Xpertex Achieves ISO9001:2015 Registration

Xpertex Press Release | 16 August 2019

UK-based Cyber & Information Security specialist company Xpertex has been registered as ISO9001:2015 approved for quality management systems applying to the provision of advisory services relating to information security.

Xpertex has been at the forefront of IT security services in complex and highly sensitive projects for well over a decade. Its government and commercial customers have benefited significantly from the best practices that Xpertex has helped to refine, which now form aspects of the information security standards ISO27001 and Cyber Essentials.

Dr. Marcus Naraidoo, Non-Executive Director of Xpertex, said: “Our ISO9001 certification is a major milestone for Xpertex and comes in just behind our recent placement on G-Cloud 11, the latest iteration of the pan-government digital procurement framework. This quality management success reflects the efforts and commitment of the Xpertex team and gives our clients clear assurance of our focus on high quality, measurable and independently audited business management processes. We are delighted with this outcome.”

About Xpertex

Formed in 2006, Xpertex has helped clients in defence, financial services, education, retail, central and local government deal with secure IT project delivery and highly complex cyber and information security challenges. Today, its core business streams are Cyber & Information Security, Secure Product Fulfilment, and Secure Government.

Technology and vendor agnostic, we can efficiently provide information security services for organisations large and small, that are robust, flexible and effective. Our focus always starts with an organisation’s human factors, in other words, its people, culture and processes, to which we then create the appropriate technology fit.

Xpertex builds long term relationships with customers, acting as a trusted advisor. We immerse ourselves in your business and add value with an up-front in-depth analysis of your requirements, to provide sustainable and strategic solutions, quickly and flexibly.

About ISO9001

ISO 9001 certification is a global Quality Management System standard for all types and sizes of organisations. It is increasingly both formally required by clients of the suppliers they do business with, and sought by companies themselves that wish to become more structured, efficient and openly assessed as such by ISO 9001 assessment bodies.

The process of registration encompasses the entire business and is not restricted to senior management or a quality team’s activities. Success in achieving ISO 9001 certification requires an organisation’s operating policies and processes to be proven as sharply relevant and in use by the whole business, as well as being of genuine benefit to customers.

Xpertex’s Application to G-Cloud 11 Successful

Xpertex Press Release | 2 July 2019

After a rigorous, competitive application and selection process, cyber and information security advisory service company Xpertex has been awarded a place in the Cloud Support category on G-Cloud 11, the latest iteration of the pan-government digital procurement framework.

Having been awarded places on earlier stages of G-Cloud in previous years, Xpertex is delighted to continue its reach across the UK public sector using this efficient and streamlined platform for contracting digital services.

Marcus Trott, Director of Xpertex, said: “Our confirmed place on the new G-Cloud 11 government framework is of huge significance to Xpertex. Not only is it a validation of our ongoing hard work for our public sector customers, but it also continues to lead the way ahead for the business. We have been expanding our public sector business significantly year-on-year for well over a decade now and G-Cloud has been an important part of this.”

About Xpertex

Formed in 2006, Xpertex has helped clients in defence, financial services, education, retail, central and local government deal with secure IT project delivery and highly complex cyber and information security challenges.

Technology and vendor agnostic, we can efficiently provide information security services for organisations large and small, that are robust, flexible and effective. Our focus always starts with an organisation’s human factors, in other words its people, culture and processes, to which we then fit the most appropriate technology.

We build long term relationships with our customers, acting as a trusted advisor. We immerse ourselves in your business and add value with an up-front in-depth analysis of your requirements, to provide sustainable and strategic solutions, quickly and flexibly.

About G-Cloud

The G-Cloud framework is an agreement between the government and cloud-based service suppliers and is part of the Government’s digital marketplace. The service was first established in 2012.

G-Cloud facilitates quicker, easier and cost-saving procurement of cloud-based services, be they cloud hosting, cloud software or cloud support. It offers pre-defined terms & conditions for use between public sector buyers and listed suppliers, and removes the need to run a full tender or competition procurement process.

For more information see: https://www.gov.uk/guidance/the-g-cloud-framework-on-the-digital-marketplace

Cyber Essentials Plus Accreditation

Xpertex is pleased to confirm that we have received our annual Cyber Essentials Plus accreditation (March 2019). Cyber Essentials and Cyber Essentials PLUS together form a simple but effective UK Government-backed scheme that is used to protect organisations against a wide range of the most common cyber attacks.

