Exclusive! Singapore OpenGov Leadership Forum Day 3

With the onset of the pandemic, there is no doubt that agencies and companies feel a more pressing need to ramp up cybersecurity infrastructure and network security models. Cyberattacks are getting more sophisticated, driven by accelerated digital transformation – moving to cloud, rolling out new applications and e-services at lightning speed – to address the needs of citizens and customers.

Combined with the surge in the use of end-point devices for remote working and the entry of new emerging technologies like IoT (Internet of Things), cybercriminals are having a field day, creating havoc in customer records, causing huge financial and intellectual property losses in public and private sector organisations alike.

The widespread move towards remote work and, hence, the need for access and security have spurred investment in Zero Trust security. The ability to authenticate and monitor all traffic, regardless of its position inside or outside of an organisation’s network, promises to reduce or eliminate many security risks.

The pandemic changed things and there is no turning back to an old reality. The question is: How can organisations keep up with the never-ending threat of cyberattacks and futureproof themselves?

The 7th Annual Singapore OpenGov Leadership Forum 2022, Day 3, was held on 19 May 2022 at Singapore Marriott Tang Plaza Hotel. It convened digital leaders from the Singapore public sector and financial services industry to discuss, deliberate, share and plan for the next phase of transformation.

Security in a post-covid reality

Mohit Sagar: Technologies to cope with new demands in the new normal

Mohit Sagar, Group Managing Director, and Editor-in-Chief, OpenGov Asia, kicked off the session with his opening address.

“We’re in the age of the metaverse,” Mohit claims, pointing out the growing trend of the metaverse. “The metaverse is where all the information will be sitting very soon. Everyone who does not know cryptocurrency will think that it is bad.”

Being a digital-first nation, Singapore is at the centre of attention. If the nation is not future-ready, it cannot be said to be prepared at all, Mohit claims. And in a future-ready country, data is foundational.  Safe and wide access to data then becomes the challenge and goal.

With consumers and businesses operating in a more distributed fashion, the attack surface has widened more than ever before as well. Like in other parts of the world, cyber-attacks are becoming increasingly common in Singapore, Mohit acknowledges. Ransomware cases in Singapore rose 154% in 2020, clearly becoming a growing threat.

Against this backdrop, a new ransomware economy has emerged for attackers, enabled by ransomware-as-a-service providers. Attackers have grown sophisticated in executing double extortion attacks whereby sensitive data is exfiltrated under threat of release.

“The world is not the same as it was, but are organisations keeping up with the changes?” Mohit asks. “About 95% of all successful cyber-attacks are caused by human error.”

People need more intel because the threat is ongoing. Cyberthreats will continue to evolve, Mohit claims. People can no longer hide behind security to stifle development and innovation. Organisations must embrace the risks, plan for them and push the envelope as far as possible.

In conclusion, he feels, the best approach to safeguard data is to look for partners who are experts in their field of work who can help organisations keep their glass full so that they can focus on their business objectives.

Acknowledging the changing frontiers of technology

Bidyut Dumra: Immerse, converse, traverse – life in the Metaverse

Bidyut Dumra, Executive Director & Head of Innovation, DBS Bank, spoke next on the rising trend of the metaverse.

In his current role, Bidyut looks after innovation in the bank and also furthers other areas of interest – metaverse, running an online gaming tournament and a network of gaming cafes. Bidyut begins by sharing his experience of working in different sectors.

As part of innovation at DBS, they do trend spotting and create a house field that dictates when to jump on a trend and how. According to Bidyut, the semblance of the metaverse came in 2019 and there were a few indicators that heralded it: 1) The typical persona of a gamer changed significantly. The number of gaming personas increased and the financial activity online has increased dramatically. 2) There was a dramatic increase in the popularity of e-sports and 3) Technology pushed that bridge between digital and physical experience.

Considering the trends, DBS began sponsoring championships, creating their team to compete and addressing gamer incentives. They invested heavily in understanding blockchain and went about creating their platform, tokens and digital assets.

“To put it simply, the metaverse is a digital reality,” Bidyut opines. “It is characterised by being real-time, its persistence and the experience of identity and assets. Within the metaverse, there can be multiple experiences of work, life, and play. With the metaverse, one can take on multiple avatars to mimic what people can do in their physical life.”

