Last updated: 27 September 2018
Following SingHealth cyberattacks last August, the CyberSecurity Agency of Singapore instructed CII (critical information infrastructure) sectors to raise their level of network security. In this blog, we emphasize the importance of CII entities owning their own encryption keys and how to gain control over their stored data.
The State of Cybersecurity in Singapore
Cybersecurity has become a much discussed topic globally mainly due to the fact that threats come in from all sorts of factors in the cyberspace: web, email, and have even evolved into advanced persistent threats (APTs) that are beyond what normal technology can handle.
Singapore has had its fair share of cybersecurity issues as of late; with its most recent and impactful one being the SingHealth database cyberattack that resulted in stolen data belonging to more than 1.5 million patients. The stolen data included patients’ names, NRIC numbers, addresses, race, date of birth, and other outpatient information.
Thankfully, more sensitive personal information like credit card details were spared, but the Cyber Security Agency of Singapore (CSA) notes that the information might be abused to impersonate customers. Medical records contain valuable data that can be used for identity, insurance, or tax fraud.
The Aftermath of an Attack
The SingHealth attack serves as a perfect reminder of the implications a breach and how it can undermine public trust. Moreover, it sheds light on the newly-ratified Singapore Cybersecurity Bill earlier this year, the nation’s answer to securing organizations designated as Critical Information Infrastructures, or CIIs. Such sectors include the energy, water, health, banking, transportation, and media sectors. The Bill outlines a framework that formalizes securing CIIs before and after an attack or data breach occurs.
The SingHealth cyberattack might not have targeted credit card details, but the chances of its financial motivation are high. (Related: Healthcare Data Security Solutions). Cybersecurity awareness has naturally cascaded into shaping policies and regulations across industries. For instance, the Monetary Authority of Singapore (MAS) recently issued a notice to all financial institutions to tighten verification processes and veer away from the usual customer identification methods.
Following the cyberattack, the Government ordered a pause on all Information and Communications Technology (ICT) projects in the public sector to review cybersecurity policies. The pause has since been lifted in August but called for additional measures that would let the Government detect and respond to attacks more quickly.
Collaborating with CII Providers: Raising Network Security
In lifting the pause, one of the listed measures is for CII sectors to raise the security in information gateways. According to the CSA press release, “…if two-way communication between the secured network and unsecured external network is required, a secured informational gateway has to be implemented.” This is especially important as high-potential data leaks and attacks can occur in this stage of network traffic. Our 2017 Breach Level Index report reveals that there were 1,765 reported data breaches and over 2.5 billion compromised data records worldwide.
So what do these measures mean for CIIs? Understand that CIIs need to operate on the possibility that a breach can and will happen. Raising network security requires knowing where your sensitive data lie, with the attack surface continuously expanding and adapting today’s digital transformation.
As the SingHealth incident has shown, data breaches are inevitable and the only way to safeguard stored data is through key management. You can read all about it at SecuretheBreach.com.
Owning Your Keys: Why Key Management is Important
There’s no denying that the cloud services are here to stay—yet organizations are still hesitant to adopt the proper security, privacy, and compliance measures to ensure its maximum benefits. Entrusting sensitive data to cloud services means relinquishing control over it, and as far as the recent data breaches are concerned, this may severely impact a company’s ability to adhere to privacy regulations, such as the General Data Protection Regulation.
Sure, it’s possible to outsource services for cloud data encryption and management services, but you can’t outsource the responsibility for that data. With the rise of new technologies, such as mobility, cloud, and virtualization, enterprises need to adopt encryption to keep sensitive data secure, especially the data stored on-premise.
Strong data encryption requires encryption key management. Being able to own and manage your encryption keys is crucial to meet compliance standards and to satisfy regulatory sovereignty requirements. Key management additionally ensures regulatory compliance and secures data from risks posed by privileged users. An effective key management solution also ensures that keys and their policies can be stored in an appliance that remains in full control of security teams, and not the storage administrators.
At this year’s GovWare 2018 in Singapore, we discussed our “Secure the Breach” approach and how encryption and key management solutions can help enterprises form a new data security mindset. But without an overarching encryption solution with centralized key management, you can expect businesses to end up with gaps and weak links in the environment.
What Can Gemalto Do for You?
Fortunately, our solutions offer a multilayered approach to help enterprises protect themselves against breaches to ensure data security in case perimeter defenses are compromised. We offer a portfolio of data protection solutions that include data encryption, encryption key management, and access management, enabling organizations to secure sensitive data in databases and to help achieve compliance.
For instance, Gemalto’s SafeNet Identity and Data Protection includes solutions for the following:
• Authentication & Access Management, Encryption, Tokenization & Key Management
• Cloud Security
• Compliance & Data Privacy
• Big Data Security
As data owners, it’s also important to know that encrypting data isn’t the same as protecting it. In our white paper Own and Manage Your Encryption Keys, we outlined how customer-owned encryption keys are is the only way to safeguard data in cloud environments. In the paper we talk more about data encryption scenarios and understanding the vulnerabilities of third-party encryption.
In customer-owned encryption, YOU own the data and YOU own the encryption keys. Owning and managing your encryption means compliance and ensuring that your data is always secure, while also giving you the power to address any and all access requests for surrendering your company’s data. Using encryption and owning the keys means that even when systems are handed over to the authorities, they might not be able to decrypt sensitive data, proving that the data were leaked in the event of a breach.
The power to secure data resides with no one but you and your customer-owned keys. Download our white paper to learn more about customer-owned encryption keys and safeguarding your data.