As Singapore accelerates its transition to a Smart Nation, it recognises that data security is key. The Public Sector Data Security Review Committee was formed last year to evaluate data security policies and practices across the public sector. Following the review, the Committee detailed five security recommendations to strengthen the nation’s data security regime.
“The 5 key recommendations and 13 technical measures set forth by PSDSRC are crucial to transforming the delivery of our government digital services to building our smart nation infrastructure, and Singapore Government is taking this correctly to ensure the highest standard of data security,” says Seah Shao Xiong, Head of Sales and Channel for Singapore Government, Cloud Protection & Licensing business, Thales Digital Identity and Security.
Experts from Thales share how agencies can step up data security in line with these new regulations.
Bolstering data security
In its review, the Committee analysed 336 government data systems across all 94 public agencies. Three in four agencies had at least one finding of non-compliance with government regulations.
Common instances of non-compliance were in management and monitoring of privileged user accounts, user access reviews, encryption of emails with highly-sensitive data, and extraction of production data.
To tackle such vulnerabilities, the Committee issued five data security recommendations. The first was for entities to enhance technology and processes to protect data against security threats and compromises.
The Singapore government aims to implement the measures in 80 per cent of government systems by the end of next year. “With the rise in digital services and sensitive data that are shared, stored, and processed on a national level, these sets of data security recommendations and detailed technical guidelines could not have come at a better time,” says Seah.
In line with the first recommendation to enhance technology, agencies should reduce the attack surface, the Committee wrote in its report. That can happen by minimising data collection, retention, access and downloads.
Automated identity and access management tools help ensure that data is accessed only when needed, and only by authorised people. Privileged identity and management tools also monitor administrator accounts and guard them with more stringent measures such as multi-factor authentication.
Some public service officers deployed to the frontline during the pandemic, for instance, may have access to Covid-19 patient data. But when they resume their usual role, identity and access management tools will halt their access to the database.
Thales’s SafeNet Trusted Access validates identity by taking into account variables such as a user’s network, location, and operating system. It also draws on contextual data to provide additional information on a login attempt, and creates compliant access policies.
Agencies should also enhance the logging and monitoring of data access to detect high-risk activity, wrote the Committee. Logs should be stored and analysed to flag suspicious activity and support remediation in the event of a data breach.
This is key as hackers tend to lie low and carry out attacks over a sustained period of time. Individual actions by a hacker may not raise any red flags; taken together over time, however, those actions might be suspicious, says Thales. With the storage and analysis of logs, such anomalies can be detected.
Thales’s CipherTrust Security Intelligence partners with security information and event management systems to detect suspicious activity. It monitors real-time events, analyses long-term data, and also qualifies possible threats to save security teams the trouble of chasing after false positives.
Data encryption and tokenisation
Agencies’ security technology should also protect data directly when it is stored and distributed, the Committee wrote. When extracted or intercepted, data should be rendered unusable.
That requires data hashing and tokenisation. Both techniques will ensure that sensitive values and identifiers, such as passwords and NRICs, cannot be seen or recovered in the event of a breach. Instead, the data will be replaced with a value known only to authorised users.
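The two techniques named above, as an added example that is not from the Committee's report or from Thales: passwords are stored as salted one-way hashes, and NRICs are swapped for keyed tokens that only a vault can map back. The role name, field names and sample record are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

AUTHORISED_ROLES = {"case_officer"}  # hypothetical role name

def hash_password(password, salt=None):
    """Salted, slow one-way hash: the stored digest cannot be reversed."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

class TokenVault:
    """Swaps an identifier for a token; only the vault can map it back."""

    def __init__(self, key):
        self._key = key      # secret kept apart from the tokenised data
        self._values = {}    # token -> original value, held only here

    def tokenise(self, value):
        # Keyed HMAC: the same input yields the same token, so tokenised
        # tables can still be joined, but without the key the mapping
        # cannot be rebuilt by hashing guessed identifiers.
        mac = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + mac[:32]
        self._values[token] = value
        return token

    def detokenise(self, token, role):
        if role not in AUTHORISED_ROLES:
            raise PermissionError(f"role {role!r} may not detokenise")
        return self._values[token]

def protect_record(record, vault):
    """Return a copy safe to store or extract: no raw NRIC or password."""
    salt, digest = hash_password(record["password"])
    return {"nric": vault.tokenise(record["nric"]), "name": record["name"],
            "pw_salt": salt.hex(), "pw_hash": digest.hex()}

# Constructed sample record; the NRIC is a made-up placeholder.
SAMPLE = {"nric": "S0000000X", "name": "Tan", "password": "correct horse"}
```

The key is what separates a token from a plain hash: identifiers with a fixed, short format have few possible values, so an unkeyed hash of one can be matched by hashing every candidate.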
Singapore’s Smart Nation initiatives must go hand-in-hand with data security to gain public confidence, said Teo Chee Hean, the Committee’s chairman.
“Singapore’s Smart Nation ambitions cut across all sectors, and Thales in Singapore is present in many of these, from aerospace, defence, transportation and digital identity and security. Our solutions are cyber-secured by design and address the entire information security lifecycle. We remain committed to supporting our customers here to guard against the insidious nature of cyber threats as they further their digital ambitions,” says Kevin Chow, Country Director and Chief Executive, Thales in Singapore.
Data is the gold of the 21st century, and governments have the formidable task of guarding the precious commodity against cyber threats. Singapore’s current efforts to bolster data security will pave its way to a resilient Smart Nation.