Cloud providers explain their data protection strategies

Data protection has become more important than ever, especially in the wake of the COVID-19 pandemic. In addition to the fundamental need of consumers to have their personal data handled with care (a pandemic notwithstanding), the increased frequency of cyberattacks and data breaches has made stricter data protection a requirement.

To bolster its data protection, Alibaba Cloud announced earlier this year that it has secured all three data protection certifications established by the Infocomm Media Development Authority (IMDA) in Singapore. These are:

  • The Data Protection Trustmark (DPTM) – a voluntary certification for companies to demonstrate accountable data protection practices.
  • The APEC Cross Border Privacy Rules (CBPR) System – a data privacy certification that facilitates how companies can exchange personal data across APEC member economies.
  • The APEC Privacy Recognition for Processors (PRP) System – a voluntary certification for organisations that process data on behalf of client organisations.

Alibaba Cloud’s announcement raises the question: what are other major cloud companies doing to safeguard the data of their clients, partners, and employees – particularly during a time when people carry out more online transactions, and more organisations are embarking on digital transformations?

In an effort to provide more details about IMDA’s data privacy standards, Frontier Enterprise recently ran a feature that summarised the agency’s data protection certifications in the country, and included an interview with Lee Wan Sie, Director, Trusted AI & Data at IMDA, which clarified further details on the matter.

As a continuation of that piece, we contacted several major cloud platforms and asked them about data protection concerns in Singapore, including the technologies they use to look after data, and the actual benefits of data protection, among other topics.

Data protection advantages

Dr Derek Wang, General Manager, Alibaba Cloud Singapore. Image courtesy of Alibaba Cloud Singapore.

To Dr Derek Wang, General Manager of Alibaba Cloud Singapore, meeting IMDA’s data protection standards is all about helping their customers. “We hope to help brands and businesses strengthen the trust of their customers, while accelerating growth through digitalisation,” explained Dr Wang. “For our customers, this means giving them the confidence that their business and personal data are well-managed and secured, and allowing them to focus on growing their business further in the region.”

In terms of concrete benefits – beyond an increase in credibility – Dr Wang said the certifications provide guidance for the smooth transfer of information across borders required for business and operational use. “In complying with the APEC Cross Border Privacy Rules and Privacy Recognition for Processors System, we help our customers reduce compliance time and costs needed by different regulating bodies in reviewing the flow of information across borders.” 

Beyond business advantages, Dr Wang said the IMDA certifications provide their customers “peace of mind that all organisations conform to the same rules, under the same network of trust in processing, managing, and transferring data to different parts of the region.”

According to Mark Johnston, Head of Security, Customer Engineering at Google Cloud APAC, the voluntary data protection certifications outlined by IMDA are used by companies to demonstrate accountable data protection practices. He noted, however, that they are less applicable to cloud service providers like Google Cloud, which act as data intermediaries providing the solutions those enterprises use to protect their data.

In response to Alibaba Cloud’s recent certifications, Johnston said Google Cloud is Multi-Tier Cloud Security (MTCS)-certified by the IMDA. “After undergoing an audit conducted by an independent MTCS-certifying body, Google Cloud received Tier 3 MTCS certification – the most stringent level of certification – for 114 Google Cloud services and 20 data centre sites,” he said.

Richard Koh, Chief Technology Officer at Microsoft Singapore, said his organisation has over 90 compliance offerings, including privacy protection standards such as ISO 27001 and ISO 27701.

For Koh, data protection comes with several advantages. “This (i.e. data protection) is especially helpful to industries such as financial services, government, and telecommunications, who must quickly adapt to a changing security and privacy landscape,” he observed. “For example, Microsoft implemented many global changes on how we handled and protected personal data back when we were preparing to implement the General Data Protection Regulation and extended this know-how to the work we do in the region. We also actively use certifications to ensure that our suppliers who use or process customer data and personal data (sub-processors) are upholding data protection from their end.”

Koh added that data protection certifications build confidence and promote trust with customers and business stakeholders. They can also help strengthen the data ecosystem, support data sharing practices across borders, and provide a framework for organisations to use and share data in a trusted manner.

Singapore’s data rules

Richard Koh, Chief Technology Officer, Microsoft Singapore. Image courtesy of Microsoft Singapore.

While the overall goal of IMDA’s certifications is data protection, the rules used in other countries or regions may differ. According to Microsoft’s Koh, Singapore’s data protection rules are aligned with key privacy laws from other regions, notably the European Union’s General Data Protection Regulation (GDPR) and others in the Asia-Pacific region.

“IMDA and the Personal Data Protection Commission (PDPC) are focused on ensuring that privacy and data protection requirements in Singapore serve the needs of its citizens by ensuring that data is adequately protected,” Koh said. “They also align with key global laws and standards to promote Singapore’s competitiveness as a global economic player. For example, PDPC’s guidance on cloud services like Azure explicitly notes that relevant ISO standards can provide assurance of a suitable level of personal data protection for organisations using cloud service providers like Microsoft.”