Each metaverse is a planet, where you can own land, assets (characters, clothes, etc.) and privileges, which can sometimes be transferred into the physical world. For instance, a ticket in the metaverse might grant you access to the physical world, and vice-versa. All transactions in the metaverse are stored in a blockchain – it is an underlying tech.

To serve and take advantage of this market and business opportunity, people are creating ancillary services and businesses, he notes. A lot of people are in the space – investments have gone up.

Ultimately, it is code, and code is built by people. This means that security falls back on the integrity of the code and the coder. He encourages delegates to take a closer look at metaverses because that is where the money and sentiment are heading towards.

Staying secure with Zero Trust

Scott Hesford: The Path to Zero Trust with least privilege

Scott Hesford, Director of Solutions Engineering, APJ, BeyondTrust, elaborated on Zero Trust and how privileges can be applied.

“What is Zero Trust?” Scott begins. “It is an evolving set of cybersecurity paradigms that move defences from static, network-based perimeters to focus on users, assets, and resources.”

The Zero Trust framework is still fairly vague in terms of what specific technology is required and how to implement it. It has mostly been left up to technology vendors, agencies and organisations to determine what Zero Trust is. Consequently, it has become an industry buzzword that can mean many different things, depending on the vendor offering it.

Assets, users and devices are no longer confined in a physical structure behind a secured perimeter but instead scattered in a new cloud-based universe. Organisations can no longer rely on typical network controls for their security. Digital transformation – including cloud and workforce mobility – has vastly expanded the attack surface.

The Zero Trust model brings a lot of focus to the potential that something or someone within the network perimeter has been compromised.

Under the assumption that every user, request and server is untrusted until proven otherwise, a zero-trust solution dynamically and continually assesses trust every time a user or device requests access to a resource.

This approach prevents attackers from exploiting weaknesses in the perimeter to gain entry, and, once inside, move laterally to access confidential applications and data.

On the path to Zero Trust, NIST provides a clear playbook on how to adopt zero trust principles. He emphasises that zero trust is not a single set of technologies an organisation can purchase, but a guiding set of principles that organisations will gradually adopt as they shift resources from on-premises to the cloud and retire legacy architecture. In the implementation process, hybrid implementations are expected to continue, given the challenges of modernising legacy systems that may be incompatible with zero trust.

In the adoption journey, the role of Privileged Access Management (PAM) is critical, Scott asserts. Applying the granularity of PAM to achieve Zero Trust objectives ensures all access is appropriate, managed and documented – regardless of how the perimeter has been redefined.

According to Scott, PAM enables Zero Trust in 8 ways:

  • Continuously enforces adaptive and just-in-time access controls based on context
  • Manages and enforces credential security best practices for all privileged passwords, secrets, and keys for accounts
  • Applies least privilege controls for every identity and account – human, application, machine, employee, vendor, etc.
  • Implements segmentation and micro-segmentation to isolate various assets, resources, and users to restrict lateral movement
  • Secures remote access with granular least privilege and adaptive capabilities well beyond that of VPNs, RDP, and other common remote access technologies
  • Secures access to control planes (cloud, virtual, DevOps) and sensitive applications
  • Continuously monitors, manages and audits every privileged session that touches the enterprise

BeyondTrust and ZeroTrust are solutions that support the smart, practical implementation of NIST’s Zero Trust security model without disrupting business processes. BeyondTrust solutions can be implemented with a Zero Trust Architecture (ZTA). Scott concludes that the hybrid approach provides companies with the ability to select the parts of the Zero Trust model that make sense to implement in their environment with a common-sense approach toward long-term security. In closing, he urges the delegates to consider Zero Trust adoption – a vital framework to keep the data safe.

Cyber resilience in face of evolving challenges

Soh Kiat Hiong: Keeping critical services resilient in the age of cyber threats

Soh Kiat Hiong, Head of System Engineering, Rubrik, shared thoughts on cyber resilience in the new normal.

“As we all know, ransomware is a clear and growing threat,” Kiat Hiong observes. “With consumers and businesses operating in a more distributed fashion, the attack surface has widened more than ever before as well.”