The Cyber Essentials scheme addresses the most common Internet-based threats to cyber security — particularly, attacks that use widely available tools and demand little skill such as hacking, phishing and password guessing. The scheme also helps organisations to protect the confidentiality, integrity and availability of data stored on devices which connect to the Internet.

Marcus Trott, Head of Professional Services at Xpertex, commented, “As a specialist cyber security consulting company, it is important that we practice what we preach. Attaining Cyber Essentials accreditation is a clear statement that we demonstrate best practices. Achieving Cyber Essentials PLUS also gives our customers and partners the assurance that when they work with Xpertex, we really can be trusted.”

Xpertex provide a range of consulting services related to attaining Cyber Essentials, cyber security, data loss prevention, social engineering and phishing, infrastructure security hardening and major incident management/resolution.

More information

Xpertex Cyber Services: https://xpertex.com/cyber-security/

Security in the cloud

In the third blog in our series on ‘cloud’ technologies, our Head of Cyber Information Services, Chris Cobb, points out some key threats and considerations that individuals and organisations need to take into account.

The data centres and facilities that we rely upon to deliver services and applications all have to interface with the wider internet. There are now very few ‘air gapped’ platforms that are wholly disconnected. The challenge for cloud service architects and designers is really about how to build security in from the beginning of the design process. The next security measure is to establish good baseline management and to ensure that configurations and patching are in good order and well documented.

Some of the issues we have seen can readily be treated. We set out a few key factors below for consideration.

Malware

Threats: Malware can introduce problems such as data loss, loss of control of devices and operational disruption.

Counter Measures:

  • Host and network-based anti-malware applications deployed to specific hosts and virtualised systems.
  • Staff training on how malware is introduced.
  • Continuous monitoring of network traffic and baseline configurations.
  • Regular updates and patching, including at the introduction of new VM processes and at boot cycles where possible.

Internal and Insider

Threats: The result of accidental or malicious configuration by internal staff or contractors with access to critical systems.

Counter Measures:

  • Additional background checks on privileged users.
  • Solid workflows for regular processes, including separation of duties and least privilege.
  • Active surveillance and monitoring systems, both physical and electronic.
  • Obfuscation and policy management of critical data.
  • Egress monitoring.

External Attackers

Threats: Hacking – financial gain, hacktivism, political goals, perceived grievances, etc. These threat vectors manifest themselves in many forms including denial of service (DDoS), compliance and regulatory breaches, data loss and reputational damage.

Counter Measures:

  • Hardening of systems, devices, hypervisors, virtual machines, with solid baseline configurations.
  • Good change control practices.
  • Use of strong access control mechanisms and cloud access security brokers.
  • Up-to-date threat intelligence information.

‘Man in the Middle’ attacks

Threats: Eavesdropping on data transmissions, which can be used to modify, control or access data during transit for malicious purposes (affecting integrity of data).

Counter Measures:

  • Encrypt data in transit.
  • Encrypt authentication activity.
  • Use secure session technologies.

Social Engineering

Threats: User password reset is common in cloud or remote systems. Social engineering can also exploit social media sites and online profiles. Attacks of this nature are reliant on communication systems but are also highly distributable. This approach flourishes in cloud and internet facing systems, data and people.

Counter Measures:

  • Training of staff and administrators to identify these types of attack.
  • Use of incentive programmes to encourage good staff behaviours.

Theft/Loss of User Access Devices, computers or mobile platforms

Threats: Remote access to cloud solutions introduces concepts like Bring Your Own Device (BYOD) for flexibility but can increase data loss risk. Theft of these devices leads to unauthorised access to cloud systems and data. Having a mixed portfolio of tools and platforms that are largely user-specified needs a security framework in place to maximise flexibility (for users) whilst hardening the IT platform.

Counter Measures:

  • End-point encryption.
  • Strict physical access control.
  • Limited USB functionality.
  • Comprehensive inventory of devices, approved and otherwise.
  • Comprehensive asset monitoring.
  • Remote ‘wipe’ and ‘kill’ capabilities.

Whilst the above is not a full list of threats and counter measures for cloud environments, it is intended to inform users and generate sensible discussion about security posture, threats and exposure. As an IT security focused company, we come across a range of threats and mitigations that our clients encounter. We have used the Cyber Essentials and ISO27001 frameworks to guide our customers and we would be more than happy to field your enquiries and concerns on any of the items we have cited. For further information on our products and services please refer to the security pages on the Xpertex site.

