Sound risk guidelines set priorities for secure cloud ventures

Asian governments are embarking on digital transformation initiatives – such as Singapore’s Committee on the Future Economy, ASEAN’s ICT Masterplan 2020, the Digital Thailand 4.0 and Digital Malaysia roadmaps, and China’s 13th Five-Year Plan – to ready their respective economies for an innovation-driven future.

At the heart of these initiatives lie positive and relevant customer experiences across channels and endpoint devices driven by a rapidly growing ‘internet of applications’. Customers interact with businesses and access data from anywhere, switching seamlessly between in-house and cloud-based applications. IDC predicts that one in four applications will be delivered as a service over the internet by 2020.

However, just three months into 2017, data breaches and data theft have already reared their ugly heads at Singapore’s Ministry of Defence (Mindef) and the Hong Kong Registration and Electoral Office, respectively.

Although the data lost in these incidents were basic, the incidents underscore the importance of strong risk management within digital transformation strategies to uphold user trust and confidence in the safety of digital assets and the availability of critical services. Thankfully, the 3.7 million Hong Kong voters’ data on two stolen laptops were encrypted, and banks have indicated to the Hong Kong Monetary Authority that the lost data neither include the information required to access online services nor suffice to pass the rigorous vetting and approval procedures required to obtain a loan.

Financial attraction

The finance industry stands out as an obvious, lucrative target for cyber attackers. The banking industry could be 70% “more targeted” by hackers than any other sector due to the value of financial information, commented Indonesia Cyber Security Forum cofounder and chairman Ardi Sutedja in the Jakarta Post.

Not surprising then that the financial industry sets the benchmark for high standards in security and availability. Being a highly regulated industry, it is guided by comprehensive technology risk management guidelines and cybersecurity best practices. Even so, the industry has made great strides toward digital innovation with the use of cloud technologies.

IDC believes that at least 80% of Asia-Pacific banks, having embraced private cloud architecture, will run on a hybrid cloud architecture by 2018.

“With growing regulatory support for cloud and the intensifying competitive pressures forcing Asia/Pacific banks to look at what cloud can offer in terms of cost take-out and quicker go-to-market, cloud adoption will scale up this year,” said Michael Araneta, associate vice president for IDC Financial Insights Asia/Pacific.

For example, the growing adoption of IT outsourcing and the use of cloud services prompted the Monetary Authority of Singapore (MAS) to issue its Guidelines on Outsourcing Risk Management, which cover cloud services, to financial institutions (FIs) last year.

Given the characteristics of cloud services, such as multi-tenancy, data commingling and multi-location parallel processing, the guidelines encouraged FIs to address risks associated with data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing. Specifically, FIs should pick service providers that clearly identify and segregate customer data using strong physical or logical controls and provide robust access controls to protect customer information, among other must-haves.

Beyond the finance industry, a recent Hong Kong Productivity Council (HKPC) study found that 65% of enterprises that outsourced IT jobs will provide privileged access to partners in the next 12 months. Following the report, Wilson Wong, general manager of IT and Business Process at HKPC, advised enterprises to enhance privileged access management for IT outsourcing partners or cloud service providers.

Neglected policies

In another study, F5 Networks’ 2017 State of Application Delivery survey found increases in preferences for managed or as-a-service options as organizations struggle to find staff to address security challenges. Yet, despite companies’ increasing exposure to cyber risks, many companies are still grossly underinsured with only 12% of the total costs of a typical breach covered.

After all, only 19% of companies polled in a global study have cyber insurance coverage. But PwC estimated that cyber insurance annual premiums will surge from around US$2.5 billion today to hit $7.5 billion by 2020.

With cyber insurance so integral to an enterprise’s security strategy, F5 recommends that IT leaders “calculate how much the business can absorb from a breach without financial catastrophe, pick a level of risk that the business is comfortable with, and insure the rest”.

In balancing cloud-driven innovation and security, Leong Keng Thai, chairman of Singapore’s Personal Data Protection Commission, advocated firm data protection laws to influence the incorporation of personal data governance in organizations’ risk management practices.

Yet, while security laws and guidelines help foster best practices, they cannot foresee all cybersecurity risks in the cloud as attack surfaces expand and threats evolve. To be vigilant, organizations need to create a culture of security among staff and stakeholders; craft a realistic cloud strategy using metrics to assess readiness in responding to incidents and protecting critical assets; and embed sound risk management practices into digital transformation initiatives.

This is a QuestexAsia feature commissioned by F5 Networks Asia Pacific.