Agreeing with Mohit, he acknowledges that a new ransomware economy has emerged for attackers, enabled by ransomware-as-a-service providers. Attackers have grown increasingly clever in deploying double extortion attacks in which critical data is taken under threat of release. There is a shift from an opportunistic approach to a targeted approach.

Ransomware as a service is making it easier for criminals to commit crimes. There is also a rise in high-profile ransomware incidents. “How do we secure and eliminate the surface area and ensure that data is encrypted?” Kiat Hiong asks.

For Kiat Hiong, resilience is about having data security that aligns with the Zero Trust data security framework. It is not just about backup and recovery but about understanding the magnitude of impact – about understanding, identifying the sensitive data, and tiering the recovery. To do that requires one to streamline the valuable information, understand the high-value data that is impacted and prevent re-infection.

Additionally, Kiat Hiong shares that Rubrik is also able to offer insights on cyber-attacks. Rubrik saw an opportunity in understanding what has happened and what has changed. When data is ingested, it allows them to understand the environment and prevent ransomware from reinfecting customers.

He highlights the use case in the public sector in Singapore. Before Rubrik stepped in, there were legacy platforms without an air gap, which has a big surface area for attack due to the separation between the backup and storage. As such, Rubrik implemented zero-trust data security to eliminate the surface area for an attack so that no data is presented online.

With Rubrik’s Zero Trust Data Security, the organisation:

  • Scaled-Out Simplicity with Zero Data Security
  • Removed storage online or on the network (native logical air gap)
  • Ensured that backups cannot be modified/encrypted (immutable file system)
  • Integrated with AWS S3 Immutable Object Lock
  • Guaranteed that major attacks are now recoverable events from the 1st copy

As a result, the organisation achieved:

  • 80% Productivity Improvement
  • Accelerated DevTest with API (application programming interfaces) automation
  • Reduced Business Downtime with Instant Live Mount
  • Near 100% success rate

In concluding his presentation, Kiat Hiong outlined the 3 key pillars of Rubrik’s Zero Trust Data Security – Data Resilience, Data Observability and Data Recovery. More importantly, Rubrik is also able to give insights, conduct ransomware investigation and sensitive data discovery, and carry out threat hunting. He encourages the delegates to speak with him to further understand how Rubrik can assist organisations in the security of their data.

Polling results in the morning session

Throughout the morning session, delegates were polled on different topics.

The first poll inquired about key business initiatives for the next 12-18 months. Over a third (35%) are focused on improving employee productivity through digital technology, followed by modernising, and securing apps (29%), embedding compliance transparently in applications (18%), enabling real-time performance visibility and analysis (9%) and improving agility and delivery through Cloud Migration (9%).

Delegates were then asked about what would have the bulk of their budget allocation in 2022–2023. Under a quarter (23%) indicated embracing cloud technology, be it public or private, as the bulk of their budget. One section was equally divided between allocating the bulk of their budget to the digitalisation of processes to deliver better or ‘Smart’ services (19%) and improving integrity and governance while reducing inefficiency (19%). The rest indicated they would invest in leveraging IoT to improve processes and productivity (15%), enhancing or adopting AI (Artificial Intelligence) and Analytics for improving outcomes through forecasting, prediction, and optimisation (12%) or fortifying resilience (12%).

On the main motivator that is driving digital transformation, most (40%) are influenced by the desire to speed up their time-to-market to fully capitalise on business opportunities or to serve citizens better. Just over a quarter (28%) see a growing need to maximise value/insights from an increasing amount of data assets as a motivator. Others were split between the improved capability to manage an increasing amount of data at the edge locations while ensuring security and compliance (16%) and providing a consistent and seamless cloud-everywhere experience across a distributed organisation (16%).

Inquiring about concerns in the consideration to move to cloud, over half (52%) were anxious about security and governance. Other delegates were focussing on the need to re-skill talent (28%), operational costs (17%) or vendor lock-in (3%).

The subsequent poll asked delegates what they saw as the biggest challenge in digitalisation and cloud migration. Over a third (38%) found people and skillset the biggest issue, under a quarter chose data classification/data sovereignty/data residency and just over a fifth (21%) went with security and compliance risk. One group of the remaining delegates was evenly divided over executive support/top management strategy (7%) and legacy infrastructure (7%) while the rest (3%) said the budget was of concern.

