Category Archives: Trustmarque

81% of CIOs believe legacy systems are having negative impact on business

Research from Trustmarque has highlighted 81% of CIOs believe legacy infrastructures are having a negative impact on the IT department’s productivity levels.

The report stated the majority of CIOs see the legacy systems as a drain on IT resources and 86% believe IT management has become more complex over the last five years, owing to the fact teams have to juggle between the impact of cloud and mobile, as well as delivering on legacy systems. Due to the increased number of SLAs and an increasingly diverse number of vendors to support both new and legacy technologies, 58% are struggling to deliver a consistent level of IT across the business.

“Providing comprehensive, consistent IT support in today’s complex IT world is a huge challenge for CIOs. It’s unsurprising many are finding IT management a growing burden,” said Mike Henson, Director, Cloud and Managed Services, Trustmarque. “Particularly where there is a lot of legacy technology, CIOs have an important decision to make – whether to continue to support legacy IT, or explore migration to the cloud – where support costs can be considerably lower.

“Today, IT might be easier to use than ever, but it’s also much more complex to manage and support. The business IT model has shifted, digital experiences are high on the agenda, along with a desire to consume rather than build IT. This shift has caused considerable strain on CIOs’ time, resources and budgets.”

While cloud could now be seen as a priority throughout the industry, the majority of businesses are having to navigate a number of transformation projects to implement the technology. In reality, very few companies are in a position to deliver a Greenfield cloud proposition within their organization, leading to complications in managing the co-existence of cloud and legacy, as the report indicates.

One area on which this is seemingly having a direct impact is innovation. As IT complexity has increased, the report indicates the number of ‘tickets’ being raised throughout the business has also increased. This in turn keeps IT employees focused on operational tasks (“keeping the lights on”) as opposed to focusing on implementation of new technologies to support digital transformation projects. 77% of the CIOs questioned in the survey confirmed one of their top priorities was to reduce the proportion of internal resource devoted to operational IT, freeing team members up to invest more time in transformational IT projects.

“In today’s increasingly connected world, business IT is unpredictable – changing to reflect varied business needs and the ways in which modern employees want to work,” said Henson. “Many CIOs struggle to balance the need to run business IT as usual, while at the same time delivering innovative new services to demanding users. Clearly, CIOs recognise the growing need for continued innovation within their organisation – but also recognise that a lack of internal resources and skills can hamper this ambition.”

Although general consensus throughout the industry is leaning towards cloud penetrating the mainstream marketplace, it is unlikely we’ll see cloud and other emerging technologies as the default until resource can be effectively moved away from operational IT. A number of different businesses have stated the need to transform to remain competitive in the marketplace, though the report does imply these projects are unlikely to succeed until the idea of IT as simply a support function is removed from the business mind-set.

The top three cloud security myths: BUSTED

The rise in global cyber-attacks and the subsequent high-profile press coverage understandably make businesses question the security of cloud. After all, the dangers of hosting anything in an environment where data loss or system failure events are attributed to an outside source are magnified. As a result, many CIOs are also still struggling to identify and implement the cloud services most suitable for their business. In fact, research finds over three quarters (79%) of CIOs find it a challenge to balance the productivity needs of employees against potential security threats. Moreover, 84% of CIOs worry cloud causes them to lose control over IT.

But is cloud really more vulnerable than any other infrastructure? And how can organisations mitigate any risk they encounter? The reality is that all systems have vulnerabilities that can be exploited, whether on-premise, in the cloud or a hybrid of the two. It’s safe to say that people fear what they don’t understand – and with cloud becoming increasingly complex, it’s not surprising that there are so many myths attached to it. It’s time to clear up some of these myths.

Myth 1: Cloud technology is still in its infancy and therefore inherently insecure

Cloud has been around for much longer than we often think and can be traced as far back as the 1970s. The rapid pace of cloud development, coupled with an awakening realisation of what cloud can do for businesses, has thrust it into the limelight in recent years.

The biggest issue CIOs have with cloud is their increasing distance from the physical technology involved. Indeed, many CIOs feel that if they cannot walk into a data centre and see comforting lights flashing on the hardware, then it is beyond their reach. As a result, many organisations overlook instrumentation in the cloud, so don’t look at the data or systems they put there in the same way they would if it were on a physical machine. Organisations then forget to apply their own security standards, as they would in their own environment, and it is this complacency that gives rise to risk and exposure.

