Presentations from Smoothwall and Ampliphae at Networkshop46. Managing Prevent duty through effective web content management - by Tom Newton, product manager, Smoothwall. The hidden risks of SaaS and cloud applications and how to take back control - by Nigel Oakley, director of business development, Ampliphae.

1. Smoothwall
Tom Newton, Smoothwall

2. www.smoothwall.com
Managing Prevent Duty
through Effective Web Content
Management
Tom Newton, Product Manager

3. The Prevent duty is the legal
obligation of authorities to provide
“due regard to the need to prevent
people from being drawn into
terrorism”.
Counter-Terrorism and Security Act, 2015

4. Compliance
To comply with the Prevent duty, institutions must:
● assess the risks associated with Prevent in the context of their local situation and draw up a
proportionate action plan to mitigate those risks
● have responsive, effective welfare support systems, ensuring concerns about students' wellbeing can
be acted on, linking to Prevent structures (such as local authorities or the police) if necessary
● ensure internal mechanisms and external arrangements are in place for sharing information about
vulnerable individuals when appropriate
● have systems in place for assessing and mitigating risks around external speakers and events on
campus, while maintaining the existing duty to promote freedom of speech
● ensure senior managers are engaged with the Prevent duty, build links with external Prevent partners,
and arrange ongoing Prevent training for relevant staff
● implement an IT usage policy which covers the Prevent duty
● ensure that students' unions and societies are aware of, and are consulted on, policies concerning
activities on campus.

5. Myths around the Prevent duty
Myth 1 - the Prevent duty facilitates spying
upon students
There is no reliable evidence suggesting that organisations
are interested in gathering security-related intelligence let
alone engaging in it.
The risk of being drawn into terrorism is to be treated as a
vulnerability i.e. suicide.
Higher Education Funding Council for England, 2017

6. Myths around the Prevent duty
Myth 2 - the Prevent duty requires
organisations to report students for the
expression of radical views
Nobody can lawfully be referred to a Prevent panel merely
for the expression of radical or unorthodox views, there
must be evidence of a risk of harm.
Higher Education Funding Council for England, 2017

7. Myths around the Prevent duty
Myth 3 - the Prevent duty violates basic
human rights
The Prevent duty complies with the European Convention
on Human rights, incorporated into UK law by the Human
Rights Act.
Higher Education Funding Council for England, 2017

8. Prevent and the web

9. What not to do
● Heavy duty filtering
● Try and do the same as schools
● Keep students from accessing useful
resources

10. What to do: Light Touch Filtering
& Visibility
Smoothwall achieves this in 5 key ways...
● Search term filtering
● Government URL databases
● Content Filtering
● Alerting
● Overview reporting

11. What to do: Search Term Filtering
● Shows intent
● Often better than looking at search
results

12. What to do: IWF & Counterterror Lists
● IWF members - block access to Illegal Child Abuse Images and Content
(CAIC)
● Integrate the CTIRU (Counter Terrorism Internet Referral Unit) list of
unlawful sites, produced on behalf of the Home Office
● First content filter to take CTIRU List

13. Smoothwall’s Categories
DiscriminationDrugs/
Substance
Abuse
Extremism
Malware/
Hacking
Pornography
Piracy and
Copyright Theft
Self
Harm
Violence
Abortion
Alcohol and
Tobacco
Weapons
Computer Games
Payday Loans
File Hosting
Child Abuse
Intolerance
Hacking
Gambling
Alcohol and
Tobacco
Medical
Information
Graphic
Novels
Terrorism

14. What to do: Content Filtering
● Useful on social networks
● Only way to see “logged in traffic”
● Only way to see what’s there in real time

15. What to do: Alerting
● Low positive false
rate
● Alerts to the correct
people
● Act before problems
occur

16. What to do: Overview Reporting
● Can be useful to evaluate prevalence of search queries and
inappropriate accesses
● A good balance with alerting is essential

17. Prerequisites
● Authentication - no filter is useful if you can’t identify users

18. Prerequisites
● Authentication - no filter is useful if you can’t identify users
● Coverage of BYOD - should be considered in any rollout

