Adopting cloud technologies is something that many organisations have struggled with, and these difficulties have been caused in no small part by large amounts of pre-existing technical debt. Legacy applications and physical infrastructure have, in many cases, become a millstone around the necks of companies who want to capitalise on the economic and transformational benefits of the cloud, leading to long migration roadmaps.

This is a challenge in and of itself, but as companies race to embrace the cloud, it’s imperative to ensure they don’t repeat the same mistakes that caused these headaches in the first place. Companies have often found themselves locked into expensive and inflexible relationships with vendors, and while this is less of an issue with the cloud than with on-premise systems, it has by no means disappeared altogether.

There are ways to mitigate the risk of cloud vendor lock-in, however, and the most important factor is proper planning. Planning is always the first phase of any cloud migration, and it’s vital to ensure that before you even open an account with a cloud provider, you’ve worked out all your application dependencies, compatibility requirements and budgets. You can then assess which cloud providers meet those needs, making it easier to identify an alternative provider to move to in the future.

Businesses should also take a long, hard look at which services they actually need to move to the cloud. Contrary to some popular wisdom, not every application and service is necessarily better off being run in the cloud. Establishing what does and doesn’t need to be migrated can save time and money later on, both in the initial migration process and potentially subsequent ones if those workloads are repatriated to on-premise systems.

Organisations should be mindful of contract lengths, too. Long lease terms on physical infrastructure are one of the biggest impediments to organisations’ cloud migrations, and although many cloud services will offer discounts on the price of longer contract lengths, this also contributes towards those same lock-in issues that you’re trying to avoid.

It’s important to remember that you can design and set up most elements of your public cloud infrastructure without spending a single penny, and you should do this as early as possible. Although public cloud providers market themselves on their ability to get up and running very quickly, mature organisations that want to undertake a comprehensive cloud deployment will quickly find that setting this up, along with all the associated account structures, security and compliance frameworks, will quickly eat up unexpectedly large amounts of time.

“None of this costs any money in terms of consumption,” says Lee Wynne, CDW’s public cloud architecture practice lead. “You can build out a well-architected multi-account AWS or Azure design, you can do all your billing strategy, and you can design and provision all your platform architecture and it costs you no money. There are no cloud consumption costs at all to do that; you have to know what you are doing but it won’t cost you a penny. So when you’re ready, when that urgent project comes along, and they go ‘yeah, we need to spin this up in Azure or AWS, or GCP ASAP’, then you’re ready to go. Nobody’s waiting for anything, it’s just done and dusted, a big tick in the box for your IT services. There’s nothing dependent on this from a project perspective, no cost assessments, no buzzwords about machine learning and AI strategies, no politics.

“Now, when it comes to thinking about vendor lock-in you start thinking ‘well, should I just be doing this for one platform? Or should I do it for all of them?’, because it’s the same. That strategy is the same across AWS, Azure or Google Cloud. They all have the same thing: a multi-account structure and a platform architecture, all can be designed and configured with no consumption so it’s not too difficult to do that for all of them. And then all of a sudden, you’ve got a little bit more choice and bit more flexibility about where you choose to deploy certain elements. The only complexity is how you set up network comms between them, if that even needs to happen.”

Designing your workloads and applications in such a way that they can be deployed across multiple clouds from the outset makes jumping ship to a new provider much easier, and it also has the added bonus of making them much leaner and more portable in general.

Vendors themselves have even started warming to the idea of customers deploying across multiple providers, and multi-cloud tools and functionalities are becoming increasingly common. VMware, for example, has been rapidly expanding its portfolio of multi-cloud management tools and has recently announced its plans to incorporate Kubernetes management tools into vSphere, making multi-cloud workload management even simpler. Microsoft has also got in on the trend, announcing earlier this year that Azure Cost Management will also help customers manage their AWS spending.

Another important consideration is the tools that you use to build and run your apps. Most organisations will likely construct their apps using open source (or at the very least widely supported) programming languages, but once those applications are in the cloud, it’s very easy to end up accidentally bolting additional compatibility requirements onto them.

