Regulations are still necessary to make sure organizations are compelled to adopt measures designed to strengthen their cybersecurity posture.
Singapore this week released guides it said will help organizations, including small- and mid-sized businesses (SMBs), better understand risks associated with using cloud services and what they, as well as their cloud providers, need to do to secure cloud environments.
The two cloud security "companion guides" serve to facilitate the adoption of national cybersecurity standards, Cyber Essentials and Cyber Trust, developed by Singapore's Cyber Security Agency (CSA), which announced the launch at its annual Singapore International Cyber Week conference.
Published alongside Cloud Security Alliance, the companion guides were developed closely with three cloud vendors -- Amazon Web Services (AWS), Google Cloud, and Microsoft -- which provided customer insights and relevant market statistics. The cloud players also "validated" the content provided in the companion guides, CSA said.
The guides outline organizations' cloud-specific risks and responsibilities, and the steps they should take to safeguard their environments, including staff training and mechanisms to track and monitor their cloud services inventory. The documents also include provider-specific guides for environments running on AWS, Microsoft, and Google platforms, which are organized based on measures for Cyber Essentials and Cyber Trust standards.
"[A common] confusion when organizations use the cloud is the division of responsibility between themselves as cloud users, and that of their cloud providers," CSA said. "In a cloud deployment, there is shared responsibility, and organizations may not be fully aware of the areas they are responsible for. This may increase the likelihood of misconfigurations, malicious attacks, and/or data breaches."
Available for free, the guides are expected to help 27% of businesses in Singapore that use cloud computing services, the government agency said, citing a 2022 study from the Infocomm Media Development Authority (IMDA).
Singapore this week also took further steps toward expanding a national security labeling initiative to include medical devices, with the release of a sandbox with which manufacturers can test their products. Participants of the sandbox then will provide feedback on the requirements and application processes, against which devices will be assessed under the medical labeling scheme slated for launch at a later date.
The sandbox will run for nine months, with the feedback to be used to finetune the operational workflow and requirements in the scheme, where necessary, CSA said. The sandbox was launched in collaboration with the Ministry of Health, Health Sciences Authority, and Synapxe.
Noting that 15%, or more than 16,000, of medical devices in local public healthcare institutions have internet connectivity, CSA said medical devices are increasingly connected to hospitals and home networks. This can drive up cybersecurity risks, where security gaps in software used for clinical diagnostics, for instance, can be exploited to generate wrong diagnoses. Unsecured medical devices can also be targeted in denial-of-service attacks, thereby preventing patients from receiving treatment.
Such equipment also can be tapped by malicious hackers to breach a hospital's network, which can result in data leaks or network shutdown.
With the expansion of the security labeling scheme to include medical devices, manufacturers will be motivated to embed security into their product design, and healthcare operators can make more informed decisions on the use of such devices, according to CSA. The scheme encompasses four ratings, with each level reflecting additional tests on which the product was evaluated.
The sandbox will allow device manufacturers to test their products based on various assessments, including software binary analysis, penetration testing, and security evaluation.
However, such initiatives and other security best practices can only go so far if these are offered as guidelines and advisories, rather than mandates that businesses must adopt.
Many technology practitioners and CISOs will refer to guides and look at industry best practices, but doing so can only go so far if these are offered only as advisories, rather than as regulations, said Karan Sondhi, vice president and CTO of the public sector for security vendor, Trellix.
Initiatives such as the security labeling program, for instance, serve as an information tool, and not as enforcement, Sondhi said in an interview with ZDNET, on the sidelines of the conference.
Harold Rivas, who serves as Trellix's CISO, concurred, noting that the labeling scheme helps with purchasing decisions and creates awareness about potential risks. It provides decision-makers cause to consider alternatives and serves as a good reference point for best practices that are independently validated, Rivas said.
Ultimately, though, there should be clear mandates to push the industry toward clear outcomes, Rivas said.
Such requirements, for example, could include a proper patch management strategy and robust monitoring system, Sondhi said. These should be accompanied by roadmaps for rollout, so market players would be given the necessary timelines to ensure compliance, he added.
Acknowledging there will inevitably be pushback over concerns such mandates have on cost and time-to-market, he said regulations need not be overly complex. They also can point to accompanying standards bodies tasked to provide more details and update the adoption of best practices when necessary. This will free up governments from having to keep up with market changes and to instead focus on mandating high-level requirements, he noted.
Enforcement also is a good starting point when the road toward cyber resilience may be long and fraught with complexities.
Organizations in operational technology (OT) sectors, in particular, have ecosystems that have to be managed differently from IT infrastructures, Sondhi said. They will need to establish an inventory of all their OT systems and devices, and ensure third-party tools are secured as well as integrated so they have clear visibility across their entire supply chain.
Governments can facilitate by enforcing certain industry requirements, enabling all industry players to gradually fall into place, Sondhi said. For instance, organizations that provide government-related services such as smart meters must demonstrate they have a clear inventory of their systems and patch management schedule. Vendors that breach requirements stipulated in these contractual agreements then should be penalized, he said.
Such overarching regulatory frameworks help drive actions forward and serve to safeguard both organizations and citizens, Rivas said.
Robust cyber resilience is essential, especially as some of these sectors face growing threats.
Public-sector organizations in Asia-Pacific, for one, had to fend off close to 3,000 attacks on average a week over the last six months, according to Vivek Gullapalli, Asia-Pacific CISO at Check Point Software Technologies.
The education and research sector experienced the highest number of weekly attacks, at 4,057 for each organization, over the last six months, followed by healthcare at 2,958 and the government and military sector, at 2,882 attacks.
He added that some of these sectors remain nascent, where smart nations are still being built out with emerging technologies such as driverless vehicles, smart cameras, and other Internet of Things (IoT) devices.
As the underlying OT infrastructure continues to evolve, the ability to manage the entire ecosystem will be complex. For instance, a different approach may be required to apply security patches for OT devices. And as demand for connectivity grows, organizations will need to figure out which devices are interconnected and, hence, require further security safeguards and embedded tools.
With the management of infrastructures sometimes overlapping between public and private sectors, a proper framework also will need to be established to protect the entire OT ecosystem, he said.
There still is a lot to be learned and different approaches will be needed, Gullapalli said. Amid this ongoing evolution, he urged the need for continued conversations and collaboration between governments, OT device manufacturers, and security players to plug the gaps.