19. Prerequisites
● Authentication - no filter is useful if you can’t identify users
● Coverage of BYOD - should be considered in any rollout
● Responsibility - reports & alerts need action

20. Thank you
www.smoothwall.com

21. The hidden risks of
SaaS and cloud
applications and how
to take back control
Nigel Oakley, Ampliphae

22. Take Control of Your Cloud
Nigel Oakley
Business Development Director

23. Application Ecosystem
• Application ecosystems are growing in size, scope and
complexity…

25. Shifting Landscape
Lift and shift
Rearchitect
Innovation
‘Vendors are shifting their business
models from on-premises licensed
software to public cloud-based
offerings, this trend will continue.’
- Gartner
Applications that are lifted
and shifted to the cloud
can't take full advantage of
native cloud features - may
not be cost-effective.SaaSification

26. The SaaS Challenge
 Loss of Authority
 SaaS providers market direct to consumers
 Self selection – Consumerisation of IT
 Decentralised decision making
 Loss of Control
 Vendors define the architecture and
deployment
 All that’s required is a browser and
connectivity!
 Your data is managed by the vendor
 But IT retain Accountability
 Risk of security and regulatory infringement
 Fewer control points, reduced visibility
 Total dependence on many more vendors

27. GDPR and Compliance Risks
Privacy Rectification Erasure Access
Is the data adequately
secured and
encrypted in transit
and at rest?
Who can access the
data, who stores the
data, can the cloud
provider access it?
Is it easy to change
customer data on
request, do you know
where it is located?
Can a customer’s data
be completely
deleted under your
control?
Compliance
Can you prove that the SaaS applications your employees have
signed up to provide appropriate GDPR regulatory compliance
?

28. Cloud Adoption Lifecycle: Managed Adoption
Discovery: Evaluated by IT department as they test configurations, deployment, support processes
Understanding: Pilot with selected users who put the solution through it’s paces
Adoption: Controlled roll-out to departments and teams
Planned Commitment: In use across the organisation
Discovery Rejection Withdrawn
Uncontrolled
Adoption
Understanding Retirement
Unplanned Commitment
Adoption
Lingering
Planned Commitment
Niche
Planned
Decline
Conscious
UncouplingCriticality Threshold
Irreversibility Threshold
Discovery Threshold
Institutional

29. Cloud Adoption Lifecycle: Viral Adoption
Discovery: Adopted by a single user, who immediately invites their colleagues to join
Uncontrolled Adoption: Makes the team’s life easier, they enthusiastically adopt it
Unplanned Commitment: Integral to the business, it’s impossible to imagine life without it
Institutional
Discovery Rejection Withdrawn
Uncontrolled
Adoption
Understanding Retirement
Unplanned Commitment
Adoption
Lingering
Planned Commitment
Niche
Planned
Decline
Conscious
UncouplingCriticality Threshold
Irreversibility Threshold
Discovery Threshold
Institutional

30. Take Back Control

31. Identify all the Cloud
Applications in use
within your organisation.
Understand who uses
each application, when,
where and why.
Discovery
Highlight security,
regulatory and
commercial
considerations for each
Cloud Application, and
make an appropriate
decision.
Governance
Block or optimise access
to individual Cloud
Applications.
Give your people the
information they need to
make informed
decisions.
Control
Continuously monitor for
new Cloud Applications,
and audit cost and risk.
Cost and compliance
reporting
Audit Analyse
Discover which applications your people are using
Know where your data is stored
Understand how secure it is and who can access it
Govern and manage the vendors
Control applications and activities in the
Cloud
Manage your risks and exposures
Deep insights into the
usage and adoption of
cloud applications.
Predict application
growth, identify security
threats and anomalies
Ampliphae Overview

32. Comprehend, Comply, Control
www.ampliphae.com

33. Email: Nigel.Oakley@ampliphae.com
Tel: +44 (0)20 3289 0121
Thank you
Have you any questions?
Nigel Oakley
Business Development Director