“For example, AWS has CodeStar and Azure has Azure DevOps, and they have a lot of native tools in their ecosystem that you can use to wrap around your source code, test and deployment pipelines,” Wynne points out. “Then you become reliant on it; it becomes part of your DevOps process, and then it becomes part of your culture, and it becomes part of your team. So over time, you can easily end up locked into one of those cloud platforms, if you consume a lot of their native services around your source code, and you begin to extend it further into proprietary database services such as Google Firebase, Azure Cosmos and AWS Aurora and serverless monitoring and debugging tools.”

Vendor lock-in remains a major problem for many IT departments, and it can be just as much of a risk when it comes to the cloud. With thorough planning, good design and careful monitoring, however, it is possible to architect your cloud estate in a way that minimises the chance of your organisation repeating the same woes of time gone by. For businesses that want to ensure they’re implementing the right cloud strategies and designing their platforms in the most flexible way possible, CDW is an ideal partner for planning and orchestrating your cloud migration, bringing years of experience and unparalleled cloud expertise to bear on your business challenges.

Get in touch with a CDW Account Director and ask for details on CloudCare® JumpStart or CloudPlan. Visit uk.cdw.com

Microsoft has outlined a set of ambitious plans to remove more carbon from the atmosphere than it emits by the end of the decade.

By 2030, Microsoft is aiming to be ‘carbon negative’, in that the carbon it removes from the atmosphere outweighs the carbon emitted, including the activity of its wider supply chain.

This is in addition to a $1 billion climate fund to accelerate research and development into carbon reduction, capture and removal technology that doesn’t already exist today.

Moreover, Microsoft wants to continue the trend of lowering emissions while increasing carbon removal so that by 2050 it will, on paper, have removed all the carbon it has emitted since its foundation in 1975.

“While the world will need to reach net-zero, those of us who can afford to move faster and go further should do so,” said Microsoft president Brad Smith.

“We recognize that progress requires not just a bold goal but a detailed plan. As described below, we are launching today an aggressive program to cut our carbon emissions by more than half by 2030, both for our direct emissions and for our entire supply and value chain.

“While we at Microsoft have worked hard to be “carbon neutral” since 2012, our recent work has led us to conclude that this is an area where we’re far better served by humility than pride. And we believe this is true not only for ourselves, but for every business and organization on the planet.”

The industry stalwart is the latest in a string of companies, including Amazon and HP, to enter an arms race geared on reducing carbon footprints and embracing cleaner and greener technologies.

Amazon, for example, has pledged to be carbon neutral by 2040, while Google Cloud hit its 100% renewable energy goal in April 2018, powering its data centres and offices from renewable sources, including solar and wind. Salesforce, similarly, achieved net-zero greenhouse gas emissions the previous year.

HP, on the other hand, has committed to releasing routine sustainability reports that track its progress in its aims to reduce its carbon footprint. It has started to build many of its products with sustainability in mind, including the forthcoming HP Elite Dragonfly business 2-in-1.

Microsoft says it can achieve its own “aggressive” set of targets by first investing in nature-based initiatives, such as planting trees, with the goal of shifting to technology-based programmes when they become more viable.

The wider strategy, however, encompasses a set of smaller goals that Microsoft hopes to hit along the way to achieving its major targets for 2030 and 2050.

By 2025, for instance, Microsoft is hoping to shift to a 100% supply of renewable energy, while aiming to fully electrify its global campus operations vehicle fleet by 2030.

The firm is hoping to implement new procurement processes and tools to incentivise its suppliers to reduce their carbon emissions too, with these pencilled in for July 2021. For customers, meanwhile, Microsoft will roll out a sustainability calculator and dashboard that estimates emissions from Azure services.

Google’s parent company Alphabet has become the fourth US tech company to reach a market value of $1 trillion (£765 billion), ending trading at $1,451.70 per share on Thursday.

It will hold a quarterly conference to discuss Q4 and 2019 financial results on 3 February but Wall Street Analysts are expecting it to report revenue of $46.9 billion – up 20% year-on-year.

