Tech Insight : What Is Zero Trust?

With mobile computing, software-as-a-service (SaaS), and now remote working moving the focus of IT security away from the traditional perimeter, this article takes a brief look at what a ‘Zero Trust’ approach is and how it can help.

More Complex Security Demands

The belief among many IT security experts is that a traditional perimeter-based security approach is no longer enough to cope with the more complex IT security requirements that a widening scope of computing and threats have brought. Once an attacker, or a compromised laptop, is inside the network, a perimeter-only model grants it the same trust as everything else. Additional authentication and authorisation strategies are now needed.

First

The term ‘Zero Trust’ in relation to IT security was first used back in 2010 in a report by analyst firm Forrester, which noted that there had been a big increase in the number of enterprises using the public cloud and that the security ‘perimeter’ was changing.

Zero Trust

The Zero Trust approach to IT Security (as highlighted by James Walsh of Fieldfisher) has the following characteristics:

– It is a data-centric model i.e., protecting data from both internal and external threats rather than just relying on the old ‘castle and moat’ style perimeter security, which grants trust on the basis of a network address or physical location.

– It works on the understanding that, although as many precautions as possible are being taken, the modern reality is that it is not a case of “if” an attacker gets through, but “when”. Controls are therefore designed to limit what a compromised user or device can reach, not just to keep attackers out.

– Rather than the old “trust, but verify” approach, the Zero Trust approach is “never trust, always verify” i.e., trust is never granted implicitly but must be continually evaluated; all network traffic and nodes are considered untrustworthy until proven otherwise. This means that every user and device must pass authentication and security policy checks for each access to a corporate resource, not just once at login. It also means limiting that access to the minimum required for the task (least privilege).

– Zero Trust is not simply an approach. For it to work effectively, it requires compatible and connected policies, practices, software, and hardware that can create a whole, secure Zero Trust ecosystem.

Managing

In managing the device, user, and trust level, the Zero Trust approach uses:

– Monitoring the compliance of all endpoint devices, including BYOD (Bring Your Own Device) hardware, through unified endpoint management, so that the current state of each device (patch level, security software, configuration) can feed into access decisions.

– Having a single sign-on (SSO) point, so that one version of a user’s identity is validated at one entry point before any business system is reached, and so that every sign-in and sign-out is logged.

– Multifactor authentication (MFA) being used to establish a user’s identity; a single factor (e.g. a password alone) is no longer an acceptable option. MFA factors can include a security key, biometrics, a trusted device, and more.

Benefits

Some of the main benefits of Zero Trust include:

– Administrators can get an accurate inventory of infrastructure (i.e. which users, data, apps, and services are present) in the corporate infrastructure. This contributes to performance planning as well as security.

– The monitoring and alerting gives a better ability to quickly detect and respond to cybersecurity threats. Examples of tools used for monitoring in a Zero Trust framework include security information and event management systems (SIEM) for centralised logging capabilities and IT infrastructure threat detection and response tools.

– Improved user experience thanks to (for example) single sign-on (SSO) limiting the number of passwords needed and requiring a user to authenticate only once per session. Note that in a Zero Trust model the SSO session does not itself grant access to everything; each request to a resource is still checked against policy and the current state of the user and device.

– Reducing the potential for gaps in the security infrastructure thanks to a universal security policy that is created once and then implemented from end to end throughout the organisation.

– Making it easier and more flexible to move apps, data and services because with Zero Trust, app and data security policies are centrally managed and automation tools migrate the policies where they are required.

Components of a Zero Trust System

An example of the components required for a Zero Trust network, in this case from NIST (the US National Institute of Standards and Technology, in its Zero Trust Architecture publication SP 800-207), includes:

– A policy engine (PE) and policy administrator (PA) at the centre (in tandem or as part of the same software). The PE decides whether a given access request should be granted, and the PA then grants or revokes access by configuring the policy enforcement point (PEP) that sits in front of the resource. The PE uses external data sources to help make its decisions.

The external data sources used by the policy engine can include:

– Continuous diagnostics and mitigation (CDM) systems – providing information about (for example) a device’s current security state, whether its OS and security software are patched and up to date, and more.

– Industry (and organisational) compliance checks.

– Threat intelligence feeds (e.g. blocklists of known-bad addresses and indicators of malware).

– Activity logs that could flag up a potential risk.

– Data access policies for each individual and asset.

– Public key infrastructure (PKI) to validate certificates.

– Security information and event management (SIEM) systems. These provide security-related data that can also be used to improve the whole Zero Trust system, and they receive the access decisions the policy engine makes.

– Other Zero Trust frameworks can use adaptations of existing technologies, e.g. device sandboxing, a device/agent gateway model, micro-segmentation, and more.
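To make the policy engine described above concrete, here is a small added example (not code from the article, from NIST, or from any vendor) of how a policy engine might combine the signals listed in this section, and in the ‘Managing’ section earlier, to decide each request: it denies by default, and allows only when the source is not on a threat-intelligence blocklist, the user has presented MFA including a strong factor, the device posture reported by a CDM/endpoint-management system is acceptable, and the requested action is permitted by the per-user data access policy. All the users, devices, addresses, feeds and policies are constructed sample data for illustration, and every decision is appended to an audit log of the kind that would be shipped to a SIEM.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    user: str
    factors: frozenset   # authentication factors presented in this session
    device_id: str
    src_ip: str
    resource: str
    action: str


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


# Constructed sample inputs standing in for the policy engine's external data sources.
DEVICE_POSTURE = {                                  # from a CDM / endpoint-management system
    "laptop-42": {"managed": True, "os_patched": True, "edr_running": True, "cert_valid": True},
    "byod-7":    {"managed": True, "os_patched": False, "edr_running": True, "cert_valid": True},
}
THREAT_INTEL_BLOCKLIST = {"203.0.113.9"}            # threat intelligence feed (documentation address)
ACCESS_POLICY = {                                   # data access policy per user and asset
    "alice": {"hr-db": {"read"}, "wiki": {"read", "write"}},
    "bob":   {"wiki": {"read"}},
}
STRONG_FACTORS = {"security_key", "biometric", "trusted_device"}
POSTURE_FAILURES = {                                # posture flag -> human-readable denial reason
    "managed": "device unmanaged",
    "os_patched": "device OS unpatched",
    "edr_running": "endpoint agent not running",
    "cert_valid": "device certificate invalid",
}
AUDIT_LOG = []                                      # decisions that would be forwarded to the SIEM


def check_mfa(factors):
    """At least two distinct factors, one of which is a strong (non-password) factor."""
    return len(factors) >= 2 and bool(factors & STRONG_FACTORS)


def check_device(device_id):
    """Return the list of posture problems for a device; an unknown device is itself a problem."""
    posture = DEVICE_POSTURE.get(device_id)
    if posture is None:
        return ["unknown device"]
    return [reason for flag, reason in POSTURE_FAILURES.items() if not posture[flag]]


def evaluate(req):
    """Policy engine: collect every failed check; allow only if nothing failed."""
    reasons = []
    if req.src_ip in THREAT_INTEL_BLOCKLIST:
        reasons.append("source on threat-intel blocklist")
    if not check_mfa(req.factors):
        reasons.append("MFA requirement not met")
    reasons.extend(check_device(req.device_id))
    allowed_actions = ACCESS_POLICY.get(req.user, {}).get(req.resource, set())
    if req.action not in allowed_actions:                 # least privilege: deny anything not granted
        reasons.append("action not permitted by access policy")
    decision = Decision(allow=not reasons, reasons=reasons)
    AUDIT_LOG.append((req.user, req.device_id, req.src_ip, req.resource, req.action,
                      decision.allow, list(reasons)))
    return decision


def demo():
    """Evaluate a handful of constructed requests and return the decisions in order."""
    mfa = frozenset({"password", "security_key"})
    requests = [
        Request("alice", mfa, "laptop-42", "198.51.100.5", "hr-db", "read"),   # everything passes
        Request("alice", mfa, "byod-7", "198.51.100.5", "hr-db", "read"),      # unpatched device
        Request("bob", mfa, "laptop-42", "198.51.100.5", "wiki", "write"),     # exceeds bob's rights
        Request("alice", frozenset({"password"}), "laptop-42", "203.0.113.9", "wiki", "read"),
    ]
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for entry, decision in zip(AUDIT_LOG[:], demo()):
        pass
    for entry in AUDIT_LOG:
        print(entry)
```

The point the code makes is that the same user with the same credentials gets different answers depending on device state, source address and the specific action, and that a denial carries every failed check rather than only the first, which is what an analyst reviewing the SIEM record needs.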

Challenges to Implementing Zero Trust

As with any big change in a company/organisation, moving over to Zero Trust has its challenges which include:

– Any legacy apps, tools and resources that are currently part of network and enterprise operations but aren’t easy to integrate with a Zero Trust system.

– Regulations are currently running behind the implementation of many Zero Trust systems and these will need to change.

– Achieving visibility and control in a network is a big challenge. Many organisations don’t have a comprehensive inventory of their users, devices and services and are, therefore, still vulnerable through unpatched devices or users with too many privileges. In the shorter term, a hybrid approach, in which Zero Trust controls are applied to new or high-value systems while legacy systems are migrated over time, is likely to lead the way to full implementation.

Examples

Examples of Zero Trust (ZT) security models in action include:

– The US federal government, which has mandated that federal agencies move to a Zero Trust architecture.

– Cloud service provider Akamai Technologies (US), which uses Zero Trust to let employees securely access internal applications while keeping end-user devices off the corporate network entirely.

Big Increase In Zero Trust Budgets – Especially Since The Pandemic

The results of a recent poll of more than 600 global security leaders, revealed in a report by Okta, show that 90 percent of companies are now working on a Zero Trust initiative, up from 41 percent a year ago, and that 82 percent of businesses in Europe have increased their budgets for Zero Trust. The report also notes that the pandemic has made companies “more security conscious”, thereby motivating them to adopt Zero Trust.

Big Business For The Future

The large number of companies now adopting Zero Trust is reflected in the results of a new study conducted by Grand View Research Inc, which forecasts that the Zero Trust security market will be worth $59.43 billion by 2028, representing a compound annual growth rate of 15 percent.

Resources and Links

Here are some links to a few useful resources and guides for Zero Trust IT security:

Microsoft’s guide to Zero Trust and Zero Trust principles: https://www.microsoft.com/en-gb/security/business/zero-trust

The National Cyber Security Centre’s guide to Zero Trust architecture design principles: https://www.ncsc.gov.uk/collection/zero-trust-architecture

A Zero Trust security cheat sheet: https://www.techrepublic.com/article/zero-trust-security-a-cheat-sheet/.

McAfee’s guide to Zero Trust architecture: https://www.mcafee.com/enterprise/en-gb/security-awareness/cloud/what-is-zero-trust.html

How to implement Zero Trust with real-life examples: https://searchsecurity.techtarget.com/feature/How-to-implement-zero-trust-security-from-people-who-did-it.

What Does This Mean For Your Business?

It is clear that mobile computing, the pace of technological change, digital transformation, and the massive increase in remote working (fuelled by the pandemic), not to mention soaring cyber-crime figures, have highlighted the need for a data-centred approach and a move away from the ‘castle and moat’ view of IT security. Another good reason to opt for the Zero Trust approach is that limiting what any single compromised account or device can reach gives a much better chance of avoiding the full cost of a breach. Not surprisingly, Zero Trust entered the European security market in 2019, and IT and security risk professionals, as well as many businesses and organisations, now see it as the natural and practical way forward, hence the huge increase in businesses working on a Zero Trust initiative in the last year.

Featured Article: Why is Data Science … Big?

In this article, we look at what data science is, and what is driving its growth and value to businesses and organisations worldwide.

Data Science

Data science uses multiple disciplines, scientific methods, and processes (e.g. domain expertise, programming skills, data engineering, data preparation, data mining, predictive analytics, machine learning, data visualisation, and knowledge of mathematics and statistics, and more) as well as algorithms and systems to extract knowledge and insights from structured and unstructured data. Data science also applies the knowledge and actionable insights gained from data so that they can add value and create actionable plans for companies and other organisations.

Vast Amounts of Data Generated and Collected

We now live in a data-driven society with more data being generated than ever before, most of it generated in only the last few years. It has been estimated that more than 2.5 quintillion bytes of data are generated every day. IDC predicts that by 2025 the total (and constantly growing) amount of digital data created worldwide will be 163 zettabytes. Data science and the skills of data scientists have enabled companies to use this data to find new opportunities, make better “data-driven decisions”, and turn the insights from the data into added value and competitive advantage.

Drivers of Data Generation and Collection

The key drivers of data generation and collection include:

– The growth of the world’s internet population. For example, just before the pandemic in 2020 (the pandemic has boosted Internet growth further) the internet had reached 59 percent of the world’s population (i.e. 4.57 billion people with web access), a 3 percent increase from the previous year (DOMO), with 4.2 billion active on mobile and 3.81 billion using social media (social media companies are the biggest collectors of personal data).

– The growth of artificial intelligence (AI) and AI becoming more accessible to (and affordable for) businesses.  AI enables vast amounts of data to be analysed and insights to be found much more quickly and efficiently than ever before. Data scientists and their use of technologies and tools, such as AI, have enabled businesses to tackle and get value from their ‘big data’ (i.e. vast amounts of data they’ve collected) that’s proven too much of a challenge to tackle before.

– The growth of technical innovations like 5G wireless technology, making data collection and application easier and enabling further growth of the Internet of Things (IoT) e.g. wearables, sensors, monitors, and scanners collecting information on a single network, thereby providing more data for data scientists to work with. In 2020 the number of IoT devices worldwide was estimated at anywhere between 30 and 50 billion, which could generate more than 4 zettabytes of data in one year.

– The continuing rise of mobile technology has meant the growth of apps, most of which collect data.

– An accessible international marketplace due to the rise of the Internet and communications technology growth.

The Value of Data Scientists

Given that we are in a data-driven society, data science is now at the forefront of what some have called the fourth industrial revolution.  This is the reason why, as far back as 2012, the Harvard Business Review suggested that being a data scientist is the “sexiest job of the 21st century”.

The value of Data Scientists to companies and organisations is based on the fact that they can use their understanding of multiple scientific and technical disciplines to:

– Analyse data sets to produce actionable plans which, because they are based upon real-world data (i.e. data-driven) can be more successful.

– Use programming, machine learning, risk analysis, and research skills, to help make data comprehensible for everyone else on a team / present key data in a way that others can understand. This enables the value of other team members to be unlocked as they can make more informed and directed decisions and suggestions that help create value-adding and cost-reducing solutions and opportunities.

– Improve business processes to make operations and marketing more efficient and effective.

– Improve marketing by using data insights to increase data-driven personalisation and help businesses to take advantage of (and navigate) important patterns in business trends.

– Ask the right questions and identify data sources and their value, both of which are vital platforms on which to build business decisions.

– Help to set global data security standards.

Data Science and AI

Although artificial intelligence is a tool that can help to power data science operations, data science is not totally dependent on AI. A data scientist uses their skills to make decisions about how to extract value from data, but they also use machine learning algorithms to help with and to speed up that process.

Examples

Examples of how data scientists can positively impact industries include:

– Saving lives and improving processes and outcomes in the healthcare industry (30 percent of the world’s warehoused data is from the medical arena) e.g. developing AI-powered diagnosis models for cardiologists.

– Using data to innovate and improve safety and performance in the transport industry e.g., feeding into the development of autonomous vehicles (cars and aircraft).

– Using data analytics software to help with supply chain management e.g., FoodService Co. using a data-driven dashboard to save labour-hours and inventory reconciliation.

What Does This Mean For Your Business?

In our data-driven society, the data collected by businesses can hold insights that can be a source of value creation, reduced costs, innovation, and competitive advantage. Data scientists have the skills to unlock that value by using multiple disciplines and tools to spot patterns and trends that feed into the improvement of products and services, operations, and marketing. These insights can be transformative, and this explains why data science is a growing field that has become so valuable in all industries over such a short space of time.

Tech Insight : What Is Business Process Management?

In this article, we take a brief look at Business Process Management (BPM), how it works, and how it can add value.

What Is Business Process Management (BPM)?

BPM is also referred to as business process improvement (BPI), business process re-engineering, continual improvement process (CIP), and process improvement. BPM is the ongoing, continuous practice or discipline of improving and controlling the processes of the business using analysis and modelling.

Types

There are different types of BPM including document-centric BPM (built around a core, particular document), human-centric BPM (humans decide what happens after each step in the process), and integration-centric BPM (based around the integration of different software systems).

Why?

The goals of BPM should be to keep improving business processes to keep them in alignment with the goals of the business as the business and the business environment evolve. This will help to:

– Enable strategic clarity.

– Keep alignment of the firm’s resources and help executives to determine how to deploy, monitor, and measure those resources.

– Increase discipline in daily operations.

– Remove bottlenecks.

– Align business functions with customer needs, thereby improving marketing.

– Reduce costs and minimise errors and risk.

BPM and RPA

Whereas Robotic Process Automation (RPA) tools let companies configure software bots to capture and interpret the behaviour of applications, and are a way to help automate monotonous, routine, and time-consuming tasks, BPM is the overall holistic approach to optimising and automating business processes. RPA is one tool that can be used as part of a company’s BPM strategy and, therefore, BPM and RPA can be thought of as complementary.

How To Apply BPM

BPM should be based around outcomes, and the process follows the 5 steps of the BPM lifecycle, which are:

1. Design. This involves a review of current business rules and arriving at desired outcomes by taking account of the views of key stakeholders and management.

2. Model.

3. Execute.

4. Monitor.

5. Optimize.

BPM tools, such as BPM software enable businesses and organisations to use a proven, systematic approach to managing and optimising their business processes. Well-designed BPM software can also help IT specialists to construct business workflows and connect different systems.

Popular BPM Software Tools

Examples of popular BPM software include:

Kissflow – A platform to optimise, manage, and track all company work.

Nintex – The Nintex Process Platform enables standardising of workflows and automation of business processes.

ProcessMaker – Low-code BPM software.

Bizagi – Enterprise software for business process automation on a low-code development platform.

Monday.com – Enterprise BPM platform.

Process Bliss – BPM software with a drag & drop process flowchart builder.

Other examples include Wrike, Forecast.app, Quixy, Orchestly, Process Street, ProWorkflow, Studio Creatio (free), Trisotech, IBM Blueworks Live, iGrafx, K2 Platform, Kintone (good for non-profit organisations), Novacura, OnBase by Hyland, Pipefy, and Zoho Creator.

Examples

Real examples of how BPM has been used (from Kissflow and Nintex) include:

– Softbank Telecom using BPM software to create apps to enable authorities to quickly approve requests on their mobile phones, thereby improving upon the old, slow, and disjointed process of using spreadsheets and email for all processes.

– Davenport University (in the US) using BPM to automate the three processes of student course requisitions, academic scheduling, and transport coordination, thereby improving cross-departmental coordination, and operating more efficiently than the old processes which were reliant upon paper and manual intervention.

– New Belgium Brewing Co. using BPM to help it comply with new legislation by standardising and automating how it handled privacy requests from its California customers, thereby freeing up staff time to concentrate on brewing beer.

What Does This Mean For Your Business?

Using BPM (software and tools) can provide businesses with a systematic approach to managing and optimising their business processes, which essentially helps businesses to be more efficient, work smarter, save costs, reduce risk and errors, become better at what they do, and eliminate many of the problems and bottlenecks that may have been preventing them from reaching their goals and unlocking their true potential. Investing in BPM can deliver real benefits, add value, and improve competitiveness while giving managers more fuel to make better decisions.

Tech News : Computer Says “Guilty”

An error in the HM Courts and Tribunals Service computer system meant that 5,000+ defendants were wrongly assigned guilty pleas.

Accidental Criminal Convictions

The problem that led to 5,000+ people being wrongly given criminal convictions was an error in the computer system’s bulk amendment facility, which was used to update the cases of magistrates’ hearings that were adjourned due to the impact of the pandemic. The error meant that guilty pleas were copied onto cases that defendants were still contesting, and those pleas then appeared on the Police National Computer (PNC).

Where?

It has been reported that the error has affected cases related to magistrates’ courts in Westminster, Highbury, Wimbledon, Willesden, Thames, Uxbridge, Croydon, Bexley, and Bromley.

Example

As far back as last October, The Guardian newspaper questioned whether convictions on the Police National Computer were accurate after it uncovered an example where a mistake appeared to have been made. At the time, a female defendant who had denied an offence related to a violent crime had a guilty plea entered on the PNC. This meant that she gained a criminal conviction which took her lawyers three months to correct, and led to HM Courts and Tribunals Service (HMCTS) writing to the defendant to apologise for the error.

Investigations by HMCTS following this example revealed that 5,231 individual defendants and 55 companies had actually been affected by the computer bulk uploads error.

The ICO

The error was referred to the Information Commissioner’s Office (ICO) by the Ministry of Justice in October and it has been reported that, after a comprehensive review, the correct ‘not guilty’ pleas were restored by mid-November.

Although an HMCTS spokesperson said that the issue was “temporary” and had been “promptly resolved” with no-one receiving an incorrect verdict or sentence, the ICO has said “People have the right to expect that organisations will handle their personal information… responsibly”.

What Does This Mean For Your Business?

Under UK GDPR, businesses are expected to comply with data laws and to act responsibly with the data of customers, employees, and other stakeholders or face some serious consequences (e.g. large fines and reputational damage). Some businesses may, therefore, feel justified in criticising HMCTS over the error in its computer system, which could have caused problems for thousands of people and for businesses. For example, it is possible that before the error was discovered, a criminal record check by a potential employer could not only have resulted in the candidate not getting the job due to a wrongly recorded conviction, but may also have robbed the business of an otherwise great candidate who could have brought considerable skills to the company. There are also, of course, the potential emotional and social effects on a person of being wrongfully assigned a conviction to consider. The wider lesson for any business running bulk updates on records about people is that a change applied to many records at once needs a test run, a review of a sample of the results, and a way to roll it back before it reaches downstream systems.

Tech News : Half of Adults Unaware of Medical Records Sharing Scheme

A survey by consumer watchdog Which? has revealed that almost half of adults in England are unaware of plans for their medical records to be shared with a new NHS database.

What Data Sharing?

Back in May, NHS Digital launched its plan for sharing medical data from GP records in England. As part of the General Practice Data for Planning and Research (GPDPR) scheme, GP surgeries in England can automatically upload and share the medical records of every patient in England to an NHS Digital platform, unless the person has opted out.

Original Opt-Out Date Has Passed

Although the original opt-out date of June 23 has now passed, a campaign supported by medical professionals and MPs has secured an extension to an (as yet) unspecified final opt-out date after it was agreed that the scheme had not been publicised enough, and that extra time was needed to work on the necessary privacy safeguards.

Confirmed By The Which? Survey

This lack of awareness of the scheme and its implications was confirmed by the recent Which? survey, in which only 55 percent of the 1,700 people surveyed said they had heard of it, and 71 percent of those said that the NHS hadn’t publicised it well.

Why Is The Data Being Collected?

NHS Digital says that the data is being collected to support the planning and commissioning of health and care services, such as the development of health and care policy, public health monitoring and interventions, and to help with research (e.g. analysing the long-term impact of COVID-19).

What Kind of Data?

The medical record data that’s being shared under the GPDPR scheme includes your sex, ethnicity and sexual orientation, physical, mental and sexual health, and lots of other data including referrals, diagnoses, test results, medications, allergies and immunisations.

What About Insurance Company Access?

One of the big concerns of those who are aware of the scheme is whether data (that could be linked to an identity) will be shared with insurance companies. However, it has been reported that data from the scheme will not be shared with marketing or insurance companies. Also, data shared in the scheme will be pseudonymised before it leaves the GP practice, meaning that direct identifiers (such as name and NHS number) are replaced with unique codes, making it more difficult to link details directly to an identity.

Still Possible To Identify A Person

Pseudonymised data, however, is not the same as anonymised data. The codes can be reversed by the organisation that holds the key, so although it is unlikely that anyone can be identified from the data as shared, it remains technically possible. For example, NHS Digital has said that the data could be re-identified where there is a valid legal reason to do so. Pseudonymised data about a person is also still personal data under UK data protection law, which is why the privacy safeguards matter.

What Does This Mean For Your Business?

Since the pandemic and the development of vaccines, many people may be feeling more sympathetic to the need for sharing data, perhaps their own, for use in medical research and, as such, might be less worried than before about their medical data being shared. That said, the thought of personal medical data being shared with companies that could use it for marketing (targeting), or with insurance companies to make judgments about eligibility or to ramp up premiums, is a worry for many, even though there are assurances in this case that marketing and insurance companies won’t be able to do this. The fact that the scheme requires opt-out rather than opt-in, and that the original opt-out date passed with only around half of the population knowing about the scheme at all, does make it feel as though it is something that is being sneaked in. That said, it’s worth noting that the UK’s data protection laws already allow access to data when needed for research and scientific purposes. This story is also an example to businesses of the importance of communication, transparency, and giving plenty of information in plenty of time for any important changes to terms, services, or any other factors that customers feel are important, of value, or that may influence (or have influenced) their decision about choosing or continuing with services.

Each week we bring you the latest tech news and tips that may relate to your business, re-written in a jargon-free style.