Beyond the Cloud

In the second of our series of posts on cloud technology, Xpertex founder and CTO, Joel Sweeney, shares his views.

First things first, there is no ‘cloud’ (singular). There are probably thousands, if not millions of them.

The term ‘cloud’ is now embedded in common parlance and no longer the preserve of IT professionals. From schoolchildren discussing ‘cloud’ on the bus as the place they store their school work and photographs, to business people discussing (with varying levels of understanding) their organisations’ ‘cloud migration’ projects, it seems that the cloud is everywhere, which I guess is the point.

The term ‘cloud’ is well-documented but there are two very simple soundbites that I think sum it up perfectly; “the cloud is simply someone else’s computer”, or (my favourite) “every cloud has a tin lining”.

Both statements reflect the fact that the cloud is not ‘magic’, but simply provides the fundamental platform for data processing (application, compute and storage) at scale. This scale applies to both economies and computational power; at face value the cloud is cheap and provides access to seemingly infinite processing power that is consumed and paid for on demand.

Large corporations tend to use the market leaders in cloud services, such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform, to host their business services and applications. The attraction for businesses is that they can typically expect to reduce both capital and operational expenditure, as they no longer need to invest in their own on-premise computer hardware (servers) and will therefore need fewer skilled IT resources within the organisation. Additional benefits are that cloud platforms are kept up to date (software bug fixes and security updates are applied regularly) and are highly resilient to failure, so this added complexity and operational effort are completely devolved to the cloud provider.

Other popular uses for cloud technology include Software as a Service (SaaS) which is basically a set of implementations of a particular application or services, e.g. data backup (Veeam), Customer Relationship Management (CRM, Salesforce) and data storage (DropBox).

So having set the scene, where next?

What lies beyond?

As cloud technology has become more prevalent and matured beyond the more traditional Social Media, Business Application and compute/storage use-cases, there has been a steady increase in new and ever more innovative ways to leverage the benefits that the cloud brings.

Within the Xpertex Network and Infrastructure Security (NIS) business unit, our technology partners have used the cloud platforms to deliver the functionality of their products as a distributed service, instead of the more traditional on-premise appliance approach.

Examples of this include Libra ESVA enterprise email security or iboss security components, both of which have full functionality in their cloud instances. In both cases, the move to the cloud has actually improved security for customers, as they prevent any suspicious emails or malware (respectively) from entering the customer environment in a more consistent and holistic manner. This aids data use and improves risk management.

In some cases vendors have gone even further and created “Cloud Laboratories” to use a distributed platform to deliver entirely new features or capabilities.

  • Sonicwall use cloud technology to improve cyber security: Sonicwall Capture Cloud uses functionality within their widely-deployed firewall devices that allows them to act as security “sensors”. If these devices detect any new, suspicious traffic (also known as zero-day), they perform some internal analysis and then report it centrally to the cloud-hosted Capture Labs repository for the benefit of all. This is a good example of using the cloud to gather what is essentially crowd-sourced information on potential threats.
  • Juniper Networks use cloud technology to reduce the risk of managing and implementing complex network changes and upgrades: Juniper Networks’ vLabs is currently available as a beta, which means that it is undergoing final testing. This simple idea provides real benefit to network designers and engineers, as it allows them to (re)design and build virtual network systems in the cloud, without the risk of affecting live, operational networks. A secondary benefit is educational, as vLabs can be used to improve knowledge of features and functions that may not be used on the corporate networks that they manage and maintain.

These examples bring to life how a cloud approach can yield benefits at scale. At Xpertex we pride ourselves on understanding the technology landscape and fitting the right solution to the requirements. We are more than happy to discuss how these, and our other partner products can be utilised in your organisation.

Links

Libra ESVA https://www.libraesva.com

iboss https://www.iboss.com

Sonicwall https://www.sonicwall.com/en-us/lp/capture-cloud-platform

Juniper https://jlabs.juniper.net/vlabs/

I wonder lonely about cloud – or what Cloud IT means to us at Xpertex

When we mention the term ‘cloud’ or ‘cloud based IT’, we can often gloss over what this actually means, and what the ramifications are of using technology platforms that are ‘out of sight’. The impact and considerations on people, process, performance and cost are all things that drive decision makers and budget holders to turn to cloud computing. However, this does not mean that the expertise and skills needed to turn data into decision points and business drivers are going to be simplified or reduced. Quite the opposite is more likely to be the case for many.

In the first of a number of blog posts, Marcus Trott sets out his thoughts on what cloud can mean from a skills and professional services position.

