there are endless possibilities that can put that data at risk, including:
  • Admin errors – the wrong address could have been supplied or it was accidentally written down incorrectly. Or the admin assistant could have spilt their morning coffee over it, and a letter intended for Newcastle-under-Lyme is suddenly heading towards Newcastle-upon-Tyne
  • Physical security – my first concern is: How safe is an envelope? Certainly not as safe as a padlock or AES-256 encryption. You simply use opposable thumbs and – voila! – the document is open. Does it fill you with confidence to know even a monkey can manage that? (I know some clever clogs will be thinking monkeys can’t read, but…) Further, while sending documents via registered post increases physical security slightly, it is costly and inefficient to do so.
  • The recipient’s behaviour – so, accepting that everything thus far has gone well (the document has been delivered, unopened, to the recipient), what happens next? Well, the truth of the matter is, I don’t know – and neither will you! You have to hope that your local MP doesn’t dump it in a bin or that it doesn’t fall out of a police vehicle. You have to hope that no-one leaves it on a train or in a café, that it isn’t stolen, sold or sent on to everyone in the local area… The list is endless! 

Data loss and breaches can damage business reputation, as well as cause untold stress to the individuals involved. That being the case, my question is: How can you choose to share sensitive information by essentially crossing your fingers and relying on a bit of luck that it will not only reach the intended recipient, but that their behaviour isn’t going to land you with a fine from the Information Commissioner’s Office of up to £500K? It seems like a lot of responsibility to hand over to every third party you do business with on a daily basis, but this is how many organisations still behave. We may have developed the technological resources to support electronic communication, but many still live in a world of paper.

I don’t think we can be blamed for wanting to hold on to what we know – and we’ve relied on paper for almost 2,000 years! As a secret sci-fi geek, I was mortified by the fact that Captain Jean-Luc Picard read classic books on a mechanism that looked surprisingly like a Tablet device (although once someone buys you an eReader for Christmas, you finally realise it makes sense). However, the benefits of going paperless can’t be denied – with the appropriate mechanisms in place, not only will security be improved, but financial overheads will be reduced and efficiency increased. 

Friday, October 4, 2013

Encryption 101: The Playfair Cypher

Jack Hammond
Junior Developer
Egress Software Technologies Ltd.
Films such as Disney’s National Treasure would have us believe that encryption is confined to professors and academics, or that it is the stomping ground of computer whizzes who sit staring at a screen, watching line upon line of code stream past them until a big message flashes up saying that they have ‘cracked the code’.

In reality, encryption is a fascinating art that spans thousands of years and has the addictive property that the more you learn, the more you want to apply it.

Given that I opened this post mentioning the film National Treasure, I think it’s only apt that we start with the cipher that was made famous in the film: the Playfair cipher, which was created by Charles Wheatstone in approximately 1854 and takes its name from Lord Playfair, who promoted its use.


Grasping the encryption basics

The fundamentals of the Playfair cipher are fairly straight forward:

  • Pick a keyword, ideally one without repeated letters (if it has any, keep only the first occurrence of each letter)
  • Draw a 5x5 square
  • Write the keyword along the top, moving on to the second line if you need to
  • With that done, add in the rest of the alphabet in order, skipping the letters that are already in the keyword, and putting I and J in the same cell (since there are 25 cells but 26 letters, it is common practice to treat these two letters as one)
So for example, if I set the keyword as ‘KEYWORD’, then my completed square would look like this (with I standing for both I and J):

K E Y W O
R D A B C
F G H I L
M N P Q S
T U V X Z
With our square laid out, now we can begin the fun part of encrypting a message of our choosing. Just as with constructing our square, there are a few steps that need to be taken to prepare the string of text for encryption. For the purpose of this exercise, I’ll be using the following phrase:
‘The lazy hippo likes to burp’

  • Divide the phrase up into pairs of letters;
    • Th el az yh ip po li ke st ob ur px
    • As you can see here, I’ve added an ‘x’ to the end of the phrase, which is done if there’s an odd number of letters or the same letter forming one pair (so ‘tree’ would become ‘tr ex ex’)
  • Next we take each pair in turn, and depending on where the two letters sit in the square, we do one of three things:
    •  If the letters are in the same column: Take the letter immediately below the source letter. If the letter is on the very bottom row, just wrap round and continue down from the top row

'YH' is encrypted to 'AP'

  • If they are in the same row: Take the letter immediately to the right of the source letter. If the letter is in the very right-hand column, just wrap round and continue on from the left-hand column.

'LI' is encrypted to 'FL'

  • If they are in different rows and different columns: Draw a rectangle with the two letters at opposite corners and take the other two corners, keeping each letter on its own row (so each letter is replaced by the letter in its own row but in the other letter’s column)

'TH' is encrypted to 'VF'

Putting this together

So now that we know the basics of the Playfair cipher, we should be able to encrypt our original secret message to:

VF OG CV AP HQ SY FL EY MZ WC TD QV
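As an added example, not code from the original post, here is the whole Playfair procedure above in Python: building the square from a keyword (repeated letters kept once, J merged into I), splitting the text into pairs with X as the filler, and the three substitution rules, which run in reverse for decryption. The only assumption beyond the post is that a doubled X is separated with Q rather than X, since X is already the filler.

```python
import string


def build_square(keyword):
    """Build the 5x5 Playfair square: the keyword first (repeated letters kept
    only once, J merged into I), then the remaining letters in alphabetical order."""
    cells = []
    for ch in (keyword + string.ascii_uppercase).upper():
        ch = "I" if ch == "J" else ch
        if ch.isalpha() and ch not in cells:
            cells.append(ch)
    if len(cells) != 25:
        raise ValueError("square must hold exactly 25 letters")
    return [cells[i:i + 5] for i in range(0, 25, 5)]


def prepare(plaintext):
    """Reduce the text to letters (J -> I) and split it into digraphs. A pair of
    identical letters is broken up with a filler and an odd trailing letter is
    padded, so 'tree' becomes TR EX EX as in the post. Using Q when the doubled
    letter is itself X is an assumption of this example."""
    letters = [("I" if c == "J" else c) for c in plaintext.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "X"
        if a == b:
            pairs.append(a + ("Q" if a == "X" else "X"))
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _locate(square, ch):
    for r, row in enumerate(square):
        if ch in row:
            return r, row.index(ch)
    raise ValueError("letter %r is not in the square" % ch)


def _transform(square, pair, step):
    """Apply the three Playfair rules to one digraph. step=+1 moves right/down
    (encrypt); step=-1 moves left/up (decrypt). The rectangle rule is its own
    inverse, so it ignores step."""
    (r1, c1), (r2, c2) = _locate(square, pair[0]), _locate(square, pair[1])
    if r1 == r2:                              # same row: slide along the row, wrapping
        return square[r1][(c1 + step) % 5] + square[r2][(c2 + step) % 5]
    if c1 == c2:                              # same column: slide along the column, wrapping
        return square[(r1 + step) % 5][c1] + square[(r2 + step) % 5][c2]
    return square[r1][c2] + square[r2][c1]    # rectangle: keep the row, take the other column


def encrypt(plaintext, keyword):
    """Encrypt and return the ciphertext as space-separated upper-case pairs."""
    square = build_square(keyword)
    return " ".join(_transform(square, p, +1) for p in prepare(plaintext))


def decrypt(ciphertext, keyword):
    """Decrypt; the result keeps any X filler the sender inserted."""
    square = build_square(keyword)
    letters = "".join(c for c in ciphertext.upper() if c.isalpha())
    if len(letters) % 2:
        raise ValueError("Playfair ciphertext must contain an even number of letters")
    pairs = [letters[i:i + 2] for i in range(0, len(letters), 2)]
    return "".join(_transform(square, p, -1) for p in pairs)


if __name__ == "__main__":
    for row in build_square("KEYWORD"):
        print(" ".join(row))
    ct = encrypt("The lazy hippo likes to burp", "KEYWORD")
    print(ct)                        # VF OG CV AP HQ SY FL EY MZ WC TD QV
    print(decrypt(ct, "KEYWORD"))    # THELAZYHIPPOLIKESTOBURPX
```

Note that decryption cannot tell a filler X from a genuine one, and cannot tell I from J; the reader is expected to resolve both from context, which is a limitation of the cipher rather than of this code.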

As you can see, the encrypted text hides our original message quite well; however the Playfair cipher has real weaknesses. Because it encrypts pairs of letters with a fixed table, the same plaintext pair always produces the same ciphertext pair, so the frequency analysis that defeats single-letter substitution still works, just on pairs of letters rather than on single letters. On top of that, since the key is in practice a memorable word, the set of squares an attacker actually needs to try is a tiny fraction of the 25! possible arrangements, which is why a computer can crack a Playfair message in anything from a few seconds to a few minutes.

All in all, however, the Playfair cipher remains an early testament to the importance of encrypting sensitive information.

Your turn to crack the code (try these at your desk!)

  1. Using the keyword of ‘software’, encrypt the phrase below:
    • The City of London
    • (Answer: fi ba pb vt sn fm gs xf)
  2. Using the keyword of ‘horse’, encrypt the phrase below:
    • They’re coming from the east
    • (Answer: Ns sz sh br gk vn ce ei ns rz hf dy)
  3. Using the keyword ‘encrypt’, decrypt the secret code below:
    • Ao bc up oz fc ba md mc ru
    • (Answer: Charles Wheatstone)

Thursday, September 19, 2013

Is the Data Protection Act harming children?

Tony Pepper
Chief Executive Officer and Co-Founder
Egress Software Technologies Ltd.
Last week, the Data Protection Act came under fire following an article published by Secretary of State for Education Michael Gove in The Telegraph, regarding the safeguarding of children in care homes.

Gove’s article was published in response to a review after serious failings put vulnerable children and young people at risk of abuse. While much of the Education Secretary’s criticism is to be welcomed, his censure also extended to so-called ‘data protection rules’, and thereby called into question the effectiveness of the Data Protection Act. In response, Information Commissioner Christopher Graham issued a written statement and appeared on BBC Radio 4’s World at One programme in defence of the Data Protection Act, labelling it an “enabler” rather than a barrier to safeguarding children.

As the Commissioner declared, “there shouldn’t be room for confusion on anything as serious as child protection” – yet, clearly, there is. Gove detailed that the government body Ofsted was ‘prevented by “data protection” rules, “child protection” concerns and other bewildering regulations from sharing data’. Thus even when it matters most, some people evidently feel unable to share confidential information.

What does the Data Protection Act say?

The Data Protection Act states that information can be processed when this is ‘necessary for compliance with any legal obligation to which the data controller is subject’. The Information Commissioner’s Office (ICO), moreover, has gone further to explain this in its Data sharing code of practice: ‘You will need to judge whether it is still appropriate [to share data] and confirm that the safeguards still match the risk.’

Thus the Data Protection Act explicitly states that data can be shared when there is a legal obligation to do so, for example in the case of children at risk of abuse. However, it also, and rightly so, calls for appropriate risk assessments and measures be taken to protect that data – because a breach of personal identifiable information brings with it a different type of threat.

Why, then, do some public sector employees feel that they cannot share confidential information, even when doing so will protect vulnerable children? Clearly there is a chronic misunderstanding of data protection law that urgently needs to be resolved. In particular, it is imperative that organisations put in place mechanisms to protect confidential information when it is shared with third parties. Employees must feel empowered to share sensitive data when necessary and confident that they can remain in control of it at all times – not afraid that they risk exposing that information to unintended recipients, which can ultimately threaten the subject’s safety, the organisation’s reputation and potentially the employee’s livelihood as well.

Unfortunately for the ICO, and despite their best efforts to dispel them, so long as these myths about the Data Protection Act pervade, they have an uphill battle to overcome ignorance and bad publicity.

Thursday, September 12, 2013

How legislation introduced by the SRA is affecting law firms

Jonathan Jongkind
Customer Service Manager
Egress Software Technologies Ltd.
Law firm risk management. If that phrase was thrown around in a conversation, you would presume the person talking knows exactly what they’re going on about – but what does ‘law firm risk management’ actually mean?

In general, risk management can be defined as evaluating, and preparing for, potential risks, making sure you have all of the bases covered should the worst come to the worst. This could mean anything from assessing risks in regard to natural disasters, to large investment projects, to data breaches – which is what I would like to primarily focus on.

Having worked in a small law firm in the past, I have an idea of how risk management works for the legal sector. This can be anything from losing a major case that a lot of time and resources had been invested in, to sending out a court bundle to the wrong address (the legal world still loves their paperwork; the printer in that office was always chugging away).

Setting the standards

Luckily, law firms are not left entirely in the dark with regards to risk management. Launched in 2007, the Solicitors Regulation Authority (SRA) is the regulatory body for all solicitors in England and Wales. Although the SRA also focuses on other areas, such as setting behavioural standards for entry and ensuring these are constantly complied with, making sure that data is handled appropriately is another one of its goals.

This is where it gets interesting for me, being both a techie and a law graduate. Recently, courts have started to accept summons sent via email, whereas before, evidence and summons were only accepted via paper. In fact, UK court summons can now even be served via Facebook! But imagine if those summons were sent to the wrong person… Although this could also happen via normal post, at least technology provides the power to prevent mistakes like these from happening in the first place.

Ensuring compliance

Introduced in July 2012, section 8.5 of the SRA practice notes states that all their licensed bodies require a Compliance Officer for Legal Practice (handily shortened to COLP). These individuals are required to take reasonable steps to ensure compliance with statutory obligations, in addition to any terms or conditions. COLPs are also the bearers of bad news, as they’re obliged to take reasonable steps to record all failures to comply (classed as a ‘material breach’ or a ‘non-material breach’), as well as reporting these failures to the SRA.

Although the SRA imposes these regulations on law practices, COLPs are left with a degree of leniency and flexibility, allowing them to interpret and implement the regulations in the way that works best for their practice. I have no doubt that the regulations will be tightened and definitions made clearer over time, but I suppose that, much like the law itself, the SRA is keen to move away from being a tightly regulated body towards a more efficiently regulated one. The challenge for the SRA is to relay this information in a way that does not cause confusion.

Staying on top

The introduction of new technology and improved forms of communication with clients and courts is a major opportunity for law firms – if taken advantage of, it will lead to improved information security, enhanced efficiency and cost savings.

Obviously, the SRA has a key role to play in this, and their introduction of greater accountability and regulation can only be a good thing for consumers. Part of this involves creating codes of practice and regulations that increase awareness of potential risks and material breaches, drawing attention to the repercussions that can occur when due care isn’t taken. The challenge for law firms is ensuring they stay on top of these changes.

So, now you should have more of an idea of how risk management works in law firms – enjoy that after-dinner conversation with your local COLP!

Is the Cloud still white and fluffy? Examining the role of cloud computing for today’s businesses

Tony Pepper
Chief Executive Officer and Co-Founder
Egress Software Technologies Ltd.
When I first glanced at the IT Cloud landscape, it was a wonderfully picturesque scene offering fluffy, white services that promised massive benefits to any business that wanted to realise cost savings and efficiency gains.

Is this the same landscape I see today? Put simply, no.

While Cloud continues to dominate boardroom agendas, creating panic amongst senior execs who fear that without a Cloud strategy their business is somehow falling behind the times (and their competitors), I’m sure those ‘technology laggers’ who pinned their colours to traditional on-premise models are feeling rather smug in light of the recent negative press.

Does this mean that over time Cloud services will become less popular with businesses in the Public and Private sectors? Absolutely not, to those cynics out there! It’s all part of the adoption and maturity lifecycle that every new and innovative technology must face. 

The fact is, future delivery of IT service architecture remains unchanged; however professionals and ‘prosumers’ are now increasingly aware that a risk managed approach to consuming services must be applied to both software vendors and their underlying infrastructure providers before today’s grey clouds become white and fluffy again.

Be proactive and informed - not left behind

My team spends every day speaking to customers about data security, promoting UK Government certified encryption services with roots firmly placed in the Cloud. We are fortunate to be able to map trends as they start to emerge, and what’s currently coming across loud and clear is the overwhelming shift towards the use of Active Directory Federation Services (AD FS).

For those of you who don’t know, AD FS is a server role developed by Microsoft for Windows Server that gives users single sign-on access to systems and applications located across organisational boundaries. It uses a claims-based access control model: the user authenticates once to AD FS, which issues a signed token of claims (attributes such as user name, email address or group membership), and the relying application makes its authorisation decision from those claims rather than checking a password itself.

In short, AD FS is designed to use on-premise Active Directory as the identity provider so that users can access other web services and SAML 2.0 compliant federation services (used by Cloud providers) with their existing business username and password. Crucially, that password is only ever presented to AD FS, never to the Cloud service, which sees only the signed token; this is what makes the model workable across an organisational boundary, and it also makes the AD FS servers and their token-signing keys a high-value target that must be protected accordingly.

This tells me one thing: Cloud and integration with Cloud services is actually in its ascendancy. On-premise and hosted worlds will become more aligned to the point where soon we won’t be able to clearly define what’s inside our corporate boundary and what’s fully hosted.

Laggers be warned: Your number is almost up!

Monday, August 19, 2013

Buying British: Data security in the Cloud and the effect of PRISM

Daniel Hoy
UK Marketing Manager
Egress Software Technologies Ltd.
The recent revelations leaked to the international press by whistle-blower Edward Snowden regarding the scale of the US Government’s data surveillance programme have raised major concerns about the security of information stored in the Cloud, causing some to question where this leaves our basic human rights to privacy (a subject Egress CEO Tony Pepper has previously discussed).

The latest reaction has been the closure of two high-profile secure email services, Lavabit (a former favourite of Snowden’s for sharing information securely) and Silent Circle’s Silent Mail. Their reasoning? To avoid becoming ‘complicit in crimes against the American people’. In fact, Ladar Levison, Owner and Operator of Lavabit, has declared that:
‘This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.’ (http://lavabit.com)

What does this mean for the future of Cloud-based data security?

It remains to be seen whether these latest developments have any lasting impact on Cloud security; however they do raise questions over data residency and the laws that companies and their data fall under.

Levison’s caution to avoid companies with physical ties to the US is a thinly veiled remark about the Patriot Act. Formed in the immediate wake of 9/11, the act enables the US Government to gather information on US and non-US citizens, granting them access to all data within the country and that of sister companies based outside the States or those using US subsidiaries for data processing. Fortunately in the UK, however, the Data Protection Act comes with various caveats that offer citizens greater protection and assurance over when and why their personal information might be accessed. Of course, there is no guarantee that these laws won’t change over time, which is something that we should all remain aware of.

It’s my opinion that Snowden’s revelations will have a positive effect on Cloud security in the long term. Individuals and businesses have had their eyes opened, and arguably will proceed with much more caution in the future when choosing where to store their data, and with whom. Simply put, they need to be aware what laws can, and will, be applied to their data (including any backed up versions, which may reside in a different country), and whether these will safeguard their right to privacy.

This increased awareness can only be a good thing for UK-based companies, and specifically Egress, who offer a combination of cloud-based, hybrid and on-premise data storage solutions. Crucially, this type of flexible hosting platform gives customers choice over how and where their data is stored. Depending on their appetite for risk, and the confidentiality of the information they manage, they remain in control and have the assurance of end-to-end information security throughout the lifecycle of their data.

Governments will always need to intercept communications and access data in the interest of national security, a fact that most people can accept as long as the necessary legal and constitutional steps have been taken. 

Wednesday, August 14, 2013

Ahead in the Cloud: Remaining secure with cloud computing

Rebecca Bailey
Senior PR & Marketing Executive
Egress Software Technologies Ltd.
Championed as a revolution in computing solutions, Cloud offers benefits for organisations across all sectors; however IT heads need to be switched on to the security issues around storing and accessing data in the Cloud.

Bringing the Cloud closer to home

The term ‘cloud computing’ is somewhat deceptive. Not only does stored data reside in servers based very firmly on the ground, but the phrase is also reminiscent of fluffy balls of cotton wool floating innocently overhead. Through its very name, therefore, Cloud creates distance between organisations and their data – a false sense of security that a user’s responsibility is removed purely because data isn’t being stored on their premise.

The reality, however, is somewhat different.

In a survey carried out by PricewaterhouseCoopers, only just over half of European businesses recognised data security as a major risk of cloud computing, begging the question of how well-informed organisations are about the potential threats of using Cloud.

The Cloud Security Alliance (CSA), meanwhile, has identified the ‘Notorious Nine’ threats posed by cloud computing in 2013. Headlining this list are:

  1. Data breaches
  2. Data loss
  3. Account or service hijacking

Data breaches

Information stored in the cloud is just as susceptible to data breaches – whether malicious or caused by human error – as that stored on on-premise servers. Note-taking service Evernote is one recent example of a malicious data breach affecting users’ personal information. Although the California-based company insists that there is no evidence to suggest that payment details or content were accessed, user names, email addresses and hashed, salted passwords were – causing untold concern to users and reputational damage to Evernote. (Hashing slows an attacker down; it does not stop a weak password from being recovered offline, which is why the company asked all users to reset theirs.)

Human error, meanwhile, often occurs when using Cloud to share data with others. A lack of verification processes, for example, can lead to unintended recipients being able to access information. In addition, human error can cause data breaches through inadequate control over whether a recipient can share information, either electronically or in hard copy. The ability to restrict or revoke access is invaluable when sharing highly sensitive data, stopping users from forwarding, printing or even accessing information, as required.

So, how can Cloud data breaches be prevented?

It all hinges on knowing what legislation can be applied to your data. One aspect of this is the idea of ‘data residency’: where your data is stored and what jurisdiction it subsequently falls under. Secondly, be aware of the reach of this legislation – the US Patriot Act, for example, applies not only to data stored in the States, but also to organisations with a parent company located in the US and to those using American subsidiaries for data processing.

Before procuring Cloud services, therefore, read up on any laws that your data or company might fall under. The recent revelations from the US involving the scale of the NSA’s programme of data surveillance and use of the Patriot Act in order to obtain information have demonstrated why this is so important.

Next, decide what information will reside in the Cloud and how secure it needs to be, and ensure that you have the correct level of access control. Data in the Cloud can be encrypted, but what that buys you depends on who holds the keys. If the provider encrypts data with keys it manages, you are protected against a lost disk or backup tape, but not against the provider’s own staff, a compromised user account, or a lawful request served on the provider. If the keys stay with you (for example, derived from a passphrase and applied before upload), the provider only ever sees ciphertext, and the data is exactly as secure as your key management: users must not lose the passphrase, and it must reach any intended recipient through a channel other than the Cloud service itself.

When sharing data using Cloud-based services, meanwhile, it’s important to maintain control. Some solutions only secure data in transit (TLS between you and the provider, which says nothing about who can read it once stored); more sophisticated encryption services ensure that it can only be decrypted by the intended recipient and offer control over what they can do with it.

Data losses

While permanent loss of data can be caused by physical disasters – such as fires, floods or earthquakes – software and human error are also culprits. Consequently, a proportion of data loss is actually caused by preventable means, such as users forgetting passwords or accidental deletion by the provider.

And yet it really doesn’t matter who’s to blame – service provider or customer – the end result is the same: reputational damage and, consequently, revenue loss.

Again, preventing permanent loss of data comes back to the service level agreement and data residency. You need to know that your Cloud provider is backing up the data they’re storing, as well as where that data is backed up. You also need to contractually ensure that the backed-up data is monitored and can be restored quickly, and to test that restore rather than take it on trust; a backup nobody has ever restored from is an assumption, not a control.

Account or service hijacking

Reused credentials and passwords, in addition to more ‘traditional’ methods such as phishing and exploiting software vulnerabilities, all pose a risk to data stored in the Cloud; cloud computing simply adds another avenue for hijack. As acknowledged by the CSA, hijackers who gain access to an account can, amongst other activities, eavesdrop on information and transactions, manipulate data, and redirect customers to illegitimate websites.

However, steps can be taken to mitigate this risk.

As an organisation, prohibit the sharing of credentials between individual users, as well as with service providers. Similarly, employees should be discouraged from reusing passwords across services, while further protection can be provided by multi-factor authentication, which stops one stolen password leading to a hijack elsewhere. Remember to always remain vigilant for unauthorised activity, since the sooner this is detected, the sooner it can be dealt with. Finally, when engaging your cloud provider, make sure you have a full understanding of their security policies and service level agreements.

A switched-on approach

Cloud requires a more managed approach than some firms have previously taken. However, it remains one of the most cost-effective and efficient revolutions in computing – and taking a switched-on approach will realise these benefits, while also mitigating any risks to data stored in the Cloud.

At the centre of this remains the notion that 'remote access' doesn't mean 'remote responsibility'. 

Wednesday, August 7, 2013

Fax faux pas – does the Bank of Scotland ICO fine signal a harder line approach to DPA policing for the Private Sector?

Tony Pepper
Chief Executive Officer and Co-Founder
Egress Software Technologies Ltd.
Bank of Scotland (part of Lloyds Banking Group) hit the headlines earlier this week having received a £75,000 fine from the Information Commissioner’s Office (ICO) for repeatedly sending customer details to incorrect fax numbers over a three year period – despite repeated warnings.

While trying to fax documentation internally, highly confidential customer information – including account and contact details, payslips, bank statements, and mortgage applications – was sent to two third party organisations. Although the first mistake was reported back in 2009, the errors continued until the ICO launched an investigation in April 2012.

"Unforgivable"

While £75,000 is the largest fine levied by the ICO against a financial company, it is a drop in the ocean compared to Lloyds Banking Group’s £1.6bn net profit for the first six months of 2013.

However, the fine is indicative of the wider ramifications that breaches to the Data Protection Act (DPA) will have for Private Sector organisations.

ICO Head of Enforcement Stephen Eckersley labelled Bank of Scotland’s behaviour as “unforgivable”, demonstrating an uncompromising position on those organisations that treat highly sensitive information recklessly. Although currently there is no legal obligation for data controllers to report data breaches, proposed changes to EU data protection legislation could alter this, in addition to which the ICO is pressing for powers to imprison those guilty of serious DPA breaches.

The tide is turning in the private sector: pressure to comply with the DPA is increasing, and implications for those who continue to flout it will only get more severe. The investigation into Bank of Scotland and the subsequent fine reveal the ICO’s unswerving commitment to upholding the DPA, as well as their ability to levy punishments against even the largest Private Sector organisations. 

Monday, July 22, 2013

Email hacking: Could you be next?

Neil Larkins
Chief Operating Officer
Egress Software Technologies Ltd.
As a self-proclaimed technologist (or maybe just an IT geek), I'm always intrigued to see how the IT security industry is evolving. Often when I’m visiting both existing and potential customers, questions come up about the future of email: Will it continue to dominate business processes? Or will it be replaced? Are the security concerns around email really as big as many industry analysts claim?

Without question, any email user is aware of, and has probably experienced, issues caused by spam and malware. No matter how good your protection is, these inbound emails will still get through the net. It is a real and present problem, if not a massive inconvenience for those targeted.

However, what about the security of outbound emails? I think it’s fair to say that the majority of people aren’t really aware of threats to the emails they send.

I’ve understood the risks posed to unsecured outbound email for a long time, with analogies like ‘plain text email is as secure as a postcard’ often bandied about. Until now, however, I hadn’t heard a first-hand account of real-world threats.

A close encounter

A good friend of mine, a partner in a prestigious City law firm, called last week to ask for advice. Working in the firm’s property division, he deals with many high net worth clients on regular property purchases and sales. On this occasion, he was finalising the purchase of an apartment for a particularly important client, and using mainly email correspondence, they were on the verge of completing the transaction.

My friend then went on holiday for a couple of weeks, and on returning to the office, received a rather irate and mystifying phone call from his client, demanding to know what the urgency was for the deposit for the flat to be made. Needless to say, my friend had no idea what his client was talking about – but in getting to the bottom of the situation, he unravelled an alarming tale of attempted deception.

Shortly after my friend had gone on vacation, the email trail between him and the client had been hacked. Understanding that a large purchase transaction was imminent, the hacker was then able to impersonate my friend, jumping into the existing email chain and replying without drawing attention to himself.

The target was the large sum of money that the client would be transferring as a deposit for the property. So the hacker constructed an intricate plan to convince him that there was some urgency to have the deposit transferred to the firm’s bank account. However, the hacker supplied new details, insisting that the usual account was currently unusable as it was under investigation following suspicious activity.

The hacker continued to pressure the client to transfer the funds ASAP. Although the client thought this strange, to all intents and purposes the correspondence appeared genuine, with the hacker understanding the intricate details of the transaction in question, and the emails being written in a similar style. Thus the client set the wheels in motion to transfer the money; however when informed that the process would take a couple of days, the hacker replied to again stress that it be made immediately.

It was at this point that the client smelt a rat and called my friend to enquire why the funds needed to be transferred so urgently, which is when the whole story started to unfold. Luckily in this instance, disaster was narrowly avoided and the client’s email address was immediately taken offline.

An ongoing threat

So, why do I find this story so fascinating? Well, this is the first time that I have personally witnessed a clever and targeted attack for large financial gain through email hacking.

We’ve all seen phishing emails where individuals claim to be related to ‘your Great Uncle Percy’ that advise you to immediately transfer a few thousand pounds to release your rightful inheritance; however until now, I had never seen an example of anyone intercepting and joining an existing email correspondence. Having read the emails, there are a few suspicious signs, but on the whole, they were very cleverly crafted – and the plan only fell apart due to the hacker’s impatience.

This is obviously quite worrying for anyone using plain text emails to share confidential information – and hackers like these are surely only going to improve on where they went wrong last time.

I guess the real question is: Are you confident that your email correspondence is protected from prying eyes? If not, could you be next?