Alphabet is now part of a US tech elite with Apple, Amazon and Microsoft all having reached the $1 trillion market cap over the past two years. The iPhone maker was the first to surpass the mark in August 2018 with Amazon hitting it a month later. Microsoft was the third company, doing so in April 2019.

Like Amazon and Microsoft, revenues from its cloud ventures are believed to have heavily contributed to Alphabet’s overall growth, with the Google Cloud Platform doubling it’s revenue run rate to £2 billion per quarter between February 2018 and July 2019, according to CNBC.

Cloud, Google’s Play app store and Google’s hardware division have all been key drivers for the company, according to its earnings report. In Q3 of 2019, revenue from these segments of the business increase 39% year-on-year.

Sundar Pichai’s recent promotion to CEO of Alphabet has also helped to increase optimism among stockholders, according to Pivotal Research Group analyst Michael Levine.

“We are incrementally more constructive about what we perceive as multiple ways to get paid under the recently appointed Pichai regime,” Levine wrote, as reported by Markets Insider. His evaluation is reportedly based on an estimate of Alphabet’s 2021 EBITDA (earnings before interest, tax, depreciation and amortization).

Pichai took over as CEO of both Alphabet and Google after co-founders Larry Page and Sergey Brin stepped down in December. The change of leadership offers “the most optionality for multiple expansion for the stock we have seen in years,” according to Levine, who also sighted Thomas Kurian‘s helm of Google’s cloud business as a positive sign.

Sales of hardware for cloud infrastructure slid slightly over the past year as part of overall weaker sales in IT, according to IDC, but they still exceeded spending on non-cloud infrastructure for the second time ever.

The analyst firm said cloud IT infrastructure spending declined for the second quarter in a row in the third quarter of 2019, down 1.8% from the same period last year.

While public cloud infrastructure declined 3.7% on the year, that segment is still worth $11.9 billion in quarterly sales. And while sales for public cloud dropped versus the same period last year, they were up by 24% from the quarter before.

“As the overall segment is generally trending up, it tends to be more volatile quarterly as a significant part of the public cloud IT segment is represented by a few hyperscale service providers,” IDC reported, adding that public cloud makes up most of the spending.

With such volatile quarterly figures, it’s easier to look at the market on an annual basis, and IDC noted public cloud IT infrastructure had stable growth since the analyst firm began tracking the segment. “In [the third quarter of 2019], vendor revenues from private cloud environments increased 3.2% year over year, reaching nearly $5 billion. IDC expects spending in this segment to grow 7.2% year over year in 2019 to $21.4 billion,” the company predicted.

IDC splits infrastructure into three areas: ethernet switches, compute platforms, and storage. While compute will remain the largest segment for cloud infrastructure spending, it’s expected to see growth of just 3% in 2019, while storage will be flat. The Ethernet switches segment is predicted to climb 11% on the year.

IDC said that the IT infrastructure industry was reaching the point where cloud will outstrip spending on traditional, non-cloud systems. Up until this last quarter, cloud spending topped non-cloud only once, back in the third quarter of 2018. In the last quarter, cloud hardware spending topped 53%.

“However, for the full year 2019, spending on cloud IT infrastructure is expected to stay just below the 50% mark at 49.8%,” IDC added. “This year is expected to become the tipping point with spending on cloud IT infrastructure staying in the 50+% range.”

IDC forecasts traditional infrastructure will make up 42% of sales by 2023, down from 52% in 2018. That’s in part due to spending on traditional environments declining, with IDC predicting it to fall by 5.3% over 2019.

“This share loss and the growing share of cloud environments in overall spending on IT infrastructure is common across all regions,” added IDC. “While the industry overall is moving toward greater use of cloud, there are certain types of workloads and business practices, and sometimes end user inertia, which keep demand for traditional dedicated IT infrastructure afloat.”

Spend management software provider Compleat Software has expanded its relationship with Sage, adding a new integration between iCompleat and Sage Intacct.

Designed to streamline the accounts payable process, the expanded relationship will see the firm market and sell its AI-powered iCompleat Buy to Pay service on the Sage Intacct Marketplace.

