In this exclusive interview, fellow of cyber security and governance at Singapore University of Social Sciences, Anthony Lim, shares his insights on cloud migration, data security and sovereignty and why it is imperative that all those within your organization have a clear understanding of your incident response plan.

Anthony Lim, fellow of cyber security and governance at Singapore University of Social Sciences

Anthony Lim: Organization managers and cyber security professionals need to have a central policy and clear visibility on what data from which department is being placed in cloud services and which person in each department oversees and authorizes this process.

Secondly and similarly, there needs to be a centrally managed and enforced data classification system that decides what data sets are allowed to be stored in cloud services. Here you must bear in mind national or industry regulation requirements such as personal data protection, financial transaction data protection and data sovereignty. One must also be mindful of the types of data that will be stored in the cloud services, that it might leak or otherwise get breached and what the worst-case-scenario consequences of this might be.

Thirdly, cyber teams need to ensure basic data cyber security policies, solutions and practices are in place such as:

AL: First, be aware of all of the above. Next, make inventory lists of the following:

Second, as this moves away from being a technological or operational matter and into management, political and bureaucratic territory, cyber teams need the support and endorsement of executive management. This ensures the harmonious cooperation of all departments and allows the general cloud data security and risk mitigation strategies to succeed.

AL: This question points, and rightfully so, at the need for a proper, working and tested incident response plan.

Case in point, the inquiry report for the biggest data breach case in Singapore to date found that the company’s incident response management was broken. If it had not been, the attack could have been prevented.

Although they did have an incident response plan, it fell short in three critical ways:

Again, cyber security teams must get top-down executive management support for a comprehensive incident response plan involving all the stakeholders. There must be processes and playbooks that all the stakeholders and department staff must be completely aware of, much like for any other safety drill. These have to be tested at least once a year and improved upon. This is because as personnel and technology change, so does the way an incident should be responded to.

An incident response framework must include appropriate external parties who can work in a timely and efficient manner to manage the issue when it arises. This will ensure mitigation, minimization, control of and recovery from the situation as well as business continuity both during and after the incident. Following this, the lessons learned must be used to improve cyber security to ensure such situations are prevented from happening again.

AL: It is hard to dictate a service level agreement (SLA) especially in regard to cyber security and data protection to a cloud service provider unless you are a very large organization. It is, however, a best practice to have your legal counsel or legal service provider have a look at the standard service level agreement the provider offers you to make sure it meets your requirements.

Irrespective of size, you as the customer can seek counsel with the cloud service provider about your data protection compliance requirements and they can advise you on how best these can be mutually achieved.

Remember that, at the end of the day, if the data hosted in the cloud is sensitive and it leaks or is breached or hacked, you as the customer and data owner will be held responsible, not the cloud service provider.