In this exclusive interview, fellow of cyber security and governance at Singapore University of Social Sciences, Anthony Lim, shares his insights on cloud migration, data security and sovereignty and how to ensure all those within your organization have a clear understanding of your incident response plan.

Cyber Security Hub: What are the top data security and sovereignty challenges facing cyber security professionals?

Anthony Lim: Organization managers and cyber security professionals need to have a central policy and clear visibility on what data from which department is being placed in cloud services and which person in each department oversees and authorizes this process.

Secondly and similarly, there needs to be a centrally managed and enforced data classification system that decides what data sets are allowed to be stored in cloud services. Here we need to bear in mind national or industry regulation requirements such as personal data protection, financial transaction data protection and data sovereignty. So, one must be mindful of the types of data that will be stored in the cloud services and that it might leak or otherwise get breached and what the worst-case-scenario consequences of this might be.

Thirdly, cyber teams need to ensure basic data cyber security policies, solutions and practices are in place such as:

- Proper password and authentication regime including the use of two-factor authentication.
- Data encryption wherever feasible.
- A data-leakage prevention solution.
- Network segmentation and access control.
- Least privilege and zero-trust principles.
- Firewall, anti-virus or anti-malware software.
- Monitoring and logging of network and data movement activity.
- Consistent patching and updating of software applications, operating systems, middleware and other software.

CSH: What advice would you give to those facing these challenges?

AL: First, be aware of all of the above. Next, make inventory lists of the following:

- Departments.
- Data stores including backups and archives.
- Personnel including job role and function.
- IT assets lists including software applications and services.
- Cyber solutions inventory list.
- What cloud services are being used by which department(s), for what services and what data is being stored in these cloud services.

Second, as this moves away from being a technological or operational matter and into management, political and bureaucratic territory, cyber teams need the support and endorsement of executive management. This ensures the harmonious cooperation of all departments and allows the general cloud data security and risk mitigation strategies to succeed.

CSH: How can cyber security professionals prepare in the case of a data security issue or emergency?

AL: This question points, and rightfully so, at the need for a proper, working and tested incident response plan.

Case in point, the inquiry report for the biggest data breach case in Singapore to date found that the company’s incident response management was broken. If it had not been, the attack could have been stemmed earlier and prevented from becoming worse. Although they did have an incident response plan, it fell short in three critical ways:

- Staff were unaware of what to do, including how or when to report a cyber security incident and to whom. Instead of escalating the incident up the chain of command, it went unreported as employees tried to deal with it on their own.
- Staff did not have adequate cyber security awareness and training, meaning they were unable to understand the severity of the attack or how to respond effectively to it.
- Though there was a framework in place to report cyber security incidents, employees were not sufficiently trained on how to use it.

Again, cyber security teams need to get top-down executive management support for a comprehensive incident response plan involving all the stakeholders. There must be processes and playbooks that all the stakeholders and department staff must be completely aware of, much like for any other safety drill. These have to be tested at least once a year and improved upon. This is because as personnel and technology change, so does the way the incident should be responded to.

An incident response framework must include appropriate external parties who can work in a timely and efficient manner to manage the issue when it arises. This will ensure mitigation, minimalization, control of and recovery from the situation as well as business continuity both during and after the incident. Following this, the lessons learned must be used to improve cyber security to ensure such situations are prevented from happening again.

CSH: How can those in cyber security govern with service level agreements?

AL: It is hard to dictate a service level agreement (SLA) especially in regard to cyber security and data protection to a cloud service provider unless you are a very large organization. Otherwise you will just have to live with the standard service level agreement the provider offers you, which itself will be quite comprehensive anyway. It is, however, a best practice to have your legal counsel or legal service provider have a look at it to make sure it meets your requirements.

Irrespective of size, you as the customer can seek counsel with the cloud service provider about your data protection compliance requirements and they can advise you on how best these can be mutually achieved.

Remember that, at the end of the day, if the data hosted in the cloud is sensitive and it leaks or is breached or hacked, you as the customer and data owner will be held responsible, not the cloud service provider.