Singapore Issues Guidance for Cloud Outage ThreatsNew Guidelines Meant to Enhance Business Resiliency
Singapore-based enterprises face new challenges with the Smart Nation ecosystem and the changing landscape of disruptive technologies such as the cloud, the Internet of Things and big data. One of the challenges is that the enterprises are prone to cloud outages, which would affect business continuity and data sensitivity, resulting in vulnerabilities.
See Also: Beginners Guide to Observability
Because these outages are likely to increase, the Singapore government has issued the new Cloud Outage Incident Response Guidelines for better cloud resiliency.
"As a responsive security [measure], critical alignment of resources is important as it provides a focal point from which the boundaries of systems can be identified," says Singapore-based Chuan-Wei Hoo, technical adviser, Asia-Pacific at (ISC)².
Security Risks of Cloud Outage
The Infocomm Development Authority of Singapore sees the need of preparing for and mitigating the threat of cloud outages, whether for business-critical uptime or data sensitivity in the face of rapidly emerging new technologies.
According to Khoong Hock Yun, assistant chief executive of IDA, there is a need for a flexible, cohesive, and integrated cloud ecosystem that meets business enterprises' needs in a digital economy.
He doesn't rule out risks associated with the cloud outage that may result in the unavailability of subscribed cloud services, which could adversely affect users' accessibility to data and also in a data leakage.
Some of the risks IDA lists are:
- Cloud service failure due to oversubscription in peak usage periods;
- Inability to troubleshoot performance issues due to continuous environment changes;
- Single points of failure due to addition of complex technology components;
- Inability to verify cloud infrastructure resiliency;
- Lack of continuity plan for cloud service failure, provider acquisition, or change in service strategy resulting in data loss;
- Inadequate monitoring of cloud resource utilisation.
"This will pave the way for a successful intrusion from a cyberattacker, which could result in a breach or incident, as the security intelligence would have the challenge of responding faster to neutralise these threats before real damage is done," says Singapore-based Bill Taylor-Mountford, vice president for Asia Pacific and Japan at LogRhythm.
Another risk that Aloysius Cheang, MD of Cloud Security Alliance-Singapore chapter, anticipates during cloud outages is that a cloud customer may find it impossible to receive the required cooperation from their cloud service provider when handling a security incident.
"The teams should be concerned about the resource pooling practiced by cloud services, to the rapid elasticity offered by cloud infrastructures, may dramatically complicate the incidence response process, especially forensic activities carried out as part of the incident analysis during cloud outages," Cheang says.
Incident Response for Better Cloud Resilience
IDA's incident response blueprint to enhance cloud service providers' resilience capabilities recommend four tiers of responses CSPs can prepare for, based on the projected impact of outages:
- Systemic/life-threatening impact - hosting functions that are mission-critical to human safety or the stability of the economy, market or industry.
- Business critical impact - such as payment gateways, which could drive vulnerabilities and restoration of operations within hours and have a high urgency to access data during this period.
- Response plan - for operational impact, including corporate emails where data protection is critical.
- Game plan - to restore functions affecting website hosting non-critical information and testing environment.
Khoong says by utilising these guidelines, CSPs can clearly outline the scope and scale of resilience measures they offer as part of their cloud services, including mobilisation of emergency resources, prioritisation levels for recovery and restoration of affected cloud services.
IDA says it is critical for cloud users to conduct a business impact analysis to identify business requirements being automated through the procurement of a cloud service.
Mechanism attestation is a must, Hoo stresses. The procedures need to be verified, challenged and tested to ensure they are fit for the purpose.
"The key challenge is the availability of experienced information/cybersecurity practitioners to conduct/lead the attestation. There is a need to really understand how to measure 'insecurity' and understand dependencies in such cases," Hoo asserts.
Cheang says the question is whether the CSPs can meet the requirements recommended by IDA. "The guidelines would compel cloud providers to assess themselves and invest in best-of-class infrastructure and solutions that can help can monitor specific network nodes and data points within a very distributed environment," Mountford says.
Ensuring Security by Cloud Providers
The key component of IDA's guidelines is to manage data breach/loss implications. Besides managing a crisis, the CSP shall immediately notify affected cloud users.
The action plan for CSPs to contain data breaches during an outage as per IDA includes:
- Shutting down the compromised cloud service that led to the data breach.
- Establishing whether steps can be taken to recover lost data and limit any damage caused by the breach.
- Preventing further unauthorised access to the system by resetting passwords.
- Isolating the causes of the data breach in the cloud service, and where applicable, changing the access rights to the compromised system and removing external connections to the cloud service.
Security practitioners recommend use of new proactive security solutions, such as virtual security appliances, which give the ability to deploy agile, powerful and intelligent security systems.
Hoo recommends forming a team of trained and certified information/cybersecurity professionals to be part of the incident response team.
Despite the most diligent planning, CSA's Cheang says, implementation and execution of preventive controls cannot completely eliminate the possibility of an attack on the information assets. "The users need to ask one fundamental question during outages as to what can be done to enable efficient and effective handling of security incidents that involve the resources in the cloud."