The move becomes the third integration between the two companies, following previous Sage 50 and Sage 500 additions, and forms part of Compleat’s plans to expand internationally in places such as North America and Australia.

“The simplicity, rapid deployment, increased levels of automation, and cost savings achieved when buying online makes iCompleat an asset for every business,” said Annabel Sim, VP of global sales at Compleat. “This expanded partnership will help our solution to stand out and be successfully adopted in the USA and Australia, in addition to the success achieved in the UK already.”

Initially focused on North America, Sage’s Intacct integrated services repository was recently launched in the UK and Australia and is the first and only preferred financial management service of the American Institute of Certified Public Accountants (AICPA).

Compleat’s software is the first accounts payable automation add-on with a built-in online buying service available on the platform. Its latest product allows users to make Amazon Business purchases from iCompleat, enabling automated invoice matching with simple product ordering tasks.

Through AI and machine learning, the software automates the cycle of buying, invoice capture and approval processes. This increases accounts payable efficiency, the firm said, and eliminates the risk of fraud by providing full visibility and control of company spend.

“We continue to add powerful solutions to the Sage Intacct Marketplace,” commented Eileen Wiens, VP of business development for Sage Intacct. “Sage Intacct customers can now benefit from the built-in online buying functionality and Compleat’s partnership with Amazon Business which takes the Buy to Pay software functionality to a whole new level of automation and end convenience.”

Up to 100 million is being poured into researchers and small businesses as part of public sector efforts to invest in emerging technologies like artificial intelligence (AI).

The government’s Future Leaders Fellowships scheme will receive 78 million to be invested in 78 researchers to work on scientific and technological discoveries.

The remaining 20 million will be allocated to universities to support small businesses in rapidly-growing industries including AI, but also areas like clean growth and agri-food.

The 20 University Enterprise Zones (UEZs) will provide specialist support to small businesses and raise the level of knowledge-sharing between academics and entrepreneurs through frequent collaborations.

Through these UEZs, startups and small businesses will be given the facilities and expertise to help take their ideas through from a concept into the production and marketing stages.

These programmes will run across the UK in cities like Exeter, Falmouth, and Durham, not just London, with the government hoping this regional diversity will lead to several improvements to local economies.

These packages are part of the government’s UK Research and Innovation (UKRI) programme, which has seen various sums allocated to boosting aspects of tech growth in recent months.

The NHS, for example, this month received 69.5 million to fund four projects that involve developing therapies and technologies to treat genetic mutations that predicate life-threatening conditions like cancer and arthritis.

The UKRI programme even funded three R&D projects in Bristol with a 50,000 round of investment in March this year.

“UKRI is committed to creating modern research and innovation careers and our Future Leaders Fellowships aim to support and retain the most talented people, including those with flexible career paths,” said UKRI chief executive Professor Sir Mark Walport.

“These 20 University Enterprise Zones funded by Research England will be important focal points for collaboration in business-friendly environments, driving innovation and delivering benefits that will be felt across economies at the local, regional and national scale.”

The largest recipient of the 20 million UEZ fund is the University of Southampton, which will use a 1.5 million boost to fund the Future Towns Innovation Hub.

Other prominent projects include Oxford Brookes’ 1.2 million AI & Data Analysis Incubator, and Lancaster University’s Secure Digitisation UEZ.

Blockchain is an advanced way of logging and protecting data and changes to a decentralised database that makes it difficult to manipulate. It’s the technology that underpins digital currencies, such as Bitcoin, and helps to protect against double-spending and hyperinflation in banking. It’s even used to achieve automated supply chain management in manufacturing.

Blockchain is a type of distributed ledger, one that operates as a public platform of data records that isn’t “owned” by any individual. It allows people to exchange information in real-time, with that information changing hands multiple times at once, all while being verified to ensure changes are legitimate.

Blockchain is among the most experimental and emerging technologies around given the sheer amount of moving parts needed to ensure the information is correct at all times, wherever it resides. There’s also a pressing need to ensure it’s accurate, and that everybody can access the same information as each other.

