Cloud and security, and the changing Asian approach
By Gabey Goh April 15, 2015
- Governments getting more nuanced in developing cloud ecosystems
- Weak links in government cybersecurity, more holistic defending needed
WHILE regulation around access to and use of data domestically and internationally is being hashed out, the fact remains that adopting cloud computing services offers organisations numerous benefits.
Which was why Singapore took a strategic approach in developing its cloud ecosystem, according to Dr Lee Hing Yan, director of the National Cloud Computing Office under the Infocomm Development Authority (IDA) of Singapore.
“The question was how we could inject vibrancy into our infocomms industry by building an ecosystem. The first step was to be able to attract cloud service providers to come to Singapore and offer their services to the market.
“With over 6,000 multinationals based here, we were confident that this group would form the initial set of adopters.
“We then decided that the Government should take the lead and do its utmost to get our agencies to adopt the cloud,” he said at a cybersecurity briefing hosted by Microsoft Corp in Singapore.
To accelerate the typically lengthy cycle of procurement within the public sector, the decision was made to introduce a ‘Cloud Services’ bulk tender system, which saw four providers awarded the tender to build a whole-of-government private cloud, G-Cloud, to deliver cloud services to government agencies, with a prescribed security assurance level.
The number of providers has since been increased to eight, according to Lee.
A Singapore Cloud Adoption Study commissioned by the IDA in April 2012 showed that Singapore already ranked third, after Australia and Japan, in cloud adoption.
In addition to these ‘hard enablers,’ there were considerations about ‘soft enablers,’ such as ensuring that there was an adequate supply of trained professionals, with government policies that encouraged the use of cloud computing, as well as reassuring users.
“The issues and principles around security and data remain the same even after cloud came into the picture, but its adoption accelerated the demand to address data protection and privacy, and cross-border data flows,” Lee said.
One such policy response was the establishment of the Personal Data Protection Commission (PDPC) in January 2013, a statutory body to administer and enforce the Personal Data Protection Act 2012 (PDPA), he added.
The PDPC serves as the country’s main authority in matters relating to personal data protection, and represents the Singapore Government internationally on data protection issues.
Surface level to nuanced understanding
Executive director of the Asia Cloud Computing Association Lim May-Ann said governments in the region have progressed in “leaps and bounds” when it comes to their understanding of cloud computing – with many now possessing a more nuanced approach to it.
In addition, she believes that public-private partnerships are the “best way to move forward” at present, due to the rapidly changing nature of technology advancements and the inherently slower pace of public sector initiatives.
“No matter where you are in terms of implementing any sort of IT project, the technology is going to move as you’re in the process of executing,” said Lim.
“I’m excited to see a lot of countries taking a holistic approach to policy-making when it comes to technology and security.
“For example, in Singapore, the fact that the newly established Cyber Security Agency (CSA) sits under the Prime Minister's Office with centralised oversight of national cybersecurity functions, is recognition of the need for moving across agencies to coordinate efforts,” she added.
With similar initiatives being discussed or executed in other markets, including Indonesia and Malaysia, Lim said that this is indicative of a “huge tectonic shift” within government.
Previously, technology used to be very industry-specific, with policies centred on building up specific sectors, be it PCs or semiconductors.
“But the landscape has changed and we’re now seeing a move away from a vertical to a horizontal approach to looking at technology,” she said.
“I’m enthusiastically looking at what governments are doing, and it all bodes very well, as many have enough foresight to see the need for coordinated efforts, and also to having trusted partners be part of the process if trying to formulate a holistic approach is key to success,” she added.
Drafting out the roadmap
While governments are increasingly spending more IT resources and budgets on cybersecurity, there are still blind spots and weak links in their IT management, usage and policies.
This makes them vulnerable to cyberattacks, according to an independent study released by research consultancy firm TRPC, titled Public Data at Risk: Cyber Threats to the Networked Government.
The study, commissioned by Microsoft, assessed trends around the IT systems and infrastructure being built by governments, as well as the related IT investments, types of public and sovereign data and information stored by governments, and the types of cybercrime threats being targeted at governments.
