• Applying conventional security practices in the cloud environment
  • Directly assessing the compliance and security practices of cloud providers
  • Having sufficient resources to be able to evaluate the security practices of cloud providers
  • Controlling or restricting end-user access

As such, businesses rely on the cloud service providers to take on the onus of safeguarding their data on cloud, including the encryption of sensitive information and the safekeeping of the encryption key.

However, transferring the responsibility of safeguarding encryption keys to cloud providers does not mean the risk of breaches goes away. Organizations need to be responsible for their own encryption keys if they want to truly secure their data.

Data compliance regulations like GDPR necessitates the uniformity of data protection laws, and controls how organizations should store personal data and how they must respond in the event of a data breach. Whether your organization collects data or processes it, its obligations attach to the data itself, and travel wherever it goes. What this means is that many Asian businesses could find themselves falling within the GDPR’s scope, as long as they have any sort of footprint in the EU.

So how can controllers and data processors manage this web of responsibility? The answer is simple:

  • Identify where sensitive data resides
    • By establishing a complete, accurate picture of where sensitive personal data resides, businesses can identify key areas to focus their resources
    • This includes:
      • Knowing how many different locations and environments the data resides in
      • Tracking access and assignment rights
      • Understanding how data is transmitted between data centers, whether in point-to-point or multi-point environments
  • Classify data to streamline operations and compliance
    • By classifying data, businesses could potentially significantly streamline their compliance efforts and better manage data in line with governance and policies.
  • Safeguard data leveraging encryption and key management
    • The guidance issued by the National Institutes of Standards and Technologies (NIST) provides a wide range of best practices to defend against security compromise, including that keys, or at the very least, key material, must be updated regularly. Second is that different products across the data security industry provide different key management functions. If a breach occurs but data was encrypted and keys are adequately secure to NIST guidelines, a cyber attacker will be unable to decrypt and access the data.
    • Encryption represents an essential way to establish data confidentiality and integrity. In fact, the Data Privacy regulations will only intensify the demand for encryption and to separate encryption keys from data encryption and decryption operations for compliance.
  • Control access
    • Repeatedly, it is weak, static credentials and multiple applications connected to a single network that are vulnerable. It is therefore essential for organizations to eliminate this vulnerability by establishing strong access management solutions with authentication methods such as multi factor authentication and secure single-sign-on processes.

With regards to cloud security in Asia, compared to other regions in the world, where do we stand? And which industries do we see the greatest growth in cloud adoption?

Tay: Today cloud computing applications and platform solutions are considered critical to organizations’ operations. The use of cloud will only proliferate as businesses continually leverage the operational efficiencies that cloud services offer. In fact, our Data security in Asia-Pacific 2019 survey found that virtually every organization will be using cloud services within the next two years. And they should – especially when data processing requirements and demand for data storage capacity continue to increase.

However, these perks of utilizing the cloud could potentially translate into security threats as more organizations adopt a multi-cloud strategy, making it even more challenging for businesses to identify, track and protect all data, be it in transit or stored data.

Presently, the data privacy standards being discussed on a global level are not uniform, and organizations could find that they must comply with different privacy legal frameworks as well as face conflicts in legislation – especially if we are talking about multinational/multiregional organizations.

While Asia is still early in terms of securing data in the cloud, our 2019 Global Cloud Security Study showed promise in Asia’s commitment to cloud security. Respondents who indicated the business’ commitment to protecting confidential or sensitive information has increased significantly from 62% in 2015 to 72% of respondents in this year’s study.

At the same time, more than half of respondents also expressed that their organizations have established clearly defined roles and accountability for safeguarding confidential or sensitive information stored in the cloud, as compared to a mere 38% four years ago. I believe that with this optimistic outlook and increased awareness of cloud security, we can expect to see stronger collaboration across public and private sectors to refine the current data management frameworks.

2019 APAC overview in a nutshell:

  • The Singapore government announced a set of data security recommendations for data sharing between government agencies. This is a good set of guidelines for the private sector to adopt.
  • The Thai government instated a PDPA bill in May 2019. This sets the starting point for Thailand to progress next to more cloud-based data security guidelines within the year or next.
  • In Malaysia, the Bank Negara Malaysia issued a paper in late 2019 providing guidelines on cloud and data security. This means that Malaysia banks are getting the go-ahead to move their workloads into the public cloud which is a significant move.
  • In Indonesia, the National Cyber and Encryption Agency (Badan Siber dan Sandi Negara; BSSN), requested a public consultation in mid-2019 to comment on a draft regulation on Information Security Management Systems (Sistem Manajemen Pengamanan Informasi; SMPI). We should be able to expect a formal gazette document in 2020.

All the aforementioned proof points show that countries in APAC are progressing quickly in the areas of information security – pointing towards how organizations should start considering their cloud and data security postures, owing to the rollout of these regulatory frameworks.