In this exclusive interview, fellow of cyber security and governance at Singapore University of Social Sciences, Anthony Lim, shares his insights on cloud migration, data security and sovereignty and why it is imperative that all those within your organization have a clear understanding of your incident response plan.
Cyber Security Hub: What are the top data security and sovereignty challenges facing cyber security professionals?
Anthony Lim: Organization managers and cyber security professionals need to have a central policy and clear visibility on what data from which department is being placed in cloud services and which person in each department oversees and authorizes this process.
Secondly and similarly, there needs to be a centrally managed and enforced data classification system that decides what data sets are allowed to be stored in cloud services. Here you must bear in mind national or industry regulation requirements such as personal data protection, financial transaction data protection and data sovereignty. One must also be mindful of the types of data that will be stored in the cloud services, that it might leak or otherwise get breached and what the worst-case-scenario consequences of this might be.
Thirdly, cyber teams need to ensure basic data cyber security policies, solutions and practices are in place such as:
- Proper password and authentication regime including the use of two-factor authentication.
- Data encryption wherever feasible.
- A data-leakage prevention solution.
- Network segmentation and access control.
- Least privilege and zero-trust principles.
- Firewall, anti-virus or anti-malware software.
- Monitoring and logging of network and data movement activity.
- Consistent patching and updating of software applications, operating systems, middleware and other software.
CSH: What advice would you give to those facing these challenges?
AL: First, be aware of all of the above. Next, make inventory lists of the following:
- Data stores including backups and archives.
- Personnel including job role and function.
- IT assets lists including software applications and services.
- Cyber solutions inventory list.
- What cloud services are being used by which department(s), for what services and what data is being stored in these cloud services.
Second, as this moves away from being a technological or operational matter and into management, political and bureaucratic territory, cyber teams need the support and endorsement of executive management. This ensures the harmonious cooperation of all departments and allows the general cloud data security and risk mitigation strategies to succeed.
CSH: How can cyber security professionals prepare in the case of a data security issue or emergency?
AL: This question points, and rightfully so, at the need for a proper, working and tested incident response plan.
Case in point, the inquiry report for the biggest data breach case in Singapore to date found that the company’s incident response management was broken. If it had not been, the attack could have been prevented.
Although they did have an incident response plan, it fell short in three critical ways:
- Staff were unaware of what to do, including how or when to report a cyber security incident and to whom. Instead of escalating the incident up the chain of command, it went unreported as employees tried to deal with it on their own.
- Staff did not have adequate cyber security awareness and training, meaning they were unable to understand the severity of the attack or how to respond effectively to it.
- Though there was a framework in place to report cyber security incidents, employees were not sufficiently trained on how to use it.
Again, cyber security teams must get top-down executive management support for a comprehensive incident response plan involving all the stakeholders. There must be processes and playbooks that all the stakeholders and department staff must be completely aware of, much like for any other safety drill. These have to be tested at least once a year and improved upon. This is because as personnel and technology change, so does the way an incident should be responded to.
An incident response framework must include appropriate external parties who can work in a timely and efficient manner to manage the issue when it arises. This will ensure mitigation, minimization, control of and recovery from the situation as well as business continuity both during and after the incident. Following this, the lessons learned must be used to improve cyber security to ensure such situations are prevented from happening again.
CSH: How can those in cyber security govern with service level agreements?
AL: It is hard to dictate a service level agreement (SLA) especially in regard to cyber security and data protection to a cloud service provider unless you are a very large organization. It is, however, a best practice to have your legal counsel or legal service provider have a look at the standard service level agreement the provider offers you to make sure it meets your requirements.
Irrespective of size, you as the customer can seek counsel with the cloud service provider about your data protection compliance requirements and they can advise you on how best these can be mutually achieved.
Remember that, at the end of the day, if the data hosted in the cloud is sensitive and it leaks or is breached or hacked, you as the customer and data owner will be held responsible, not the cloud service provider.