Paul Saer, Jun 11, 2018, 12 min read

Identity and Access Management - How to stop your users taking you to the data apocalypse: part 1

This week, Core is presenting on behalf of One Identity at IDM Whitehall, and I thought it would be fitting for this week’s blog, the latest in my Identity and Access Management series, to focus on the content of that seminar: identity hacking and how to prevent it.

Getting back to basics

One of the main things I come across when initially talking to customers about Identity and Access Management is a challenge as to what business value it delivers. Why spend money on an enterprise IDAM solution when Azure AD can deliver a lot of the functionality? And it’s a fair challenge for some customers; in fact, for customers that are only adopting Microsoft’s cloud platform, Azure AD is a suitable solution if you switch all of the right features on.

However, it’s rare to come across a customer that is truly only consuming cloud services from one provider. Most companies today are using a host of cloud services, from accounting and payroll, through HR, expenses, CRM, purchasing and social media. What’s more, they are probably consuming multiple platforms for each of these. For instance, a lot of companies have an official presence on LinkedIn, Facebook and Twitter, services like Glassdoor and Trustpilot, and I know a lot of companies of various sizes that buy items for their businesses on Amazon and eBay.

These are all cloud services, and all of them present a challenge to your business. But most businesses don’t think of them as cloud services, or discount them because they don’t contain corporate or personally identifiable data, so they don’t realise the potential security challenges that they can present.

People: the double-edged sword

If there is one single thing every business on the planet needs to be successful, it’s people. Currently, there is not one successful business that doesn’t have people driving it forward, and typically, the better the people, the more successful the business is.

But this same critical resource is also the biggest security threat to your business. Specifically, people are the biggest factor in enabling a data breach, with all of the regulatory, reputational and remediation costs that come with it.

Why?

There are actually two key reasons why, and both of them exist purely to accommodate the limitations of human beings when we need to give them access to data and services.

The first of these is the desire to provide the customer with a great, frictionless user experience. Nobody wants to sell or drive consumption of a cloud platform that is a hassle for users to access, and no user is going to flock to a platform that is difficult or challenging to use. Software providers globally spend millions of dollars collectively trying to make the user experience as easy and intuitive as possible, with pleasing visuals and common-sense navigation (and also great platform-level security). This has to extend out to the whole experience, including the initial log-in. Sure, it needs to be secure, but it also needs to be friendly and relatively straightforward for the user. If the initial log-in process is too complicated, user interest will fall at the first hurdle.

So, typically every cloud platform has pared its (at least initial) log-in process down to a simple de facto standard: give me your username and your password in order to gain access. If you are really lucky, the user may have the option to switch more security on, but whether they do or not is a different story.

Nothing unusual so far… this is the model we have used for access in the workplace for years, right? Well, actually, it is this experiential piece that has been the main driver for ‘Shadow IT’ solutions over the years; people using non-approved services because they are easier to use than the corporate-approved applications (coincidentally, also adding to the problems that we highlight in this blog).


The problem with human beings

This leads into the second and main reason for the security challenge: human beings are not good at memorising multiple complex usernames and passwords.

One of the ways that the software industry copes with this is to suggest (or mandate) that your username is your primary email address, so you have one less thing to remember.

Email addresses are, by nature, not protected information. We share them with anyone we communicate with, on social media platforms, and give them out to anyone who asks for them. As a result, the entire security of the data in your cloud applications may rest on a single factor: a password.

Reminder: human beings are not good at memorising multiple complex passwords. We just weren’t designed for it. So, your people will generally be using one of the following strategies for their password, not just in your corporate platforms but also in their own consumer applications, which multiplies the threat substantially. The strategies are deliberately listed in order of adoption.

Strategy 1 – The Golden Password

Conventional wisdom is that if you create a suitably complicated alphanumeric password, or a string of three random words, you will be secure. Well, partly; at least you can be relatively secure from some sort of brute-force attack. But if your golden password is compromised in any way, a cyber threat actor then has access to everything. Your golden password could be compromised in a number of ways:

  • Phishing attack
  • A breach on one of the platforms you use
  • A breach on a device
  • Via key logging or a “man in the middle” attack
  • Someone watching the keys you tap while you are at your desk (unless you work alone in a SCIF room), in a coffee shop or some other public place while you are accessing any service, personal or corporate

The golden password model is the most common password strategy for human beings. And just because you enforce a 30, 60 or 90-day password refresh on corporate platforms, don’t think for one minute you have solved this problem. The most likely coping mechanism for that one is for the user to simply change a digit, normally at the end of the password string, each time the password is updated.

For the Digital Jedis in IT that would never dream of this approach, if you don’t believe me, look at the password histories of your employees. Even if they are hashed out, are they always the same length or do they increase by one character after 10 resets? Bingo…

N.B. – Some people think that when any website asks for a username and a password, they have to use the same one as they use on the device, or they won’t get access. My parents both came to this conclusion independently and merrily used (until I corrected them) the same single set of credentials for everything, because they thought that there was some magic key inside their device that tied this all together. This isn’t a generational thing; I know a few Millennials that came to the same conclusion, thinking there was some form of global identity-specific encryption at play.
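One way to close the "change a digit" loophole at password-change time, as an added example that is not Core’s, One Identity’s or Aurora’s code: the change handler sees the old and new password together, so it can reject a new value that only bumps a trailing digit or symbol, and it can compare the candidate against a salted hash history for exact reuse. The suffix pattern, the similarity threshold and the PBKDF2 parameters are assumptions chosen for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import re
from difflib import SequenceMatcher

# Trailing characters people typically bump or tack on when forced to
# rotate a password ("Winter2018!" -> "Winter2019!", "Pass1" -> "Pass2").
_SUFFIX = re.compile(r"[0-9!@#$%*?.]+$")
PBKDF2_ROUNDS = 100_000  # illustrative; production should use a memory-hard KDF

def _stem(password: str) -> str:
    """Lower-case the password and strip any rotated digit/symbol suffix."""
    return _SUFFIX.sub("", password).lower()

def is_trivial_rotation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is a predictable variant of the old one."""
    old_l, new_l = old.lower(), new.lower()
    if old_l == new_l:
        return True
    stem = _stem(old)
    if stem and stem == _stem(new):
        return True  # same word, only the trailing digit/symbol changed
    # Catch small edits elsewhere in the string (one or two characters swapped).
    return SequenceMatcher(None, old_l, new_l).ratio() >= threshold

def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2 digest; returns (salt, digest) for the history store."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def reused_from_history(new: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate exactly matches any earlier (hashed) password."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", new.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False

REASON_ROTATION = "predictable variant of the previous password"
REASON_REUSE = "password was used before"

def validate_change(old: str, new: str, history: list[tuple[bytes, bytes]]) -> str | None:
    """Return a rejection reason, or None if the change is acceptable."""
    if is_trivial_rotation(old, new):
        return REASON_ROTATION
    if reused_from_history(new, history):
        return REASON_REUSE
    return None

if __name__ == "__main__":
    # Constructed sample history: passwords this user rotated through earlier.
    history = [hash_password("Winter2016!"), hash_password("Tq7#mL9vXw2p")]
    for candidate in ("Winter2019!", "Tq7#mL9vXw2p", "Xk4$pQ8rNz1m"):
        print(candidate, "->", validate_change("Winter2018!", candidate, history))
```

The history check only catches exact reuse, because earlier passwords exist only as hashes; the rotation check is what catches the incremented-digit habit, and it is only possible because the old password is supplied in plaintext at change time.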

Strategy 2 – The Password List

The second most widely used strategy for coping with complex password requirements is for someone to create a list of passwords. This can either be for someone who just cannot memorise a password at all, or someone who is aware enough to know that “one password to rule them all” is not wise, but isn’t advanced enough technically to use our next strategy.

Password lists exist in many forms, ranging from post-it notes on the monitor or a cork board, to notebooks, through to the note-taking application on a mobile phone. If you are really lucky, someone using the latter may have password-protected the note application, but don’t count on it… and it doesn’t matter anyway in a lot of scenarios.

In this model, the people still generate the password themselves, from their brain, and this again can lead to predictable behaviours, repetition or re-use. Incorporating the name of the family dog, a favourite restaurant or someone’s birthday is probably secure enough to withstand brute force attacks, but not beyond some social engineering.

For mobile employees the password list needs to be mobile too, so they will either have a notebook or a note app with them at all times. If they are logging in somewhere in public, they will probably open the notebook or app to get their password as they log on. Anyone with a smartphone camera could take a snap (and the likelihood is that the page won’t just have the one password on it). Or they could lose the notebook or device.

As for the post-it notes on the monitor or elsewhere in the office, well they are safe because they are in the office, aren’t they? Not really. Your office will have various people within it - disgruntled employees, contractors, visitors, cleaners, delivery people… a whole host of human beings who may have an even larger host of reasons why obtaining a password would be useful or desirable.

Strategy 3 – The Password Manager

The truly enlightened will hopefully be using some form of Password Manager that will generate a unique, complex password for each platform, air-gapping every platform you access from the others and providing the perfect circle of security.

Well, mostly!

There is a wide range of Password Managers in the marketplace and most of them are very secure, leveraging the device’s biometric capabilities and enabling two-factor authentication for access. The best ones are paid apps or require an ongoing subscription, which is important to note. I’m not sure anyone should trust a “free” password management tool. And that is the holy grail for solutions outside of an enterprise IDAM solution, except for a couple of things…

Firstly, not every device or password manager app enables biometrics, in which case the user will need to (you guessed it) enter a username and password to gain access, or in some cases a passcode on a phone handset. Also, quite often, 2FA is an option that the user needs to accept and switch on rather than a mandated requirement. This throws us back to all of the issues of phishing or someone seeing your access password while you enter it. And if you only need it as a backup in the event that your device is lost or damaged, how do you remember it? We are back to golden password or password list territory.

If the Password Manager is not integrated with corporate devices or apps, this again will lead to someone logging into the Password Manager interface, where they will be presented with a range of usernames and passwords to either key in or copy and paste, which again could be compromised by anyone within eyeline of the screen.

If you are a complete Digital Jedi, and you have switched on the biometrics and 2FA, you are relatively secure, or as secure as you can be independently. But you have a productivity problem if you lose or break your primary device.

Chances are you will have to revert back to some sort of username or password combination with a verification process to get access back to your passwords, and that is a vector that could be exploited by a cyber-criminal. SMS messages can be intercepted or diverted, as can email traffic.


So, what IS the answer?

Having this discussion with a customer is always interesting. In the IT world, we tend to be focussed on what is happening at 40,000 feet, looking at strategic issues, high-tech developments and clever solves for complex problems. The result is, we tend to forget about ground-level issues where the basic problems are.

This is the point in the conversation where the worried look creeps in and the reality of the risk is obvious. They always knew it, really; it had just been forgotten because other challenges are frankly more interesting. Or maybe the problem has been forgotten because there is no obvious solution for it?

The absolute worst part about all three of the scenarios above is that in every case you won’t know that a password has been compromised until you have had a breach. Maybe you would in the event that someone lost the password list notebook (as long as they looked for it relatively quickly afterwards), and then immediately notified everyone and got them to change their passwords…

Here comes another human failing: we as human beings don’t like admitting that we have made a mistake, and there is a very real chance that a percentage of people, having lost their password list, might delay taking action while they panic about the potential repercussions of exposing their mistake to their employer, or try to figure out a way to get out of the problem without involving anyone else.

And there are other breaches all of the time. I have had a number of identities compromised through platform-level breaches on LinkedIn, Twitter, Last FM, Talk-Talk and a couple of others. I haven’t done anything wrong, but my credentials got out. In my case they were all personal apps, but all were a potential issue for my employers at the time. In the early days, I used to use a small number of golden passwords: one for general personal, low-threat log-ins; one for subscriptions and anything with payment details; and a third for work stuff, so there was an air gap between each one, a small layer of protection. That was the limit of what I could manage in psychic RAM.

Now I do something different…

The cold hard reality of this is that there is no single system or strategy that is 100 per cent secure. And that is fine. You don’t have to swim faster than the shark to not get eaten, you just need to swim faster than the person next to you.

That said, you can get a significant order of magnitude more secure than all of the strategies listed above by adopting an enterprise-grade IDAM solution, such as Aurora. Aurora enables us to provide multiple layers of security to protect against or completely mitigate all of these issues. In the shark analogy above, IDAM is a fairly substantial boat, with a couple of guys to help you out of the water and a couple more guys with harpoons.


Read part two of 'How to stop your users taking you to the data apocalypse' here.