Privacy Ninja

How to secure data on cloud: best practices from 3 case studies

Learning how to secure data on the cloud is no easy task. Luckily, we are here to break it down for you through three case studies.

Increasing digitalisation has prompted a rise in the adoption of cloud services and platforms by organisations in Singapore. Thanks to the security protections built in by cloud service providers (CSPs), cloud services and platforms are typically more secure than on-premises implementations. The CSP secures the underlying platform, however; how resources are configured, who holds credentials and how data is handled remain the customer's responsibility, and data breaches still occur when organisations fail to follow best practices and security regulations in managing cloud data.

We have prepared the following fundamental best practices to prevent the common types of cloud-related data breaches. To protect personal data in the cloud, organisations are urged to implement these measures:

How to secure data on the cloud from Misconfiguration of Cloud Platforms

Organisation A's cloud storage was incorrectly configured as publicly accessible, and it contained personal data. As a result, the personal data it held was exposed to anyone on the internet.

During a data migration exercise, Organisation B set a port on its cloud environment to "public" with no further security restrictions. A threat actor used that exposed port to gain unauthorised access to cloud storage containing personal data.

To secure data on the cloud from misconfiguration of cloud platforms, implement robust access control over cloud resources, such as:

1. Allowlist the IP addresses that may reach cloud resources, and deny everything else.

2. Make "private" the default access setting for cloud resources, and treat any public exposure as an explicit, reviewed exception.

3. Audit cloud configurations and security controls on a regular basis to ensure compliance with the organisation's security policy.
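Added example (not code from the original article or from Privacy Ninja): a small audit that applies items 1 to 3 to two constructed configuration documents, a set of ingress rules in the style of a cloud security group and a storage-bucket policy in the style of an AWS S3 bucket policy. The office network 203.0.113.0/24, the rules and the policy statements are all made up for the example; in practice you would feed the same checks the configuration export of your CSP.

```python
import ipaddress
import json

# Constructed sample: ingress rules in the style of a cloud security group.
# Not real configuration from any organisation in the article.
INGRESS_RULES = [
    {"port": 22,   "cidr": "203.0.113.0/24"},  # SSH from the office allowlist
    {"port": 5432, "cidr": "0.0.0.0/0"},       # database port opened to "public"
    {"port": 443,  "cidr": "::/0"},            # HTTPS open to the whole IPv6 internet
]

# Constructed sample: a bucket policy in the style of an AWS S3 policy.
# Statement 1 lets anyone read objects; statement 2 is pinned to the allowlist.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::customer-records/*"},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::customer-records",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
  ]
}""")

# Assumption for the example: the only network allowed to reach cloud resources.
OFFICE_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def is_world_open(cidr):
    """True if the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_allowed_by_allowlist(cidr, allowlist):
    """True if the rule's source network sits inside one of the approved networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowlist)


def audit_ingress(rules, allowlist):
    """Return (port, cidr, reason) for every rule that is not restricted to the allowlist."""
    findings = []
    for rule in rules:
        if is_world_open(rule["cidr"]):
            findings.append((rule["port"], rule["cidr"], "open to the entire internet"))
        elif not rule_allowed_by_allowlist(rule["cidr"], allowlist):
            findings.append((rule["port"], rule["cidr"], "source not in the IP allowlist"))
    return findings


def statement_is_public(stmt):
    """Allow + wildcard principal + no source-IP condition means anyone can call it."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
    if not wildcard:
        return False
    ip_conditions = stmt.get("Condition", {}).get("IpAddress", {})
    return "aws:SourceIp" not in ip_conditions


def audit_bucket_policy(policy):
    """Return the actions the policy grants to the whole internet."""
    public_actions = []
    for stmt in policy.get("Statement", []):
        if statement_is_public(stmt):
            actions = stmt["Action"]
            public_actions.extend(actions if isinstance(actions, list) else [actions])
    return public_actions


if __name__ == "__main__":
    for finding in audit_ingress(INGRESS_RULES, OFFICE_ALLOWLIST):
        print("ingress finding:", finding)
    for action in audit_bucket_policy(BUCKET_POLICY):
        print("public bucket action:", action)
```

The findings are exactly the two case-study failures: a port opened to the whole internet (Organisation B) and a storage policy that lets any principal read objects (Organisation A). The second policy statement passes because its aws:SourceIp condition pins it to the allowlist, which is the pattern item 1 asks for; running a check like this on a schedule is item 3.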


How to secure data on the cloud from Malware and Phishing

Through social engineering, an employee of a domain provider was tricked into transferring control of Organisation C's domain hosting account to an external actor. With control of the domain, the actor redirected all of Organisation C's cloud-based email traffic to mail servers under their own control. The intercepted mail gave them what they needed to reset email passwords; they changed the password of a DevOps account that had access to the cloud storage database and used it to steal sensitive personal data.

To secure data on the cloud, protect your cloud infrastructure against malware and phishing through:

1. Enabling the advanced protection services of your cloud-based email platform, such as the advanced threat protection features of Microsoft 365 and Google Workspace, to screen incoming mail.

2. Disabling automatic forwarding by default on cloud-based email, particularly for accounts that handle sensitive personal data, so that a compromised account cannot quietly copy its mail elsewhere.

3. Requiring multi-factor authentication (MFA), for example a one-time password (OTP) as the second factor, on administrator accounts and on any account whose job function requires regular access to sensitive personal data or large amounts of personal data. In Organisation C's case the weak point was at the domain provider, so ask the provider for a transfer lock on the domain and watch the domain's MX records for changes you did not make.
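The detection behind item 2, as an added example (not code from the original article or from Privacy Ninja): it reads mailbox audit events and flags any rule or mailbox setting that forwards or redirects mail outside the organisation's own domains, which is how a takeover like Organisation C's keeps flowing after the initial redirect. The records, the internal domain list and the target addresses are constructed for the example; the field names follow the general shape of Exchange mailbox audit events (operation plus a list of parameters) but are simplified, so map them onto the export your platform actually produces.

```python
import json

# Assumption for the example: the organisation's own mail domains. Any other
# domain is treated as external.
INTERNAL_DOMAINS = {"example.com.sg"}

# Parameter names that set a forwarding or redirect target. The names follow the
# Exchange cmdlet parameters; extend the tuple for other mail platforms.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")

# Constructed sample records (not real log data), simplified to the shape of
# mailbox audit events: who acted, which operation, and the parameters set.
AUDIT_LOG = [
    '{"UserId": "alice@example.com.sg", "Operation": "New-InboxRule", '
    '"Parameters": [{"Name": "Name", "Value": "archive"}, {"Name": "MoveToFolder", "Value": "Archive"}]}',
    '{"UserId": "devops-admin@example.com.sg", "Operation": "Set-Mailbox", '
    '"Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@mail-drop.invalid"}, '
    '{"Name": "DeliverToMailboxAndForward", "Value": "True"}]}',
    '{"UserId": "bob@example.com.sg", "Operation": "New-InboxRule", '
    '"Parameters": [{"Name": "ForwardTo", "Value": "helpdesk@example.com.sg"}]}',
    '{"UserId": "carol@example.com.sg", "Operation": "New-InboxRule", '
    '"Parameters": [{"Name": "ForwardAsAttachmentTo", "Value": "carol.personal@webmail.invalid"}, '
    '{"Name": "DeleteMessage", "Value": "True"}]}',
]


def parse_addresses(value):
    """Split a parameter value into lower-case addresses, dropping any 'smtp:' prefix."""
    addresses = []
    for part in value.split(","):
        part = part.strip().lower()
        if part.startswith("smtp:"):
            part = part[len("smtp:"):]
        if "@" in part:
            addresses.append(part)
    return addresses


def is_external(address, internal_domains):
    """An address is external unless its domain is one the organisation owns."""
    return address.rsplit("@", 1)[1] not in internal_domains


def detect_external_forwarding(lines, internal_domains):
    """Return one finding per event that forwards or redirects mail outside the organisation."""
    findings = []
    for line in lines:
        record = json.loads(line)
        params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
        targets = set()
        for name in FORWARD_PARAMS:
            if name in params:
                targets.update(a for a in parse_addresses(params[name])
                               if is_external(a, internal_domains))
        if targets:
            findings.append({
                "user": record["UserId"],
                "operation": record["Operation"],
                "targets": sorted(targets),
                # A rule that forwards and then deletes hides the copying from the mailbox owner.
                "deletes_original": params.get("DeleteMessage") == "True",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_external_forwarding(AUDIT_LOG, INTERNAL_DOMAINS):
        print(finding)
```

Bob's rule forwards to an internal helpdesk address and is not reported; the mailbox-level forwarding on the DevOps admin account and Carol's forward-then-delete rule are. Either of those on an account that handles personal data is worth treating as an incident, not just a policy breach.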


How to secure data on the cloud from Compromise of Cloud Access Keys

All developers in Organisation D were granted full access to cloud resources, with no security restrictions. Because no user roles or groups had been defined to manage access keys to critical cloud resources, a threat actor who obtained a developer's credentials through credential stuffing gained unauthorised access to a database hosted on a public cloud.

Former and current employees of Organisation E still had access to old access keys that had never been rotated and that sat in a GitHub repository. Using compromised keys obtained through credential stuffing, the threat actor gained admin privileges and unauthorised access to cloud storage.

Employees of Organisation F frequently shared access keys by email in plain text. A threat actor obtained those keys through a phishing email and used them to gain unauthorised access to cloud storage and personal data.

Organisation G had embedded access keys in the source code of an obsolete application kept in a GitHub repository. Because the organisation never removed the obsolete code, the keys remained reachable by anyone on the internet, and a breach followed.

To secure data on the cloud from compromise of cloud access keys, adopt good cloud security practices as follows:

1. Limit the privileges of cloud access keys (access key ID plus secret access key) to the user's role or function: generate them for least-privilege users or roles, never from the root account.

2. Do not embed cloud access keys in source code; supply them from the environment or a secrets manager at run time.

3. Store and manage critical keys in a standard key management or secrets management solution.

4. Conduct a periodic review of critical keys, deleting the ones no longer in use and rotating the rest.

5. Scan for cloud access keys that may have been committed to shared repositories, for example with "shhgit" to detect secrets being pushed to GitHub repositories.
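Items 2, 4 and 5 in working form, as an added example (not code from the original article or from Privacy Ninja): a scanner that looks for AWS-style access key IDs and secrets in a set of source files, a review that splits a key inventory into keys to rotate and keys to delete, and a cross-reference that tells you which leaked keys are still live. The repository contents, the inventory and the review date are constructed; the credentials are the example values AWS publishes in its own documentation, not live keys, and the key-ID pattern is written here from the documented format rather than taken from any scanner's source.

```python
import re
from datetime import date

# AWS-style long-term access key IDs start with AKIA followed by 16 upper-case
# alphanumerics; ASIA marks temporary STS keys. Pattern written for this example.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
# A 40-character secret only counts when it is assigned to a key-like name,
# which keeps ordinary base64 blobs from triggering the scanner.
SECRET_RE = re.compile(
    r"(?i)(aws_?secret_?access_?key|secret_?key)\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})[\"']?"
)

# Constructed repository snapshot (path -> contents). The credentials are the
# example values from AWS documentation, not real keys.
REPO_FILES = {
    "legacy/upload.py": (
        'ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
        'SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "infra/main.tf": 'provider "aws" {\n  region = "ap-southeast-1"\n}\n',
    "README.md": "Run `aws configure`; never paste AWS_SECRET_ACCESS_KEY in here.\n",
}

# Constructed key inventory, the kind of list an IAM credential report gives you.
KEY_INVENTORY = [
    {"user": "ci-deployer", "key_id": "AKIAIOSFODNN7EXAMPLE", "created": date(2021, 3, 1), "status": "Active"},
    {"user": "alice", "key_id": "AKIAI44QH8DHBEXAMPLE", "created": date(2024, 5, 20), "status": "Active"},
    {"user": "old-vendor", "key_id": "AKIAJT4RZ3HPPEXAMPLE", "created": date(2020, 1, 15), "status": "Inactive"},
]

# Assumed review date and rotation policy for the example.
REVIEW_DATE = date(2024, 6, 30)
MAX_KEY_AGE_DAYS = 90


def scan_files(files):
    """Return (path, line_no, kind, value) for every key ID or secret found in the files."""
    findings = []
    for path, contents in files.items():
        for line_no, line in enumerate(contents.splitlines(), start=1):
            for m in ACCESS_KEY_ID_RE.finditer(line):
                findings.append((path, line_no, "access_key_id", m.group(0)))
            for m in SECRET_RE.finditer(line):
                findings.append((path, line_no, "secret_access_key", m.group(2)))
    return findings


def review_keys(inventory, today=REVIEW_DATE, max_age_days=MAX_KEY_AGE_DAYS):
    """Split the inventory into keys to rotate (active but older than policy allows)
    and keys to delete (already inactive, so they only add exposure)."""
    rotate, delete = [], []
    for key in inventory:
        if key["status"] != "Active":
            delete.append(key["key_id"])
        elif (today - key["created"]).days > max_age_days:
            rotate.append(key["key_id"])
    return {"rotate": rotate, "delete": delete}


def leaked_and_active(findings, inventory):
    """Key IDs that appear in the repository and are still active: revoke these first."""
    active = {k["key_id"] for k in inventory if k["status"] == "Active"}
    return sorted({v for _, _, kind, v in findings if kind == "access_key_id" and v in active})


if __name__ == "__main__":
    hits = scan_files(REPO_FILES)
    for hit in hits:
        print("found in repo:", hit)
    print("revoke immediately:", leaked_and_active(hits, KEY_INVENTORY))
    print("key review:", review_keys(KEY_INVENTORY))
```

Scanning the checked-out tree is not enough for a case like Organisation G's: a key removed in a later commit is still in the repository history, so run the same scan over every revision (for example over git log -p output) or use a dedicated secret scanner such as shhgit that inspects commits as they are pushed. A leaked key that is still active is revoked first and rotated second; deleting it from the code does nothing for a copy the attacker already has.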


How a DPO and regular VAPT can help secure data in the cloud

Each of these organisations, having suffered a breach, became liable under the PDPA. Beyond the loss of trust from investors and customers, they could be ordered to pay a financial penalty of up to S$1,000,000.

A Data Protection Officer (DPO) helps prevent this by keeping the organisation's security posture in shape and by overseeing how personal data is handled when it is stored in the cloud, so that no step of the way leaves room for data mismanagement. Organisations that do not have one in-house can engage a DPO-as-a-service provider such as Privacy Ninja.

DPOs complement an organisation's own efforts to keep data handling compliant with the PDPA and to avoid the data leaks and other problems that follow from inadequate security arrangements.

Regular penetration testing also helps organisations in Singapore find loopholes before a bad actor exploits them. Pen testers, commonly known as white-hat hackers, report each vulnerability they find so that it can be patched, keeping data on the cloud secure.

The PDPC advises organisations to conduct regular penetration testing; licensed providers such as Privacy Ninja, which holds a licence from the Cybersecurity Services Regulation Office (CSRO), can carry this out.
