Data protection strategies for cloud
During Trescon’s World Cloud Show, a panel discussion moderator shared a news report that cloud spending across APAC was growing at a CAGR of 25 percent. This momentum would likely double cloud budgets to 10 percent of total IT spending by 2023.
When the moderator spoke to his panellists about the security challenges of moving to the cloud, Hana Bank’s Head of IT Project, Benedict Sulaiman, advised starting with the lowest-priority systems. “Core systems would be put aside. Start with surrounding apps first, like reporting, front-end systems, development servers. Development servers located in the cloud are not major because the data stored is mostly dummy data.”
In his book, risk and security assessments whenever an organisation deploys a new cloud server are also important. “We want to ensure we can’t be penetrated so routine penetration testing should be done on a regular basis.
“Maybe, in a few years we can decide whether to put core systems into the cloud,” Benedict said, commenting that the new regulation does not state otherwise, and is actually very vague. “When something is not written, is it deemed as allowed or not? So, we will have to ask for approval from the Ministry or the financial regulator.”
Data protection strategy
Traveloka’s Head of Information Security, Hilal John Lone agreed with Benedict’s approach, sharing that his measures are applicable to an organisation whether it is financial services-based or not.
He also wanted to introduce the idea of data discovery and visibility. For an organisation to become agile with data-driven decisions, discovery and visibility are crucial, but they need to go hand in hand with data classification, and then controls.
“Access controls become incredibly important, so you need a very good way to determine who has access and how that data is used,” Hilal said, adding that a data protection strategy needs to include operational excellence and vulnerability testing, as well as simple data encryption.
“Because we operate in multiple clouds like AWS and Google, to maintain consistent data security, we have to keep an eye on the fundamentals. It works really well and does not leave anything to guesswork.
“There is proper procedure with documentation in terms of the data protection strategy,” Hilal explained, saying that hygiene factors also remain the same.
AIA Singapore’s Information Security, Antonius Ruslan agreed with his fellow panellists. He also shared four points which he observed.
The first is that organisations need to ensure their requirements are met by the cloud service provider (CSP), and the second is to consider the operational alignment of the on-premise and cloud environments when moving to the cloud.
“In terms of support, the security operations centre (SOC), how we access data, how we secure the environments... these must be considered,” Antonius emphasised.
Third, the investment in the cloud must be worth it: do the benefits derived from the cloud exceed the cost of deploying the cloud?
This is where the fourth point comes into play; employees must be eager to continue learning new tech and new features (released by CSPs). “The hunger for continuous learning must be there,” Antonius pointed out.