Data resides in a limited number of “blocks” that together make up a “chain”, hence the name Blockchain. Any data sent or received over the chain of data blocks can be viewed by any person, at any time. Any changes to the chain are confirmed and uploaded at the same time as well. Because it doesn’t reside in a single location, however, such as a database or server, it means it’s incredibly difficult to disrupt or hack; this would require every single node supporting the network to be compromised at the same time.

Although originally developed for digital currencies, businesses are now seeing the benefits of implementing forms of distributed ledgers in their own organisations, particularly to protect secure data in environments such as hospitals or by estate agents to secure property purchases.

New use cases

No-one really knows who invented Blockchain. Its initial research paper was published under the name ‘Satoshi Nakamoto‘, the same person attributed to the creation of Bitcoin but it’s likely that the name on the paper was a pseudonym for a group of people who all had a hand in the technology’s development.

Blockchain solved the problem of ‘double spending’, recording what transactions had taken place on the network and preventing users from using the same digital token more than once. It also presented the opportunity for the currency to be decentralised, so governments and other authorities were not required to regulate or oversee it, making it a completely free, global currency.

However, the idea of having a distributed ledger that is not owned by anyone clearly has benefits. For one, it’s super-secure because no one owns the original file and it can be updated without the threat of hack.

It also means data even the most sensitive information such as that related to personal identities, medical information and insurance records can be stored in a place that can be made accessible by all parties in a way that’s trusted.

Now that the technology has been in the public domain for a good few years, companies are finding innovative ways of deploying it. There are, for example, a slew of cannabis startups using blockchain to get a head start in an emerging industry. Most recently, startup TruTrace Technologies partnered with auditing firm Deloitte to track cannabis using blockchain technology, according to Proactive Investors.

The system tracks the drug from seed to sale in order for customers and retailers to know the history of the product as it passes through the supply and consumption chain. 

The rise of blocks

Blockchain relies on blocks of data connected in a chain, as its autonym name suggests. The chain is cryptographically secured and distributed among those that want to change or tweak parts using a network. As the chain evolves, new blocks are added and the person or node that adds that block is solely responsible for authorising it and ensuring it’s correct.

What’s unique about blockchain technologies is that none of the blocks can be changed or removed after being added – a reason to ensure it’s definitely correct or accurate before adding to the chain.

The way blockchains are created makes them perfect for highly regulated industries that need to have a paper trail of changes. Because it’s tamper-proof, the financial sector is one of the industries taking the technology seriously and it was created for Bitcoin for exactly this reason.

Bitcoin miners add the blocks, acting as nodes in a huge peer-to-peer (P2P) network. Everyone works together to validate transactions, without changing anything in the chain. Because every block is linked together in a chain, nothing can be changed without breaking the chain and to change anything, it would need every person who’s ever added a block to change their additions – an impossible task when so many people are using a single network. 

Not all blockchains are built the same, and the time it takes to process blocks of transactions can vary. Given the nature of buying and selling, cryptocurrency blockchains tend to be the quickest examples. The Ethereum blockchain, which supports the Ether cryptocurrency as well as countless other industry projects, is able to process transactions in around 15 seconds, whereas Bitcoin’s network generally takes around 15 minutes.

More affordable and efficient

Blockchain networks can operate through multiple computers across the world, sometimes thousands, in an open P2P configuration. There is no centralised database or server, and because of this users, or nodes, can organise and audit information quicker and more effectively. But the time taken to verify information does scale with the size of the network.

There are benefits to the nature of blockchain networks, with implications for privacy and security. For instance, the fact the data is not stored in any one location means it is difficult, if not impossible, to hack these networks and steal any data, or shut them down. They are also able to withstand the risk of outages, as all nodes would have to be individually taken down for the blockchain to be knocked offline.

Cooperation and collaboration is normally at the heart of most blockchain networks too, with the various users operating under a shared goal. For example, users in the financial services sector would be working to building a safer and more secure method for storing and processing transaction information. While a physical file room may have once been a fixture of such operations, a blockchain network can enable one to transmit data far quicker, and more accurately.

