How to secure data on cloud: best practices from 3 case studies
Increasing digitalisation has prompted a rise in the adoption of cloud services and platforms by organisations in Singapore. Due to the security protections incorporated by cloud service providers (CSPs), cloud services and platforms are typically more secure than on-premises implementations. Nonetheless, data breaches can still occur if organisations fail to adhere to best practises and security regulations when managing cloud data.
We have prepared the following fundamental best practises to prevent typical sorts of cloud-related data breaches. To protect personal data in the cloud, organisations are urged to implement these measures:
How to secure data on the cloud from Misconfiguration of Cloud Platforms
Organisation A’s cloud storage was incorrectly configured as publicly accessible, and it contained personal data. As a result, personal data was exposed as a result of the exposed cloud storage.
Organisation B negligently breached security as part of a data migration exercise by configuring the setting of an exposed port to the “public” without any security restrictions on the cloud. As a result, the threat actor gained unauthorised access to the cloud storage that contained personal data.
To secure data on the cloud from Misconfiguration of Cloud Platforms, you can Implement robust control to cloud resources such as:
1. Whitelist or allowlist the IP addresses that have access to cloud resources.
2. Make “private” access to cloud resources the default setting.
3. Audit cloud configurations and security controls on a regular basis to ensure compliance with the organization’s security pol
Also Read: Data governance framework: What organisations in Singapore should know
How to secure data in cloud from Malware and Phishing
Through social engineering, an employee of a domain provider was duped into transferring control of Organization C’s domain hosting account to an external actor. The external actor used the control to redirect all of Organization C’s cloud-based email traffic to its own email servers. The external actor obtained information that allowed them to reset email passwords and successfully changed the password for a DevOps account that had access to the cloud storage database, allowing them to steal sensitive personal data.
To secure data on the cloud, protect your cloud infrastructure against malware and phishing through:
- Enabling advanced protection services for cloud-based email servers, such as Microsoft 365 advanced protection and Google Protection service, to protect incoming mail.
2. Disabling email auto-forwarding by default for cloud-based email servers, particularly if the email accounts handle sensitive personal data.
3. Using a one-time password (OTP) or two-factor authentication (2FA) or multi-factor authentication (MFA) to secure administrator account(s) whose job function requires regular access to sensitive personal data or large amounts of personal data.
How to secure data on the cloud from Compromise of Cloud Access Keys
All developers in Organization D were granted full access privileges to cloud resources, with no security restrictions. Because no proper user roles or groups were defined to manage access keys to critical cloud resources, the threat actor used credential stuffing to gain unauthorised access to a database hosted on a public cloud.
Former and current employees of Organization E had access to old access keys that had not been rotated or changed in the Github repository. The threat actor was able to gain admin privileges and unauthorised access to cloud storage using the compromised access keys obtained through credential stuffing.
Employees of Organization F frequently communicated and shared access keys via email in plain text; the threat actor obtained the compromised access keys via phishing email in order to gain unauthorised access to cloud storage and personal data.
Organization G had embedded access keys in an obsolete application source code repository on Github. A security breach occurred as a result of the organization’s failure to remove obsolete application source code containing access keys, which was easily accessible by threat actors via the internet.
To secure data on the cloud from Compromise of Cloud Access Keys, adopt good cloud security practices as follows:
1. Limit the access privileges of cloud access keys (access key id plus secret access keys) based on user roles/functions, i.e., generate these keys with the least privileges required for the user roles/functions rather than root accounts.
2. Do not directly embed cloud access keys (access key id plus secret access key) in source codes.
3. Store and manage critical keys using standard key management solutions.
4. Conduct a periodic review of critical key deletion and rotation.
5. Perform scans for cloud access keys that may have been committed in shared repositories, such as installing “shhgit” to detect possible secret keys being committed to GitHub repositories.
How a DPO and regular VAPT can help secure data in the cloud
With these organisations suffering breaches, they are now liable under the PDPA. They could be subjected to loss of trust from investors and consumers, and worse, they could be obliged to pay a financial penalty of up to S$1,000,000.
A DPO can help prevent these from happening by making sure that the organisation’s cybersecurity posture is in its fittest shape. It is crucial that an organisation has a Data Protection Officer (DPO) to oversee how the data is managed when using the cloud for storage. It is important that each organisation has an officer who ensures that at each step of the way, there will be no room for data mismanagement. If they do not have one, they can employ DPO-as-a-service providers such as Privacy Ninja.
DPOs complement organizations’ efforts to ensure that data management is in compliance with the PDPA and that there are no instances of data leaks or any problems organisations face nowadays due to the lack of security arrangements.
Regular penetration testing is also beneficial for organisations in Singapore as it ensures that there will be no loophole within the organisation that the bad actor can exploit. Pen testers or commonly known as Whitehat hackers will see to it that each vulnerability found will be patched to secure the data on the cloud.
The PDPC advises organisations to conduct regular penetration testing through service providers such as Privacy Ninja, which is CRSO licensed.
Also Read: Outsourced Data Protection Officer Singapore