According to Keshav Dhakad, regional director of the Digital Crimes Unit (DCU) at Microsoft Asia, the study was initially inspired by a request from a South-East Asian government official during a discussion on vulnerabilities in the IT supply chain.
“The official said ‘I have no idea what to do; I’m a policy-maker and I don’t understand technology. I need a roadmap to help resolve these issues.’
“And that was what prompted this paper, which is meant for senior bureaucrats and ministers, not the technocrats or IT people,” said Keshav.
The paper proposes a roadmap for senior government policy leaders and business decision-makers to enable a resilient, reliable and strong cybersecurity strategy and trusted IT usage framework, Microsoft claimed.
It has also been established that an unmanaged and unregulated IT supply chain is one of the most potent ways in which malware infections are taking root inside systems, leading to cybersecurity breaches, according to the TRPC study.
“It’s not about protecting intellectual property at the point, it’s about attackers exploiting vulnerable systems to execute their attacks,” said Keshav.
Dr Peter Lovelock, director at TRPC, noted that current government cybersecurity efforts are often “piecemeal at best.”
“Two problems are arising for procurement professionals in Asia – the increasing prevalence of infected networks, including in supply chains, and the lack of experience in dealing with actual threats.
“A more holistic approach towards cybersecurity must be undertaken if a country is to be ‘cyber-ready,’” said Lovelock, adding that the elements of building a safer government ecosystem include:
- Setting up agile and empowered computer emergency response teams (CERTs);
- Sensitising and educating civil officials (particularly non-IT focused personnel);
- Regulating and monitoring the IT procurement and purchasing processes; and
- Using trusted technologies capable of defending and responding to cybersecurity breaches.
For example, a global survey by security firm ISACA (the Information Systems Audit and Control Association) found that most security professionals have not yet had to deal with an actual Advanced Persistent Threat (APT) attack – a type of network attack in which an unauthorised person gains access and stays undetected for a long period of time, usually with the objective of stealing data.
According to the ISACA study, only 21.6% of respondents have been subject to an APT attack. [ISACA is the global association of IT security, assurance, governance and risk professionals.]
The association also pointed out that many were not taking enough precautions against APTs – up to 81.8% of respondents had not updated their agreements with vendors which provide protection against APTs, while 67.3% of respondents have not held any APT awareness training programme for employees.
Roadmap for governments
Many security loopholes can be addressed by ensuring that best practices and guidelines are enforced for the purchase, maintenance, and upgrading of IT infrastructure and services, according to the TRPC white paper.
An effective roadmap towards constructing a resilient strategy should include steps to:
- Raise awareness through regular training on cyber-hygiene to government officers and staff, and mandated usage of genuine and current software products, safer Internet practices, and added malware protection through antivirus solutions. On the other hand, government IT procurement officers, government contractors and agencies should be strictly regulated, audited and sensitised towards the standards of security and safety of public data as well as national security.
- Ensure readiness by having a central agency responsible for coordinating cybersecurity preparedness and prevention protocols, and for coordinating cybersecurity responses in the event of a state-targeted attack. Establish a strong and empowered CERT and create or join a network of trusted CERT partners to share information and cyber-threat intelligence and mock attack exercises.
- Prevent attacks by building and maintaining a safe and secure network infrastructure and a clean and genuine IT supply chain through strong IT maintenance and procurement practices. Develop, implement and enforce cybersecurity standards for IT vendors and suppliers for all public sector organisations, particularly for critical infrastructure and sensitive national projects.
- Respond effectively by establishing domestic, regional and international legal avenues for pursuing redress following a cyber-attack. Develop best practices for recommended timeframes and standards for constantly upgrading and updating software used in the public sector.
- Mitigate damage by putting in place a cyber-forensics team which can work alongside the CERT, private industry and police to investigate security breaches and prevent further losses. Develop or join a cybersecurity network of other government or international organisations for information, intelligence and alliance-building purposes.