Inquiring about the cyber security concerns that organisations are most worried about, about a third (32%) were concerned about phishing and spear-phishing campaigns. The remaining delegates are concerned about social engineering campaigns targeting employees/partners/users (29%), attacks on public-facing websites and infrastructure, e.g. SQLi, XSS, DDOS (25%) and attacks on remote access infrastructure, e.g. VPN compromise (14%).

On their plans to implement Zero Trust across their extended environment, most (47%) are partnering with multiple security partners to build a practical and pragmatic roadmap to implement zero trust. Other delegates were split between implementing zero trust with a primary focus on identifying our critical assets (42%) and making huge investments in different technologies and not sure where to start due to operational complexities (11%).

On the key driver for their organisation’s initiating/augmenting an identity access/Zero Trust management programme, over half (58%) identified Security/Data Protection/Breach Prevention as a key driver. That is followed by the desire to reduce endpoint, Insider and IoT security threats (16%). The remaining delegates were split between internal/Industry/Regulatory compliance (11%), operational efficiency (11%), and addressing hybrid IT (Information Technology) security issues (5%).

When asked about their organisation’s approach to evolving to SASE (Secure Access Service Edge), an overwhelming majority (73%) would take a best-of-breed approach, selecting partners that are most appropriate to their organisation’s needs, followed by those looking for partners who can provide a complete SASE solution (27%).

In conversation: Digital Sovereignty – the impact on your cloud strategy

Melvin Koh, Head of Sales Engineering ASEAN, Thales

The polling was followed by a conversation between Mohit Sagar, Group Managing Director & Editor-In-Chief OpenGov Asia, Kenny Seah, Head of Identity Access Management, Adnovum Singapore and Melvin Koh, Head of Sales Engineering ASEAN, Thales.

The rapid and pervasive development of digital technology has brought ‘digital sovereignty’ to the forefront of many governments’ policy agendas. Many countries have introduced digital sovereignty laws of varying scope on account of concerns about cybersecurity, data privacy and sensitivity and cyber capabilities, often imposing broad restrictions on cross-border data transfer or introducing local content requirements for digital-related services.

Melvin explains that digital sovereignty is about an organisation’s control over the hardware, software and data it manages, which is related to the data privacy act. It shifts the responsibility to the organisation to protect the data. He notes that the prevailing data protection challenge lies in instances where data is shared outwards or in use and emphasises the importance of seeing where the data is shared.

Mohit was curious about Kenny’s thoughts on the impact of digital sovereignty on the deployment of cloud strategy, to which Kenny observes the trend that more organisations are embarking on a cloud strategy. However, the missing focus is on the migration process – knowing how to do it and choosing the approaches. Organisations need to be aware of the different strategies.

Mohit adds that it is not a lift-and-shift play and that organisations need to re-organise their data when they adopt cloud technology. Kenny believes that the process of determining whether data can migrate to cloud is understanding whether data is protected through encryption, generalisation, tokenisation, and anonymisation to maintain the control.

Mohit concurs that data classification is a complex question and when thinking about a successful cloud strategy, 3 major pillars support digital sovereignty objectives: data sovereignty, operational sovereignty and software sovereignty.

Besides data sovereignty, which was mentioned by Melvin, Kenny offers definitions of the other two terms: 1) Operational sovereignty – maintaining resilience and having control over operations and managing incidents when a breach is detected and 2) Software sovereignty – proprietary control over the software that organisations or their vendor have developed or co-sourced. That arrangement needs to be well-protected through legal means so that organisations will have ownership of the software.

Melvin feels that when moving to cloud, it always begins as hybrid cloud. Organisations at the start of the journey will need to classify what can be moved to cloud. They will have to understand the security they have on-prem and on their cloud service provider. It would be crucial to maintain the same level of security for both systems.

For organisations that are already in the cloud and have multiple clouds, management becomes an issue. There needs to be a centralised component to manage both clouds and maintain the lifecycle of the key.