Myth 2: Physical security keeps data safe

It is a common misconception that having data stored on premise and on your own servers is the best form of protection. However, the location of data is not the only factor to consider. The greatest form of defence you can deploy with cloud is a combination of strict access rights, diligent data stewardship and strong governance.

Common security mistakes include not performing full due diligence on the cloud provider and assuming that the provider will be taking care of all security issues. In addition, it is still common for organisations to not take into account the physical location of a cloud environment and the legal ramifications of storing data in a different country. Indeed, a recent European Court of Justice ruling found the Safe Harbour accord was invalid as it failed to adequately protect EU data from US government surveillance. Cloud providers rushed to assure customers they were dealing with the situation, but the main takeaway from this is to not believe that a cloud provider will write security policy for you – organisations need to take ownership.

Myth 3: Cloud security is the provider’s responsibility

All of the major public clouds have multiple certifications (ISO27001, ISO27018, ENISA IAF, FIPS140-2, HIPAA, PCI-DSS) attained by proving they have controls to ensure data integrity.

The real risk comes when organisations blindly park data, thinking that security is just implicit. Unless the data is protected with encryption, firewalls, access lists etc., organisations remain vulnerable. The majority of cloud exposures can in fact be traced back to a failure in policy or controls not being applied correctly – look at the TalkTalk hack for example, and consider the alternate outcome had the database been encrypted.

Education and ownership is the future

The speed at which cloud is evolving can understandably cause a few teething problems. But it is the responsibility of providers and clients alike to take ownership of their own elements and apply security policies which are right for their business, their risk profile and the data which they hold. As with any technological change, many interested parties quickly jumped on the cloud bandwagon. But the allure of a technology can inhibit critical thinking, and the broader view of choosing the right application at the right cost, with appropriate security to mitigate risk, is lost. Remember, the cloud is not inherently secure and given the fact it stands to underpin enterprise operations for years to come, it’s worth approaching it not as a bandwagon but as an important part of enterprise infrastructure.

Written by Mark Ebden, Strategic Consultant, Trustmarque

Natural Resources Wales extends cloud ERP relationship with Trustmarque

System integrator Trustmarque has announced it will continue its work with Natural Resources Wales, focusing on disaster recovery, and application and infrastructure support.

The agreement, which has now been in place for two years, was initially launched to help Natural Resources Wales simplify its IT estate following the merger of the three different bodies. Natural Resources Wales was brought about through the merger of Countryside Council for Wales, Environment Agency Wales, and the Forestry Commission Wales, all of which operated on different ERP systems.

“The creation of Natural Resources Wales resulted in a complex and disparate IT estate, and over the past two years Trustmarque has helped us effectively simplify it,” said Paul Subacchi, Head of Business Support Services at Natural Resources Wales. “Our ERP system is absolutely critical to the organisation, enabling us to become more efficient and offer greater self-service functionality to our employees.  Cloud is a significant part of our IT strategy, so we need a platform that is available, resilient, flexible and secure to deliver our ERP system.”

Initially, projects focused on consolidating all ERP systems it was using for finance and HR onto a single platform, delivered through a combination of cloud, on premise and managed services. Trustmarque will now deliver Natural Resources Wales’ sole ERP system as a private cloud service, as well as creating a self-service portal, MyNRW, for the organization’s 2000 employees.

Security was an important consideration for Natural Resources Wales, as Trustmarque has to continually demonstrate that it meets minimum security requirements set forward by G-Cloud. The requirements range from encryption to protect consumer data transiting networks to Trustmarque staff security screening and consumer separation, as well as ensuring that its own supply chain meets the same standards.

“The work we have done with NRW throughout our collaboration is testament to Trustmarque’s end-to-end IT service capabilities and our expertise in delivering cloud services,” said Mike Henson, Cloud and Managed Services Director at Trustmarque. “By selecting the Trustmarque Cloud, Natural Resources Wales is now able to realise the benefits of its Unit 4 ERP system via a secure and robust platform.

“We’ve also removed the potential ‘headache’ that software licensing can cause, allowing Natural Resources Wales to focus on its core business without any compliance concerns. We see our continuing partnership with Natural Resources Wales as an important and valuable digital transformation programme, and look forward to our future work together.”