The scope for blockchain to reduce the risks of fraud, and allow for more affordable financial processes, is greater too – with many systems such as these, albeit in their infancy, already producing some results. Santander, for example, earlier this year rolled out a blockchain technology based on Ripple that could accelerate payments across borders.

Public vs private

Much like the field of cloud computing, the function and implementation of blockchain can vary significantly depending on whether it’s designed to be public or private. The primary distinction between these types comes down to who can access a system.

Public

Public blockchains operate a shared network that allows anyone to maintain the ledger and participate in the execution of blockchain protocol – in other words, authorise the creation of blocks. It’s essential for services such as Bitcoin, which operates the largest public blockchain, as it needs to encourage as many users as possible to its ledger to ensure the currency grows.

Public blockchains are considered entirely decentralised, but in order to maintain trust, they typically employ economic incentives, such as cryptocurrencies, and cryptographic verification. This verification process requires every user, or ‘node’, to solve increasingly complex and resource-intensive problems known as a ‘proof of work’, in order to stay in sync.

This means public blockchains often require immense computational power to maintain the ledger, which only worsens as more nodes are added, and predicting how much that will increase is difficult. Given the number of voices in the community, it’s also incredibly difficult to reach a consensus on any technical changes to a public blockchain – as demonstrated by Bitcoin’s two recent hard forks.

Private

Private blockchains are arguably the antithesis of what the technology was originally designed for. Instead of a decentralised, open ledger, a private blockchain is entirely centralised, maintained by nodes belonging to a single organisation or entity.

It’s a novel design tweak that has allowed the technology to flourish within those organisations looking for the same streamlined transactions afforded by public blockchains, only with highly restricted access. As there are fewer participants on the network, transactions are normally cheaper and verified far quicker on private chains, and fixes to faults or network upgrades can be implemented almost immediately.

In order to share the data stored on a private chain, they often operate using a permission-based system, in which node participants are able to grant read access to external parties, such as auditors or regulators looking to check the inner workings of a company.

Unfortunately, as there are fewer nodes maintaining the blockchain, it can’t offer the same high levels of security afforded by decentralised chains.

Consortium

‘Consortium’ is best described as the ‘hybrid cloud’ of blockchain. It provides the robust controls and ‘high trust’ transactions of private blockchains, only without being confined to the oversight of a single entity.

It sits somewhere in the middle. Although they provide the same limited access and high efficiency afforded by private blockchains, dedicated nodes are set aside to be controlled by external companies or agents, instead of having only read access under a private blockchain.

The easiest way to understand how it differs is to think of consortium blockchains as the equivalent of a council group – with each member having responsibility for maintaining the blockchain, and each having permissions to give read access.

Given its collaborative design, it’s a perfect solution for supporting the work of government committees or industry action groups where a number of companies may come together to tackle an issue – whether that be industries working to combat climate change or maintaining a shared ledger to support the work of the United Nations.

Blockchain vs Distributed Ledger Technology

The term blockchain’ is often deployed to refer to a host of similar yet different technologies, and is often falsely used to refer to any decentralised distributed database. Blockchain is, in reality, only one form of the emerging distributed ledger technology (DLT).

DLT is a form of technology comparable to a database but distributed across multiple physical sites and locations, regardless of how near or far from one another. The purpose of such a phenomenon is to avoid having to rely on a centralised storage system or the need for a middle-man, like a network, to authorise and record changes to the records. When changes are requested, the lack of a centralised system means approval is demanded from all notes across a DLT network.

This concept is being adopted by businesses and organisations at a fast pace, and across various industries. This is not just an innovation developed and taken up by tech companies, but sectors like manufacturing and finance.

There are a number of formats in which DLT arises, but the central idea of a diversity of control is at the heart of all of these. One form of distributed ledger, for example, allows data to be stored on separate nodes, such as banking records beginning with each letter of the alphabet dispersed among different locations Rather than replicated to each area, like in a database as we’ve always known, the data is spread across parts of a network.