Google’s Johnston views this from a different angle: “Every country’s data protection rules and laws are unique but what is central to their beliefs is that data needs to be sensitively treated and robustly secured. Singapore’s PDPA aims to strike a balance between individuals’ rights to protect their personal data, and organisations’ needs for this data for legitimate and reasonable business purposes.”

How cloud providers protect data

Each of the major cloud platforms we interviewed uses different technologies to safeguard data within its fold. Alibaba Cloud, for instance, creates “end-to-end data security solutions” that are first tried within its digital ecosystem before they are deployed for commercial use, said Dr Wang.

“This includes using emerging technologies like artificial intelligence (AI) and machine learning (ML) to provide tailored security assessments and analyses for businesses, to cloud-native security services that help us respond to threats in a timely fashion and provide quick recovery options to our customers,” he revealed.

Microsoft’s cloud services, said Koh, use a range of encryption capabilities such as AES-256, encrypted transport protocols such as Transport Layer Security (TLS) and Internet Protocol Security (IPsec), and managed encryption-key cloud services.

To help organisations meet compliance obligations under the shared responsibility model for public clouds (including GDPR and the California Consumer Privacy Act), Microsoft also provides resources such as tools, documentation, and guidance. “These include the Microsoft Compliance Manager, Azure Security Center compliance dashboard, Delta Lake on Azure Databricks, and Azure Information Protection,” said Koh.

For Google, giving customers control over their data in the cloud is essential for helping businesses adopt cloud technologies. “If you can’t help customers achieve a sustainable cloud security posture, you can’t help them accelerate their business,” declared Johnston.

He added that Google follows Trusted Cloud principles, which are built on the following pillars:

  • A secure platform that seeks to provide customers transparency and sovereignty.
  • A zero-trust architecture.
  • A shared-fate model for risk management.

Mark Johnston, Head of Security, Customer Engineering, Google Cloud APAC. Image courtesy of Google Cloud APAC.

Swimming against the current

Considering that the COVID-19 pandemic has seen a dramatic increase in cyberattacks, and that anything connected to the internet can be breached, one has to wonder about the point of data protection certification. Is it merely a losing battle against the inexorable tide of cybercrime? The cloud providers believe otherwise.

“Data protection certifications give cloud providers like Alibaba Cloud the opportunity to work with government agencies like IMDA to uphold transparency and accountability in the movement of data,” said Dr Wang. “Amid a heightened surge in increasingly sophisticated and manipulative cyberattacks, it is crucial for businesses to work with a trusted partner who can effectively protect the data of their customers while allowing them to focus on future innovation.”

“The cybersecurity landscape has fundamentally changed due to large-scale, complex attacks in recent times,” Koh remarked. “We are seeing hackers launch an average of 50 million password attacks every day, and phishing attacks have increased. With more sophisticated attacks comes the need to put modern safeguards in place to protect against them. While the possibility of cyberattacks will always be present, having robust data protection technologies, coupled with strong governance processes, and well-trained privacy and security personnel in place will reduce the probability of these attacks. Data protection certifications provide auditable assurance that best practices are implemented.”

Koh believes that taking basic security precautions such as enabling multi-factor authentication, securing and managing devices, as well as using anti-malware and workload protection tools, can help organisations prepare for and mitigate modern cyber threats. “Organisations ultimately need to adopt a zero-trust approach to strengthen networks and bolster security to enhance our security posture,” he suggested.

Google’s Johnston maintains that independent security, privacy, and compliance certifications, attestations, and audit reports are relevant and important. “We go a step further to also create resource documents and mappings for compliance support when formal certifications or attestations may not be required or applied,” he added.

Johnston revealed that the search giant has been studying and documenting these destructive, financially motivated attacks for years. The combination of recent attacks, the growing importance of digital assets, and the shifts due to COVID-19 are bringing issues around security and privacy to the forefront.

“We are seeing industrial-scale attacks continue to grow – from the likes of the Hafnium attack against legacy on-premises Exchange, to the SolarWinds supply chain attack, and to the Colonial Pipeline ransomware attack,” said Johnston. “Applications are evolving for speed of development and developers are shipping code faster. This also increases the attack surface by an order of magnitude, requiring completely new approaches to security,” he explained.

“Despite these increasing risks, many security products focus on solving problems created by other security products, rather than the root causes of the issues,” Johnston observed. “But confidence and security can’t be achieved simply by buying another new product. We need a hard reset – to rethink our approach to security with today’s environment in mind. Organisations of all sizes need confidence in the providers to whom they entrust their mission-critical processes and information assets,” he concluded.