"The human asset is the most critical element when it comes to defending against and defeating evolving security threats," asserted Seow. Organisations should thus promote a positive security culture and ensure that all employees have a good understanding of the company's security policies. "Once employees understand the importance of security and good practices, the chances of breaches will be reduced... as security is by and large a people issue rather than a tech issue. Employees [are able to not only] defend information assets through professional due care, [but also] detect attack attempts early and respond to them swiftly and coherently."
As security threats evolve alongside the advancement of security technologies, there is a need for security professionals to continually upgrade their skills and keep abreast of new threats. "The days where security is managed by non-security trained people are over. It is recommended that security professionals hold professional certification from [security certification bodies such as] International Information Systems Security Certification Consortium (ISC)2 or ISACA."
"To tackle security effectively, we have to first instill a good security education in the people around us, and it must be a relentless and continuous effort," concluded Seow.
Bringing Trust to the Cloud
Security is still the biggest barrier to cloud adoption, according to David Siah, Chair of Singapore Chapter, Cloud Security Alliance (CSA).
David Siah, Chair, Singapore Chapter, Cloud Security Alliance
"There is a lack of trust when you're subscribing to a cloud service today," said Siah. The CSA, a global not-for-profit organisation that was founded in the U.S. in 2009, thus "aims to bring trust to the cloud by developing a global trusted cloud ecosystem, and building best practices and standards for the next generation of IT."
The lack of transparency by cloud service providers (CSPs) might be a reason for the lack of trust in cloud services, he claimed. To address this issue, CSA launched a publicly accessible registry via the Internet, CSA STAR, in 2011. CSA STAR "documents the security controls provided by cloud service providers" and only lists cloud service providers that meet CSA's Open Certification Framework (OCF).
Consisting of three levels, the OCF is an industry initiative to allow global, accredited and trusted certification of cloud providers. Siah explained that level 1 consists of self-assessments based on the Consensus Assessment Initiative Questionnaire and Cloud Control Matrix. There are currently 60 organisations with this certification including Amazon Web Services, Microsoft and Box.com.
The STAR Attestation is positioned as CSA STAR Certification at Level 2 of the OCF. "Level 2 is a lot more rigorous as it is based on a third party independent assessment of the CSP's security," he said. The CSP's description of its system and controls will be assessed at this level.