Blockchain simply refers to one iteration of this form of technology, more specifically, a data structure that takes the shape of entries stored in blocks. This form of structuring data offers an element of synchronisation between parts of a network – and it’s essential for supporting innovations like Bitcoin.

Despite its success as the building block of currencies like Bitcoin, the system doesn’t necessarily need to have miners and tokens to qualify as a blockchain – the term simply refers to the structure of arranging data into blocks. Blockchains, as a result, are decentralised ledgers where data is replicated rather than distributed.

Unfortunately, the frequency at which blockchain and distributed ledger are used interchangeably has created confusion over the technology as a whole, leading many to dismiss blockchain as simply a tool for Bitcoin.

In a business environment where cybercrime continues to pose a real and present danger to businesses of all sizes, paying close attention to how data and devices are protected is now of paramount importance. As Werner Vogels, Amazon’s chief technology officer recently put it, we need to “encrypt everything”.

There has perhaps never been a more urgent time to look at encryption strategies. Government research from 2018 revealed that over two in five businesses (43%) have identified security breaches in their systems in the last 12 months. Some of the most common attacks included staff receiving fraudulent emails (75% of those breached), individuals impersonating the organisation online (28%) and viruses and malware (24%). What’s more, security breaches on average cost organisations 894 per incident over the past year.

Legacy systems such as desktop PCs and servers generally use high levels of encryption. However, mobile digital devices often use reduced levels of encrypted security, if indeed they use any encryption at all. According to Sophos, only a third of businesses encrypt the smartphones and tablets they hand out to employees.

Then there’s the cloud to consider, which has become a new battlefield in the fight against cyber crime. As cloud adoption has increased, businesses have slowly handed off the responsibility for encrypting data to service providers that are themselves becoming a favoured target for cyber criminals.

Businesses understand that their customer data, in particular, must be encrypted. Highly regulated industries, such as financial services, have long used strong encryption to meet their compliance responsibilities, with other sectors reacting to high-profile security breaches by enhancing their use of encryption tools and protocols.

For example, the payment card Industry’s Data Security Standard (PCI DSS) has strict requirements on how merchants need to employ encryption to protect stored cardholder data. The Data Protection Act 2018 and GDPR (General Data Protection Regulation) both make it mandatory that businesses take practical steps to protect customer data.

Data dispersal

However, companies are seeing that work is changing and that modern workplace practices, such as remote working, are creating new challenges when it comes to protecting data. Many businesses now operate with a highly dispersed workforce, one that still requires secure lines of communication to the office.

Some technologies have helped in this regard. Virtual private networks (VPNs) that use built-in encryption protocols are now becoming widespread, particularly across the small business community because of their relatively low cost and efficient deployment.

Yet this dispersal of employees is often a “barrier to a successful encryption strategy”, according to findings from the Ponemon Institute’s 2019 Global Encryption Trends report, with many businesses being unable to source where their sensitive data resides.

Some 69% of those surveyed said that data discovery was their biggest headache when it came to encrypting data, 42% found difficulties when first deploying new technologies, and 32% said they struggled to identify what data they should be encrypting as a priority.

For Martin Whitworth, research director of European Data Security and Privacy for IDC, businesses need to have an understanding of the application of encryption, specifically what it can and can’t do.

“It is important for all organisations to have a stance, and policy, on encryption,” says Whitworth. “However, this should not just be shelfware – it must reflect a well thought out position. In fact, one of the real benefits of developing an encryption policy is that it should drive a greater understanding of the topic, what it can do and what it can’t do.” 

He adds that even those businesses who do have encryption policies in place, these often fail to fully protect data once it has been transmitted to remote workers outside of the organisation’s firewall.

“Most small businesses are probably already using encryption – specifically encryption of data in transit, via their use of ‘secure’ web sites (SSL/TLS) and possibly VPNs for remote access,” Whitworth adds. “But they should also be seriously looking at encryption of data at rest; whether this is full disk encryption of laptops and/or smartphones to protect the sensitive data that they have.”

Despite there being an abundance of security tools available for businesses of all sizes, he believes that many of these are “off-putting to small businesses” as they are “not easy to integrate with existing applications”.