According to Wikipedia, cloud IT provides a mix of infrastructure, platforms and packaged software, frequently ‘as a service’ (aaS). Rolling these technology building blocks into discrete and modular offerings is good news for the likes of Amazon, Microsoft and Google. It’s also good news for consumers and end-users. When it works and when it’s secure. The drive to take out cost and offer on-demand scalability should not necessarily mean that systems and their operation become simpler or should be seen as ‘dumbed down’ computing.

As a provider of professional services to many customers, Xpertex anticipates that rather than diminish the need for skilled and experienced technical practitioners, the move to distributed and cloud computing will drive the need up. Summary statistics from a range of analysts suggest that the cloud professional services market is expected to reach £40 billion by the end of 2023, increasing from just over £10 billion in 2017. Whatever the number may be, it is and will continue to be significant. Such statistics signal that simply using someone else’s computer won’t take away the obligations around data management and stewardship, security, business resilience and so on. In fact, it will drive people and businesses into new challenge areas, not least due to multi-national trading and hosting of services, cross-boundary data flows and processes and the global nature of internet-based services.

Our recent announcement relating to the Digital Outcomes Specialist Framework (DOS3) supports the public-sector drive behind the ‘digitisation of services’ agenda. It also demonstrates that government and its stakeholders are serious about trading digitally (yet securely). All departments must adhere to the Cloud First approach. If you are a supplier or consumer of government services, the Cloud First agenda is an interesting one to engage with. From a professional services perspective, we spend a lot of time and effort with, and on behalf of, our customers providing the assurance that the boundaries and interfaces of systems, processes and interactions that help data flow seamlessly and quickly are secure and robust. Cloud is offering some great savings, but to realise the savings there still needs to be sound design and robust implementation, especially when some cloud services are a ‘race to the bottom’. Spend right, spend once still applies.

For professional services provision, Xpertex’s knowledge and experience of IT security practices and principles is helping the majority of our existing customers now, as they work out the balance between on-premise, hybrid and cloud. Our current engagements cover staff augmentation into cloud migration and security hardening programmes, penetration testing and resilience measures and moves to ISO:27000 and Cyber Essentials accreditation, virtualisation, software defined networks and best practice for design, operate and run.

For more information on our professional services and service lines please refer to the following links and pages.

Xpertex wins place on UK government Digital Outcomes Specialist 3 Framework

Xpertex are pleased to announce that we have been selected as service providers for the UK Government ‘Digital Outcomes Specialist 3’ Framework, also known as DOS3.

The DOS3 framework has been developed by the Crown Commercial Service; it allows any UK public sector organisation to identify and procure technical and advisory services from a range of providers.

Xpertex are well known and highly regarded for our work with customers in technology advisory and consulting domains. Being recognised on DOS3 as a provider of services covering cyber security, data science and data engineering, development, business analysis and programme delivery is another milestone for the company.

Xpertex CEO, Joel Sweeney commented, “The demand for high quality, technology services is higher than ever. Our consultants have a deep understanding of the UK public sector and the vast majority of all of our staff hold UK government security clearances. Our ability to help our customers and focus on front-line outcomes whilst maintaining an eye on budgetary constraints is one of the reasons why we have an enduring relationship with many public sector bodies. We are looking forward to promoting our activities and our IT infrastructure and information security and cyber practices via this new route.”

Xpertex Business Development Manager, Roland Malcolm welcomed the news further, “The G-Cloud and DOS frameworks account for over £3.5Bn of government spend annually. For a specialist technology business like Xpertex, the DOS3 framework makes our services accessible and discoverable by hundreds of organisations. We welcome the chance to compete in the market with global businesses and household names. Xpertex will be promoting our skills and services actively as we embrace this opportunity to broaden our public sector customer base.”

About the Digital Marketplace

All public sector organisations can use the Digital Marketplace to find people and technology for digital projects. These services and personnel cover:

  • cloud hosting, software and support, for example content delivery networks or accounting software
  • physical datacentre space for legacy systems
  • digital specialists, for example developers and content designers
  • digital outcomes, for example a booking system beta or an accessibility audit
  • user research participants and labs

Buying services through frameworks is faster and cheaper than entering into individual procurement contracts.

Xpertex and Immuta are proud to partner, allowing Xpertex to offer Immuta solutions to the UK

Xpertex, an independent technology solutions and services provider, is excited to announce that Immuta has now signed a partnership agreement to allow Xpertex to provide Immuta solutions to customers in the UK.

