Warning to UK Public Sector about leaky Amazon Web Services

Amazon Web Services (AWS) is currently in the news for all the wrong reasons.  Its Simple Storage Service (S3) containers, known as ‘buckets’, have been successfully targeted by hackers.  Many of these buckets have been found to be alarmingly leaky, enabling the new Buckhacker search engine tool to readily access unsecured sensitive data.

AWS is one of the UK Government’s chosen cloud service providers: GOV.UK PaaS runs from AWS in Ireland (a UK-based hosting centre is planned for 2018) and is accredited for handling personal and confidential information classified at ‘Official’ level.

Users are able to search either by ‘bucket’ name, which may typically include the name of the company or organisation using the server, or by filename. The service collects bucket names, grabs each bucket’s index page, analyses the results and stores them in a database for others to search.  There are other tools like AWSBucketDump, and according to the hackers exposed buckets can also be trawled for rich pickings with a specific Google Search.

Buckhacker was created by anonymous hackers; one of its developers commented:  “The purpose of the project is to increase the awareness on bucket security, too many companies were [sic] hit for having wrong permissions on buckets in the last years”.
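As an added example (not from the post, from Buckhacker or from any AWS tool), a defender-side check for the “wrong permissions on buckets” the developer refers to: it inspects a bucket ACL in the shape GetBucketAcl returns and a bucket policy document for grants to the AWS global ‘everyone’ groups or to an anonymous principal. The two sample documents are constructed for the example.

```python
import json

# Real AWS URIs for the two predefined "everyone" grantee groups.
PUBLIC_GRANTEE_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                       "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# ACL permissions and policy actions that let a grantee list or read objects.
EXPOSING_ACL_PERMISSIONS = {"READ", "WRITE", "FULL_CONTROL"}
EXPOSING_POLICY_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

def _as_list(value):
    """AWS policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def public_acl_grants(grants):
    """Return (grantee URI, permission) for every exposing grant to a global group."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS \
                and grant.get("Permission") in EXPOSING_ACL_PERMISSIONS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings

def public_policy_statements(policy_json):
    """Return Sids of Allow statements with an anonymous principal and an exposing action."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") == "Allow" and anonymous and actions & EXPOSING_POLICY_ACTIONS:
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings

# Constructed samples (not real buckets): an ACL with a public-read grant, and a policy
# with one anonymous list/read statement beside a correctly scoped owner-only statement.
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"}]})

if __name__ == "__main__":
    print("public ACL grants:", public_acl_grants(SAMPLE_GRANTS))                # AllUsers READ
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))  # ['PublicList']
```

Either finding means the bucket is listable or readable without credentials, which is exactly the condition an index-scraping search tool relies on.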

Clearly, it is in the public sector’s interests not to risk exposure of any sensitive data (theirs or the public’s) and thus a prime consideration for any public sector organisation is to scrutinise the credentials, security performance and sovereignty badge protections of their chosen cloud provider.  Public sector organisations struggle to find funding in already tight IT budgets to defend against cyber attack, but with so many different lines of attack facing them, IT managers are having to take a risk-based approach to identify where to allocate their limited funds.

Amicus ITS Director of Technology, Security & Governance JP Norman commented:  “It is worth remembering that the security of the data, no matter where it resides, is the responsibility of the Data Controller in each organisation. There are ways to provide security assurance in the cloud layer that conform to the basics of Cyber Essentials. Furthermore, the right partner organisation, such as Amicus ITS, can act as a cloud broker providing proven security assurance recommendations and actions to mitigate such risks.”

At Amicus ITS, we are happy to challenge the status quo, as we position ourselves as the safe pair of hands for our customers.  So with any digital transformation journey we will ensure intelligent, joined-up thinking so that our Security and Governance views chime with those of our technical architects and sales professionals.

HMRC mark U-turn on VAT for IT Managed Services

HMRC appears to have done something positive for a change in a way that will be welcome news for IT Managed Service Providers.

Last year, HMRC advised that only large system IT integrators would get a VAT refund for aggregated purchases. Public sector organisations were thus being penalised for buying standardised ‘off the shelf’ Cloud services and having to pay the full amount of VAT on purchases: an unjust penalty at a time when regulators are arguing for transparency and best price.

However, following representations to HMRC from public sector bodies which spend several billion pounds per year, HMRC has happily done a U-turn on VAT refunds. The new document published this week, the ‘Contracting Out Services’ guidance, shows that cloud services are now eligible for the VAT reclaim. Hardware can be considered, but only if part of a managed service bundle. The new rules also support a “disaggregated” managed IT service, where the various areas of IT such as hosting and networks are split across multiple suppliers.

The rules specifically state that the following services should be included in the VAT refund:

• Hosting Computing Services
• Archiving Communication Services
• Data Communications Services
• Desktop Communications Services, for example Picture Archiving Services (PACS)
• Ethernet cable/Data lines and Cloud computing

With the new G-Cloud 7 Digital Marketplace providers to be announced in November to complement the public sector tendering frameworks, the Government’s linking of a transparent approved supplier system and joined-up thinking on tax for public sector buyers will make a positive change for SMEs and their clients on tightened budgets, especially in the downtrodden NHS marketplace.  The latest sales reported for G-Cloud are £753 million, with 51% in value and 60% in volume going to SMEs (defined as under 250 employees with annual turnover not exceeding €50 million).  77% of total sales by value were through Central Government, with 23% through the Wider Public Sector.


The Week’s Technology News – 19th December 2014

IT security needs embracing in the boardroom
Speaking from GCHQ headquarters this week, Minister for the Cabinet Office Francis Maude has urged businesses to make IT security a boardroom issue.  Amicus ITS has recommended this point repeatedly in blogs this year.  Government is now urging businesses to review IT security as an integral part of strategic thinking for the Board, to ensure secure data management remains at the heart of the agenda.

With recent breaches affecting major household names both in the UK and the US, Maude warns against complacency:  “All companies, large or small, face threats from vulnerabilities on a daily basis”.

The Government’s launch of CERT-UK earlier this year created a cyber security information sharing partnership, which now enables 750 organisations to exchange information in real time on threats and vulnerabilities as they occur.   Maude pointed to GCHQ data which showed that 80% of attacks were preventable if best practice was followed.

As organisations reflect on 2014 with their staff at Christmas parties up and down the land, a cautionary ice cube should be travelling down the spine of any Board member whose business has not thought to place IT security at the forefront of its business continuity plans.  For them, January will be the time to really bring this into focus on the 2015 agenda: to review, consult, embrace and invest as required, to ensure the bottom line of their business, whether profitability or reputation, is not threatened.


Nats on the rack for IT system failures
Thousands of travellers in UK airports were delayed last weekend due to a software problem caused by a faulty line of code at the London Air Traffic Control Centre at Swanwick in Hampshire. National Air Traffic Services (Nats), which controls 200,000 m2 of airspace, reportedly had a power system failure on an internal telephone switch controlling the change from nighttime ‘standby’ to daytime ‘live’ operation.

The partially privatised company (owned 49% by the UK Government, 41.9% by The Airline Group, 4% by Heathrow (formerly BAA) and 5% by Nats’ employees) has been running air traffic control for commercial UK flights since 2002.

The company handled over 2.1 million flights last year, carrying 220 million passengers in the UK.  Nats had problems with its IT in 2008. Additionally, the CAA criticised Nats in a report about a telephone failure which grounded 300 flights in 2013, and flights in Southern England were delayed earlier in 2014 due to “technical problems”.

The problem software came from a package originally being developed for the US air traffic control network. When that project collapsed, it was left to Nats to work through the outstanding development to make it serviceable, which raised the price of Swanwick’s delivery by £150m from an original £475m budget.  Some of the blame is said to lie with an aged IT infrastructure.  Nats’ CEO explains, “There are 50 different systems at Swanwick and around four million lines of code”.  Nats’ decision last year to make a significant number of its most experienced, older IT engineers redundant, when these were the specialists most used to working with the older technology, will not have helped. Especially worrying about this failure is that the fault had not been seen before.  The latest incident follows accusations about a corporate failure to invest in new technology and opens Nats to an increased risk of repeated outages in future, this despite CEO Richard Deakin’s promise that £575m was being invested over the next five years.

A CAA inquiry will now be launched to assess whether Nats has learned from its previous failures, with the risk of its licence being reviewed. It will be a bumpy ride for the UK’s Transport Secretary, Patrick McLoughlin, who will be providing a full account to Parliament about what went wrong.   Clearly any organisation, of whatever type, lumbered with legacy infrastructure, whether hardware, software or both, will see operational effectiveness and bottom-line profitability suffer if the Board does not take the bull by the horns and review and assess the best way to upgrade and secure its IT systems.


Microsoft and Skype attempt to eliminate the language barrier
Back in May, during the Code Conference event, Microsoft demoed a breakthrough upcoming feature for Skype which would let people who speak different languages talk to each other without a human translator. Users can either voice or video call each other, with translations appearing in near real time and options for spoken and subtitle-like written translations.

This week Skype has opened up a preview of this new feature to Skype users who would like to give the in-development service a spin. Interested parties can go to the Skype website and register their interest. Currently the preview is limited to just English and Spanish, with more languages promised soon. Initial reactions report that, although not perfect yet, the service does exactly as you would expect, allowing two people who can’t speak the same language to hold a conversation.

The business applications for an accurate auto-translator that can handle both voice and video calls are enormous. For example, a single-language Service Desk could be enabled to communicate with customers worldwide without the traditional language barrier or costly multilingual employees. Skype Translator, if successful, will shake up the translating business even more, with the need for a dedicated human translator being brought into question and knowledge of additional languages being less valued than it is currently.

As the technology develops and matures it is also likely we will see Skype Translator being incorporated into Microsoft’s enterprise communication tool Lync, which Microsoft recently announced will later be rebranded Skype for Business; if so, that adds further reasoning for the name change decision.

The future for Skype is looking very promising, and this announcement, more than any so far including the cross-compatibility of Lync and Skype, makes Microsoft’s Skype acquisition in 2011 more justified than any announcement the two companies have made since. With Skype pre-installed in Windows and tightly integrated with Microsoft’s own account system, Skype now more than ever fits very nicely into the Microsoft ecosystem.

With Microsoft’s current Mobile First, Cloud First mantra we will likely see Skype Translator eventually being integrated into the Skype app for smartphones and tablets, and with near real-time translations built into your phone, Microsoft may be the first to successfully smash the language barrier for all.


Financial services benefiting from outside help
The financial sector has seen major changes since the start of the credit crunch in 2008.  Changes have occurred in working practice, organisational restructures, cost-cutting exercises with branch closures in banking, and job cuts with people replaced by technology as part of a digital strategy, which has seen sector employment decline by 16% since 2009.  Lloyds bank is cutting 9,000 staff as part of its digital strategy and Dutch bank ING has a similar project that will result in 1,700 staff losing their jobs.

Financial services organisations have increasingly turned towards using more third-party IT products, services and talent, as well as outsourcing their IT, which has boosted the number of workers in the IT sector.  According to an analysis by accountancy practice experts Nixon Williams, in 2009 there were 403,000 jobs in the IT sector compared to 459,000 in 2014 (12% up). In comparison, financial services jobs have fallen from 1.18m in 2009 to 986,000 today (16% down).

With the sector witnessing a major increase in automation software replacing manual roles and the rise in public expectation for truly 24×365 customer services, enormous pressure is placed on financial institutions to manage such huge data volumes in highly regulated, highly secure environments that must resist any downtime or DDoS attack.

Whilst traditionally the banking sector will have had huge in-house IT teams, the costs, regulations and pace of technology evolution have whetted the industry’s appetite for using third parties with expert knowledge and robust solutions.  This sits alongside the disconcerting reality of often uncomfortably large legacy IT systems that continue to create vulnerabilities whilst they remain unchanged and instead rely on being patched up, versus a long-term strategy and commitment to invest in new IT infrastructures with more flexible integrated systems.

Some of the larger banks are starting to think laterally by turning to third parties for IT innovation to develop and implement non-core systems and apps, involving joint ventures with other institutions or even working with start-up firms.  These include Sumeet Chabria, CIO of HSBC Global Banking and Markets, and Deutsche Bank, which has recently set up a JV innovation project with IBM, Microsoft and Indian IT services firm HCL Technologies to improve its digital credentials.

The motivation to sharpen the pencil starts to look clearer when recent studies, such as those from specialist retailer Bizrate Insight, reveal that 72% of the public still trust banks with their details over retailers.   However, there is no room for complacency over ‘trust’.  Potential competition for market share, should they move into banking, could be on the horizon from established transactors PayPal and Amazon, who jockey for position on the trust rankings at 48.9% and 45.4% respectively.   Tech giants Apple and Google lag further behind at 21.4% and 12.9% respectively.  Nonetheless all of these, as well as Facebook, have systems that contain details about people and businesses and handle monetary transactions.   So the circling piranhas angling for additional income streams and greater global dominance may include some new names in the future.


Public Sector changing outsourcing habits in 2014
Market watcher ISG’s north Europe President, John Keppel, reports that the UK has seen a major boost in outsourcing from the public sector in 2014. This has included small and large contracts remaining in this country rather than being awarded offshore, with spending levels nearly doubling in comparison to the UK’s private sector.

This has involved some big-ticket outsourcing deals but also a lot of mid-market government business.  Annual Contract Values (ACVs) from IT outsourcing in 2014 have risen 16% across EMEA, with France’s ACV increasing by 250%, whilst the UK, with its more mature outsourcing market, has seen a steady increase in line with cautious post-recessionary optimism.  This is seen as largely due to the complexity of services required in the UK public sector, as well as a lack of appetite just to exploit cheaper resources from offshore suppliers.  The old adage ‘buy cheap, pay twice’ perhaps resonates more closely with those responsible for procurement. “The challenge for buyers will be to understand how they can get the most value from their outsourcing efforts, and to understand the real business impact,” concludes Keppel.

Director of Sales at Amicus ITS, Les Keen comments:  “With the increase in Cloud services, this presents ever greater opportunities in 2015 for IT MSPs.  Those who can demonstrate the breadth of their experience, deliver the highest levels of data security, be a true 24×365 IT provider AND respect their customer as a business partner not a number – should see the benefit of working in this sector in 2015”.


End of 2014
This is our last review of IT for the year, and the blog staffers at Amicus ITS would like to take this opportunity to wish all our customers and everyone reading these posts a very Happy Christmas and a peaceful New Year.   We will be back looking at the latest technology developments and worldwide IT business news once again in January.  See you in 2015.