Giving employees the cloud they want

Businesses are taking the wrong approach to their cloud policies


There is an old joke about the politician who is so convinced she is right when she goes against public opinion, that she states, “It’s not that we have the wrong policies, it’s that we have the wrong type of voters!” The foolishness of such an attitude is obvious and yet, when it comes to mandating business cloud usage, some companies are still trying to live by a similar motto despite large amounts of research to the contrary.

Cloud usage has grown rapidly in the UK, with adoption rates shooting up over 60% in the last four years, according to the latest figures from Vanson Bourne. This reflects the increasing digitalisation of business and society and the role cloud has in delivering that.  Yet, there is an ongoing problem with a lack of clarity and understanding around cloud policies and decision making within enterprises at all levels. This is only natural, as there is bound to be confusion when the IT department and the rest of the company have differing conceptions about what the cloud policy is and what it should be. Unfortunately, this confusion can create serious security issues, leaving IT departments stuck between a rock and a hard place.

Who is right? The answer is, unsurprisingly, both! Increasingly, non-IT decision makers and end-users are best placed to determine the value of new services to the business; but IT departments have long experience and expertise in the challenges of technology adoption and the implications for corporate data security and risk.

Cloud policy? What cloud policy?

Recent research from Trustmarque found that more than half (56 per cent) of office workers said their organisation didn’t have a cloud usage policy, while a further 28 per cent didn’t even know if one was in operation. Despite not knowing their employer’s cloud policy, nearly 1 in 2 office workers (46 per cent) said they still used cloud applications at work. Furthermore, 1 in 5 cloud users admitted to uploading sensitive company information to file sharing and personal cloud storage applications.

When employees aren’t sure how to behave in the cloud and companies don’t know what information employees are disseminating online, the question of a security breach becomes one of when, not if. Moreover, with 40 per cent of cloud users admitting to knowingly using cloud applications that haven’t been sanctioned or provided by IT, it is equally clear that employee behaviour isn’t about to change. Therefore, company policies must change instead – which often is easier said than done. On the one hand, cloud applications are helping increase productivity for many enterprises, and on the other, the behaviour of some staff is unquestionably risky. The challenge is maintaining an IT environment that supports employees’ changing working practices, but at the same time is highly secure.

By ignoring cloud policies, employees are also contributing to cloud sprawl. More than one quarter of cloud users (27 per cent) said they had downloaded cloud applications they no longer use. The sheer number and variety of cloud applications being used by employees means costs can quickly spiral out of control. This provides another catch-22 situation for CIOs seeking balance, as they look to keep costs down, ensure information security and empower employees to use the applications needed to work productively.

The road to bad security is paved with good intentions

The critical finding from the research is that employees know what they are doing is not sanctioned by their organisation and still engage in that behaviour. However, it’s important to recognise that this is generally not due to malicious intent, but rather because they see the potential benefits for themselves or their organisation and security restrictions mean their productivity is hampered – so employees look for a way around those barriers.

It is not in the interest of any business to constrain the impulse of employees to try and be more efficient. Instead, businesses should be looking for the best way to channel that instinct while improving security. There is a real opportunity for those businesses that can marry the desires of employees to use cloud productively, but with the appropriate security precautions in place, to get the very best out of cloud for the enterprise.

Stop restricting and start empowering

The ideal solution for companies is to move towards an integrated cloud adoption/security lifecycle that links measurement, risk/benefit assessment and policy creation, policy enforcement, education and app promotion, so that there is a positive feedback loop reinforcing both cloud adoption and good security practices. This means an organisation will gain visibility into employees’ activity in the cloud so that they can allow their favourite applications to be used, while blocking specific risky activity. This is far more effective than a blanket ban as it doesn’t compromise the productive instincts of employees, but instead encourages good behaviour and promotes risk-aware adoption. In order for this change to be effected, IT departments need to alter their mindset and become the brokers of services such as cloud, rather than the builders of constricting systems. If organisations can empower their users by, for example, providing cloud-enabled self-service, single sign-on and improved identity lifecycle management, they can simultaneously simplify adoption and reduce risk.

Ignorance of cloud policies among staff significantly raises the possibility of data loss, account hijacking and other cloud-related security threats. Yet since the motivation is, by and large, the desire to be productive rather than malicious, companies need to find a way to blend productivity and security instead of having them square off against each other. It is only through gaining visibility into cloud usage behaviour that companies can get the best of both worlds.

Written by James Butler, chief technology officer, Trustmarque