Net-Ctrl Blog

Ruckus Launch R730 – The First IOT and LTE ready 802.11AX Access Point

July 18th, 2018

Ruckus Networks, an ARRIS company, today announced the Ruckus R730, the industry’s first IoT- and LTE-ready, 802.11ax wireless access point (AP). The high-capacity, 12 spatial-stream R730 works in concert with the new Ruckus Ultra-High Density Technology Suite to smoothly deliver high-resolution, latency-sensitive video in ultra-high density user environments such as stadiums, train stations and schools. In addition, the R730 complies with both the new WPA3™ security protocol and Wi-Fi™ Enhanced Open for more secure connections on public networks.

Worldwide data and video traffic is growing at double-digit rates, driven by an increase in connected devices. ABI Research predicts that Wi-Fi device shipments will grow to nearly 35 billion by 2022. Data and video traffic also will surge due to increased per-device data consumption driven by applications like 4K video streaming, virtual and augmented reality and live-stream gaming.

“Ruckus customers and partners demand more when it comes to their networks,” said Ian Whiting, president of Ruckus Networks. “We have a long history of delivering products and technologies that go beyond the current state-of-the-art to meet the world’s most demanding network requirements while driving down the cost-per-connection. Ruckus R730 and Ruckus Ultra-High Density Technology Suite are the latest examples.”

The congestion of people, devices and bandwidth-hungry apps makes for challenges that current wireless tech cannot handle. Adding to the complexity of this environment are diversifying device categories and apps, such as instant messaging, IoT control messages and voice-over-Wi-Fi.

“Real-world use cases are bumping up against the limits of existing Wi-Fi standards, and the need for 802.11ax to address a wide variety of heterogeneous, high-density scenarios is clear,” said Chris DePuy, founder and technology analyst at 650 Group. “Ruckus has already differentiated itself in the realm of network consolidation. With this launch, Ruckus is reinforcing that by setting the stage for converged Wi-Fi, IoT and LTE deployments.”

802.11ax: More connections and bandwidth, higher QoS

The new 802.11ax standard was designed for high-density connectivity, with the ability to support up to a four-fold capacity increase over its 802.11ac Wave 2 predecessor. With 802.11ax, multiple APs used in dense device environments are collectively able to deliver the required quality-of-service (QoS) to more clients with more diverse usage profiles due to the use of orthogonal frequency-division multiple access (OFDMA) and multi-user multiple-input multiple-output (MU-MIMO) technologies.

Delivering expected service levels in ultra-high-density environments

Increased end-user expectations and application QoS requirements pose unique difficulties to network designers. Locations such as stadiums, public venues, train stations, and schools in which video content and applications are central to the curriculum, are representative examples. The R730, supporting eight spatial streams on 5 GHz and four spatial streams on 2.4 GHz, is better able to address those expectations through increased capacity, improved coverage and performance.

“Train stations are especially challenging Wi-Fi environments due to spikes in client count each time passengers exit a train,” said Tetsuo Mukai, general manager, KDDI. “We challenged Ruckus to help us improve the in-station experience for subscribers with devices that were already on the network when the train arrives, and Ruckus came back with a solution that dramatically reduced the impact of these transient client events on affected subscribers, minimizing throughput degradation and shortening recovery time.”

The Ruckus Ultra-High Density Technology Suite addresses these challenges using techniques that go beyond the 802.11ax standard, including:

  • Airtime decongestion—Increases average client throughput in heavily congested environments by using patent-pending techniques to reduce unnecessary management traffic.
  • Transient client management—Maintains throughput levels for priority clients in high transient-client environments such as rail stations by using patent-pending techniques to delay AP association with low-priority transient clients.
  • BeamFlex™+ antennas—Patented technology improves AP coverage and capacity by continuously optimizing antenna patterns on a per-device, per-packet basis.

“At Golden 1 Center, we’re committed to delivering the best fan experience in the industry. One of the ways we deliver value to our fans is to build a network that enables live streaming during the games. This is incredibly challenging to do in a venue like ours with as many live-streaming fans as we have,” said Ryan Montoya, chief technology officer, Sacramento Kings. “Ruckus was up to the challenge and demonstrated to us several innovative features that let us squeeze the most out of our available spectrum, ensuring no connections are dropped and that adequate bandwidth is available for anyone that wants to live-stream the game.”

Converging IoT access networks

The R730 includes embedded Bluetooth Low Energy (BLE) and Zigbee radios and can be augmented with Ruckus IoT modules to support additional physical layer protocols such as LoRa. Using the Ruckus IoT controller, these separate networks and the IoT endpoints associated with them can be managed, coordinated and connected to IoT cloud services as part of a single, converged IoT access network.

Preparing for private LTE

The R730 accommodates modular Ruckus OpenG™ LTE APs operating in the U.S. Citizens Broadband Radio Service (CBRS) 3.5 GHz band, enabling existing Wi-Fi APs to provide LTE service. Using modular or stand-alone LTE APs, organizations will be able to build their own private LTE networks to improve the quality of indoor cellular service within their facilities.

Making users safer at home, in the office and in public

The R730 will implement the next-generation WPA3 wireless security protocol and Wi-Fi Enhanced Open. Users with compatible devices will benefit from significant security enhancements, including:

  • Protection against brute-force dictionary attacks through use of a new key exchange protocol known as a simultaneous authentication of equals handshake.
  • Protection against traffic-sniffing attacks common to unauthenticated networks associated with public venues.

Getting the most out of your 802.11ax deployment

The 802.11ax standard and the R730 offer a step-function increase in over-the-air throughput. To make the best use of that new capacity, network designers need to optimize the wired access infrastructure to support it, while minimizing upgrade costs. Ruckus helps network designers by:

  • Offering two switches—the entry-level ICX 7150 Z-series and the ICX 7650—that meet the increased power-over-Ethernet (PoE) requirements of the R730;
  • Providing the access port capacity needed to support multi-gigabit throughput on the ICX 7650 Z-series—with up to 24 auto-sensing 1/2.5/5/10 gigabit Ethernet (GbE) ports—and the 100 gigabit-per-second (Gbps) uplink capacity required for ultra-high-density deployments;
  • Enabling them to replace APs without extensive network redesign by using the adaptive Wi-Fi cell sizing feature included in the Ultra-High-Density Technology Suite.

“Many of our customers have future-proofed their networks with the Ruckus ICX 7650 switches, in anticipation of the upcoming 802.11ax access points,” said Don Gulling, president and CEO of Verteks Consulting. “The launch of the R730 enables us to quickly get these APs into the hands of our customers that serve high-density Wi-Fi deployments such as stadiums, auditoriums and large public venues. These APs and switches will provide our customers with what they need to meet next-generation demands.”

Availability

The R730 will be generally available this calendar quarter. The Ultra-High Density Technology Suite is available now for use with all Ruckus APs.

View the original press release at ruckuswireless.com.

Johnson Controls Releases CEM Systems AC2000 v10

July 17th, 2018

Johnson Controls announces the release of CEM Systems AC2000 v10.0, which offers users a new modernised look and feel along with new features such as enhanced enterprise capabilities that increase the performance and scope of the AC2000 access control system suite from CEM Systems.

CEM Systems AC2000 v10.0 workstation client applications have been restyled with a modern, clean and intuitive interface. The restyle has focused on the user experience with improvements to all visual elements of the applications. Operators are now able to select their preferred theme (light or dark) to run their AC2000 Workstation Client applications in.

A major feature of AC2000 v10.0 is the enhancements to the AC2000 Enterprise offering for AC2000, AC2000 Lite and AC2000 Airport editions. The enhanced enterprise system provides superior centralized access control and monitoring capability where wide geographical distribution occurs, or where departmental or business unit separation is necessary. The new architecture improves device configuration, reporting, alarm processing and personnel management across multiple site locations.

A business or organization can scale its single-site AC2000 access control system to a multi-site enterprise solution, while at the same time unifying policy requirements and reducing administrative and operational costs. Each business unit can be administered at a local and/or centralized level. Other features of AC2000 v10.0 include new visitor escort functionality to ensure visitors are not left unaccompanied around secured areas, and unrestricted AC2000 Authorization levels to reduce configuration times for users and user groups.

Building on the range of ID scanner integrations, AC2000 now offers a new interface to SnapShell ID and passport scanner.

Find out more about the CEM Systems Access Control solution and contact our team on 01473 281 211, or submit a contact form.

View the original release by CEM Systems.

5 technologies that will help kill usernames and passwords

July 17th, 2018

We’ve all struggled to remember complicated username and password combinations when trying to access an online account. According to a Dashlane Inbox Scan study, the average user has at least 90 online accounts, and with every account comes a new password to remember. To make their digital life simpler, 89 per cent of people use the same one or two passwords for everything.

Managing several digital identities using usernames and passwords is not something our brains are wired to do. And it also presents a huge security threat – insecure passwords caused an estimated 80% of breaches, according to a 2017 report from Verizon.

No doubt, passwords aren’t the best authentication solution in the digital age. But how can digital technologies help us address this issue? With huge strides being made in digital authentication technologies, and biometrics, in particular, the end of the password could soon be a reality. Keep reading to find out which 5 technologies can help us kill passwords.

1. Physiologic Biometrics

In a previous post, we discussed how biometrics are already helping solve the all-important issue of a “unique identifier”, replacing the username/password combination, while keeping the user experience simple and secure at the same time.

Biometrics refers to the individual’s unique physiological characteristics such as facial recognition, fingerprint authentication, iris scan and DNA. It can be used to automatically identify and authenticate individuals, and such authentication methods have become the norm for accessing devices like smartphones, smart speakers and tablets. They’ve also been deployed by many eGovernment service providers and financial institutions and in other aspects of our lives including driving our cars or accessing our homes!

2. Behavioural Biometrics

Going forward, behavioural biometrics are becoming a very good alternative for secure authentication, when combined with other authentication methods. As described by IBIA, behavioural biometrics measure the unique patterns which characterize our daily activities. Yes, that’s right, the way we type, walk, our heartbeats, brain waves, and many others, can all be captured in a digital signature that is unique to the individual.

Technologies based on machine-learning algorithms can help build out a rich, multi-dimensional profile of each individual customer. Such technologies are currently used in law enforcement and border control and combined with context-based signals like geolocation, they provide a very personalised and silent authentication method.

3. Artificial Intelligence

Just as insurance companies use data to predict accidents, or retailers to figure out the optimal time to target consumers with a personalised promotion, user authentication could rely on similar data analytics. Machine learning can be used to collect a combination of patterns in data related to log-in times, locations and device footprints. The goal is to spot normal versus abnormal user behaviour and change access accordingly.

This will be based on the concept of adaptive authentication, by assigning a risk score and adjusting the level of access the user gets, based on the actions they are performing and the assurance level of the user’s authentication method.

This type of technology is in its early stages of development, although conversations around context-based and risk-based authentication have already become very popular.

4. Two-factor (2FA) or Multi-Factor Authentication

These systems have been in use for a while now, and end users have become accustomed to adding an extra layer of security for certain types of transactions. They rely on the user acknowledging control of a confirmed communication channel, such as an email address, a text message or an authentication app.

Several service providers, especially those in eGovernment, use a text message sent to the number on record containing a one-time password (OTP) valid for one login session or transaction on a digital device. However, there are certain risks associated with using OTPs, which is why it’s best that they are always used in combination with other forms of authentication, such as biometric authentication.

5. Mobile Identity

As we’ve discussed in a previous blog, with so many people using digital devices to communicate and access data, services and transact, the new challenge to ensure the success of this digital economy relies on knowing who you transact with.

Mobile trusted digital identities can be the answer as they provide the means to collect all end-user attributes and enable seamless authentication all through the mobile device. Mobile enables the combination of identity documents, physical and behavioural biometrics and user information such as geolocation, device numbers and other attributes.

While everyone is talking about how we should kill passwords, the fact is the average person has at least 90 online accounts associated with their email address and uses the same password to access them, and that number is growing every year.

Usernames and passwords will continue to be used for authentication in 2018, but the widespread adoption of scalable technologies will help eliminate this hassle over the coming years. End-user adoption of biometric technologies will drive the movement towards seamless and convenient digital experiences while reinforcing security and privacy.

New UK NCSC Guidelines Urge Use of Multi-Factor Authentication and Single Sign-On Solutions

July 10th, 2018

A couple of weeks ago, the UK National Cyber Security Centre, a part of the British intelligence and security organization GCHQ, published guidelines for enterprise information security leaders on how they can implement multi-factor authentication to thwart breaches and unauthorized access to online accounts. The guidelines cover both consumer authentication to online services, such as banking and retail sites, as well as employee authentication, such as when accessing enterprise VPNs and cloud-based apps.

The guidelines are timely with marketing and data aggregation firm, Exactis, making the headlines for failing to secure a database with 340 million records of American adults and businesses that include “phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person’s children.” In response to the deluge of personal information compromised, some are calling for stricter regulations around privacy in the US, comparable to those required by GDPR, which requires users to provide their explicit consent to online services to collect this type of data.

So what does the UK National Cyber Security Centre (UK NCSC) advise IT leaders and administrators to do? We’ve recapped the main points below.

Consider Multi-Factor Authentication an Enterprise Essential

Traditionally, passwords were used to authenticate users to a single all-encompassing entry point in the form of access to the enterprise network.

Since enterprises today use a large number of cloud-based applications and virtual private networks to enable collaboration and remote work arrangements, the enterprise firewall no longer provides sufficient protection.

In effect, all access becomes remote access – in the cloud or remotely to on-premises resources. In either case, authentication becomes the central ‘decision point’ for granting or denying access to a user – be they legitimate or a hacker.

The problem with relying on passwords is that they are famously inadequate for protecting against leaked user databases, phishing attacks and password spraying. This is where multi-factor authentication, or MFA, comes into the picture.

When to Use Multi-Factor Authentication

Due to social engineering, e.g. phishing, and machine-guessable passwords, organizations are advised to:

  • Choose cloud and web services that offer MFA, and be wary of the risk of using web services that offer only single-factor authentication
  • Apply MFA for all web and cloud-based resources
  • Secure IT administrator accounts with MFA

Common Implementations of Multi-Factor Authentication

What are some common, effective implementations of MFA?

  • Remember me on this device – Device fingerprinting is used by many services such as Google and LinkedIn as an additional authentication factor. Logins from an unregistered device could prompt the user for additional authentication.
  • Requiring MFA at every access attempt – Most applicable to high-impact services, such as webmail and online banking accounts.
  • Stepping up authentication during high-risk activities – For example when transferring money online or changing a password.
  • Stepping up authentication based on high-risk behaviours – Such as logging in from an unusual geographic location.
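The four implementations listed above can be combined into a single access decision. The following Python sketch is an added example, not code from the NCSC guidance or from the original article; the service names, activity names, the 300-second freshness window and all class and function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: service/activity names and the freshness
# window are assumptions for illustration, not NCSC-specified values.
HIGH_IMPACT_SERVICES = {"webmail", "online-banking"}
HIGH_RISK_ACTIVITIES = {"transfer-money", "change-password"}
FRESH_MFA_SECONDS = 300


@dataclass
class UserProfile:
    remembered_devices: set   # enrolled via "remember me on this device"
    usual_countries: set      # where this user normally logs in from


@dataclass
class AccessRequest:
    service: str
    activity: str
    device_id: str
    country: str
    # Seconds since a second factor was last verified in this session;
    # None means the session has only ever presented a password.
    mfa_age: Optional[int] = None


@dataclass
class Decision:
    action: str          # "allow" or "step-up"
    reasons: List[str]   # why MFA was demanded; record these in the access log


def decide(req: AccessRequest, profile: UserProfile) -> Decision:
    """Apply the four MFA patterns to one request and explain the outcome."""
    reasons = []
    # MFA at every access attempt for high-impact services: a remembered
    # device does not exempt the user here.
    if req.service in HIGH_IMPACT_SERVICES:
        reasons.append("high-impact service")
    # "Remember me on this device": an unknown device loses the implicit factor.
    if req.device_id not in profile.remembered_devices:
        reasons.append("unregistered device")
    # Step-up on high-risk behaviour: unusual geographic location.
    if req.country not in profile.usual_countries:
        reasons.append("unusual location")
    # Step-up on high-risk activity: needs a recently verified second factor.
    risky_activity = req.activity in HIGH_RISK_ACTIVITIES
    if risky_activity:
        reasons.append("high-risk activity")

    if not reasons:
        return Decision("allow", [])
    if req.mfa_age is None:
        return Decision("step-up", reasons)
    if risky_activity and req.mfa_age > FRESH_MFA_SECONDS:
        return Decision("step-up", ["high-risk activity needs fresh MFA"])
    return Decision("allow", reasons)


if __name__ == "__main__":
    # Constructed requests for a user who normally works from one laptop in GB.
    profile = UserProfile({"laptop-1"}, {"GB"})
    samples = [
        AccessRequest("wiki", "read", "laptop-1", "GB"),
        AccessRequest("wiki", "read", "phone-9", "GB"),
        AccessRequest("online-banking", "view-balance", "laptop-1", "GB", 1000),
        AccessRequest("online-banking", "transfer-money", "laptop-1", "GB", 1000),
    ]
    for req in samples:
        print(req.service, req.activity, decide(req, profile))
```

Returning the reasons alongside the action gives the access log enough detail to explain every prompt during later review.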

Common Authentication Factors

Regardless of the type of device being used, UK NCSC recommends implementing Single Sign-On to provide a smooth experience for end-users. Single Sign-On solutions eliminate the need to re-authenticate separately to each application, enabling users to access all their apps after logging in just once. Where SSO is unavailable or costly to implement, such as on mobile devices, a solution providing a good UX should once again be preferred.

So what are the authentication factors available to secure access to enterprise or consumer resources? The UK NCSC mentions these:

  • Managed devices – These could be protected using digital PKI certificates, or an embedded secure element that cannot be removed, among others. Additionally, IT leaders can choose to enable access to resources only when that access originates from the enterprise network or VPN.
  • Using mobile-as-a-token – This includes one-time passcode apps (OTP apps) generating OTPs as well as single-tap push authentication.
  • Hardware tokens – These include FIDO tokens, PKI Smart cards with PIN-protection (require a PIN to unlock the smart card and authenticate), OTP key fobs, chip-and-pin (EMV) card readers used in banking and backup codes designed to use as a default when the usual 2nd factor is not available.
  • Out-of-band – This includes out-of-band delivery of a one-time passcode via email, SMS text messages and phone calls.

Other recommendations for the successful implementation of MFA include the logging and reporting of failed and successful access attempts—functionality which is key to post-event forensics and demonstrating compliance. The UK NCSC also advises deploying user self-service portals, to let users report or resolve numerous issues on their own.

Looking to revamp your Identity and Access Management strategy? Learn about Gemalto’s identity-as-a-service or join a 30-minute live demo webinar of SafeNet Trusted Access. Alternatively, call the Net-Ctrl team on 01473 281 211, or submit a contact form.

View the original article at Gemalto.com.

Is the CIA protecting the World Cup in Russia?

July 5th, 2018


The 2018 FIFA World Cup is expected to be the largest yet, with fans from all over the world watching. When it comes to TV audiences, the games are expected to be watched by 3.4 billion fans from 200 countries, which is nearly half the total world population. Not only is the World Cup available to view worldwide through a variety of broadcasting platforms, but smart technologies are now increasingly used by the fans to watch the games and interact with their favourite players. In fact, a survey by GlobalWebIndex found that 47% of the online population plans to watch the games online, and a quarter of millennials have declared they’d follow the tournament on their smartphone or tablet.

And if this doesn’t give you enough hint about the scale of the event, here are some more numbers:

  • 12 hosting stadiums requiring good IT infrastructures
  • More than 5,000 media representatives present at the games
  • 36 participating teams, 736 players and 99 referees
  • 17,040 people from 112 countries in the volunteer team

High-profile sporting events like the FIFA 2018 World Cup could provide many opportunities for hackers to target not just consumers and their smart devices, but also stadiums’ infrastructure, such as grid power and lighting among others. Cyber criminals often use these large gatherings of people and technology to steal personal information or harvest users’ credentials for financial gain, among other malicious activities.

Digital threats likely to be seen at the World Cup

While attacks at previous major sporting events have focused on ticket scams, and availability of IT services and personal data, there are now more substantial cyber threats to stadium operations, infrastructure, broadcasting and participants and visitors to the games. For example, the 2012 London Summer Games were hit by a DDoS attack on broadcast operations and power systems seeking to limit viewer access to live broadcasts; fortunately, it had limited success. In response to similar threats, the South Korean government and Pyeongchang organising committee invested around £850,000 into cybersecurity measures for the 2018 Winter Games.

Individuals taking part in the matches, either organisers or fans, could become targets to hackers in various ways. The most popular scams could include spam emails about winning tickets in the FIFA lottery and fake websites. Hackers could also create duplicates of bank websites and popular tourist sites, such as Booking.com and Airbnb, and use them to gain access to the users’ banking information. Below, we’ve listed a few of the most common ways in which the personal details, devices and services availability for all present at the football games could be compromised:

Protecting the World Cup: the CIA pillars for digital security

In order for organisers of such sports events to protect everyone involved, they need to rely on cybersecurity strategies that protect the three main pillars that underpin connected devices and services: Confidentiality; Integrity; and Availability (CIA). This means that connected devices and the services associated with them should factor:

  • Confidentiality: ensuring that devices, systems or data are not accessed by unauthorised parties
  • Integrity: ensuring that no data can be manipulated or tampered with
  • Availability: ensuring that attendees can connect whenever, and to whoever, they need to

The table below illustrates how the 3 CIA pillars reflect the World Cup digital environment, including different threats that can be associated with each of those.

Ensuring Confidentiality, Integrity and Availability

Major sporting events like the 2018 FIFA World Cup require months of preparation that include evaluation of risks and mitigation based on different scenarios.

Simple measures for fans and visitors such as switching off the Wi-Fi and Bluetooth connections of devices when not in use, using a credit card to pay for online goods and services, updating the software of devices, and using strong PINs and passwords can all help.

But here are a few security principles that organizers of major sporting events should always follow to ensure confidentiality, integrity and availability:

  • Create strong IDs for connected devices and services – ensuring Trusted Digital Identities could be a good way forward
  • Encrypt sensitive data at all stages as it moves from devices, gateways or cloud servers. This will protect against data tampering or data theft.
  • Implement strong authentication processes, to securely store credentials and ensure only authorized individuals, entities or devices have access to sensitive data and services
  • Ensure remote software and security update capabilities, with access credential management. This keeps connected devices performing at their best and makes it possible to block access to devices or services, or return them to a safe security state, whenever a threat is identified.
  • Create redundant systems and databases for recovery in disaster scenarios
  • Install monitoring and intrusion prevention systems to detect anomalies and be alerted before issues arise

Increased connectivity, both among the public and global infrastructures, makes the 2018 World Cup a prime target for digital threats. Luckily, now going into its final stages, one of the most significant global sports events hasn’t been hit by major cyberattacks. But these last couple of weeks are also the most important ones for all parties involved, so digital security must prevail at all costs.

If you would like to speak to someone about your security measures, please submit a form through our Contact Page, or call the team on 01473 281 211.

Read the original blog post at Gemalto.com.

When Prince Harry Met Access Management

June 29th, 2018

With the wedding of Harry and Meghan behind us, the media is engaging viewers with other world events and we are back to our day to day lives. While security professionals are busy preventing enterprise identity theft vulnerabilities and cybercriminals are on the lookout for their next credential heist, the rest have put Buckingham Palace on the back burner. What is the connection?

Take a moment to think about the logistics surrounding the wedding on May 19, 2018: Thousands of reporters were present, and yet many details were not announced until days before – or even the actual day of the wedding, with particular protection around the secrets about Meghan’s dress, manufacturer and designer.

It turns out that the dress was designed by Givenchy, a brand that Duchess Markle had been a fan of for many years. Apparently, part of the secret of keeping the dress a surprise involved two small teams who signed nondisclosure agreements and then undertook their activities at private workspaces in Paris and in London. Miraculously, the secret dress stayed under wraps until the actual day of the wedding.


Sample Confidential Wedding Dress Policy in Access Management Solution

Web access management for secure collaboration?

Were the email messages sent and received by the designers and garment workers encrypted? Which employees of Givenchy had access to which applications and which credentials did they need to access the designs? Were the nondisclosure agreements signed physically or digitally; were they authenticated and stored over the internet? Which Royal Family staff and Givenchy personnel had access to the mockups and revisions?

Hard to confine digital data

While the interworking of Givenchy and the Royal Family network will remain privileged, it seems that part of the reason for the success of the secret was that the work was confined to locations which were secured physically. However, this is not always possible while working on designs of a global nature. Industries today no longer work in physical isolation. Their work environment has become increasingly complex due to the globalisation of markets, the distance between industrial partners and suppliers, and co-design methodologies involving remote workers.

Cloud-based collaboration requires identity and access management

What’s more, the fashion industry and other global enterprises often collaborate on Computer Aided Design (CAD) software alongside cloud-based applications, such as Box, Dropbox, Adobe Creative Suite and Office 365. These are just some of the applications that can help organizations transfer large files, exchange email and even work simultaneously on the same online platform. In addition, enterprises require reports that provide visibility into login attempts into their ecosystem. An identity and access management solution as a service (IDaaS) can help fashion enterprises or governmental institutions ensure that only the right person receives the right information at the right time, without endangering the enterprise or its end customers.

Access Management Fashionable

The following are tips for a fashion company seeking to establish an access management strategy to suit working within and across diverse locations with multiple providers, suppliers and privileged staff:

Tidy up your groups

Make sure that your user groups are neatly defined in your Active Directory or other user store. This will make it easy to set up group-based policies. For example, designers should be associated with the designer’s group, and likewise for your Marketing, Finance, Sales, etc.

Establish a single sign-on baseline, aka a global policy

Depending on your security concerns, you may want to have a high or low-security threshold for launching a single sign-on session. You may want to deny all access by default, or alternatively, grant access on the condition that users launch an SSO session after performing strong multi-factor authentication.

Determine which scenarios or resources require extra security

Not all apps require the same level of security. By listing the resources or conditions that require special care, you can match risk policies to user needs, without sacrificing the convenience of single sign-on. For example, you may want to step up security—after launching a single sign-on session—for applications that store new haute-couture designs. Or, you may want to ensure that anyone accessing applications from outside the office does so providing an additional form of authentication (e.g. one-time passcode, PKI smart card etc.).

Set up policies to demonstrate regulatory compliance

Need to ensure GDPR compliance? Or perhaps PCI DSS? By setting up a policy dedicated to that regulatory mandate, you will be able to easily meet compliance audits. A GDPR policy, for example, could include all the apps that store EU citizen data, the user groups that should have access to that information, and the user access controls you want to enforce. For example, requiring only a password within the office, while enforcing multi-factor security for anyone working remotely or anyone working as a temporary contractor.

Keep scalability in mind

Looking to add an additional app to your fashion arsenal? Keep in mind that protocols such as SAML and OpenID Connect will help you provide that convenient user single sign-on experience. If your prospective solution supports those standards, that will be one less obstacle to productivity and chic.
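The tips above can be expressed as a small policy evaluator. This is an added example, not code from the original article or from any vendor product; the app names, group names, policy names and the two assurance levels are assumptions chosen to mirror the scenarios in the text (deny by default, step-up for design apps, GDPR policy with stricter rules for remote staff and contractors).

```python
from dataclasses import dataclass
from typing import Optional

PASSWORD, MFA = "password", "mfa"
RANK = {PASSWORD: 1, MFA: 2}              # higher rank = stronger authentication


@dataclass(frozen=True)
class Request:
    groups: frozenset                     # directory groups the user belongs to
    app: str                              # application being opened
    in_office: bool                       # True when the request comes from the office
    contractor: bool = False              # temporary contractor account


@dataclass(frozen=True)
class Policy:
    name: str
    apps: frozenset                       # apps this policy covers
    groups: frozenset                     # groups the policy grants access to
    office_auth: str                      # level required inside the office
    remote_auth: str                      # level required outside the office
    contractor_auth: Optional[str] = None # stricter floor for contractors, if any

    def requirement(self, req: Request) -> Optional[str]:
        """Level this policy demands for req, or None if the policy does not apply."""
        if req.app not in self.apps or not (req.groups & self.groups):
            return None
        level = self.office_auth if req.in_office else self.remote_auth
        if req.contractor and self.contractor_auth is not None:
            level = max(level, self.contractor_auth, key=RANK.__getitem__)
        return level


# Constructed sample policies (all names are hypothetical).
POLICIES = (
    # Step-up: apps holding new designs always need MFA, even in the office.
    Policy("design-ip", frozenset({"design-vault"}), frozenset({"designers"}),
           office_auth=MFA, remote_auth=MFA),
    # GDPR: apps storing EU citizen data; password in the office,
    # MFA when remote or when the user is a temporary contractor.
    Policy("gdpr", frozenset({"crm", "hr-portal"}), frozenset({"sales", "finance"}),
           office_auth=PASSWORD, remote_auth=MFA, contractor_auth=MFA),
    # Everyday apps: password in the office, MFA from anywhere else.
    Policy("everyday", frozenset({"mail", "intranet"}),
           frozenset({"designers", "marketing", "sales", "finance"}),
           office_auth=PASSWORD, remote_auth=MFA),
)


def required_level(req: Request, policies=POLICIES) -> Optional[str]:
    """Strictest level across all applicable policies; None means no policy grants access."""
    levels = [lvl for lvl in (p.requirement(req) for p in policies) if lvl is not None]
    return max(levels, key=RANK.__getitem__) if levels else None


def decide(req: Request, session_level: str, policies=POLICIES) -> str:
    """Return 'allow', 'step-up' or 'deny' for a user whose SSO session
    was opened with session_level (PASSWORD or MFA)."""
    need = required_level(req, policies)
    if need is None:
        return "deny"                     # global baseline: deny by default
    return "allow" if RANK[session_level] >= RANK[need] else "step-up"


if __name__ == "__main__":
    sales_remote = Request(frozenset({"sales"}), "crm", in_office=False)
    print(decide(sales_remote, PASSWORD))  # session must be raised to MFA
```

When two policies cover the same app and group, the evaluator takes the stricter requirement, so adding a compliance policy can never weaken an existing one.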

From outsourced workers to the most restricted and privileged personnel, the fashion industry can be assured that the seams of their cloud-based applications are as secure as their physical hems.

Ready to design secure, yet convenient access management for your enterprise? Start with your first stitches by downloading the Matching Risk Policies to User Needs Fact Sheet or register for free to watch our demo of SafeNet Trusted Access.

View the original article at Gemalto.com.

Bridging the digital divide with connected school buses

June 27th, 2018

It may be 2018, but millions of low-income American households with school-age children still don’t have access to a broadband internet connection. This preventable digital divide has created a “homework gap,” with students from low-income families often finding it difficult to complete their school assignments without a reliable and fast internet connection.

Equipping school buses with Wi-Fi is one way to help students achieve digital equity and enable them to more easily complete their homework in a timely manner. As Keith Krueger, the CEO of Consortium for School Networking (CoSN) notes, Wi-Fi can be used to transform school buses into study halls. “This is today’s civil right – ensuring that all students have access to equal educational opportunity in a digital world,” he says.

Indeed, connected school buses will enable students to access their PowerSchool or other learning management system (LMS) – while on the road – to check grades and school assignments, read class bulletins and email their teachers. Students can also access Google Classroom (or Google Docs) to view, edit and download/upload homework. In addition to providing broadband during the commute to and from school, connected school buses can benefit students traveling to extracurricular activities, such as sports events. Because missed study hours are often made up at home after practice or games, a Wi-Fi-equipped bus can help students get to sleep on time.

Since U.S. students spend approximately 520 million school days on buses each year, the idea of enabling connected school buses has caught the attention of numerous companies and organizations. For example, Google is working with educators to install Wi-Fi on buses across multiple school districts, including Caldwell County (North Carolina), Berkeley County (South Carolina) and the Deer Trail School District in Colorado. Ultimately, Google plans to provide service to 70 buses in 16 districts – primarily in rural areas where children often have long commutes and may lack high-speed broadband at home.

All aboard the Wi-Fi-enabled school bus

Wi-Fi-equipped school buses can also help bolster passenger safety by transmitting real-time data from a range of smart cameras, sensors and GPS units. According to Curbed, a number of school districts have begun embracing various forms of connected technology on buses, such as GPS units in Boston and RFID-enabled badges attached to student backpacks in Cincinnati. Nevertheless, Jennifer O’Neal Schiess, a principal at Bellwether Education Partners, emphasizes that in an era of Tesla and Uber, school bus technology has barely budged forward, with only a third of school districts tracking their vehicles using GPS. Moreover, Mega Bus and other touring coaches routinely offer free Wi-Fi for multiple devices, along with air conditioning and power plugs. It is clearly time for school buses to do the same. “Innovation that’s permeated the transportation world hasn’t [yet] permeated the educational world,” says Schiess.

In addition to helping to improve passenger security, parked smart school buses can double as mobile Wi-Fi hotspots – offering underserved communities reliable broadband access when the vehicle is not being used to transport students. Similarly, Wi-Fi on smart school buses can be used at local parks, or off-campus school-sponsored events such as fund-raising events in parking lots and community cultural events in open areas.

Creating rolling classrooms with the Ruckus M510 Access Point (AP)

Whether in the classroom or a rolling study hall, we believe a reliable wireless network that scales to accommodate an evolving digital learning environment is the cornerstone of a solid educational foundation. This is precisely why the Ruckus M510 Access Point (AP) is designed to provide mobile Wi-Fi with LTE backhaul, thereby enabling expanded coverage and redundancy for students on smart school buses in rural areas.

The Ruckus M510 AP also features 802.11ac Wave 2 with BeamFlex+ antennas – and supports 2×2:2 spatial streams along with MU-MIMO. This allows the M510 to deliver high coverage efficiency and sustained downlink throughput of up to 150 Mbps (when using the LTE backhaul). Moreover, the M510 AP can be centrally managed with other Ruckus APs, thereby simplifying operations and eliminating the need for a separate mobile hotspot management system.

Interested in learning more about how you can help bridge the digital divide by transforming school buses into rolling classrooms? Contact Net-Ctrl on 01473 281 211, email sales@net-ctrl.com or submit a contact form.

View the original release by Richard Nedwich at the Ruckus Room.

Ruckus SmartZone: The First Network Controller-Based System for Wired and Wireless

June 19th, 2018

Network complexity has significantly increased in recent years. Consequently, operators, managed service providers (MSPs) and large enterprises are finding it more challenging than ever to control network administrative costs.

To reduce overhead, these organisations are clamoring for an all-in-one solution that securely streamlines the control and management of multiple IT elements within the network. In addition, MSPs offering networking-as-a-service (NaaS) demand a solution that offers architectural flexibility and scalability to address heterogeneous, multi-tiered tenancy requirements, along with hybrid data, control and management topologies to support a myriad of service offerings.

These organisations also need a lineup of network business intelligence (BI) features, such as advanced reporting and detailed analytics, along with intuitive user interfaces (UIs) and custom data-rich dashboards with streaming (open) API support. In addition, operators require their own management tier, as well as administrative tiers for direct customers or multiple tiers of administration offered via downstream smaller MSPs.

Simplifying converged network management

Today, Ruckus is announcing the availability of SmartZone™ network controllers – newly enhanced versions of its SmartZone WLAN controllers – powered by the latest release of its SmartZoneOS software. SmartZone network controllers include physical and virtual appliances designed for operators, managed service providers and mid-to-large sized enterprises.

First introduced in 2015, SmartZoneOS-powered controllers combine scalability, tiered multi-tenancy, architectural flexibility and extensive APIs into a single centrally-managed console. These capabilities enable operators to implement complex, multi-tier and as-a-service business models using their own management applications.

They also allow organisations to manage subscriber data traffic on a massive scale and integrate traffic flows and network data into existing network architectures. SmartZone network controllers further enable enterprises to simplify network management through consolidation and use of built-in troubleshooting and analytics tools. SmartZone provides a multi-language user interface (UI) that powers a data-rich dashboard for health and traffic analytics and visual troubleshooting tools. It should be noted that SmartZone is deployed in thousands of enterprises – and in more than 200 service provider networks on five continents.

Enabling networking-as-a-service

The SmartZoneOS reduces the need for complex command line interface (CLI) gymnastics by providing open, well-documented RESTful application programming interfaces (APIs) that allow IT to easily invoke SmartZone functions and configurations, enabling error-free automation. In addition, streaming APIs help IT to monitor – in near real-time – the full array of Ruckus network data, statistics and alarms, thereby facilitating the easy creation of customised, information-dense dashboards and reports within their own applications.

Moreover, SmartZone network controllers simplify the creation of consistent network access policies across a wired and wireless network – with tailored firmware/software updates throughout the network to ensure trackable version control and accurate (version-specific) reporting. SmartZoneOS 5 includes an automated switch discovery feature and supports switch restoration to the last configuration point in time.

Additional SmartZone network controller features include:

  • Switch registration, authentication, backup and restore capabilities
  • Supports adaptive band balancing, load balancing, airtime fairness, hotspot and guest services, as well as capacity-based admission control
  • Supports hierarchical switch groups, network health monitoring, alarms and port status
  • Support for switch traffic statistics, LLDP neighbors, stand-alone and stacking
  • Rogue AP detection and mitigation, URL filtering, automated enhanced client security/DPSK, two-factor authentication and isolation white list
  • Easy PCI readiness and geo-redundancy capabilities
  • Data-plane flexibility for hybrid data routing topologies
  • Tunnel traffic routing to multiple third-party gateways
  • Service provider support for tiered SLA offerings
  • Multi-tiered tenancy architecture for segmented operating domains, admin boundaries and profile isolation

To recap, Ruckus’ new SmartZone network controllers – which support up to 450K devices – are an all-in-one solution for operators, managed service providers and mid-to-large sized enterprises seeking to simplify managing both wired and wireless networks through a single console – and offer networking-as-a-service that supports customisable tenant-view dashboards built from a comprehensive set of RESTful and streaming APIs.

View the original press release from Ruckus.

Ruckus Unleashed is now faster, stronger and easier

June 12th, 2018

Ruckus has rolled out their Zero Touch Mesh feature as part of the latest Ruckus Unleashed 200.6 update. The update enhances our pre-existing SmartMesh wireless meshing technology which is designed to dynamically create self-forming, self-healing mesh networks.

SmartMesh makes it simple to blanket every corner of your space with reliable Wi-Fi coverage – while eliminating the need for cumbersome radio planning and expensive cabling to every access point (AP). Now with Zero Touch Mesh, you can skip the mesh configuration priming process – as Mesh APs already installed in their permanent locations will auto-discover, auto-provision and auto-form a mesh network securely without priming. This means you can set up your entire Wi-Fi network in a few simple steps, whether using a mobile device or browser.

In fact, Ruckus recently hosted an Unleashed AP configuration competition during an event. All participating contestants successfully configured their respective APs in under two minutes. This puts into perspective the ease of installing Unleashed APs. With Zero Touch Mesh, the installation of an Unleashed network is dramatically simplified.

Unleashed networks can be easily managed by anyone – no expert IT staff required. You can manage Unleashed networks from anywhere in the world with the free Unleashed Mobile app. The app’s dashboard displays all the essential information about your network, while providing access to key administrative tasks and troubleshooting options.

Beyond Zero Touch Mesh, Unleashed 200.6 adds a slew of new features and enhancements to provide you with more robust control over your networks. For example, you can now define policies to restrict Wi-Fi speed for users at the application level. This is because application rate limiting and QoS traffic shaping rules can be created, along with application denial rules. Plus, all your end-point devices can be easily renamed, while your admin password can be easily reset within the Unleashed Setup Wizard.

Unleashed 200.6 also makes it easier for you to quickly troubleshoot wireless networks. With the Unleashed (browser) dashboard or mobile app, you can now precisely pinpoint technical issues, such as why the internet is down, why a specific device is unable to connect to Wi-Fi, or why an AP has rebooted.

Additional Unleashed 200.6 key features and enhancements include:

  • Expansion of the Unleashed AP portfolio with the: C110 (Wave 2 wall plate AP with built-in DOCSIS 3.0 cable modem), E510 (embedded Wave 2 outdoor AP with external BeamFlex+ antennas) and the T310 (entry-level Wave 2 outdoor AP with integrated BeamFlex+ omni or sector antennas).
  • Same WLAN support for multiple social media logins: Existing Social Media login methods (Facebook, Google, LinkedIn and Microsoft) can be used simultaneously on the same WLAN.
  • WeChat WLANs: New social media WLAN type – WeChat – is now available.
  • AP Ethernet port status: The web UI displays information on AP Ethernet port status, including link status and link speed.
  • Unleashed Multi-Site Manager (UMM) Connectivity: Enables connectivity from UMM to an Unleashed Master AP behind a NAT firewall. Unleashed will initiate an SSH tunnel when the “Enable management by Unleashed Multi-Site Manager” option is selected, allowing TR-069 protocol traffic to traverse the firewall.

View the original post at The Ruckus Room.

Gemalto launches virtualised network encryption platform

June 11th, 2018

Gemalto, the world leader in digital security, today announced the launch of a new virtualised network encryption platform, SafeNet Virtual Encryptor CV1000 as part of its continued investment to address the rapidly changing data security needs of organisations worldwide.

(Gemalto will host a webinar entitled, “Network Encryption at the Flip of a Switch: Implementing Virtualised Network Encryption to Secure SD-WANs”, on June 21st at 3pm Central European Time.)

Today, enterprises and service providers are increasingly using network functions virtualisation (NFV) and software-defined networking (SDN) technologies to design, deploy and manage their networks and cloud-based services. These software-based technologies give organisations cost and operational benefits because they move network functions from dedicated network encryption hardware appliances to virtual servers. However, these technologies can also present additional security challenges for protecting sensitive data that runs across these networks because of their virtualised architecture.

Leveraging the proven security and performance of the hardware-based SafeNet High-Speed Encryptor family, the SafeNet Virtual Encryptor CV1000 is a hardened virtual security appliance designed to secure data in motion across both software-defined wide area networks (SD-WAN) and traditional networks. Developed by Gemalto’s high-speed encryption partner, Senetas (ASX:SEN), the SafeNet Virtual Encryptor CV1000 can encrypt data in motion at data-rates up to 5 Gbps.

“More and more organisations are embracing the advantages of virtualised networks to deliver cost-effective scalability, flexibility and network management to the network edge. Consequently, network services require trusted virtualised encryption for optimum data security,” said Todd Moore, senior vice president of Encryption Products at Gemalto. “Gemalto’s launch of a virtualised network encryption platform redefines network data security by providing the crypto-agility required to ensure sensitive data and transmissions remain secure, regardless of network design.”

Transforming the network encryption market, SafeNet High-Speed Encryptors are the first to offer Transport Independent Mode, which enables organisations to encrypt data across mixed high-speed WAN links (Layers 2, 3 and 4). Organisations can now be assured that they are getting the best performance and secure encryption, regardless of the network layer. This feature is currently available for the SafeNet Virtual Encryptor CV1000, and will be available for the hardware-based SafeNet High-Speed Encryptors later this year.

“As organisations increasingly embrace cloud-based applications and their use of multiple network types from Ethernet to MPLS, Senetas and Gemalto are ahead of the curve in providing seamless concurrent multi-layer network traffic encryption to ensure the best in network security and performance available today,” said Andrew Wilson, CEO of Senetas.

Key Features and Benefits of the SafeNet Virtual Encryptor CV1000 include:

  • Virtualised Network Functionality reduces dependence on dedicated network encryption hardware appliances for both enterprises and network operators.
  • Reduced Cost of Ownership makes the SafeNet Virtual Encryptor CV1000 up to 10 times more affordable than hardware-based appliances.
  • Rapid Deployment and Scalability enables organisations to spin up a virtual machine to protect data across the network rather than having to physically deploy hardware at each end point.
  • Crypto-Agile Encryption Across All Network Layers with Transport Independent Mode, providing the ability to encrypt traffic across Layers 2, 3 and 4 with optimised performance and robust encryption, including support for custom algorithms.
  • Combined Encryption Key Management option, integrates with SafeNet KeySecure for enhanced key lifecycle management.

View the original article by Gemalto.

Net-Ctrl Blog - mobile

Ruckus Launch R730 – The First IOT and LTE ready 802.11AX Access Point

July 18th, 2018

Ruckus Networks, an ARRIS company, today announced the Ruckus R730, the industry’s first IoT- and LTE-ready, 802.11ax wireless access point (AP). The high-capacity, 12 spatial-stream R730 works in concert with the new Ruckus Ultra-High Density Technology Suite to smoothly deliver high-resolution, latency-sensitive video in ultra-high density user environments such as stadiums, train stations and schools. In addition, the R730 complies with both the new WPA3™ security protocol and Wi-Fi™ Enhanced Open for more secure connections on public networks.

Worldwide data and video traffic is growing at double-digit rates, driven by an increase in connected devices. ABI Research predicts that Wi-Fi device shipments will grow to nearly 35 billion by 2022. Data and video traffic also will surge due to increased per-device data consumption driven by applications like 4K video streaming, virtual and augmented reality and live-stream gaming.

“Ruckus customers and partners demand more when it comes to their networks,” said Ian Whiting, president of Ruckus Networks. “We have a long history of delivering products and technologies that go beyond the current state-of-the-art to meet the world’s most demanding network requirements while driving down the cost-per-connection. Ruckus R730 and Ruckus Ultra-High Density Technology Suite are the latest examples.”

The congestion of people, devices and bandwidth-hungry apps makes for challenges that current wireless tech cannot handle. Adding to the complexity of this environment are diversifying device categories and apps, such as instant messaging, IoT control messages and voice-over-Wi-Fi.

“Real-world use cases are bumping up against the limits of existing Wi-Fi standards, and the need for 802.11ax to address a wide variety of heterogeneous, high-density scenarios is clear,” said Chris DePuy, founder and technology analyst at 650 Group. “Ruckus has already differentiated itself in the realm of network consolidation. With this launch, Ruckus is reinforcing that by setting the stage for converged Wi-Fi, IoT and LTE deployments.”

802.11ax: More connections and bandwidth, higher QoS

The new 802.11ax standard was designed for high-density connectivity, with the ability to support up to a four-fold capacity increase over its 802.11ac Wave 2 predecessor. With 802.11ax, multiple APs used in dense device environments are collectively able to deliver required quality-of-service (QoS) to more clients with more diverse usage profiles due to the use of orthogonal frequency-division multiple access (OFDMA) and multi-user multiple-in multiple-out (MU-MIMO) technologies.

Delivering expected service levels in ultra-high-density environments

Increased end-user expectations and application QoS requirements pose unique difficulties to network designers. Locations such as stadiums, public venues, train stations, and schools in which video content and applications are central to the curriculum, are representative examples. The R730, supporting eight spatial streams on 5 GHz and four spatial streams on 2.4 GHz, is better able to address those expectations through increased capacity, improved coverage and performance.

“Train stations are especially challenging Wi-Fi environments due to spikes in client count each time passengers exit a train,” said Tetsuo Mukai, general manager, KDDI. “We challenged Ruckus to help us improve the in-station experience for subscribers with devices that were already on the network when the train arrives, and Ruckus came back with a solution that dramatically reduced the impact of these transient client events on affected subscribers, minimizing throughput degradation and shortening recovery time.”

The Ruckus Ultra-High Density Technology Suite addresses these challenges using techniques that go beyond the 802.11ax standard, including:

  • Airtime decongestion—Increases average client throughput in heavily congested environments by using patent-pending techniques to reduce unnecessary management traffic.
  • Transient client management—Maintains throughput levels for priority clients in high transient-client environments such as rail stations by using patent-pending techniques to delay AP association with low-priority transient clients.
  • BeamFlex™+ antennas—Patented technology improves AP coverage and capacity by continuously optimizing antenna patterns on a per-device, per-packet basis.

“At Golden 1 Center, we’re committed to delivering the best fan experience in the industry. One of the ways we deliver value to our fans is to build a network that enables live streaming during the games. This is incredibly challenging to do in a venue like ours with as many live-streaming fans as we have,” said Ryan Montoya, chief technology officer, Sacramento Kings. “Ruckus was up to the challenge and demonstrated to us several innovative features that let us squeeze the most out of our available spectrum, ensuring no connections are dropped and that adequate bandwidth is available for anyone that wants to live-stream the game.”

Converging IoT access networks

The R730 includes embedded Bluetooth Low Energy (BLE) and Zigbee radios and can be augmented with Ruckus IoT modules to support additional physical layer protocols such as LoRa. Using the Ruckus IoT controller, these separate networks and the IoT endpoints associated with them can be managed, coordinated and connected to IoT cloud services as part of a single, converged IoT access network.

Preparing for private LTE

The R730 accommodates modular Ruckus OpenG™ LTE APs operating in the U.S. Citizens Broadband Radio Service (CBRS) 3.5 GHz band, enabling existing Wi-Fi APs to provide LTE service. Using modular or stand-alone LTE APs, organizations will be able to build their own private LTE networks to improve the quality of indoor cellular service within their facilities.

Making users safer at home, in the office and in public

The R730 will implement the next-generation WPA3 wireless security protocol and Wi-Fi Enhanced Open. Users with compatible devices will benefit from significant security enhancements, including:

  • Protection against brute-force dictionary attacks through use of a new key exchange protocol known as a simultaneous authentication of equals handshake.
  • Protection against traffic-sniffing attacks common to unauthenticated networks associated with public venues.

Getting the most out of your 802.11ax deployment

The 802.11ax standard and the R730 offer a step-function increase in over-the-air throughput. To make the best use of that new capacity, network designers need to optimize the wired access infrastructure to support it, while minimizing upgrade costs. Ruckus helps network designers by:

  • Offering two switches—the entry-level ICX 7150 Z-series and the ICX 7650—that meet the increased power-over-Ethernet (PoE) requirements of the R730;
  • Providing the access port capacity needed to support multi-gigabit throughput on the ICX 7650 Z-series—with up to 24 auto-sensing 1/2.5/5/10 gigabit Ethernet (GbE) ports—and the 100 gigabit-per-second (Gbps) uplink capacity required for ultra-high-density deployments;
  • Enabling them to replace APs without extensive network redesign by using the adaptive Wi-Fi cell sizing feature included in the Ultra-High-Density Technology Suite.

“Many of our customers have future-proofed their networks with the Ruckus ICX 7650 switches, in anticipation of the upcoming 802.11ax access points,” said Don Gulling, president and CEO of Verteks Consulting. “The launch of the R730 enables us to quickly get these APs into the hands of our customers that serve high-density Wi-Fi deployments such as stadiums, auditoriums and large public venues. These APs and switches will provide our customers with what they need to meet next-generation demands.”

Availability

The R730 will be generally available this calendar quarter. The Ultra-High Density Technology Suite is available now for use with all Ruckus APs.

View the original press release at ruckuswireless.com.

Johnson Controls Releases CEM Systems AC2000 v10

July 17th, 2018

Johnson Controls announces the release of CEM Systems AC2000 v10.0, which offers users a new modernised look and feel along with new features such as enhanced enterprise capabilities that increase the performance and scope of the AC2000 access control system suite from CEM Systems.

CEM Systems AC2000 v10.0 workstation client applications have been restyled with a modern, clean and intuitive interface. The restyle has focused on the user experience with improvements to all visual elements of the applications. Operators are now able to select their preferred theme (light or dark) to run their AC2000 Workstation Client applications in.

A major feature of AC2000 v10.0 is the enhancements to the AC2000 Enterprise offering for AC2000, AC2000 Lite and AC2000 Airport editions. The enhanced enterprise system provides superior centralized access control and monitoring capability where wide geographical distribution occurs, or where departmental or business unit separation is necessary. The new architecture improves device configuration, reporting, alarm processing and personnel management across multiple site locations.

A business or organization can scale its single site AC2000 access control system to a multi-site enterprise solution, while at the same time unifying policy requirements and reducing administrative and operational costs. Each business unit can be administered at a local and/or centralized level. Other features of AC2000 v10.0 include new visitor escort functionality to ensure visitors are not left unaccompanied around secured areas, and unrestricted AC2000 Authorization levels to reduce configuration times for users and user groups.

Building on the range of ID scanner integrations, AC2000 now offers a new interface to SnapShell ID and passport scanner.

Find out more about the CEM Systems Access Control solution and contact our team on 01473 281 211, or submit a contact form.

View the original release by CEM Systems.

5 technologies that will help kill usernames and passwords

July 17th, 2018

We’ve all struggled to remember complicated username and password combinations when trying to access an online account. According to a Dashlane Inbox Scan study, the average user has at least 90 online accounts, and with every account comes a new password to remember. To make their digital life simpler, 89 per cent of people use the same one or two passwords for everything.

Managing several digital identities using usernames and passwords is not something our brains are wired to do. And it also presents a huge security threat – insecure passwords caused an estimated 80% of breaches, according to a 2017 report from Verizon.

No doubt, passwords aren’t the best authentication solution in the digital age. But how can digital technologies help us address this issue? With huge strides being made in digital authentication technologies, and biometrics, in particular, the end of the password could soon be a reality. Keep reading to find out which 5 technologies can help us kill passwords.

1. Physiologic Biometrics

In a previous post, we discussed how biometrics are already helping solve the all-important issue of a “unique identifier”, replacing the username/password combination, while keeping the user experience simple and secure at the same time.

Biometrics refers to an individual’s unique physiological characteristics such as facial recognition, fingerprint authentication, iris scan and DNA. It can be used to automatically identify and authenticate individuals, and such authentication methods have become the norm for accessing devices like smartphones, smart speakers and tablets. They’ve also been deployed by many eGovernment service providers and financial institutions and in other aspects of our lives including driving our cars or accessing our homes!

2. Behavioural Biometrics

Going forward, behavioural biometrics are becoming a very good alternative for secure authentication, when combined with other authentication methods. As described by IBIA, behavioural biometrics measure the unique patterns which characterize our daily activities. Yes, that’s right, the way we type, walk, our heartbeats, brain waves, and many others, can all be captured in a digital signature that is unique to the individual.

Technologies based on machine-learning algorithms can help build out a rich, multi-dimensional profile of each individual customer. Such technologies are currently used in law enforcement and border control, and combined with context-based signals like geolocation, they provide a very personalised and silent authentication method.

3. Artificial Intelligence

Just as insurance companies use data to predict accidents, or retailers to figure out the optimal time to target consumers with a personalised promotion, user authentication could rely on similar data analytics. Machine learning can be used to collect a combination of patterns in data related to log-in times, locations and device footprints. The goal is to spot normal versus abnormal user behaviour and change access accordingly.

This will be based on the concept of adaptive authentication, by assigning a risk score and adjusting the level of access the user gets, based on the actions they are performing and the assurance level of the user’s authentication method.

This type of technology is in its early stages of development, although conversations around context-based and risk-based authentication have already become very popular.
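A minimal sketch of the adaptive authentication idea described in this section, added here as an illustration and not taken from the original article or any product. A simple frequency baseline stands in for the machine-learning model; the login history, weights, rarity threshold, risk bands, action names and assurance levels are all assumptions.

```python
from collections import Counter

# Constructed login history for one user: (hour_of_day, country, device_id).
HISTORY = [
    (9, "GB", "laptop-1"), (10, "GB", "laptop-1"), (9, "GB", "phone-1"),
    (14, "GB", "laptop-1"), (11, "GB", "laptop-1"), (15, "GB", "phone-1"),
    (10, "FR", "laptop-1"), (13, "GB", "laptop-1"),
]

WEIGHTS = {"hour": 20, "country": 40, "device": 40}   # assumed; sums to 100
RARE = 0.20                                           # share below this counts as unusual
ASSURANCE = {"password": 1, "otp": 2, "biometric": 3} # assumed assurance levels
ACTION_BASE = {"view_balance": 1, "change_payee": 2}  # assumed action sensitivity


def build_profile(history):
    """Summarise past logins into the baseline of 'normal' behaviour."""
    return {
        "n": len(history),
        "hours": [h for h, _, _ in history],
        "country": Counter(c for _, c, _ in history),
        "device": Counter(d for _, _, d in history),
    }


def _signal(weight, share):
    """Full weight for a never-seen value, half for a rarely seen one, else 0."""
    if share == 0:
        return weight
    if share < RARE:
        return weight // 2
    return 0


def risk_score(profile, hour, country, device):
    """Score 0..100: how far this login deviates from the user's baseline."""
    n = profile["n"]
    if n == 0:                      # no history yet: treat everything as unknown
        return sum(WEIGHTS.values())
    # Hours are compared on a 24-hour circle, within +/- 1 hour of past logins.
    near = sum(1 for h in profile["hours"]
               if min(abs(h - hour), 24 - abs(h - hour)) <= 1)
    return (_signal(WEIGHTS["hour"], near / n)
            + _signal(WEIGHTS["country"], profile["country"][country] / n)
            + _signal(WEIGHTS["device"], profile["device"][device] / n))


def decide_access(profile, login, action, method):
    """Combine risk, action sensitivity and the assurance level of the
    authentication method into 'allow', 'step-up' or 'deny'."""
    risk = risk_score(profile, *login)
    band = 0 if risk < 20 else 1 if risk < 60 else 2
    required = ACTION_BASE[action] + band
    if required > max(ASSURANCE.values()):
        return "deny"               # no available method is strong enough
    return "allow" if ASSURANCE[method] >= required else "step-up"


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for login in [(10, "GB", "laptop-1"), (10, "FR", "laptop-1"), (3, "BR", "unknown-7")]:
        print(login, risk_score(profile, *login),
              decide_access(profile, login, "view_balance", "password"))
```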

4. Two-factor (2FA) or Multi-Factor Authentication

These systems have been in use for a while now, and end users have become accustomed to adding an extra layer of security for certain types of transactions. They rely on the user acknowledging control of a confirmed communication channel, such as an email address, a text message or an authentication app.

Several service providers, especially those in eGovernment, are using a text message sent to the number on record with containing a one-time password (OTP) valid for one login session or transaction on a digital device. However, there are certain risks associated with using OTP, that’s why it’s best they are always used in combination with other forms of authentication like biometric authentication.

5. Mobile Identity

As we’ve discussed in a previous blog, with so many people using digital devices to communicate, access data and services, and transact, the success of this digital economy depends on knowing who you transact with.

Mobile trusted digital identities can be the answer as they provide the means to collect all end-user attributes and enable seamless authentication, all through the mobile device. Mobile enables the combination of identity documents, physical and behavioural biometrics and user information such as geolocation, device numbers and other attributes.

While everyone is talking about how we should kill passwords, the fact is the average person has at least 90 online accounts associated with their email address and uses the same password to access them, and that number is growing every year.

Usernames and passwords will continue to be used for authentication in 2018, but the widespread adoption of scalable technologies will help eliminate this hassle over the coming years. End-user adoption of biometric technologies will drive the movement towards seamless and convenient digital experiences while reinforcing security and privacy.

New UK NCSC Guidelines Urge Use of Multi-Factor Authentication and Single Sign-On Solutions

July 10th, 2018

A couple of weeks ago, the UK National Cyber Security Centre, a part of the British intelligence and security organization GCHQ, published guidelines for enterprise information security leaders on how they can implement multi-factor authentication to thwart breaches and unauthorized access to online accounts. The guidelines cover both consumer authentication to online services, such as banking and retail sites, as well as employee authentication, such as when accessing enterprise VPNs and cloud-based apps.

The guidelines are timely with marketing and data aggregation firm, Exactis, making the headlines for failing to secure a database with 340 million records of American adults and businesses that include “phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person’s children.” In response to the deluge of personal information compromised, some are calling for stricter regulations around privacy in the US, comparable to those required by GDPR, which requires users to provide their explicit consent to online services to collect this type of data.

So what does the UK National Cyber Security Centre (UK NCSC) advise IT leaders and administrators to do? We’ve recapped the main points below.

Consider Multi-Factor Authentication an Enterprise Essential

Traditionally, passwords were used to authenticate users to a single all-encompassing entry point in the form of access to the enterprise network.

Since enterprises today use a large number of cloud-based applications and virtual private networks to enable collaboration and remote work arrangements, the enterprise firewall no longer provides sufficient protection.

In effect, all access becomes remote access – in the cloud or remotely to on-premises resources. In either case, authentication becomes the central ‘decision point’ for granting or denying access to a user – be they legitimate or a hacker.

The problem with relying on passwords is that they are famously inadequate for protecting against leaked user databases, phishing attacks and password spraying. This is where multi-factor authentication, or MFA, comes into the picture.

When to Use Multi-Factor Authentication

Due to social engineering, e.g. phishing, and machine-guessable passwords, organizations are advised to:

  • Choose cloud and web services that offer MFA, and be wary of the risk of using web services that offer only single-factor authentication
  • Apply MFA for all web and cloud-based resources
  • Secure IT administrator accounts with MFA

Common Implementations of Multi-Factor Authentication

What are some common, effective implementations of MFA?

  • Remember me on this device – Device fingerprinting is used by many services such as Google and LinkedIn as an additional authentication factor. Logins from an unregistered device could prompt the user for additional authentication.
  • Requiring MFA at every access attempt – Most applicable to high-impact services, such as webmail and online banking accounts.
  • Stepping up authentication during high-risk activities – For example when transferring money online or changing a password.
  • Stepping up authentication based on high-risk behaviours – Such as logging in from an unusual geographic location.

Common Authentication Factors

Regardless of the type of device being used, UK NCSC recommends implementing Single Sign-On to provide a smooth experience for end-users. Single Sign-On solutions eliminate the need to re-authenticate separately to each application, enabling users to access all their apps after logging in just once. Where SSO is unavailable or costly to implement, such as on mobile devices, a solution providing a good UX should once again be preferred.

So what are the authentication factors available to secure access to enterprise or consumer resources? The UK NCSC mentions these:

  • Managed devices – These could be protected using digital PKI certificates, or an embedded secure element that cannot be removed, among others. Additionally, IT leaders can choose to enable access to resources only when that access originates from the enterprise network or VPN.
  • Using mobile-as-a-token – This includes one-time passcode apps (OTP apps) generating OTPs as well as single-tap push authentication.
  • Hardware tokens – These include FIDO tokens, PKI smart cards with PIN protection (which require a PIN to unlock the smart card and authenticate), OTP key fobs, chip-and-pin (EMV) card readers used in banking, and backup codes designed for use as a default when the usual 2nd factor is not available.
  • Out-of-band – This includes out-of-band delivery of a one-time passcode via email, SMS text messages and phone calls.

Other recommendations for the successful implementation of MFA include the logging and reporting of failed and successful access attempts—functionality which is key to post-event forensics and demonstrating compliance. The UK NCSC also advises deploying user self-service portals, to let users report or resolve numerous issues on their own.

Looking to revamp your Identity and Access Management strategy? Learn about Gemalto’s identity-as-a-service or join a 30-minute live demo webinar of SafeNet Trusted Access. Alternatively, call the Net-Ctrl team on 01473 281 211, or submit a contact form.

View the original article at Gemalto.com.

Is the CIA protecting the World Cup in Russia?

July 5th, 2018


The 2018 FIFA World Cup is expected to be the largest yet, with fans from all over the world watching. When it comes to TV audiences, the games are expected to be watched by 3.4 billion fans from 200 countries, which is nearly half the total world population. Not only is the World Cup available to view worldwide through a variety of broadcasting platforms, but smart technologies are now increasingly used by the fans to watch the games and interact with their favourite players. In fact, a survey by GlobalWebIndex found that 47% of the online population plans to watch the games online, and a quarter of millennials have declared they’d follow the tournament on their smartphone or tablet.

And if this doesn’t give you enough hint about the scale of the event, here are some more numbers:

  • 12 hosting stadiums requiring good IT infrastructures
  • More than 5,000 media representatives present at the games
  • 36 participating teams, 736 players and 99 referees
  • 17,040 people from 112 countries in the volunteer team

High-profile sporting events like the FIFA 2018 World Cup could provide many opportunities for hackers to target not just consumers and their smart devices, but also stadiums’ infrastructure, such as grid power and lighting, among others. Cyber criminals often use these large gatherings of people and technology to steal personal information or harvest users’ credentials for financial gain, among other malicious activities.

Digital threats likely to be seen at the World Cup

While attacks at previous major sporting events have focused on ticket scams, and availability of IT services and personal data, there are now more substantial cyber threats to stadium operations, infrastructure, broadcasting and participants and visitors to the games. For example, the 2012 London Summer Games were hit by a DDoS attack on broadcast operations and power systems seeking to limit viewer access to live broadcasts; fortunately, it had limited success. In response to similar threats, the South Korean government and Pyeongchang organising committee invested around £850,000 into cybersecurity measures for the 2018 Winter Games.

Individuals taking part in the matches, either organisers or fans, could become targets to hackers in various ways. The most popular scams could include spam emails about winning tickets in the FIFA lottery and fake websites. Hackers could also create duplicates of bank websites and popular tourist sites, such as Booking.com and Airbnb, and use them to gain access to the users’ banking information. Below, we’ve listed a few of the most common ways in which the personal details, devices and services availability for all present at the football games could be compromised:

Protecting the World Cup: the CIA pillars for digital security

In order for organisers of such sports events to protect everyone involved, they need to rely on cybersecurity strategies that protect the three main pillars that underpin connected devices and services: Confidentiality, Integrity and Availability (CIA). This means that connected devices and the services associated with them should factor in:

  • Confidentiality: ensuring that devices, systems or data are not accessed by unauthorised parties
  • Integrity: ensuring that no data can be manipulated or tampered with
  • Availability: ensuring that attendees can connect whenever, and to whoever, they need to

The table below illustrates how the 3 CIA pillars reflect the World Cup digital environment, including different threats that can be associated with each of those.

Ensuring Confidentiality, Integrity and Availability

Major sporting events like the 2018 FIFA World Cup require months of preparation that include evaluation of risks and mitigation based on different scenarios.

Simple measures for fans and visitors such as switching off the Wi-Fi and Bluetooth connections of devices when not in use, using a credit card to pay for online goods and services, updating the software of devices, and using strong PINs and passwords can all help.

But here are a few security principles that organisers of major sporting events should always follow to ensure confidentiality, integrity and availability:

  • Create strong IDs for connected devices and services – ensuring Trusted Digital Identities could be a good way forward
  • Encrypt sensitive data at all stages as it moves from devices, gateways or cloud servers. This will protect against data tampering or data theft.
  • Implement strong authentication processes, to securely store credentials and ensure only authorized individuals, entities or devices have access to sensitive data and services
  • Ensure remote software and security update capabilities, with access credential management. This keeps connected devices performing at their best and makes it possible to block access to devices or services, or to return them to a known safe state, whenever a threat is identified.
  • Create redundant systems and databases for recovery in disaster scenarios
  • Install monitoring and intrusion prevention systems to detect anomalies and be alerted before issues arise

Increased connectivity, both among the public and global infrastructures, makes the 2018 World Cup a prime target for digital threats. Luckily, now that it is going into its final stages, one of the most significant global sports events hasn’t been hit by major cyberattacks. But these last couple of weeks are also the most important ones for all parties involved, so digital security must prevail at all costs.

If you would like to speak to someone about your security measures, please submit a form through our Contact Page, or call the team on 01473 281 211.

Read the original blog post at Gemalto.com.

When Prince Harry Met Access Management

June 29th, 2018

With the wedding of Harry and Meghan behind us, the media is engaging viewers with other world events and we are back to our day to day lives. While security professionals are busy preventing enterprise identity theft vulnerabilities and cybercriminals are on the lookout for their next credential heist, the rest have put Buckingham Palace on the back burner. What is the connection?

Take a moment to think about the logistics surrounding the wedding on May 19, 2018: Thousands of reporters were present, and yet many details were not announced until days before – or even the actual day of the wedding, with particular protection around the secrets about Meghan’s dress, manufacturer and designer.

It turns out that the dress was designed by Givenchy, a brand that Duchess Markle had been a fan of for many years. Apparently, part of the secret of keeping the dress a surprise involved two small teams who signed nondisclosure agreements and then undertook their activities at private workspaces in Paris and in London. Miraculously, the secret dress stayed under wraps until the actual day of the wedding.


Sample Confidential Wedding Dress Policy in Access Management Solution

Web access management for secure collaboration?

Were the email messages sent and received by the designers and garment workers encrypted? Which employees of Givenchy had access to which applications and which credentials did they need to access the designs? Were the nondisclosure agreements signed physically or digitally; were they authenticated and stored over the internet? Which Royal Family staff and Givenchy personnel had access to the mockups and revisions?

Hard to confine digital data

While the inner workings of the Givenchy and Royal Family networks will remain privileged, it seems that part of the reason for the success of the secret was that the work was confined to locations which were secured physically. However, this is not always possible while working on designs of a global nature. Industries today no longer work in physical isolation. Their work environment has become increasingly complex due to the globalisation of markets, the distance between industrial partners and suppliers, and co-design methodologies involving remote workers.

Cloud-based collaboration requires identity and access management

What’s more, the fashion industry and other global enterprises often collaborate on Computer Aided Design (CAD) software alongside cloud-based applications, such as Box, Dropbox, Adobe Creative Suite and Office 365. These are just some of the applications that can help organizations transfer large files, exchange email and even work simultaneously on the same online platform. In addition, enterprises require reports that provide visibility into login attempts into their ecosystem. An identity and access management solution as a service (IDaaS) can help fashion enterprises or governmental institutions ensure that only the right person receives the right information at the right time, without endangering the enterprise or its end customers.

Access Management Fashionable

The following are tips for a fashion company seeking to establish an access management strategy to suit working within and across diverse locations with multiple providers, suppliers and privileged staff:

Tidy up your groups

Make sure that your user groups are neatly defined in your Active Directory or other user store. This will make it easy to set up group-based policies. For example, designers should be associated with the designers group, and likewise for your Marketing, Finance, Sales, etc.

Establish a single sign-on baseline, aka, a global policy

Depending on your security concerns, you may want to have a high or low-security threshold for launching a single sign-on session. You may want to deny all access by default, or alternatively, grant access on the condition that users launch an SSO session after performing strong multi-factor authentication.

Determine which scenarios or resources require extra security

Not all apps require the same level of security. By listing the resources or conditions that require special care, you can match risk policies to user needs, without sacrificing the convenience of single sign-on. For example, you may want to step up security—after launching a single sign-on session—for applications that store new haute-couture designs. Or, you may want to ensure that anyone accessing applications from outside the office does so providing an additional form of authentication (e.g. one-time passcode, PKI smart card etc.).

Set up policies to demonstrate regulatory compliance

Need to ensure GDPR compliance? Or perhaps PCI DSS? By setting up a policy dedicated to that regulatory mandate, you will be able to easily meet compliance audits. A GDPR policy, for example, could include all the apps that store EU citizen data, the user groups that should have access to that information, and the user access controls you want to enforce. For example, you could require only a password within the office, while enforcing multi-factor security for anyone working remotely or anyone working as a temporary contractor.

Keep scalability in mind

Looking to add an additional app to your fashion arsenal? Keep in mind that protocols such as SAML and OpenID Connect will help you provide that convenient user single sign-on experience. If your prospective solution supports those standards, that will be one less obstacle to productivity and chic.
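The group, baseline, step-up and compliance tips above can be expressed as one policy evaluation. This is an added example, not the configuration format or code of any access management product: the app names, group-to-app assignments, office address range and factor names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed office address range; anything else counts as remote.
OFFICE_NETS = [ip_network("10.20.0.0/16")]

# Factor categories: MFA means at least two different categories.
FACTOR_TYPE = {"password": "knowledge", "otp_app": "possession",
               "pki_smartcard": "possession", "fingerprint": "inherence"}


@dataclass(frozen=True)
class Policy:
    name: str
    apps: frozenset            # applications the policy covers
    groups: frozenset          # user-store groups allowed to use them
    mfa_in_office: bool        # require MFA even on the office network
    mfa_remote: bool = True    # require MFA from anywhere else
    mfa_groups: frozenset = frozenset()  # groups that always need MFA


# Scoped policies (hypothetical): a step-up policy for the design store and
# a compliance policy for the apps holding EU citizen data.
POLICIES = [
    Policy("haute-couture-designs", frozenset({"cad-vault"}),
           frozenset({"Designers"}), mfa_in_office=True),
    Policy("gdpr", frozenset({"crm", "hr-portal"}),
           frozenset({"Marketing", "Finance", "Contractors"}),
           mfa_in_office=False, mfa_groups=frozenset({"Contractors"})),
]


def has_mfa(factors):
    """True when the session used factors from two or more categories."""
    return len({FACTOR_TYPE[f] for f in factors}) >= 2


def in_office(source_ip):
    addr = ip_address(source_ip)
    return any(addr in net for net in OFFICE_NETS)


def evaluate(groups, app, source_ip, factors, baseline="mfa"):
    """Return (decision, policy_name); decision is allow/step_up/deny.

    baseline is the global policy for apps with no scoped policy:
    "deny" refuses them, "mfa" grants access to an MFA-backed session.
    """
    groups = set(groups)
    for policy in POLICIES:
        if app not in policy.apps:
            continue
        if not groups & policy.groups:
            return ("deny", policy.name)   # user is in no allowed group
        needs_mfa = (policy.mfa_in_office if in_office(source_ip)
                     else policy.mfa_remote)
        needs_mfa = needs_mfa or bool(groups & policy.mfa_groups)
        if needs_mfa and not has_mfa(factors):
            return ("step_up", policy.name)
        return ("allow", policy.name)
    if baseline == "deny":
        return ("deny", "global")
    return ("allow" if has_mfa(factors) else "step_up", "global")


if __name__ == "__main__":
    requests = [  # constructed access requests
        ({"Designers"}, "cad-vault", "10.20.3.4", {"password"}),
        ({"Finance"}, "crm", "10.20.9.9", {"password"}),
        ({"Finance"}, "crm", "203.0.113.7", {"password"}),
        ({"Contractors"}, "crm", "10.20.9.9", {"password"}),
        ({"Sales"}, "wiki", "10.20.1.1", {"password", "otp_app"}),
    ]
    for groups, app, ip, factors in requests:
        print(sorted(groups), app, ip, sorted(factors),
              "->", evaluate(groups, app, ip, factors))
```

Returning the name of the policy that made each decision gives the access log the detail a compliance audit asks for.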

From outsourced workers to the most restricted and privileged personnel, the fashion industry can be assured that the seams of their cloud-based applications are as secure as their physical hems.

Ready to design secure, yet convenient access management for your enterprise? Start with your first stitches by downloading the Matching Risk Policies to User Needs Fact Sheet or register for free to watch our demo of SafeNet Trusted Access.

View the original article at Gemalto.com.

Bridging the digital divide with connected school buses

June 27th, 2018

It may be 2018, but millions of low-income American households with school-age children still don’t have access to a broadband internet connection. This preventable digital divide has created a “homework gap,” with students from low-income families often finding it difficult to complete their school assignments without a reliable and fast internet connection.

Equipping school buses with Wi-Fi is one way to help students achieve digital equity and enable them to more easily complete their homework in a timely manner. As Keith Krueger, the CEO of Consortium for School Networking (CoSN) notes, Wi-Fi can be used to transform school buses into study halls. “This is today’s civil right – ensuring that all students have access to equal educational opportunity in a digital world,” he says.

Indeed, connected school buses will enable students to access their PowerSchool or other learning management system (LMS) – while on the road – to check grades and school assignments, read class bulletins and email their teachers. Students can also access Google Classroom (or Google Docs) to view, edit and download/upload homework. In addition to providing broadband during the commute to and from school, connected school buses can benefit students traveling to extracurricular activities, such as sports events. Because missed study hours are often made up at home after practice or games, a Wi-Fi-equipped bus can help students get to sleep on time.

Since U.S. students spend approximately 520 million school days on buses each year, the idea of enabling connected school buses has caught the attention of numerous companies and organizations. For example, Google is working with educators to install Wi-Fi on buses across multiple school districts, including Caldwell County (North Carolina), Berkeley County (South Carolina) and the Deer Trail School District in Colorado. Ultimately, Google plans to provide service to 70 buses in 16 districts – primarily in rural areas where children often have long commutes and may lack high-speed broadband at home.

All aboard the Wi-Fi-enabled school bus

Wi-Fi-equipped school buses can also help bolster passenger safety by transmitting real-time data from a range of smart cameras, sensors and GPS units. According to Curbed, a number of school districts have begun embracing various forms of connected technology on buses, such as GPS units in Boston and RFID-enabled badges attached to student backpacks in Cincinnati. Nevertheless, Jennifer O’Neal Schiess, a principal at Bellwether Education Partners, emphasizes that in an era of Tesla and Uber, school bus technology has barely budged forward, with only a third of school districts tracking their vehicles using GPS. Moreover, Mega Bus and other touring coaches routinely offer free Wi-Fi for multiple devices, along with air conditioning and power plugs. It is clearly time for school buses to do the same. “Innovation that’s permeated the transportation world hasn’t [yet] permeated the educational world,” says Schiess.

In addition to helping to improve passenger security, parked smart school buses can double as mobile Wi-Fi hotspots – offering underserved communities reliable broadband access when the vehicle is not being used to transport students. Similarly, Wi-Fi on smart school buses can be used at local parks, or off-campus school-sponsored events such as fund-raising events in parking lots and community cultural events in open areas.

Creating rolling classrooms with the Ruckus M510 Access Point (AP)

Whether in the classroom or a rolling study hall, we believe a reliable wireless network that scales to accommodate an evolving digital learning environment is the cornerstone of a solid educational foundation. This is precisely why the Ruckus M510 Access Point (AP) is designed to provide mobile Wi-Fi with LTE backhaul, thereby enabling expanded coverage and redundancy for students on smart school buses in rural areas.

The Ruckus M510 AP also features 802.11ac Wave 2 with BeamFlex+ antennas – and supports 2×2:2 spatial streams along with MU-MIMO. This allows the M510 to deliver high coverage efficiency and sustained downlink throughput of up to 150 Mbps (when using the LTE backhaul). Moreover, the M510 AP can be centrally managed with other Ruckus APs, thereby simplifying operations and eliminating the need for a separate mobile hotspot management system.

Interested in learning more about how you can help bridge the digital divide by transforming school buses into rolling classrooms? Contact Net-Ctrl on 01473 281 211, email sales@net-ctrl.com or submit a contact form.

View the original release by Richard Nedwich at the Ruckus Room.

Ruckus SmartZone: The First Network Controller-Based System for Wired and Wireless

June 19th, 2018

Network complexity has significantly increased in recent years. Consequently, operators, managed service providers (MSPs) and large enterprises are finding it more challenging than ever to control network administrative costs.

To reduce overhead, these organisations are clamoring for an all-in-one solution that securely streamlines the control and management of multiple IT elements within the network. In addition, MSPs offering networking-as-a-service (NaaS) demand a solution that offers architectural flexibility and scalability to address heterogeneous, multi-tiered tenancy requirements, along with hybrid data, control and management topologies to support a myriad of service offerings.

These organisations also need a lineup of network business intelligence (BI) features, such as advanced reporting and detailed analytics, along with intuitive user interfaces (UIs) and custom data-rich dashboards with streaming (open) API support. In addition, operators require their own management tier, as well as administrative tiers for direct customers or multiple tiers of administration offered via downstream smaller MSPs.

Simplifying converged network management

Today, Ruckus is announcing the availability of SmartZone™ network controllers – newly enhanced versions of its SmartZone WLAN controllers – powered by the latest release of its SmartZoneOS software. SmartZone network controllers include physical and virtual appliances designed for operators, managed service providers and mid-to-large sized enterprises.

First introduced in 2015, SmartZoneOS-powered controllers combine scalability, tiered multi-tenancy, architectural flexibility and extensive APIs into a single centrally-managed console. These capabilities enable operators to implement complex, multi-tier and as-a-service business models using their own management applications.

They also allow organisations to manage subscriber data traffic on a massive scale and integrate traffic flows and network data into existing network architectures. SmartZone network controllers further enable enterprises to simplify network management through consolidation and use of built-in troubleshooting and analytics tools. SmartZone provides a multi-language user interface (UI) that powers a data-rich dashboard for health and traffic analytics and visual troubleshooting tools. It should be noted that SmartZone is deployed in thousands of enterprises – and in more than 200 service provider networks on five continents.

Enabling networking-as-a-service

The SmartZoneOS reduces the need for complex command line interface (CLI) gymnastics by providing open, well-documented RESTful application programming interfaces (APIs) that allow IT to easily invoke SmartZone functions and configurations, enabling error-free automation. In addition, streaming APIs help IT to monitor – in near real-time – the full array of Ruckus network data, statistics and alarms, thereby facilitating the easy creation of customised, information-dense dashboards and reports within their own applications.

Moreover, SmartZone network controllers simplify the creation of consistent network access policies across a wired and wireless network – with tailored firmware/software updates throughout the network to ensure trackable version control and accurate (version-specific) reporting. SmartZoneOS 5 includes an automated switch discovery feature and supports switch restoration to the last configuration point in time.

Additional SmartZone network controller features include:

  • Switch registration, authentication, backup and restore capabilities
  • Supports adaptive band balancing, load balancing, airtime fairness, hotspot and guest services, as well as capacity-based admission control
  • Supports hierarchical switch groups, network health monitoring, alarms and port status
  • Support for switch traffic statistics, LLDP neighbors, stand-alone and stacking
  • Rogue AP detection and mitigation, URL filtering, automated enhanced client security/DPSK, two-factor authentication and isolation white list
  • Easy PCI readiness and geo-redundancy capabilities
  • Data-plane flexibility for hybrid data routing topologies
  • Tunnel traffic routing to multiple third-party gateways
  • Service provider support for tiered SLA offerings
  • Multi-tiered tenancy architecture for segmented operating domains, admin boundaries and profile isolation

To recap, Ruckus’ new SmartZone network controllers – which support up to 450K devices – are an all-in-one solution for operators, managed service providers and mid-to-large sized enterprises seeking to simplify managing both wired and wireless networks through a single console – and offer networking-as-a-service that supports customisable tenant-view dashboards built from a comprehensive set of RESTful and streaming APIs.

View the original press release from Ruckus.

Ruckus Unleashed is now faster, stronger and easier

June 12th, 2018

Ruckus has rolled out their Zero Touch Mesh feature as part of the latest Ruckus Unleashed 200.6 update. The update enhances our pre-existing SmartMesh wireless meshing technology which is designed to dynamically create self-forming, self-healing mesh networks.

SmartMesh makes it simple to blanket every corner of your space with reliable Wi-Fi coverage – while eliminating the need for cumbersome radio planning and expensive cabling to every access point (AP). Now with Zero Touch Mesh, you can skip the mesh configuration priming process – as Mesh APs already installed in their permanent locations will auto-discover, auto-provision and auto-form a mesh network securely without priming. This means you can set up your entire Wi-Fi network in a few simple steps, whether using a mobile device or browser.

In fact, Ruckus recently hosted an Unleashed AP configuration competition during an event. All participating contestants successfully configured their respective APs in under two minutes. This puts into perspective the ease of installing Unleashed APs. With Zero Touch Mesh, the installation of an Unleashed network is dramatically simplified.

Unleashed networks can be easily managed by anyone – no expert IT staff required. You can manage Unleashed networks from anywhere in the world with the free Unleashed Mobile app. The app’s dashboard displays all the essential information about your network, while providing access to key administrative tasks and troubleshooting options.

Beyond Zero Touch Mesh, Unleashed 200.6 adds a slew of new features and enhancements to provide you with more robust control over your networks. For example, you can now define policies to restrict Wi-Fi speed for users at the application level. This is because application rate limiting and QoS traffic shaping rules can be created, along with application denial rules. Plus, all your end-point devices can be easily renamed, while your admin password can be easily reset within the Unleashed Setup Wizard.

Unleashed 200.6 also makes it easier for you to quickly troubleshoot wireless networks. With the Unleashed (browser) dashboard or mobile app, you can now precisely pinpoint technical issues, such as why the internet is down, why a specific device is unable to connect to Wi-Fi, or why an AP has rebooted.

Additional Unleashed 200.6 key features and enhancements include:

  • Expansion of the Unleashed AP portfolio with the: C110 (Wave 2 wall plate AP with built-in DOCSIS 3.0 cable modem), E510 (embedded Wave 2 outdoor AP with external BeamFlex+ antennas) and the T310 (entry-level Wave 2 outdoor AP with integrated BeamFlex+ omni or sector antennas).
  • Same WLAN support for multiple social media logins: Existing Social Media login methods (Facebook, Google, LinkedIn and Microsoft) can be used simultaneously on the same WLAN.
  • WeChat WLANs: New social media WLAN type – WeChat – is now available.
  • AP Ethernet port status: The web UI displays information on AP Ethernet port status, including link status and link speed.
  • Unleashed Multi-Site Manager (UMM) Connectivity: Enables connectivity from UMM to an Unleashed Master AP behind a NAT firewall. Unleashed will initiate an SSH tunnel when the “Enable management by Unleashed Multi-Site Manager” option is selected, allowing TR-069 protocol traffic to traverse the firewall.

View the original post at The Ruckus Room.

Gemalto launches virtualised network encryption platform

June 11th, 2018

Gemalto, the world leader in digital security, today announced the launch of a new virtualised network encryption platform, SafeNet Virtual Encryptor CV1000 as part of its continued investment to address the rapidly changing data security needs of organisations worldwide.

(Gemalto will host a webinar entitled “Network Encryption at the Flip of a Switch: Implementing Virtualised Network Encryption to Secure SD-WANs” on June 21st at 3pm Central European Time.)

Today, enterprises and service providers are increasingly using network functions virtualisation (NFV) and software-defined networking (SDN) technologies to design, deploy and manage their networks and cloud-based services. These software-based technologies give organisations cost and operational benefits because they move network functions from dedicated network encryption hardware appliances to virtual servers. However, these technologies can also present additional security challenges for protecting sensitive data that runs across these networks because of their virtualised architecture.

Leveraging the proven security and performance of the hardware-based SafeNet High-Speed Encryptor family, the SafeNet Virtual Encryptor CV1000 is a hardened virtual security appliance designed to secure data in motion across both software-defined wide area networks (SD-WAN) and traditional networks. Developed by Gemalto’s high-speed encryption partner, Senetas (ASX:SEN), the SafeNet Virtual Encryptor CV1000 can encrypt data in motion at data-rates up to 5 Gbps.

“More and more organisations are embracing the advantages of virtualised networks to deliver cost-effective scalability, flexibility and network management to the network edge. Consequently, network services require trusted virtualised encryption for optimum data security,” said Todd Moore, senior vice president of Encryption Products at Gemalto. “Gemalto’s launch of a virtualised network encryption platform redefines network data security by providing the crypto-agility required to ensure sensitive data and transmissions remain secure, regardless of network design.”

Transforming the network encryption market, SafeNet High-Speed Encryptors are the first to offer Transport Independent Mode, which enables organisations to encrypt data across mixed high-speed WAN links (Layers 2, 3 and 4). Organisations can now be assured that they are getting the best performance and secure encryption, regardless of the network layer. This feature is currently available for the SafeNet Virtual Encryptor CV1000, and will be available for the hardware-based SafeNet High-Speed Encryptors later this year.

“As organisations increasingly embrace cloud-based applications and their use of multiple network types from Ethernet to MPLS, Senetas and Gemalto are ahead of the curve in providing seamless concurrent multi-layer network traffic encryption to ensure the best in network security and performance available today,” said Andrew Wilson, CEO of Senetas.

Key Features and Benefits of the SafeNet Virtual Encryptor CV1000 include:

  • Virtualised Network Functionality reduces dependence on dedicated network encryption hardware appliances for both enterprises and network operators.
  • Reduced Cost of Ownership makes the SafeNet Virtual Encryptor CV1000 up to 10 times more affordable than hardware-based appliances.
  • Rapid Deployment and Scalability enables organisations to spin up a virtual machine to protect data across the network rather than having to physically deploy hardware at each end point.
  • Crypto-Agile Encryption Across All Network Layers with Transport Independent Mode, providing the ability to encrypt traffic across Layers 2, 3 and 4 with optimised performance and robust encryption, including support for custom algorithms.
  • Combined Encryption Key Management option integrates with SafeNet KeySecure for enhanced key lifecycle management.

Supporting Resources

View the original article by Gemalto.

Ruckus Launch R730 – The First IOT and LTE ready 802.11AX Access Point

July 18th, 2018

Ruckus Networks, an ARRIS company, today announced the Ruckus R730, the industry’s first IoT- and LTE-ready, 802.11ax wireless access point (AP). The high-capacity, 12 spatial-stream R730 works in concert with the new Ruckus Ultra-High Density Technology Suite to smoothly deliver high-resolution, latency-sensitive video in ultra-high density user environments such as stadiums, train stations and schools. In addition, the R730 complies with both the new WPA3™ security protocol and Wi-Fi™ Enhanced Open for more secure connections on public networks.

Worldwide data and video traffic is growing at double-digit rates, driven by an increase in connected devices. ABI Research predicts that Wi-Fi device shipments will grow to nearly 35 billion by 2022. Data and video traffic also will surge due to increased per-device data consumption driven by applications like 4K video streaming, virtual and augmented reality and live-stream gaming.

“Ruckus customers and partners demand more when it comes to their networks,” said Ian Whiting, president of Ruckus Networks. “We have a long history of delivering products and technologies that go beyond the current state-of-the-art to meet the world’s most demanding network requirements while driving down the cost-per-connection. Ruckus R730 and Ruckus Ultra-High Density Technology Suite are the latest examples.”

The congestion of people, devices and bandwidth-hungry apps makes for challenges that current wireless tech cannot handle. Adding to the complexity of this environment are diversifying device categories and apps, such as instant messaging, IoT control messages and voice-over-Wi-Fi.

“Real-world use cases are bumping up against the limits of existing Wi-Fi standards, and the need for 802.11ax to address a wide variety of heterogeneous, high-density scenarios is clear,” said Chris DePuy, founder and technology analyst at 650 Group. “Ruckus has already differentiated itself in the realm of network consolidation. With this launch, Ruckus is reinforcing that by setting the stage for converged Wi-Fi, IoT and LTE deployments.”

802.11ax: More connections and bandwidth, higher QoS

The new 802.11ax standard was designed for high-density connectivity, with the ability to support up to a four-fold capacity increase over its 802.11ac Wave 2 predecessor. With 802.11ax, multiple APs used in dense device environments are collectively able to deliver required quality-of-service (QoS) to more clients with more diverse usage profiles due to the use of orthogonal frequency-division multiple access (OFDMA) and multi-user multiple-in multiple-out (MU-MIMO) technologies.

Delivering expected service levels in ultra-high-density environments

Increased end-user expectations and application QoS requirements pose unique difficulties to network designers. Locations such as stadiums, public venues, train stations, and schools in which video content and applications are central to the curriculum, are representative examples. The R730, supporting eight spatial streams on 5 GHz and four spatial streams on 2.4 GHz, is better able to address those expectations through increased capacity, improved coverage and performance.

“Train stations are especially challenging Wi-Fi environments due to spikes in client count each time passengers exit a train,” said Tetsuo Mukai, general manager, KDDI. “We challenged Ruckus to help us improve the in-station experience for subscribers with devices that were already on the network when the train arrives, and Ruckus came back with a solution that dramatically reduced the impact of these transient client events on affected subscribers, minimizing throughput degradation and shortening recovery time.”

The Ruckus Ultra-High Density Technology Suite addresses these challenges using techniques that go beyond the 802.11ax standard, including:

  • Airtime decongestion—Increases average client throughput in heavily congested environments by using patent-pending techniques to reduce unnecessary management traffic.
  • Transient client management—Maintains throughput levels for priority clients in high transient-client environments such as rail stations by using patent-pending techniques to delay AP association with low-priority transient clients.
  • BeamFlex™+ antennas—Patented technology improves AP coverage and capacity by continuously optimizing antenna patterns on a per-device, per-packet basis.

“At Golden 1 Center, we’re committed to delivering the best fan experience in the industry. One of the ways we deliver value to our fans is to build a network that enables live streaming during the games. This is incredibly challenging to do in a venue like ours with as many live-streaming fans as we have,” said Ryan Montoya, chief technology officer, Sacramento Kings. “Ruckus was up to the challenge and demonstrated to us several innovative features that let us squeeze the most out of our available spectrum, ensuring no connections are dropped and that adequate bandwidth is available for anyone that wants to live-stream the game.”

Converging IoT access networks

The R730 includes embedded Bluetooth Low Energy (BLE) and Zigbee radios and can be augmented with Ruckus IoT modules to support additional physical layer protocols such as LoRa. Using the Ruckus IoT controller, these separate networks and the IoT endpoints associated with them can be managed, coordinated and connected to IoT cloud services as part of a single, converged IoT access network.

Preparing for private LTE

The R730 accommodates modular Ruckus OpenG™ LTE APs operating in the U.S. Citizens Broadband Radio Service (CBRS) 3.5 GHz band, enabling existing Wi-Fi APs to provide LTE service. Using modular or stand-alone LTE APs, organizations will be able to build their own private LTE networks to improve the quality of indoor cellular service within their facilities.

Making users safer at home, in the office and in public

The R730 will implement the next-generation WPA3 wireless security protocol and Wi-Fi Enhanced Open. Users with compatible devices will benefit from significant security enhancements, including:

  • Protection against brute-force dictionary attacks through use of a new key exchange protocol known as a simultaneous authentication of equals handshake.
  • Protection against traffic-sniffing attacks common to unauthenticated networks associated with public venues.

Getting the most out of your 802.11ax deployment

The 802.11ax standard and the R730 offer a step-function increase in over-the-air throughput. To make the best use of that new capacity, network designers need to optimize the wired access infrastructure to support it, while minimizing upgrade costs. Ruckus helps network designers by:

  • Offering two switches—the entry-level ICX 7150 Z-series and the ICX 7650—that meet the increased power-over-Ethernet (PoE) requirements of the R730;
  • Providing the access port capacity needed to support multi-gigabit throughput on the ICX 7650 Z-series—with up to 24 auto-sensing 1/2.5/5/10 gigabit Ethernet (GbE) ports—and the 100 gigabit-per-second (Gbps) uplink capacity required for ultra-high-density deployments;
  • Enabling them to replace APs without extensive network redesign by using the adaptive Wi-Fi cell sizing feature included in the Ultra-High-Density Technology Suite.

“Many of our customers have future-proofed their networks with the Ruckus ICX 7650 switches, in anticipation of the upcoming 802.11ax access points,” said Don Gulling, president and CEO of Verteks Consulting. “The launch of the R730 enables us to quickly get these APs into the hands of our customers that serve high-density Wi-Fi deployments such as stadiums, auditoriums and large public venues. These APs and switches will provide our customers with what they need to meet next-generation demands.”

Availability

The R730 will be generally available this calendar quarter. The Ultra-High Density Technology Suite is available now for use with all Ruckus APs.

View the original press release at ruckuswireless.com.

Johnson Controls Releases CEM Systems AC2000 v10

July 17th, 2018

Johnson Controls announces the release of CEM Systems AC2000 v10.0, which offers users a new modernised look and feel along with new features such as enhanced enterprise capabilities that increase the performance and scope of the AC2000 access control system suite from CEM Systems.

CEM Systems AC2000 v10.0 workstation client applications have been restyled with a modern, clean and intuitive interface. The restyle has focused on the user experience with improvements to all visual elements of the applications. Operators are now able to select their preferred theme (light or dark) to run their AC2000 Workstation Client applications in.

A major feature of AC2000 v10.0 is the enhancements to the AC2000 Enterprise offering for AC2000, AC2000 Lite and AC2000 Airport editions. The enhanced enterprise system provides superior centralized access control and monitoring capability where wide geographical distribution occurs, or where departmental or business unit separation is necessary. The new architecture improves device configuration, reporting, alarm processing and personnel management across multiple site locations.

A business or organization can scale its single site AC2000 access control system to a multi-site enterprise solution, while at the same time unifying policy requirements and reducing administrative and operational costs. Each business unit can be administered at a local and/or centralized level. Other features of AC2000 v10.0 include new visitor escort functionality to ensure visitors are not left unaccompanied around secured areas, and unrestricted AC2000 Authorization levels to reduce configuration times for users and user groups.

Building on the range of ID scanner integrations, AC2000 now offers a new interface to the SnapShell ID and passport scanner.

Find out more about the CEM Systems Access Control solution and contact our team on 01473 281 211, or submit a contact form.

View the original release by CEM Systems.

5 technologies that will help kill usernames and passwords

July 17th, 2018

We’ve all struggled to remember complicated username and password combinations when trying to access an online account. According to a Dashlane Inbox Scan study, the average user has at least 90 online accounts, and with every account comes a new password to remember. To make their digital life simpler, 89 per cent of people use the same one or two passwords for everything.

Managing several digital identities using usernames and passwords is not something our brains are wired to do. And it also presents a huge security threat – insecure passwords caused an estimated 80% of breaches, according to a 2017 report from Verizon.

No doubt, passwords aren’t the best authentication solution in the digital age. But how can digital technologies help us address this issue? With huge strides being made in digital authentication technologies, and biometrics, in particular, the end of the password could soon be a reality. Keep reading to find out which 5 technologies can help us kill passwords.

1. Physiologic Biometrics

In a previous post, we discussed how biometrics are already helping solve the all-important issue of a “unique identifier”, replacing the username/password combination, while keeping the user experience simple and secure at the same time.

Biometrics refers to the individual’s unique physiological characteristics such as facial recognition, fingerprint authentication, iris scan and DNA. It can be used to automatically identify and authenticate individuals, and such authentication methods have become the norm for accessing devices like smartphones, smart speakers and tablets. They’ve also been deployed by many eGovernment service providers and financial institutions and in other aspects of our lives including driving our cars or accessing our homes!

2. Behavioural Biometrics

Going forward, behavioural biometrics are becoming a very good alternative for secure authentication, when combined with other authentication methods. As described by IBIA, behavioural biometrics measure the unique patterns which characterize our daily activities. Yes, that’s right, the way we type, walk, our heartbeats, brain waves, and many others, can all be captured in a digital signature that is unique to the individual.

Technologies based on machine-learning algorithms can help build out a rich, multi-dimensional profile of each individual customer. Such technologies are currently used in law enforcement and border control and combined with context-based signals like geolocation, they provide a very personalised and silent authentication method.

3. Artificial Intelligence

Just as insurance companies use data to predict accidents, or retailers to figure out the optimal time to target consumers with a personalised promotion, user authentication could rely on similar data analytics. Machine learning can be used to collect a combination of patterns in data related to log-in times, locations and device footprints. The goal is to spot normal versus abnormal user behaviour and change access accordingly.

This will be based on the concept of adaptive authentication, by assigning a risk score and adjusting the level of access the user gets, based on the actions they are performing and the assurance level of the user’s authentication method.

This type of technology is in its early stages of development, although conversations around context-based and risk-based authentication have already become very popular.

4. Two-factor (2FA) or Multi-Factor Authentication

These systems have been in use for a while now, and end users have become accustomed to adding an extra layer of security for certain types of transactions. They rely on the user acknowledging control of a confirmed communication channel, such as an email address, a text message or an authentication app.

Several service providers, especially those in eGovernment, are using a text message sent to the number on record containing a one-time password (OTP) valid for one login session or transaction on a digital device. However, there are certain risks associated with using OTP, which is why it’s best that they are always used in combination with other forms of authentication like biometric authentication.

5. Mobile Identity

As we’ve discussed in a previous blog, with so many people using digital devices to communicate and access data, services and transact, the new challenge to ensure the success of this digital economy relies on knowing who you transact with.

Mobile trusted digital identities can be the answer as they provide the means to collect all end-user attributes and enable seamless authentication all through the mobile device. Mobile enables the combination of identity documents, physical and behavioural biometrics and user information such as geolocation, device numbers and other attributes.

While everyone is talking about how we should kill passwords, the fact is the average person has at least 90 online accounts associated with their email address and uses the same password to access them, and that number is growing every year.

Usernames and passwords will continue to be used for authentication in 2018, but the widespread adoption of scalable technologies will help eliminate this hassle over the coming years. End-user adoption of biometric technologies will drive the movement towards seamless and convenient digital experiences while reinforcing security and privacy.

New UK NCSC Guidelines Urge Use of Multi-Factor Authentication and Single Sign-On Solutions

July 10th, 2018

A couple of weeks ago, the UK National Cyber Security Centre, a part of the British intelligence and security organization GCHQ, published guidelines for enterprise information security leaders on how they can implement multi-factor authentication to thwart breaches and unauthorized access to online accounts. The guidelines cover both consumer authentication to online services, such as banking and retail sites, as well as employee authentication, such as when accessing enterprise VPNs and cloud-based apps.

The guidelines are timely with marketing and data aggregation firm, Exactis, making the headlines for failing to secure a database with 340 million records of American adults and businesses that include “phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person’s children.” In response to the deluge of personal information compromised, some are calling for stricter regulations around privacy in the US, comparable to those required by GDPR, which requires users to provide their explicit consent to online services to collect this type of data.

So what does the UK National Cyber Security Centre (UK NCSC) advise IT leaders and administrators to do? We’ve recapped the main points below.

Consider Multi-Factor Authentication an Enterprise Essential

Traditionally, passwords were used to authenticate users to a single all-encompassing entry point in the form of access to the enterprise network.

Since enterprises today use a large number of cloud-based applications and virtual private networks to enable collaboration and remote work arrangements, the enterprise firewall no longer provides sufficient protection.

In effect, all access becomes remote access – in the cloud or remotely to on-premises resources. In either case, authentication becomes the central ‘decision point’ for granting or denying access to a user – be they legitimate or a hacker.

The problem with relying on passwords is that they are famously inadequate for protecting against leaked user databases, phishing attacks and password spraying. This is where multi-factor authentication, or MFA, comes into the picture.

When to Use Multi-Factor Authentication

Due to social engineering, e.g. phishing, and machine-guessable passwords, organizations are advised to:

  • Choose cloud and web services that offer MFA, and be wary of the risk of using web services that offer only single-factor authentication
  • Apply MFA for all web and cloud-based resources
  • Secure IT administrator accounts with MFA

Common Implementations of Multi-Factor Authentication

What are some common, effective implementations of MFA?

  • Remember me on this device – Device fingerprinting is used by many services such as Google and LinkedIn as an additional authentication factor. Logins from an unregistered device could prompt the user for additional authentication.
  • Requiring MFA at every access attempt – Most applicable to high-impact services, such as webmail and online banking accounts.
  • Stepping up authentication during high-risk activities – For example when transferring money online or changing a password.
  • Stepping up authentication based on high-risk behaviours – Such as logging in from an unusual geographic location.
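
The four implementations listed above can be expressed as one access-policy check. The following is an added example, not code from the NCSC guidance or from Gemalto; the service names, action names and data structures are assumptions made for illustration. It decides whether a request may proceed or must first pass a second factor, and records every decision for later review.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy data: these service and action names are assumptions
# for this example, chosen to mirror the examples given in the list above.
HIGH_IMPACT_SERVICES = {"webmail", "online-banking"}
HIGH_RISK_ACTIONS = {"transfer_money", "change_password"}

ALLOW = "allow"
REQUIRE_MFA = "require_mfa"


@dataclass
class UserProfile:
    """Per-user state the policy needs (hypothetical structure)."""
    registered_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)


@dataclass
class AccessRequest:
    user: str
    service: str
    action: str                           # e.g. "login", "change_password"
    device_id: str                        # opaque device fingerprint
    country: str                          # coarse location of the source address
    second_factor_verified: bool = False  # True once the MFA challenge passed
    remember_device: bool = False         # "remember me on this device" ticked


AUDIT_LOG = []  # stand-in for an append-only log store


def mfa_triggers(req, profile):
    """Return the reasons, if any, why this request needs a second factor."""
    reasons = []
    if req.service in HIGH_IMPACT_SERVICES:
        reasons.append("high-impact service")   # MFA at every access attempt
    if req.action in HIGH_RISK_ACTIONS:
        reasons.append("high-risk activity")    # step-up on sensitive actions
    if req.device_id not in profile.registered_devices:
        reasons.append("unregistered device")   # device was never remembered
    if req.country not in profile.usual_countries:
        reasons.append("unusual location")      # step-up on risky behaviour
    return reasons


def evaluate(req, profile):
    """Decide ALLOW or REQUIRE_MFA and log the outcome either way."""
    reasons = mfa_triggers(req, profile)
    if reasons and not req.second_factor_verified:
        decision = REQUIRE_MFA
    else:
        decision = ALLOW
        # Only a device that has just passed MFA may be remembered.
        if req.second_factor_verified and req.remember_device:
            profile.registered_devices.add(req.device_id)
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": req.user,
        "service": req.service,
        "action": req.action,
        "device_id": req.device_id,
        "country": req.country,
        "decision": decision,
        "reasons": reasons,
    })
    return decision, reasons


if __name__ == "__main__":
    alice = UserProfile(registered_devices={"dev-1"}, usual_countries={"GB"})
    samples = [  # constructed sample requests
        AccessRequest("alice", "wiki", "login", "dev-1", "GB"),
        AccessRequest("alice", "webmail", "login", "dev-1", "GB"),
        AccessRequest("alice", "wiki", "login", "dev-9", "FR"),
    ]
    for sample in samples:
        print(sample.service, sample.device_id, evaluate(sample, alice))
```

A device is only added to the remembered set in the same request that carries a verified second factor, so ticking "remember me" on its own never bypasses the challenge.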

Common Authentication Factors

Regardless of the type of device being used, UK NCSC recommends implementing Single Sign-On to provide a smooth experience for end-users. Single Sign-On solutions eliminate the need to re-authenticate separately to each application, enabling users to access all their apps after logging in just once. Where SSO is unavailable or costly to implement, such as on mobile devices, a solution providing a good UX should once again be preferred.

So what are the authentication factors available to secure access to enterprise or consumer resources? The UK NCSC mentions these:

  • Managed devices – These could be protected using digital PKI certificates, or an embedded secure element that cannot be removed, among others. Additionally, IT leaders can choose to enable access to resources only when that access originates from the enterprise network or VPN.
  • Using mobile-as-a-token – This includes one-time passcode apps (OTP apps) generating OTPs as well as single-tap push authentication.
  • Hardware tokens – These include FIDO tokens, PKI Smart cards with PIN-protection (require a PIN to unlock the smart card and authenticate), OTP key fobs, chip-and-pin (EMV) card readers used in banking and backup codes designed for use as a default when the usual 2nd factor is not available.
  • Out-of-band – This includes out-of-band delivery of a one-time passcode via email, SMS text messages and phone calls.

Other recommendations for the successful implementation of MFA include the logging and reporting of failed and successful access attempts—functionality which is key to post-event forensics and demonstrating compliance. The UK NCSC also advises deploying user self-service portals, to let users report or resolve numerous issues on their own.

Looking to revamp your Identity and Access Management strategy? Learn about Gemalto’s identity-as-a-service or join a 30-minute live demo webinar of SafeNet Trusted Access. Alternatively, call the Net-Ctrl team on 01473 281 211, or submit a contact form.

View the original article at Gemalto.com.

Is the CIA protecting the World Cup in Russia?

July 5th, 2018


The 2018 FIFA World Cup is expected to be the largest yet, with fans from all over the world watching. When it comes to TV audiences, the games are expected to be watched by 3.4 billion fans from 200 countries, which is nearly half the total world population. Not only is the World Cup available to view worldwide through a variety of broadcasting platforms, but smart technologies are now increasingly used by the fans to watch the games and interact with their favourite players. In fact, a survey by GlobalWebIndex found that 47% of the online population plans to watch the games online, and a quarter of millennials have declared they’d follow the tournament on their smartphone or tablet.

And if this doesn’t give you enough hint about the scale of the event, here are some more numbers:

  • 12 hosting stadiums requiring good IT infrastructures
  • More than 5,000 media representatives present at the games
  • 36 participating teams, 736 players and 99 referees
  • 17,040 people from 112 countries in the volunteer team

High profile sporting events like the FIFA 2018 World Cup could provide many opportunities for hackers to target not just consumers and their smart devices, but also stadiums’ infrastructure, such as grid power and lighting among others. Cyber criminals often use these large gatherings of people and technology to steal personal information or harvest users’ credentials for financial gain, among other malicious activities.

Digital threats likely to be seen at the World Cup

While attacks at previous major sporting events have focused on ticket scams, and availability of IT services and personal data, there are now more substantial cyber threats to stadium operations, infrastructure, broadcasting and participants and visitors to the games. For example, the 2012 London Summer Games were hit by a DDoS attack on broadcast operations and power systems seeking to limit viewer access to live broadcasts; fortunately, it had limited success. In response to similar threats, the South Korean government and Pyeongchang organising committee invested around £850,000 into cybersecurity measures for the 2018 Winter Games.

Individuals taking part in the matches, either organisers or fans, could become targets to hackers in various ways. The most popular scams could include spam emails about winning tickets in the FIFA lottery and fake websites. Hackers could also create duplicates of bank websites and popular tourist sites, such as Booking.com and Airbnb, and use them to gain access to the users’ banking information. Below, we’ve listed a few of the most common ways in which the personal details, devices and services availability for all present at the football games could be compromised:

Protecting the World Cup: the CIA pillars for digital security

In order for organisers of such sports events to protect everyone involved, they need to rely on cybersecurity strategies that protect the three main pillars that underpin connected devices and services: Confidentiality, Integrity and Availability (CIA). This means that connected devices and the services associated with them should factor in:

  • Confidentiality: ensuring that devices, systems or data are not accessed by unauthorised parties
  • Integrity: ensuring that no data can be manipulated or tampered with
  • Availability: ensuring that attendees can connect whenever, and to whoever, they need to

The table below illustrates how the 3 CIA pillars reflect the World Cup digital environment, including different threats that can be associated with each of those.

Ensuring Confidentiality, Integrity and Availability

Major sporting events like the 2018 FIFA World Cup require months of preparation that include evaluation of risks and mitigation based on different scenarios.

Simple measures for fans and visitors such as switching off the Wi-Fi and Bluetooth connections of devices when not in use, using a credit card to pay for online goods and services, updating the software of devices, and using strong PINs and passwords can all help.

But here are a few security principles that organizers of major sports events should always follow to ensure confidentiality, integrity and availability:

  • Create strong IDs for connected devices and services – ensuring Trusted Digital Identities could be a good way forward
  • Encrypt sensitive data at all stages as it moves from devices, gateways or cloud servers. This will protect against data tampering or data theft.
  • Implement strong authentication processes, to securely store credentials and ensure only authorized individuals, entities or devices have access to sensitive data and services
  • Ensure remote software and security update capabilities, with access credential management. This will ensure the best performance for connected devices, and make it possible to block access to devices or services, or to return them to a safe security status, whenever a threat is identified.
  • Create redundant systems and databases for recovery in disaster scenarios
  • Install monitoring and intrusion prevention systems to detect anomalies and be alerted before issues arise

Increased connectivity, both among the public and global infrastructures, makes the 2018 World Cup a prime target for digital threats. Luckily, now going into its final stages, one of the most significant global sports events hasn’t been hit by major cyberattacks. But these last couple of weeks are also the most important ones for all parties involved, therefore digital security prevails at all costs.

If you would like to speak to someone about your security measures, please submit a form through our Contact Page, or call the team on 01473 281 211.

Read the original blog post at Gemalto.com.

When Prince Harry Met Access Management

June 29th, 2018

With the wedding of Harry and Meghan behind us, the media is engaging viewers with other world events and we are back to our day to day lives. While security professionals are busy preventing enterprise identity theft vulnerabilities and cybercriminals are on the lookout for their next credential heist, the rest have put Buckingham Palace on the back burner. What is the connection?

Take a moment to think about the logistics surrounding the wedding on May 19, 2018: Thousands of reporters were present, and yet many details were not announced until days before – or even the actual day of the wedding, with particular protection around the secrets about Meghan’s dress, manufacturer and designer.

It turns out that the dress was designed by Givenchy, a brand that Duchess Markle had been a fan of for many years. Apparently, part of the secret of keeping the dress a surprise involved two small teams who signed nondisclosure agreements and then undertook their activities at private workspaces in Paris and in London. Miraculously, the secret dress stayed under wraps until the actual day of the wedding.


Sample Confidential Wedding Dress Policy in Access Management Solution

Web access management for secure collaboration?

Were the email messages sent and received by the designers and garment workers encrypted? Which employees of Givenchy had access to which applications and which credentials did they need to access the designs? Were the nondisclosure agreements signed physically or digitally; were they authenticated and stored over the internet? Which Royal Family staff and Givenchy personnel had access to the mockups and revisions?

Hard to confine digital data

While the interworking of Givenchy and the Royal Family network will remain privileged, it seems that part of the reason for the success of the secret was that the work was confined to locations which were secured physically. However, this is not always possible while working on designs of a global nature. Industries today no longer work in physical isolation. Their work environment has become increasingly complex due to the globalisation of markets, the distance between industrial partners and suppliers, and co-design methodologies involving remote workers.

Cloud-based collaboration requires identity and access management

What’s more, the fashion industry and other global enterprises often collaborate on Computer Aided Design (CAD) software alongside cloud-based applications, such as Box, Dropbox, Adobe Creative Suite and Office 365. These are just some of the applications that can help organizations transfer large files, exchange email and even work simultaneously on the same online platform. In addition, enterprises require reports that provide visibility into login attempts into their ecosystem. An identity and access management solution as a service (IDaaS) can help fashion enterprises or governmental institutions ensure that only the right person receives the right information at the right time, without endangering the enterprise or its end customers.

Access Management Fashionable

The following are tips for a fashion company seeking to establish an access management strategy to suit working within and across diverse locations with multiple providers, suppliers and privileged staff:

Tidy up your groups

Make sure that your user groups are neatly defined in your Active Directory or other user store. This will make it easy to set up group-based policies. For example, designers should be associated with the designers group, and likewise for Marketing, Finance, Sales, etc.

Establish a single sign-on baseline, aka a global policy

Depending on your security concerns, you may want to have a high or low-security threshold for launching a single sign-on session. You may want to deny all access by default, or alternatively, grant access on the condition that users launch an SSO session after performing strong multi-factor authentication.

Determine which scenarios or resources require extra security

Not all apps require the same level of security. By listing the resources or conditions that require special care, you can match risk policies to user needs, without sacrificing the convenience of single sign-on. For example, you may want to step up security—after launching a single sign-on session—for applications that store new haute-couture designs. Or, you may want to ensure that anyone accessing applications from outside the office does so providing an additional form of authentication (e.g. one-time passcode, PKI smart card etc.).

Set up policies to demonstrate regulatory compliance

Need to ensure GDPR compliance? Or perhaps PCI DSS? By setting up a policy dedicated to that regulatory mandate, you will be able to easily meet compliance audits. A GDPR policy, for example, could include all the apps that store EU citizen data, the user groups that should have access to that information, and the user access controls you want to enforce. For example, you could require only a password within the office, while enforcing multi-factor security for anyone working remotely or anyone working as a temporary contractor.

Keep scalability in mind

Looking to add an additional app to your fashion arsenal? Keep in mind that protocols such as SAML and OpenID Connect will help you provide that convenient user single sign-on experience. If your prospective solution supports those standards, that will be one less obstacle to productivity and chic.
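The tips above can be expressed as a small policy evaluator. This is an added example, not code from the original article or from any access management product: it combines a deny-by-default global policy, group-based policies, and step-up authentication for sensitive apps, remote users and contractors. The app names, group names and the rule that the strictest covering policy wins are assumptions made for the illustration.

```python
from dataclasses import dataclass

PASSWORD, MFA = 1, 2  # authentication strength, weakest to strongest


@dataclass(frozen=True)
class Policy:
    name: str
    apps: frozenset              # applications this policy covers
    groups: frozenset            # directory groups allowed to use them
    office_level: int            # strength required inside the office
    remote_level: int = MFA      # strength required outside the office
    contractor_level: int = MFA  # strength required for temporary contractors


@dataclass(frozen=True)
class Request:
    groups: frozenset            # the user's groups from the user store
    app: str
    in_office: bool
    auth_level: int = PASSWORD   # strength already proven in this SSO session
    contractor: bool = False


# Constructed sample policies; app and group names are illustrative only.
POLICIES = (
    # New designs always need a second factor, even inside the office.
    Policy("haute-couture", frozenset({"design-vault"}),
           frozenset({"designers"}), office_level=MFA),
    # Apps holding EU citizen data: password in the office, MFA otherwise.
    Policy("gdpr", frozenset({"crm"}),
           frozenset({"marketing", "sales"}), office_level=PASSWORD),
    Policy("collaboration", frozenset({"office365"}),
           frozenset({"designers", "marketing", "finance", "sales"}),
           office_level=PASSWORD),
)


def required_level(policy, req):
    """Strength this policy demands for this request's context."""
    level = policy.office_level if req.in_office else policy.remote_level
    if req.contractor:
        level = max(level, policy.contractor_level)
    return level


def evaluate(req, policies=POLICIES):
    """Return (decision, policy_name); decision is allow, step_up or deny."""
    covering = [p for p in policies if req.app in p.apps]
    if not covering:
        return ("deny", "global-default")  # deny-by-default baseline
    strictest = None
    for p in covering:
        if not req.groups & p.groups:
            return ("deny", p.name)        # user is in none of the allowed groups
        if (strictest is None
                or required_level(p, req) > required_level(strictest, req)):
            strictest = p
    if req.auth_level >= required_level(strictest, req):
        return ("allow", strictest.name)
    return ("step_up", strictest.name)     # prompt for OTP, smart card, etc.
```

A `step_up` result means the existing single sign-on session is kept and the user is asked for an additional factor before the app is opened.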

From outsourced workers to the most restricted and privileged personnel, the fashion industry can be assured that the seams of their cloud-based applications are as secure as their physical hems.

Ready to design secure, yet convenient access management for your enterprise? Start with your first stitches by downloading the Matching Risk Policies to User Needs Fact Sheet or register for free to watch our demo of SafeNet Trusted Access.

View the original article at Gemalto.com.

Bridging the digital divide with connected school buses

June 27th, 2018

It may be 2018, but millions of low-income American households with school-age children still don’t have access to a broadband internet connection. This preventable digital divide has created a “homework gap,” with students from low-income families often finding it difficult to complete their school assignments without a reliable and fast internet connection.

Equipping school buses with Wi-Fi is one way to help students achieve digital equity and enable them to more easily complete their homework in a timely manner. As Keith Krueger, the CEO of Consortium for School Networking (CoSN) notes, Wi-Fi can be used to transform school buses into study halls. “This is today’s civil right – ensuring that all students have access to equal educational opportunity in a digital world,” he says.

Indeed, connected school buses will enable students to access their PowerSchool or other learning management system (LMS) – while on the road – to check grades and school assignments, read class bulletins and email their teachers. Students can also access Google Classroom (or Google Docs) to view, edit and download/upload homework. In addition to providing broadband during the commute to and from school, connected school buses can benefit students traveling to extracurricular activities, such as sports events. Because missed study hours are often made up at home after practice or games, a Wi-Fi-equipped bus can help students get to sleep on time.

Since U.S. students spend approximately 520 million school days on buses each year, the idea of enabling connected school buses has caught the attention of numerous companies and organizations. For example, Google is working with educators to install Wi-Fi on buses across multiple school districts, including Caldwell County (North Carolina), Berkeley County (South Carolina) and the Deer Trail School District in Colorado. Ultimately, Google plans to provide service to 70 buses in 16 districts – primarily in rural areas where children often have long commutes and may lack high-speed broadband at home.

All aboard the Wi-Fi-enabled school bus

Wi-Fi-equipped school buses can also help bolster passenger safety by transmitting real-time data from a range of smart cameras, sensors and GPS units. According to Curbed, a number of school districts have begun embracing various forms of connected technology on buses, such as GPS units in Boston and RFID-enabled badges attached to student backpacks in Cincinnati. Nevertheless, Jennifer O’Neal Schiess, a principal at Bellwether Education Partners, emphasizes that in an era of Tesla and Uber, school bus technology has barely budged forward, with only a third of school districts tracking their vehicles using GPS. Moreover, Mega Bus and other touring coaches routinely offer free Wi-Fi for multiple devices, along with air conditioning and power plugs. It is clearly time for school buses to do the same. “Innovation that’s permeated the transportation world hasn’t [yet] permeated the educational world,” says Schiess.

In addition to helping to improve passenger security, parked smart school buses can double as mobile Wi-Fi hotspots – offering underserved communities reliable broadband access when the vehicle is not being used to transport students. Similarly, Wi-Fi on smart school buses can be used at local parks, or off-campus school-sponsored events such as fund-raising events in parking lots and community cultural events in open areas.

Creating rolling classrooms with the Ruckus M510 Access Point (AP)

Whether in the classroom or a rolling study hall, we believe a reliable wireless network that scales to accommodate an evolving digital learning environment is the cornerstone of a solid educational foundation. This is precisely why the Ruckus M510 Access Point (AP) is designed to provide mobile Wi-Fi with LTE backhaul, thereby enabling expanded coverage and redundancy for students on smart school buses in rural areas.

The Ruckus M510 AP also features 802.11ac Wave 2 with BeamFlex+ antennas – and supports 2×2:2 spatial streams along with MU-MIMO. This allows the M510 to deliver high coverage efficiency and sustained downlink throughput of up to 150 Mbps (when using the LTE backhaul). Moreover, the M510 AP can be centrally managed with other Ruckus APs, thereby simplifying operations and eliminating the need for a separate mobile hotspot management system.

Interested in learning more about how you can help bridge the digital divide by transforming school buses into rolling classrooms? Contact Net-Ctrl on 01473 281 211, email sales@net-ctrl.com or submit a contact form.

View the original release by Richard Nedwich at the Ruckus Room.

Ruckus SmartZone: The First Network Controller-Based System for Wired and Wireless

June 19th, 2018

Network complexity has significantly increased in recent years. Consequently, operators, managed service providers (MSPs) and large enterprises are finding it more challenging than ever to control network administrative costs.

To reduce overhead, these organisations are clamoring for an all-in-one solution that securely streamlines the control and management of multiple IT elements within the network. In addition, MSPs offering networking-as-a-service (NaaS) demand a solution that offers architectural flexibility and scalability to address heterogeneous, multi-tiered tenancy requirements, along with hybrid data, control and management topologies to support a myriad of service offerings.

These organisations also need a lineup of network business intelligence (BI) features, such as advanced reporting and detailed analytics, along with intuitive user interfaces (UIs) and custom data-rich dashboards with streaming (open) API support. In addition, operators require their own management tier, as well as administrative tiers for direct customers or multiple tiers of administration offered via downstream smaller MSPs.

Simplifying converged network management

Today, Ruckus is announcing the availability of SmartZone™ network controllers – newly enhanced versions of its SmartZone WLAN controllers – powered by the latest release of its SmartZoneOS software. SmartZone network controllers include physical and virtual appliances designed for operators, managed service providers and mid-to-large sized enterprises.

First introduced in 2015, SmartZoneOS-powered controllers combine scalability, tiered multi-tenancy, architectural flexibility and extensive APIs into a single centrally-managed console. These capabilities enable operators to implement complex, multi-tier and as-a-service business models using their own management applications.

They also allow organisations to manage subscriber data traffic on a massive scale and integrate traffic flows and network data into existing network architectures. SmartZone network controllers further enable enterprises to simplify network management through consolidation and use of built-in troubleshooting and analytics tools. SmartZone provides a multi-language user interface (UI) that powers a data-rich dashboard for health and traffic analytics and visual troubleshooting tools. It should be noted that SmartZone is deployed in thousands of enterprises – and in more than 200 service provider networks on five continents.

Enabling networking-as-a-service

The SmartZoneOS reduces the need for complex command line interface (CLI) gymnastics by providing open, well-documented RESTful application programming interfaces (APIs) that allow IT to easily invoke SmartZone functions and configurations, enabling error-free automation. In addition, streaming APIs help IT to monitor – in near real-time – the full array of Ruckus network data, statistics and alarms, thereby facilitating the easy creation of customised, information-dense dashboards and reports within their own applications.

Moreover, SmartZone network controllers simplify the creation of consistent network access policies across a wired and wireless network – with tailored firmware/software updates throughout the network to ensure trackable version control and accurate (version-specific) reporting. SmartZoneOS 5 includes an automated switch discovery feature and supports switch restoration to the last configuration point in time.

Additional SmartZone network controller features include:

  • Switch registration, authentication, backup and restore capabilities
  • Supports adaptive band balancing, load balancing, airtime fairness, hotspot and guest services, as well as capacity-based admission control
  • Supports hierarchical switch groups, network health monitoring, alarms and port status
  • Support for switch traffic statistics, LLDP neighbors, stand-alone and stacking
  • Rogue AP detection and mitigation, URL filtering, automated enhanced client security/DPSK, two-factor authentication and isolation white list
  • Easy PCI readiness and geo-redundancy capabilities
  • Data-plane flexibility for hybrid data routing topologies
  • Tunnel traffic routing to multiple third-party gateways
  • Service provider support for tiered SLA offerings
  • Multi-tiered tenancy architecture for segmented operating domains, admin boundaries and profile isolation

To recap, Ruckus’ new SmartZone network controllers – which support up to 450K devices – are an all-in-one solution for operators, managed service providers and mid-to-large sized enterprises seeking to simplify managing both wired and wireless networks through a single console – and offer networking-as-a-service that supports customisable tenant-view dashboards built from a comprehensive set of RESTful and streaming APIs.

View the original press release from Ruckus.

Ruckus Unleashed is now faster, stronger and easier

June 12th, 2018

Ruckus has rolled out their Zero Touch Mesh feature as part of the latest Ruckus Unleashed 200.6 update. The update enhances our pre-existing SmartMesh wireless meshing technology which is designed to dynamically create self-forming, self-healing mesh networks.

SmartMesh makes it simple to blanket every corner of your space with reliable Wi-Fi coverage – while eliminating the need for cumbersome radio planning and expensive cabling to every access point (AP). Now with Zero Touch Mesh, you can skip the mesh configuration priming process – as Mesh APs already installed in their permanent locations will auto-discover, auto-provision and auto-form a mesh network securely without priming. This means you can set up your entire Wi-Fi network in a few simple steps, whether using a mobile device or browser.

In fact, Ruckus recently hosted an Unleashed AP configuration competition during an event. All participating contestants successfully configured their respective APs in under two minutes. This puts into perspective the ease of installing Unleashed APs. With Zero Touch Mesh, the installation of an Unleashed network is dramatically simplified.

Unleashed networks can be easily managed by anyone – no expert IT staff required. You can manage Unleashed networks from anywhere in the world with the free Unleashed Mobile app. The app’s dashboard displays all the essential information about your network, while providing access to key administrative tasks and troubleshooting options.

Beyond Zero Touch Mesh, Unleashed 200.6 adds a slew of new features and enhancements to provide you with more robust control over your networks. For example, you can now define policies to restrict Wi-Fi speed for users at the application level. This is because application rate limiting and QoS traffic shaping rules can be created, along with application denial rules. Plus, all your end-point devices can be easily renamed, while your admin password can be easily reset within the Unleashed Setup Wizard.

Unleashed 200.6 also makes it easier for you to quickly troubleshoot wireless networks. With the Unleashed (browser) dashboard or mobile app, you can now precisely pinpoint technical issues, such as why the internet is down, why a specific device is unable to connect to Wi-Fi, or why an AP has rebooted.

Additional Unleashed 200.6 key features and enhancements include:

  • Expansion of the Unleashed AP portfolio with the C110 (Wave 2 wall plate AP with built-in DOCSIS 3.0 cable modem), E510 (embedded Wave 2 outdoor AP with external BeamFlex+ antennas) and the T310 (entry-level Wave 2 outdoor AP with integrated BeamFlex+ omni or sector antennas).
  • Same WLAN support for multiple social media logins: Existing Social Media login methods (Facebook, Google, LinkedIn and Microsoft) can be used simultaneously on the same WLAN.
  • WeChat WLANs: New social media WLAN type – WeChat – is now available.
  • AP Ethernet port status: The web UI displays information on AP Ethernet port status, including link status and link speed.
  • Unleashed Multi-Site Manager (UMM) Connectivity: Enables connectivity from UMM to an Unleashed Master AP behind a NAT firewall. Unleashed will initiate an SSH tunnel when the “Enable management by Unleashed Multi-Site Manager” option is selected, allowing TR-069 protocol traffic to traverse the firewall.

View the original post at The Ruckus Room.

Gemalto launches virtualised network encryption platform

June 11th, 2018

Gemalto, the world leader in digital security, today announced the launch of a new virtualised network encryption platform, SafeNet Virtual Encryptor CV1000 as part of its continued investment to address the rapidly changing data security needs of organisations worldwide.

(Gemalto will host a webinar entitled, “Network Encryption at the Flip of a Switch: Implementing Virtualised Network Encryption to Secure SD-WANs”, on June 21st at 3pm Central European Time.)

Today, enterprises and service providers are increasingly using network functions virtualisation (NFV) and software-defined networking (SDN) technologies to design, deploy and manage their networks and cloud-based services. These software-based technologies give organisations cost and operational benefits because they move network functions from dedicated network encryption hardware appliances to virtual servers. However, these technologies can also present additional security challenges for protecting sensitive data that runs across these networks because of their virtualised architecture.

Leveraging the proven security and performance of the hardware-based SafeNet High-Speed Encryptor family, the SafeNet Virtual Encryptor CV1000 is a hardened virtual security appliance designed to secure data in motion across both software-defined wide area networks (SD-WAN) and traditional networks. Developed by Gemalto’s high-speed encryption partner, Senetas (ASX:SEN), the SafeNet Virtual Encryptor CV1000 can encrypt data in motion at data-rates up to 5 Gbps.

“More and more organisations are embracing the advantages of virtualised networks to deliver cost-effective scalability, flexibility and network management to the network edge. Consequently, network services require trusted virtualised encryption for optimum data security,” said Todd Moore, senior vice president of Encryption Products at Gemalto. “Gemalto’s launch of a virtualised network encryption platform redefines network data security by providing the crypto-agility required to ensure sensitive data and transmissions remain secure, regardless of network design.”

Transforming the network encryption market, SafeNet High-Speed Encryptors are the first to offer Transport Independent Mode, which enables organisations to encrypt data across mixed high-speed WAN links (Layers 2, 3 and 4). Organisations can now be assured that they are getting the best performance and secure encryption, regardless of the network layer. This feature is currently available for the SafeNet Virtual Encryptor CV1000, and will be available for the hardware-based SafeNet High-Speed Encryptors later this year.

“As organisations increasingly embrace cloud-based applications and their use of multiple network types from Ethernet to MPLS, Senetas and Gemalto are ahead of the curve in providing seamless concurrent multi-layer network traffic encryption to ensure the best in network security and performance available today,” said Andrew Wilson, CEO of Senetas.

Key Features and Benefits of the SafeNet Virtual Encryptor CV1000 include:

  • Virtualised Network Functionality reduces dependence on dedicated network encryption hardware appliances for both enterprises and network operators.
  • Reduced Cost of Ownership makes the SafeNet Virtual Encryptor CV1000 up to 10 times more affordable than hardware-based appliances.
  • Rapid Deployment and Scalability enables organisations to spin up a virtual machine to protect data across the network rather than having to physically deploy hardware at each end point.
  • Crypto-Agile Encryption Across All Network Layers with Transport Independent Mode, providing the ability to encrypt traffic across Layers 2, 3 and 4 with optimised performance and robust encryption, including support for custom algorithms.
  • Combined Encryption Key Management option, integrates with SafeNet KeySecure for enhanced key lifecycle management.

View the original article by Gemalto.