As those following this blog will remember, among the main events of last year were the relocation of MOLO17's facilities and the resulting design and construction of our new 4.0 offices. On this topic we also had the opportunity to take part in the dedicated “Office 4.0” event of 27 November 2019, organised by our local technology hub (Polo Tecnologico di Pordenone). Below is the video of the talk.
What is a 4.0 office
The reference to the concept of Industry 4.0 is clear: what was done for manufacturing, and for the secondary sector in general, was to connect and computerise production facilities and machines together with their ancillary equipment. This interconnection, mediated by industrial IoT technologies, made it possible to gather and correlate large amounts of data that were previously almost completely disconnected (even if not completely ignored) from the decision-making process, and that are now critical to it.
Analogies with Industry 4.0
However, if we think about the entire flow of information, it is clear that the circle is not complete until the “back-office” part of the company is digitised and linked to these data flows. Let's imagine, for example, stock monitoring and the related flow of purchase orders when a component runs out: it would be great if warehouse operators could send the order to the purchasing office directly. But if the operational flow of the purchasing department is not at the same level of automation and computerisation, it ends up acting as a bottleneck, if not as a “hole” in the data collection process, which is instead a fundamental tool for decision-making.
From factory to desk
Moreover, even in a purely tertiary-sector context, such as service or consultancy companies, the integration and collection of data in support of decision-making functions is certainly beneficial, while management control and internal information flows become far more effective. Quite simply, it is a matter of bringing to the desk the experience of integration and correlation already gained in industrial production.
Improving the employee's quality of life
Keeping the parallel with industrial automation, the integration of IoT tools in offices can be, if done with the right criteria, an excellent way to improve the efficiency and quality of work, as well as the quality of life of the employee. Functions such as adjusting the lighting to the outside brightness, or switching off all systems automatically when the last employee is no longer detected inside the building, exemplify the ability of the environment to react autonomously to the metrics collected. They are all demonstrations of how it is possible to simplify and improve the management of a company's headquarters, both in terms of the employees' quality of life and, above all, of its running costs.
You can read the entire story of the design of our office in this article. Now, however, I would like to spend a few words on the security implications that these tools carry.
Security issues in Office 4.0
Keep away from commercial off-the-shelf (COTS) components
The first security consideration is to avoid COTS IoT devices as much as possible (I personally try to avoid or isolate them even at home, as I highlight in these articles). As in industrial IoT, the use of consumer devices in the workplace does not provide the guarantees of security and reliability typical of professional tools.
3 points to keep in mind
In fact, as for every IT tool designed according to security criteria, it is really important to define at least three elements during this phase:
- the security perimeter;
- the security context;
- the model of potential threat(s).
Moving a device from the domestic environment to the workplace changes all three of these elements significantly, so that even the greatest design effort may turn out to be vain, because it was made against security parameters that no longer apply. This is without counting the effect of adding a new IT system to a connected context such as a workplace: that context should undergo the same security assessment made in the design of the device itself, but applied to the office system as a whole, by an expert professional.
Cloud or on-premises?
Another false belief that often circulates among SMEs concerns cloud solutions compared with on-premises ones.
This can easily be summarised with the sentence: “I don’t want my data in the cloud, because I want to know where it is, I will keep it here in my house”.
However, it is quite difficult to have an ISO 27001 certified data center on premises when you are an Italian SME. With proper configuration and design, your data is potentially more secure in the hands of a cloud provider; the provider takes care of the physical and hypervisor layers, while the configuration of what you deploy on top remains your responsibility.
In our case, seizing the opportunity of the change of corporate headquarters, we opted to migrate all our infrastructure to the cloud rather than physically moving it from one location to another.
Complete migration to the Cloud
The rationale behind this choice was carefully weighed, and its winning points were mainly:
- hardware activities are not our core business; they distracted resources from core projects, causing significant expenditure of energy, unforeseeable interruptions of development work for hardware interventions and everything else that comes with managing one's own hardware;
- the TCO, however high, still turned out lower than that of an on-premises data center;
- resilience and the ability to rebuild the system, even completely from scratch, are unparalleled compared with an on-premises data center: each AWS availability zone consists of one or more physically separate data centers, and a region contains several isolated zones. Manually or, with some technical measures, automatically, it is possible to bring the entire infrastructure back up in another availability zone or another region within minutes, from backup or from scratch using the infrastructure template;
- several security considerations, including:
  - physical access to our “data center” is objectively impossible, even for ourselves;
  - the only access to the data center is a VPN tunnel into the VPC (the group of virtual subnets to which the virtual servers in the cloud belong), which protects data in transit;
  - the disks of the remote machines are encrypted with a key of which we keep a copy in a safe place.
This level of security, ease of management and resilience is really difficult to achieve at the same cost with an on-premises data center.
The weak point, if we can call it that, is the need for a stable connection to the cloud, almost certainly with a second failover link.
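The two properties listed above, VPN-only access into the VPC and encryption of every disk, are easy to state and easy to break with one forgotten security group rule or one unencrypted scratch volume, so they are worth checking mechanically rather than by memory. The script below is an added example, not MOLO17's own code: it runs offline over two constructed structures shaped like the responses of boto3's describe_security_groups() and describe_volumes(), and flags every ingress rule whose source is not inside the assumed VPN range 10.8.0.0/24 and every volume that is not encrypted at rest. In practice you would pass the real API responses instead of the constructed samples.

```python
"""Offline audit of "VPN-only ingress" and "every disk encrypted".

Added example, not MOLO17's code. SECURITY_GROUPS and VOLUMES are
CONSTRUCTED samples shaped like boto3's describe_security_groups() and
describe_volumes() responses; VPN_CIDR is an assumed value.
"""
import ipaddress

# Assumption: the VPN concentrator hands out client addresses from this range.
VPN_CIDR = ipaddress.ip_network("10.8.0.0/24")

# Constructed sample, shaped like describe_security_groups()["SecurityGroups"]
SECURITY_GROUPS = [
    {
        "GroupId": "sg-app",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.8.0.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.8.0.0/24"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-legacy",
        "IpPermissions": [
            # The kind of rule that silently bypasses "VPN only".
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # "-1" means all protocols; FromPort/ToPort are absent then.
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

# Constructed sample, shaped like describe_volumes()["Volumes"]
VOLUMES = [
    {"VolumeId": "vol-db", "Encrypted": True},
    {"VolumeId": "vol-scratch", "Encrypted": False},
]


def ingress_outside_vpn(groups, vpn_cidr=VPN_CIDR):
    """Return (group_id, protocol, from_port, to_port, cidr) for every
    ingress source range that is not fully contained in the VPN range."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                net = ipaddress.ip_network(cidr)
                # subnet_of() only accepts networks of the same IP version;
                # an IPv6 source can never be inside an IPv4 VPN range.
                inside = net.version == vpn_cidr.version and net.subnet_of(vpn_cidr)
                if not inside:
                    findings.append((
                        group["GroupId"],
                        perm["IpProtocol"],
                        perm.get("FromPort"),
                        perm.get("ToPort"),
                        cidr,
                    ))
    return findings


def unencrypted_volumes(volumes):
    """Return the ids of volumes that are not encrypted at rest."""
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted", False)]


if __name__ == "__main__":
    for finding in ingress_outside_vpn(SECURITY_GROUPS):
        print("ingress outside VPN:", finding)
    for vol in unencrypted_volumes(VOLUMES):
        print("unencrypted volume:", vol)
```

Run against the real account, the useful output is an empty list for both checks; anything else is a rule or a volume that contradicts the two properties claimed above. The check deliberately treats any source not contained in the VPN range as a finding, including a wider internal range, rather than only 0.0.0.0/0, because a rule open to the whole VPC is still not "VPN only".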
A look at what we have “on field”
On the ground, as opposed to in the cloud, great attention must be paid to network design, since the network is the fundamental asset you will be working with.
In our headquarters, at infrastructure level, we have a network based mainly on Ubiquiti and WatchGuard equipment, with access points designed for high client density, each equipped with a spectrum analyser independent of the radio used for communications and with an on-board IDS.
This reflects our flexible and mobile way of working: access to the network is mainly wireless, and the wireless network must therefore guarantee adequate levels of security and reliability.
Solutions for remote working
We then set up a cloud VPN concentrator that allows access to the servers from anywhere in the world, while ensuring far higher quality and availability of access to business systems than SME data centers and connectivity normally guarantee.
This fits extremely well with the fact that MOLO17 has fully remote employees, staff who work from home for most of their hours, and similar situations. Resilient, secure and fast remote access to company servers is therefore essential for this type of working relationship.
Managing Mobile and Edge
To simplify the security and client management of this setup, we have implemented various organisational and technical measures, for example:
- the use of an MDM solution, specifically Cisco Meraki, to push configurations to company computers and to assess compliance with security policies in real time;
- mandatory full-disk encryption, enforced by the MDM itself, to protect company data;
- the use of a cloud solution, Google's G Suite, for corporate email and centralised authentication: we access all corporate services through G Suite accounts;
- as company phones we use Apple devices, also enrolled through DEP, supervised and managed via the MDM;
- for employees who want to use their own phone, we have implemented “bring your own device” via Google for Work, enforced through the MDM. When you try to log in to your account from an Android device:
  - a work profile is created on the employee's device. This profile is an isolated container that the employee can deactivate at any time;
  - the MDM allows its creation, and thus access to company data, only if the phone has not been tampered with (e.g. rooted or running a custom ROM) and has full-disk encryption enabled;
  - in the event of theft or loss of the phone, or when the employee leaves the company, we can wipe the container remotely at any time. What lies outside the container, on the other hand, is opaque to us, which protects the user's privacy;
  - we can ensure data compliance by preventing data from being copied out of the container.
It does not end here
In our search for flexibility we have not stopped here: we have also moved our telephone switchboard to the cloud, specifically with 3CX.
In-Cloud VoIP PBX
With the in-cloud VoIP PBX, all employees have their own internal extension number.
Except for special uses, we do not use desk phones; we use an app on our Macs and/or our mobile phones.
We can of course disconnect from the switchboard at any time, divert calls and use the other functions classically available on any switchboard.
Access with digital key
At any time, technically even in the middle of the night, employees can enter and leave the building using Bluetooth keys held in an application on their phone or in their work profile. The access is recorded and the alarm is deactivated.
This allows people to work flexibly, at the times most appropriate for the projects the various teams are following. Of course, we can invalidate any employee's electronic keys at any time.
Is anybody in?
The building is able to react to the presence or absence of its “residents”: for example, by observing the Wi-Fi clients it can determine when the time has come to switch off the lights and activate the night alarm.
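The presence logic described above, as an added example that is not the building's actual automation code. It assumes a Wi-Fi controller that can list the MAC addresses of associated clients, an assumed set of employee devices that count as “residents” (the printer and similar always-on devices must not count, or the building would never arm), and an assumed 15-minute grace period before arming, so that a phone that briefly drops off Wi-Fi does not switch the lights off on someone still at their desk. All client snapshots are constructed.

```python
"""Deciding when the building is empty from the Wi-Fi client list.

Added example, not MOLO17's building automation. RESIDENT_DEVICES, the
grace period and every snapshot in run_scenario() are CONSTRUCTED /
assumed values.
"""
from datetime import datetime, timedelta

# Assumption: wait this long after the last resident device disappears
# before treating the building as empty.
GRACE = timedelta(minutes=15)

# Assumed set of employee phones. Always-on devices (printer, PBX gateway)
# are deliberately not in here.
RESIDENT_DEVICES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}


class PresenceMonitor:
    def __init__(self, residents, grace=GRACE):
        self.residents = {m.lower() for m in residents}
        self.grace = grace
        self.last_seen = None   # last time a resident device was associated
        self.armed = False

    def observe(self, now, associated_macs):
        """Feed one snapshot of associated client MACs.
        Returns the action to take ("lights_off_and_arm",
        "disarm_and_lights_on") or None when nothing changes."""
        present = self.residents & {m.lower() for m in associated_macs}
        if present:
            self.last_seen = now
            if self.armed:
                self.armed = False
                return "disarm_and_lights_on"
            return None
        # Nobody seen. Arm only once the grace period has elapsed since the
        # last sighting (or immediately if no resident was ever seen, e.g.
        # at start-up), and only once, not on every empty snapshot.
        if self.last_seen is None or now - self.last_seen >= self.grace:
            if not self.armed:
                self.armed = True
                return "lights_off_and_arm"
        return None


def run_scenario():
    """Constructed evening: one phone leaves, the other briefly drops off
    Wi-Fi and comes back, then leaves for good; next morning someone is
    back. Returns [(minutes_after_18:00, action), ...]."""
    t0 = datetime(2019, 11, 27, 18, 0)
    printer = "de:ad:be:ef:00:01"          # always online, must not count
    snapshots = [
        (0,   ["AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02", printer]),
        (10,  ["aa:bb:cc:00:00:02", printer]),   # first phone gone
        (20,  [printer]),                        # second phone asleep...
        (25,  ["aa:bb:cc:00:00:02", printer]),   # ...and back: no arming
        (30,  ["aa:bb:cc:00:00:02", printer]),
        (40,  [printer]),                        # left for good
        (44,  [printer]),                        # 14 min: still in grace
        (46,  [printer]),                        # 16 min: arm
        (70,  [printer]),                        # stays armed, no repeat
        (400, ["aa:bb:cc:00:00:01", printer]),   # next morning: disarm
    ]
    monitor = PresenceMonitor(RESIDENT_DEVICES)
    actions = []
    for minutes, macs in snapshots:
        action = monitor.observe(t0 + timedelta(minutes=minutes), macs)
        if action:
            actions.append((minutes, action))
    return actions


if __name__ == "__main__":
    for minutes, action in run_scenario():
        print(f"+{minutes:3d} min: {action}")
```

Wi-Fi association is only one signal: an employee who has switched Wi-Fi off, or a visitor whose device is not in the resident set, is invisible to it. In practice this decision should be combined with the door-key events recorded by the access system and with the alarm's own sensors, and the grace period tuned so that arming never races with someone who has just badged in.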
A win-win choice
Security in 4.0 offices can, and in my opinion must, be perceived as a tool with a double potential.
The most heartfelt example in the company is perhaps the implementation of MDM for all devices and of the Work Profile on Android: not only do these countermeasures significantly improve endpoint security, but they give the user a positive counterpart that improves the balance between work and personal life.
Route to a better office
I firmly believe that Office 4.0 is an unmissable opportunity to change the image we commonly have of IT security procedures and tools.
In the first place because we move from considering them sources of frustration to tools that, besides making us feel safe, can make us experience the working context better, with a strong counterpart in quality of life for every employee.
The ROI of the solution
Finally, all the costs incurred, which management usually perceives as unnecessary, become opportunities to lower the TCO of the IT infrastructure and beyond. This also allows company procedures to be optimised, with all the positive consequences that derive from that.
DevSecOps Lead @MOLO17