When The World Stops, Your Organisation Shouldn't
Business Continuity isn’t a term to describe dealing with a short-term disaster anymore, but something that needs to be baked into long-term business plans.
*Transcript from cloudThing's Membership Sector Digital Conference*
Thankfully, Business Continuity is a pretty theoretical subject for most, even if it’s something that technically falls under your remit within the organisation. Even those working in the IT security sector would probably say it’s rare your Business Continuity plan is ever needed. Before 2020 that was…
We currently have over two billion people globally, either living in or slowly emerging from, lockdown.
Business Continuity has never been more important.
That’s why I thought I’d start off by discussing how cloudThing made a seamless transition to a remote working model during the coronavirus crisis whilst still delivering to its customers.
Hopefully, you'll get some insights that will be applicable to your organisation's own Business Continuity plan, in particular how you can continue to offer support to your staff, your members, your volunteers and your donors with a workforce that is all working whilst geographically scattered.
Business Continuity isn’t a term to describe dealing with a short-term disaster anymore, but something that needs to be baked into long-term business plans – Tony Leary – cloudThing Principal Architect
The Challenges Of Remote Working
So… the challenges of remote working…
A lot (if not most) of the challenges associated with remote working will come down to one thing… your organisation's architecture.
If you’ve a fairly traditional/high security architecture in place it’ll likely be very centralised with all the traffic from your remote workers flowing back through a VPN.
That may be purely for security reasons, but it may also be because the line-of-business apps your users need are only available within that environment. Centralising things that way, though, creates bottlenecks which can then cause issues with your bandwidth. It could be you're sharing bandwidth between both members and staff, with the same internet service being used for lots of different things.
If you find yourself in a situation where you need to rapidly increase your bandwidth though you may find it rather difficult.
It tends to be something you can either upgrade really quickly because the capacity is already there in your connection (taking maybe a day or two) or it could take months because you might need a completely new set up.
Even if increasing your bandwidth isn’t a problem it may be that the systems you use have some inherent limits.
Some of those limits can be dealt with through additional licences, but most firewalls or VPN gateways tend to have an inbuilt limit that can't be overcome without the appliance being completely replaced.
Another challenge to successful Remote Working is security.
Security is obviously a vital part of any organisation, but many had to take a more flexible approach during lockdown. If you go down the route of making compromises from a security perspective, however, it needs to be done knowingly, in the right way and for the right reasons.
One example is that of staff using their own devices to work… how did your architecture support/facilitate this?
Another issue, and one that often gets taken for granted is communication.
However, a sudden switch to Remote Working can really throw up issues here. Many modern phone systems have increasingly become remotely enabled, but that's often not the case in an organisation that is yet to start, or not very far down, its Digital Transformation journey.
Even if the foundation of the phone service is remotely enabled, there tend to be functions layered on top of that, such as a switchboard or contact centres.
So, for a successful switch to Remote Working all these things need to be empowered to work in remote locations.
The final problem to be considered for successful Remote Working is personal… the human aspect of it.
Or in other words, your organisation's culture.
When I pulled this all together, I'd only been with cloudThing for seven or so weeks and had started during the middle of lockdown, but I have to say that, for me at least, that really highlighted the importance of an organisation's culture.
Culture isn’t just something you can ‘do’ once and move on. It needs to be nurtured and sustained and that has to start with the induction process.
As I say, I'm still pretty new, so I feel uniquely qualified to speak about this, and I'm happy to say that I received a lot more than the half day's worth of Health, Safety and Security training you might normally expect when starting somewhere new.
In fact, seven weeks in and I was still only in the middle of my induction process as every single person is inducted into every single part of the business.
If you work in sales, you’ll get the software engineering induction and vice versa. I think what’s really great about that approach is that it stops those data/knowledge/culture silos from ever starting in the first place.
Everyone understands what other parts of the business are doing (and more importantly why they're doing it) and I think that's invaluable for an organisation's ongoing culture.
Video is something I think is important to an organisation that’s either chosen to or been forced into a Remote Working model. Being able to see and interact with people on a face to face basis, I feel, is vital for a sense of ‘team’.
I've worked in a variety of places where video capability was there but never used; culturally it just wasn't the norm, whereas at cloudThing it is, which has been really useful for getting to know and connecting with people on a personal level… much more so than an email!
Something that's particularly useful for 'bedding in' a culture is writing it down… cloudThing has done that with our Principles.
We're obviously a software engineering company, so a lot of our Principles will speak to that, but not all.
I’m a security guy at heart so no.3, ‘Governance Is Good’, is a personal favourite of mine.
What these Principles really do is codify cloudThing's culture whilst educating and empowering people about how the company should operate and what's expected of them… but also what those people can expect from their colleagues.
For example, we as a company are ISO9001 and ISO27000 qualified. They're quality standards we certify to, but they're not just logos that are there for a tender or to show on the website; they're fully integrated into cloudThing's day-to-day operations and in my view that's great from a risk management perspective.
Having those governances locked in as Principles makes for a mature risk awareness, meaning an organisation knows its own risk appetite as well its obligations to its customers.
That feeds back into cloudThing's twenty-nine principles, which I see almost as 'mini mottos' for every employee to work to, and I'd encourage any organisation to document their own if they're looking to grow a particular culture; something that's especially helpful if your employees are working remotely from around the country, or even around the globe.
The most important thing about these principles, though, is that they're not set in stone.
The very last one, ‘There’s No Perfect Rules’, again empowers staff to question these principles…
Are they right?
Do we need more?
Do we need less?
Obviously it’s not all about culture though. We still need tools to help us deliver really cool solutions to our clients.
So a key takeaway I’d like to get across here is that even if the tools we use aren’t Cloud-Native they’re always Cloud-Capable as a minimum.
And that's the key to cloudThing's approach to Business Continuity (the clue was in the name of this article).
Having everything in the Cloud means that we can keep working wherever we are or whatever may happen as there’s no geographical reliance, meaning our customers can keep coming to us and accessing all the Cloud Based solutions we’ve built for them no matter what happens in the real world.
Some of you have probably seen an example of the above graphic before, usually called the Shared Responsibility Model.
I show it here, in reference to our topic of Business Continuity, as it’s really useful for highlighting where the demarcation is with Cloud Platforms.
I'm aware some IT managers shy away from the cloud as they may feel they're giving away too much power or responsibility, but in reality what a digital transformation represents is moving away from an on-premises environment. It means you as a customer don't have to manage everything to the nth degree anymore.
Towards the right you get Software-as-a-Service (SaaS), which is a stack that's managed by the Cloud Service Provider.
However, rather than being worried about that, it should be seen as a freedom for an organisation, as companies like Microsoft spend enormous amounts of money on running these services issue-free.
They’ve got probably more certifications than most organisations could ever hope to achieve for these platforms, and so from my perspective, as a security person, I see massive security benefits, as well as operationally, having far less for an organisation to really worry about, meaning you can focus on things that drive actual ROI.
And just carrying on that security theme, looking through my security lens, this is a bar chart that looks at how platforms or operating systems are attacked and the things that attackers do when/if they do gain access.
You can clearly see the CSPs and Office 365 have a very low attack surface, and that really does speak to how well these platforms are controlled.
An important point to note here is that if you decided to use Microsoft Azure, which has a very low number on the above graph, and then picked up Windows and installed it inside Azure, you'd actually end up stacking those things on top of each other. So you're not necessarily gaining from doing that; you're probably going to bump your figure up to three hundred. That's one of the reasons why, at cloudThing, we prefer to stick to Platform-as-a-Service, which sits in that low plateau of the cloud providers, as well as SaaS products.
That's simply because the attack surface, and therefore the management required, is so much reduced. Looking at one of these in more detail, this one is for Microsoft 365 (linked from the previous slide).
Continuing with cyber criminals and attackers, what they'll really be doing is trying to move through these columns.
So on the left is their initial access and on the right is their final objective.
The key takeaway in this diagram though is on the left, the way they get in.
And really, it’s all around accounts and actually the word here is identity. For anyone in the cloud that’s the battleground for security.
Circling back to that shared responsibility model I mentioned, this is a good example of where cloud providers will actually step in, over those demarcations, if they see a spike in usage, as CSPs are really good at detecting that type of abnormal behaviour.
Multi-Factor Authentication & Cloud Security
As identity is so central to cloud-based security, the most important factor becomes controlling that access. Which means multi-factor authentication.
Something you know, something you have and something you are.
- Something You Know – Passwords are the traditional factor here
- Something You Have – Increasingly the standard is becoming our mobile phones
- Something You Are – Generally this is biometrics, like your face, a scan of your eye, a fingerprint etc.
More recently another security measure has been added to the three traditional factors and now we have Where You Are as well.
Where You Are could be an office network, or it could be the GPS location taken from a phone. It works using the concept of Geofencing, so access can/will be denied to a device if it's detected somewhere you don't want/expect it to be.
And then finally, the last of the new security measures is Something You Do. This measure uses Artificial Intelligence to learn your behaviours, such as the times you normally log in and out, and then makes a decision as to whether there's something abnormal going on and if entry to the system or device should be denied.
Cloud Identity In Practice
This next graphic is from Microsoft and brings all these things together.
They combine all five concepts, or signals, which cloudThing, as a company, can build policies around.
For example, take the user & location, device, and application signals. Using tools Microsoft have provided, we can construct security policies around them.
We can say where users should be logging in from… here is fine, but here is not, for instance, or which devices are OK to use. So it might be set that you can only access certain devices using corporate equipment, not your own.
Then in the bottom right is the 'secret sauce' that you get solely from Microsoft, constantly assessing risk in real-time.
What they do is analyse signals from across their entire infrastructure and customer base (that's currently about 8.2 trillion a day).
Those signals allow them to calculate very accurate probabilities of what's going on. This puts Microsoft in an excellent position to instantly detect new and emerging attacks or threats.
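To make the policy idea concrete, here is an added example (not Microsoft's Conditional Access engine and not cloudThing's code) of a small evaluator that combines the signals just described into an allow / step-up / block decision: network location as a geofence, device compliance, the application being accessed, a learned "usual hours" profile standing in for Something You Do, and a provider-supplied risk level standing in for the real-time risk score. The networks, application names, users and login history are constructed sample values, and the function names are hypothetical.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Iterable, Set

# Constructed sample values: office ranges that count as "trusted" locations.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed sample values: applications that must only be reached from
# corporate (compliant) devices.
SENSITIVE_APPS = {"finance", "hr"}


@dataclass
class SignInRequest:
    user: str
    source_ip: str
    device_compliant: bool   # managed corporate device, or personal equipment?
    mfa_completed: bool      # second factor (something you have / are) already done?
    application: str
    login_hour: int          # hour of day (0-23) of the attempt
    cloud_risk: str = "low"  # provider risk signal: "low", "medium" or "high"


@dataclass
class UserProfile:
    # Hours at which this user has historically signed in ("something you do").
    usual_hours: Set[int] = field(default_factory=set)


def build_profile(login_history: Iterable[int]) -> UserProfile:
    """Learn a behavioural baseline from past sign-in hours (constructed data)."""
    return UserProfile(usual_hours=set(login_history))


def in_trusted_location(ip: str) -> bool:
    """Geofence check: is the source address inside a trusted network?"""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def behaviour_is_normal(profile: UserProfile, hour: int) -> bool:
    """Anomaly check: an empty profile means nothing learned yet, so not normal."""
    return hour in profile.usual_hours


def evaluate(req: SignInRequest, profile: UserProfile) -> str:
    """Return "block", "require_mfa" or "allow" for one sign-in attempt."""
    # 1. A high provider risk score overrides every other signal.
    if req.cloud_risk == "high":
        return "block"
    # 2. Sensitive applications are never reachable from non-compliant devices,
    #    regardless of factors presented.
    if req.application in SENSITIVE_APPS and not req.device_compliant:
        return "block"
    # 3. Outside the geofence, at an unusual time, or at medium risk: demand a
    #    second factor before letting the session through.
    needs_step_up = (
        not in_trusted_location(req.source_ip)
        or not behaviour_is_normal(profile, req.login_hour)
        or req.cloud_risk == "medium"
    )
    if needs_step_up and not req.mfa_completed:
        return "require_mfa"
    return "allow"


if __name__ == "__main__":
    # Constructed history: this user normally signs in between 08:00 and 18:00.
    profile = build_profile(range(8, 19))
    attempts = [
        SignInRequest("alice", "203.0.113.10", True, False, "mail", 10),
        SignInRequest("alice", "192.0.2.5", True, False, "mail", 10),
        SignInRequest("alice", "192.0.2.5", False, True, "finance", 10),
        SignInRequest("alice", "203.0.113.10", True, True, "mail", 3, "high"),
    ]
    for a in attempts:
        print(f"{a.user} {a.source_ip} {a.application} -> {evaluate(a, profile)}")
```

The ordering matters: hard blocks (provider risk, device compliance for sensitive apps) are checked before any step-up logic, so a user cannot satisfy MFA to get past a rule that was meant to be absolute. A real Conditional Access deployment expresses the same shape declaratively rather than in code.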
And just a final slide on Identity within Security to tie all these concepts together.
I don’t think anyone’s going to be surprised to see where password is (apart from the fact I maybe should’ve put it lower down and possibly far further left).
Here at cloudThing, though, we like to operate in that top-left quadrant in terms of using passwords with multiple authentication factors. We also use Windows Hello to log in to our work devices, which is a biometric login, and I currently couldn't tell you what my password is because I never use it!
I don’t have to… The system knows who I am.
Password-less authentication, on the right, is truly just going without passwords and not using them at all, and I think that should be a future objective for all organisations.
So, back to tools…
As a Microsoft Gold Partner no one should be surprised to know that we use the full range of the Microsoft Suite.
Microsoft 365 (formerly Office 365) which is Outlook, SharePoint, the usual suspects for Office apps, but also Microsoft Teams.
Now, that's something I'm going to talk a bit more about, because for cloudThing, Teams is a really foundational platform for our culture.
You may have seen products like Skype in the past, or other video conferencing software, but Teams is quite a bit different from all of them.
It brings together things like chat and calling, which you might have had from Skype for Business, but it layers it all with the concept of 'teams', which you can see in this column of Microsoft Teams on the left…
These can be based on your corporate environment or whatever different departments you have, but then within them you can create different channels, and we use this as part business tool, part intranet and part social as well. We really do put everything into Teams, and one of its key strengths is around files.
What Teams is doing is providing a really great abstraction over SharePoint. I've used SharePoint for years, but making it useful and look good can take a lot of development effort. Microsoft Teams, as a default, really gives a structure to SharePoint.
Importantly, as this is all a Microsoft product, the security model we've been discussing is baked in already. All of the different teams that I can see, the various channels, all the content… that's all bound by Active Directory and the policies that you'd create anyway for other parts of your business. My single identity that I use for Outlook etc. still applies here too.
And somewhat interestingly, I found this research from Microsoft back in 2017.
You can see email and face-to-face interactions drop off from the Boomers on the left to the Gen Zs on the right. In terms of preference, the younger you are, the less you want to send emails and, apparently, the less you want to talk to people face-to-face as well. And then on the right (not surprisingly) there's a reverse of that trend, which is towards more modern communications with online video, chat etc.
The takeaway here is about preference.
It may be that older people prefer face-to-face and email, but if an organisation has a tool in place to facilitate both then it will get used.
The danger these graphs show is that if you're in an environment that has a fragmented approach to communication, whether it's email or chat or social media etc., then you're going to be creating new knowledge silos.
You might have silos anyway, based on your organisational structure, but you might also be creating others based on demographics without ever realising it.
In part that’s really what Microsoft Teams is trying to solve.
The Microsoft Teams diagram is about commonality across the generations. The unofficial tagline here might almost be 'you can please most of the people most of the time' (although don't ever expect Microsoft to use that).
The benefit of Teams is that you’re centralising a lot of this type of collaboration and communication that might previously have been spread around lots of disparate apps.
The really great thing about Teams, though, is that rather than just being a static app that you use, it's extensible. At the moment I think there are over 450 different apps you can integrate into Teams, and you can also develop your own, which is something cloudThing has done for many of our clients.
For example, if you wanted to use something like Webex, you could.
So, I’ve talked about the culture, I’ve talked about the technology we have and the key technology to both is Teams.
It's that combination of having our data in SharePoint alongside the chat, the voice and the video, how easy collaboration is, and how it really does support the transparency that we want across the organisation… something I feel really benefits us as a company and certainly could benefit your organisation too.