“What is often missing are the skills and knowledge to implement, maintain and operate them appropriately,” adds Whitworth, something which hits small businesses the hardest.

Understanding the basics

Despite the challenge facing small businesses, it’s possible to simplify the process of encryption, provided you have a well-defined and communicated policy across your business. Data is now your business’s most precious commodity – a commodity that must be protected.

The Ponemon Institute research found that 44% of businesses performed encryption on-premise before sending data to the cloud using keys their organisation generates and manage. However, 35% of respondents perform this encryption in the cloud, with cloud providers generating and managing those keys. Some 21% of respondents are using some form of Bring Your Own Key (BYOK) approach.

Regardless of the favoured approach to encryption, there are basic steps that all businesses should be taking. “Encryption is no longer an additional expense, it’s something you can enable on most new devices,” explains Oscar Arean, technical operations manager at Databarracks.

“A password on a laptop doesn’t make the data secure. It’s relatively easy to get access to the data either on the laptop or by removing the disk itself. BitLocker is a good start on new Windows laptops, or Mac’s have FileVault. Neither are enabled by default; however, so the first and most important step is actually to enable encryption.”

David Sutton is author of Cyber Security: A practitioner’s guide, published by BCS. His advice is provided in a private capacity and doesn’t necessarily reflect the views of BCS. He believes that encryption can be turned into a fairly straight forward exercise for small businesses, but they should be aware of the added restrictions it could place on day-to-day operations.

“Most commercial encryption software is suitable (or has a product) suitable for small business use,” explains Sutton. “For file and disc encryption, there are really no cons.”

However, he adds that “for email encryption, both sender and receiver must operate the same encryption standard, which can lead to complications when dealing with other organisations who already operate different systems. On the pro side, it’s normally win-win on all types.”

How to use encryption

Having a full understanding of the data landscape across your enterprise will help you figure out what types of encryption you need. When data is at rest stored on hard drives, servers or mobile devices, for instance, file or full drive encryption should be considered.

It’s when data is in motion that encryption becomes even more vital. When data moves over your business’s network or out onto the wider internet, it must have some form of encryption. It’s likely your business has continued to expand its use of the cloud in some capacity and is probably developing hybrid cloud deployments. If that’s the case, data must be encrypted at rest as well as when it’s being transmitted.

Ramon Krikken, research VP Analyst at Gartner, tells IT Pro: “Encryption is considered a baseline control and often provides a first technical step in compliance programs. Encrypted communications, such as TLS (Transport Layer Security), provide a strong control.

“Data-at-rest encryption is more challenging,” he adds, “because the layer at which it is deployed determines how much protection it provides – it’s but a small part of a larger control set that includes monitoring and access control. In addition, encryption key management for data-at-rest encryption is a critical element, because losing the keys means losing the data.”

Of course, the quality of any encryption policy comes down to how keys are generated, applied and managed. For larger businesses, this is somewhat of an easier task despite the quantity of data that needs to be encrypted. Cryptography is often managed by in-house experts equipped with expensive hardware and software.

These resources aren’t something that’s typically available to small businesses, and investing in in-house expertise isn’t usually feasible. As a small business, you’ll likely find yourself working more closely with service providers. However, if that isn’t an option that works for you, you can call upon key management products that are provided as a service. These tend to give you more control over encryption keys, but generally, it’s more difficult to maintain full control unless you have the resources to do so.

What has become clear for all business owners is encryption must form a fundamental component of their data security policies. Where data is stored, who has access and, importantly, how data is protected when in transit and at rest, all require strong encryption protocols.

The use of mobile devices has also moved the perimeter of the security environment businesses have to manage outside of the control of their premises. Ensuring all data communications use strong encryption is now critical to meet data protection and regulatory privacy requirements.

Also, don’t forget your staff. Consistently, one of the weakest links in a security system will often be the people handling data. Ensure your business has detailed and on-going education and training to encompass the encryption tools you are using to ensure they are always correctly used and not avoided for forgotten.