Cloud security hacks from Singapore Government IT leaders at the Cloud Security Summit

By Yogesh Hirdaramani

At the 2023 Cloud Security Summit hosted by the Association of Information Security Professionals (AiSP), Singapore Government IT leaders shared practical tips for organisations to improve their cloud security.

At the 2023 Cloud Security Summit hosted by the Association of Information Security Professionals (AiSP), Senior Minister of State Tan Kiat How spoke on the importance of securing the cloud even as organisations reap the benefits of cloud technology. Image: AiSP

“Cloud technologies have greatly enhanced our companies’ digital footprint and capabilities. But with this increased adoption of cloud technologies and infrastructure, the ability to maintain and protect the cloud becomes increasingly important,” said Tan Kiat How, Senior Minister of State for National Development and Senior Minister of State for Communications and Information in Singapore.

 

He was speaking at the Cloud Security Summit 2023, organised by the Association of Information Security Professionals (AiSP). This year’s theme, “Simplifying Cloud for a Safer Future”, focused on making cloud security more accessible for enterprises. 

 

At the session, government leaders from the Cyber Security Agency (CSA) and Government Technology Office (GovTech) shared how organisations can improve the security of their cloud environments, drawing on lessons learned from the Singapore government’s cloud migration.

Cloud decisions a tradeoff

 

Donald Ong, Senior Consultant, Cloud Cybersecurity Programme Office, Cyber Security Agency of Singapore, highlighted that Singapore’s government cloud programme led to rapid improvements in user experience for government applications and was a vital backbone for government digital services during the Covid-19 period.

However, he highlighted that despite the opportunities presented by the cloud, security challenges in cloud adoption persist. For one, organisations may not have full visibility into how cloud service providers manage the security of their cloud infrastructure. 

 

Under the shared responsibility model, cloud service providers manage the security of the cloud infrastructure, while customers manage the security of data and applications hosted within the cloud. While cloud providers do provide assurance reports to verify their security measures, organisations should still consider preparing business continuity plans in case of cloud outages.

 

Some organisations may choose to adopt a hybrid or on-premises approach for systems and applications that are more sensitive. This will enable them to have stronger oversight over the security measures in place to safeguard the physical and virtual infrastructures of the cloud, he shared. 

 

“For systems that are very sensitive, my recommendation is to stay on-premises for the time being. Get a feel of the cloud and understand how to secure it, before you take steps,” he said. 

 

However, he cautioned that isolated cloud environments will lack the breadth, agility, and cost-effectiveness that public cloud platforms offer, citing a recent Gartner article on this topic. Hybrid and multi-cloud environments may also have more complex security requirements.

 

The Singapore Government previously set a goal of migrating 70 per cent of its less-sensitive systems to the public cloud, and agencies can access these cloud services through the Government Commercial Cloud. Legacy systems and more sensitive systems remain on-premises or in private cloud environments.

Regardless of cloud model, he shared that it is critical for organisations to maintain a full inventory of cloud assets, from data to applications to physical servers, and employ zero-trust principles to secure these assets.

 

“When things go wrong, we need to know exactly where it went wrong,” he said.

 

Finally, he emphasised that organisations should adopt shift-left and shift-right principles when developing software. This means continuously testing code for security earlier in the development lifecycle as well as testing applications that have already gone live to ensure that they have remained secure and resilient.

Secure every layer of the cloud ‘onion’

 

Next, Bernard Tan, Director of the Cyber Security Group, GovTech, shared that it is important to secure each layer of the cloud, from data to identity to applications to infrastructure, depending on the cloud model (public, private, or hybrid) that organisations have adopted.

To do this, he recommended going back to the good ol’ framework of people, processes and technologies.

When it comes to technology, he recommended that organisations reduce technology debt. This can mean building cloud-native services and reducing reliance on legacy systems. Then, organisations can build a set of common security services that can be applied across systems.

Tan explained that the Government Commercial Cloud platform enables GovTech to standardise the security services offered to Government agencies that use the cloud.

 

Next, Tan shared that it is important to reduce complexity to limit possible points of entry. To simplify access, organisations can decide not to provide anybody with administrative rights at all. Instead, organisations can choose to allow users access to sensitive systems only when they absolutely need it.

 

When it comes to securing processes, Tan emphasised that it is important to integrate and automate security configuration checks during the development lifecycle. In this way, cyber security professionals can focus on higher-level tasks and reduce toil.

Finally, he shared that it is important to reduce delusion. This means listening to, supporting, and empowering engineers and developers to focus on delivering the best possible services. 

Investing in cybersecurity talent

 

Finally, nurturing cybersecurity talent will be critical to strengthening the overall cloud security landscape in Singapore. In his presentation, Ong noted that the current cybersecurity talent shortage means that there is still a lack of widespread knowledge about how cloud systems can be implemented securely.

At the event, AiSP signed a memorandum of understanding (MOU) with Cisco Networking Academy. Under this MOU, AiSP and Cisco Networking Academy plan to organise a series of awareness training sessions and hands-on workshops to boost cybersecurity education in the industry and widen opportunities for people to gain practical experience in cybersecurity.