GovInsider SaaS Day: Security needs to scale alongside adoption of SaaS

By Cloudflare

Using SaaS for cybersecurity can make it much simpler to manage and helps public sector organisations to keep up with the scale and speed of evolving threats, according to Cloudflare’s Jeremy Jorrot.

Speakers at a cybersecurity for SaaS panel at GovInsider's inaugural SaaS day: GovInsider's Amit Roy Choudhury, GovTech Singapore's Yeo Beng Huay, Cloudflare’s Jeremy Jorrot, and Synapxe's Leonard Ong. Image: GovInsider.

Speakers at a cybersecurity panel at GovInsider’s SaaS day debunked the myth that organisations, including government agencies, can outsource cybersecurity to service providers when they adopt software-as-a-service (SaaS) solutions.

Different SaaS applications come with different layers of security.

Therefore, it is important for agencies to ensure that their security policy is independent and consistently enforced across different applications, said cloud cybersecurity provider Cloudflare’s ASEAN, SASE Specialist, Jeremy Jorrot.

He was speaking at a panel discussion on Staying Compliant: Best Practices for Ensuring Secure SaaS Adoption at GovInsider’s SaaS Day event on July 9, 2024.

His other panellists were GovTech Singapore’s Director (Governance Planning and Policy), Yeo Beng Huay, and Synapxe’s Director, Policy, Risk Management & Capability Development (Cyber Defence Group), Leonard Ong. The panel was moderated by GovInsider’s Contributing Editor, Amit Roy Choudhury.

Continued emphasis on a ‘zero trust’ approach

Jorrot and Ong highlighted the need for a zero-trust approach when it comes to tackling cybersecurity threats.

This security approach assumes that “all the activities are dangerous from the get-go,” and is one that has been emphasised by GovTech Singapore previously, as reported by The Straits Times.

The three key phrases to a zero-trust approach are visibility of threats, classification or prioritisation of threats, followed by enforcement of controls, said Jorrot.

But as information is spread across different SaaS providers, it is difficult for agencies to have a single security control for an entire network.

“In a normal cyber incident, you would have access to all your systems and resources. When SaaS comes in, you’re letting go of a lot of controls, so [cybersecurity] is important,” said Synapxe’s Ong.

Agencies are also faced with a rapidly evolving threat landscape. Today, most attackers, as seen in the US and Europe, no longer operate in a single location and cast very wide nets to infiltrate as many organisations as possible, said Jorrot.

How can smaller agencies then stay protected amidst the new and more sophisticated threats?

Traditional security controls would not suffice to keep up with the speed and scale of threats.

“Don’t look at security just for regulatory compliance's sake. Look at it as part of your overall digital transformation journey,” he added.

For one, agencies can consider SaaS solutions for their cybersecurity tools, which are simpler to deploy and manage. More importantly, the agencies can tackle the threats at scale and speed, he added.

Cybersecurity controls to evolve with increasing SaaS adoption

As Singapore supercharges SaaS adoption in the public sector, GovTech Singapore will soon announce reforms to the Instruction Manual for ICT&SS Management (IM8) to make it easier for agencies to adopt SaaS.

IM8 provides policies, standards, and guidelines to govern agencies' adoption of ICT (Information and Communications Technology) services and smart systems.

Currently, IM8 requires applications to be hosted on the Government Commercial Cloud (GCC), and SaaS applications cannot be hosted on GCC. The upcoming reforms will make it easier for agencies to adopt SaaS applications hosted outside GCC for low-risk use cases.

“If it’s [a] low risk [use case], you can just do your risk assessment, check the certification and start using it,” Yeo said. Productivity tools are an example of a low-risk use case for SaaS adoption.

Low risk, according to Yeo, is defined as no or minimal disruption to critical information infrastructure, including energy, water, banking and finance, healthcare, transport, infocomm, media, security and emergency services, and government.

“[GovTech Singapore is] giving a big push for agencies to adopt SaaS instead of building new applications... [and] enabling you to deliver better, faster, more cost effective, and risk-mitigated systems and services,” Ong said.

To this end, GovTech Singapore has simplified the procurement processes around SaaS applications, and introduced a SaaS portal that is available to both the public and private sectors to access information and resources.