In conclusion, Kenny added that data classification and complexity of multi-cloud strategy are considerations for organisations planning their cloud strategy and Melvin added that it is a journey that will require time and patience.

Strengthening security through SaaS

Lim Wee Jian: Transforming and securing our apps: A SaaS approach

Lim Wee Jian, Senior Solutions Engineer, Public Sector, VMware, talked about the SaaS approach toward security.

VMware’s goal is to run more with existing resources and make their business run faster. He notes that the cloud migration has made data more distributed and VMware’s mission is to help organisations run more apps on any of the cloud at scale.

Cloud technology has its own set of complications, Wee Jian believes. It can be an inconsistent experience for operations or development – applications are leveraging on a cloud-native architecture which makes running applications and multi-cloud complicated.

There are many compelling reasons for modernising applications. COVID-19 has brought about a radical change in how businesses operate and deliver to consumer expectations. Services like GrabFood, shopping websites, Netflix and, most importantly, TraceTogether are good examples of the user experience becoming a digitally driven one.

Digital transactions are the new currency for services and this requires modern applications and systems that support a digital ecosystem. The ability to deliver new features and services rapidly is essential.

For businesses to remain competitive and agile, they would require systems with fast, automated and repeatable capabilities, such as automated application building and deployment within hours or minutes, including all phases of code and security testing.

More importantly, a digital system drives the need for cultural and operational change, and this needs a digital ecosystem that is well integrated and automated.

While building modern applications using a cloud-native approach, security needs to be injected at development or operation time.

DevSecOps is a way of approaching IT security with an “everyone is responsible for security” mindset. It involves injecting security practices into an organization’s DevOps pipeline. The goal is to incorporate security into all stages of the software development workflow. The obvious advantage of doing this is that organisations can identify potential vulnerabilities and work on resolving them sooner – the earlier you find any bugs, the cheaper it will be for you to fix them.

About the factors contributing to the SaaS trend, Wee Jian mentioned:

  • Operational efficiency – Customers are looking at the time and cost benefits of using vendor-managed services.
  • Security – Customers are looking to a vendor to take up the responsibility to maintain and update the software to resolve security vulnerabilities.
  • Reliability – SLAs are always top of mind for customers, to ensure that the availability of services is guaranteed.
  • Allow enterprises to focus more on business and less on maintaining operations, security, and high availability

Using the Tanzu portfolio, Wee Jian demonstrates the processes involved in the context of the day-to-day work of building, delivering, and managing modern apps – from how to support developer velocity to operating in production at scale.

Wee Jian emphasises that it is an effort that requires tight collaboration across development, security, and operational teams, ensuring each team’s needs are met, but with a clear separation of concerns so that each role can be optimised for their jobs. Developers can focus on delivering key business logic. Security teams can ensure security and compliance guardrails are inserted end-to-end (and automated), and operations teams (or platform teams) can focus on the platform – and the applications and clusters running there.

In conclusion, Wee Jian believes that great modern software is not just about the tools but about the people and culture. Tanzu Lab is a consultancy service that can help the team scale their practice.

Buttressing your cyber recovery capabilities

Marcus Loh: Ransomware: Do you trust your current recovery capabilities?

Marcus Loh, General Manager, South Asia Data Protection Solutions, Dell Technologies, spoke next on cyber recovery.

Marcus begins by emphasising that people cannot afford to be walled off even though that is the most secure position – businesses need a productive solution that can be deployed in their environments.

Unpacking the concept of cyber resiliency, Marcus explains, “Cybersecurity describes a company’s ability to protect against and avoid the increasing threat from cybercrime. Meanwhile, cyber resilience refers to a company’s ability to mitigate damage (damage to systems, processes, and reputation), and carry on once systems or data have been compromised. In essence, cyber resilience is about reducing the impact of a cyber event.”

The explosion of data is a pressing issue that many organisations face. COVID-19 expedited the process because brick-and-mortar establishments are going online. However, most organisations do not know what information they have and why they are keeping it.

What is making data retention policy problematic is when organisations keep it forever. He shares that only 15% of all data are mission-critical. Keeping data increases the attack surface – and especially so because people are working from home.

He also observes that attention is unequal: it goes to prevention but not to recovery. However, he highlights that ransomware has been designed to target the backup.