Immuta’s hyper-scale data management platform provides data scientists, data owners and data governance professionals with rapid, personalised data access to dramatically improve the creation, deployment and governance of machine learning and Artificial Intelligence (AI).

Immuta is the fastest way for algorithm-driven enterprises to accelerate the development and control of machine learning and advanced analytics. Immuta’s platform delivers fine-grained control and full visibility into data usage, while dynamically enforcing policies to comply with internal rules and external regulations. Immuta brings together software and people that have spent over a decade tackling the most complex and sensitive data problems in the world. Along the way, they experienced the successes, frustrations, and incredible power of data science. Immuta’s mission is to make the lives of data scientists easier so that they can do what they do best: uncover big opportunities that make an impact in the world.

Xpertex work with a range of clients across the public and private sectors acting as Trusted Advisors and Industry Experts, helping them make data effective, secure and aligned to their business needs. Marcus Trott, Xpertex COO says “With over 100 years combined experience in the IT industry, we have developed the capabilities to help our clients in defence, banking, retail, and central and local government deal with highly complex data analytic challenges.”

The products that Immuta offer perfectly complement the expertise of Xpertex and fit the evolving and increasingly complex needs of their customers. Both are delighted to join as technology partners and are excited to start to work together to solve difficult data problems for and with our customers.

More about Immuta: https://www.immuta.com

More about Xpertex: https://xpertex.com

Xpertex and Balabit partner to offer world class Privileged Access Management Solutions to the UK

As of today (October 23rd) Xpertex are delighted to confirm that they are now a Balabit Gold Partner and are able to offer world class Privileged Access Management Software to the UK.

Balabit’s products help businesses reduce the risk of data breaches associated with privileged accounts. Balabit’s integrated PAM solution protects organizations in real-time from threats posed by the misuse of high risk and privileged accounts. Solutions include Privileged Session Management and Privileged Account Analytics, which together help organizations prevent, detect, and respond to cyber attacks, including both insider threats and external attacks using hijacked credentials.

“Balabit’s PAM technology is the perfect fit for our customers. The hacking of privileged accounts and insider threats are areas that we see becoming more of a security concern for our customers,” says Joel Sweeney, CEO at Xpertex. “By offering Balabit solutions we enable our customers to effectively analyse threats as they happen, stopping them in their tracks and preventing damage.”

Xpertex is an independent technology services provider focusing on the design, build and operation of secure networks. The skills, experience and security focus of Xpertex make them the perfect channel reseller for Balabit. Xpertex’s knowledge of the defence and law-enforcement, public sector and commercial markets perfectly complements Balabit’s suite of products.

“The expertise of Xpertex makes them the ideal partner for the continued expansion of our partner programme. We’re delighted to be working with them to bring our PAM and Log Management solutions to new customers in the UK market” says Jane Aldwinckle, UK and BENE Channel Development Manager at Balabit.

Xpertex shares best practice alongside the Prime Minister in The Parliamentary Review

Xpertex appears alongside Prime Minister Theresa May in the 2016/17 Parliamentary Review.

Established by former minister The Rt Hon David Curry in 2010, The Parliamentary Review’s September release is now a key fixture in the political calendar.

Xpertex features alongside the Prime Minister and a small number of outstanding organisations in a document that looks back on the year in industry and Westminster. The main aim of the Review is to showcase best practice as a learning tool to the public and private sector.

Across all policy areas, The Parliamentary Review is sent to over half a million leading policymakers. The articles in the Review act as both a blueprint for success and a template for reform.

The Prime Minister commented that ‘this year’s Parliamentary Review follows a significant year in British politics’ and this is reflected in the articles from leading journalists and best-practice representatives alike.

The PM’s former cabinet colleague, Sir Eric Pickles, who was recently appointed Chairman of the Review, said ‘it has never been more important for government to hear the views of business and the public sector in a constructive forum. It is also a vital time to share best practice and progress.’

The Parliamentary Review’s director Daniel Yossman concurred, saying ‘Xpertex and other hardworking organisations from across the country have come together to make this year’s Review possible.

Sharing knowledge and insight with both peers and government is essential work and I am delighted that this year’s Review will reach every corner of the British economy.

It’s always a real joy to hear from policymakers who tell me that something they have read in the Review has had an effect on their thinking.

It is my belief that innovation is contagious, if only it is given the platform to spread. It is the Review’s purpose to provide this platform and I am confident we are fulfilling it.’