He believes that traditional strategies are not enough to do the following:

  • Backup Server encryption
  • Backup encryption
  • DNS/AD down/corruption
  • Recovery performance in massive change rate, full application recovery
  • Full-stack recovery
  • Primary data encryption
  • Restore targets

It is easy to say that data recovery is about identifying the correct backup version and recovery but it is hard to tell if your backup is dirty. “How do you ensure that you have a clean backup copy?” Marcus asks.

In conclusion, he emphasises the importance of finding out the MVO (minimal viable organisation) of an organisation. He reiterates that organisations only need 15% of mission-critical applications to run their business in the event of a cyber event. “When you protect everything, you protect nothing,” Marcus claims.

Polling results in the afternoon session

Throughout the afternoon session, delegates were polled on different topics.

The first poll inquired about key business initiatives for the next 12-18 months. Most (47%) are focused on improving employee productivity through digital technology, followed by modernising and securing apps (27%) and improving agility and delivery through Cloud Migration (13%). The remainder were equally split over embedding compliance transparently in applications (7%) and enabling real-time performance visibility and analysis (7%).

Delegates were then asked about what would have the bulk of their budget allocation in 2022–2023. Half (50%) indicated embracing cloud technology, be it public or private, as the bulk of their budget. The remaining delegates allocated the bulk of their budget to fortifying cyber resilience (22%), digitalisation of processes to deliver better or ‘Smart’ services (17%), improving integrity and governance whilst reducing inefficiency (6%) and enhancing or adopting AI and Analytics for improving outcomes through forecasting, prediction, and optimisation (6%).

On the main motivator that is driving digital transformation, delegates were equally divided between speeding up their time-to-market to fully capitalise on business opportunities or to serve citizens better (31%) and improving their capability to manage an increasing amount of data at the edge locations while ensuring security and compliance (31%). The rest of the delegates are driven by the need to provide a consistent and seamless cloud-everywhere experience across a distributed organisation (15%).

Regarding key concerns in the consideration to move to cloud, most (47%) were focused on the need to re-skill talent, followed by security and governance (40%) while the rest were looking at operational costs (13%).

About what they saw as the biggest challenge in digitalisation and cloud migration, half (50%) found people and skillset the biggest issue. The rest of the delegates found data classification/data sovereignty/data residency (21%) and security and compliance risk (21%) challenging. The remaining delegates found budget (7%) to be of concern.

Inquiring about the cyber security concerns that organisations are most worried about, most delegates (40%) were concerned about attacks on public-facing websites and infrastructure (e.g., SQLi, XSS, DDOS). A third (33%) are concerned about phishing and spear-phishing campaigns. The remaining delegates are bothered about social engineering campaigns targeting employees/partners/users (20%) and attacks on remote access infrastructure, e.g., VPN compromise (7%).

On their plans to implement Zero Trust across their extended environment, most (67%) have already started implementing zero trust with a primary focus on identifying our critical assets and a third (33%) are partnering with multiple security partners to build a practical and pragmatic roadmap to implement zero trust.

Asked about key drivers for their organisation’s initiating/augmenting an identity access/Zero Trust management programme, most (45%) identified Security/Data Protection/Breach Prevention as critical, followed by internal/Industry/Regulatory compliance (18%). The rest of the delegates are evenly split between the desire to reduce endpoint, Insider and IoT security threats (9%), operational efficiency (9%), response to audit or security incidents (9%) and addressing hybrid IT security issues (9%).

Inquiring about the approach for their organisation in evolving to SASE (Secure Access Service Edge), an overwhelming majority (75%) would take a best-of-breed approach to select partners that are most appropriate to the organisation’s needs. The rest said they would be staying with existing partners, consolidating as necessary (17%) or are looking for partners who can provide a complete SASE solution (8%).

Closing

To conclude the day, Mohit stresses the importance of getting started on the journey of securing data and information. It is the only way to stay relevant in face of changing realities. For Mohit, there is a need to take a serious look at security and data recovery – attacks are inevitable. It is crucial because organisations are focusing on technologies to keep their most vulnerable populations safe and secure – kids, seniors, families and communities.
