Public Sector Data Security For Government Agencies

Public Sector Data Security For Government Agencies
Recommendations in Singapore

Thales helps organizations address the requirements of Public Sector Data Security.

Public Sector Data Security For Government Agencies


The strong fundamentals of Singapore’s current security regime need to be reinforced because there are increasing demands for valuable data to make better policies and offer digital services to the public at the very time that the IT landscape is becoming progressively more complex.

The regulation will enable government organizations to secure and protect citizens’ data end to end and will include vendors and other authorized third parties. This is expected to encourage public confidence and deliver improved public service to the people of Singapore.

All public sector agencies will be able to maintain the highest standards of data governance, bolstering the efforts taken for the vision of the Smart Nation.

Thales’ CipherTrust Data Security Platform provides the tools you need to address these guidelines in your organization, in part through:

  • Strong access management and authentication
  • Data-at-rest encryption
  • Access monitoring and intelligence
  • Granular privileged access controls
  • Regulation
  • Compliance

Regulation Overview

The Singapore Government is reaffirming the importance of data security while “seeking the views of industry and global experts to recommend a slate of technical measures to strengthen data safeguards.”

The announcement was made by the Public Sector Data Security Review Committee, which was convened by Prime Minister Lee Hsien Loong in March 2019. The committee conducted a comprehensive review and inspection of 336 systems across 94 public agencies to identify risk areas and common causes of data breaches. The Committee completed its work in November 2019 and the Public Sector Data Security Review Committee (PSDSRC) report contains five key recommendations for the public sector, which when implemented would:

  1. Effectively protect against data security threats and minimize the occurrence of data incidents;
  2. Detect and respond to data incidents swiftly and decisively, and learn from each incident; (c) Build data security competencies and inculcate a culture of excellence around sharing and using data securely;
  3. Build data security competencies and inculcate a culture of excellence around sharing and using data securely;
  4. Raise the accountability and transparency of the public sector data security regime; and
  5. Put in place the organizational structures to sustain a high level of security, and to be adaptable to new challenges.

The Committee’s recommendations will address existing gaps and build a resilient data security regime as technology advances, systems become more integrated, and risks become increasingly multi-faceted.

The Government targets to implement the measures in 80 percent of Government systems by end of 2021. The timeline for the remaining 20 percent which involves systems that are complex or require significant redesign is end-2023. In the interim, agencies will put in place appropriate measures to manage the relevant data risks.

Recommendation Descriptions

1.1: Reduce the surface area of attack by minimizing data collection, data retention, data access and data downloads.

  • Collect and retain data only when necessary
  • Minimize the proliferation of data to endpoint devices
  • Access and use data for the task at hand

1.2: Enhance the logging and monitoring of data transactions to detect high-risk or suspicious activity.

  • Enhance logs and records to more accurately pinpoint high-risk activity and assist in response and remediation
  • Detect suspicious activity and alert the user or stop the unauthorized activity automatically

1.3: Protect the data directly when it is stored and distributed to render the data unusable even when extracted or intercepted.

  • Render data unusable even if exfiltrated from storage
  • Partially hide the full data
  • Protect the data during distribution

1.4: Develop and maintain expertise in advanced technical measures.

1.5: Enhance the data security audit framework to detect gaps in practices and policies before they result in data incidents.

1.6: Enhance the third-party management framework to ensure that third parties handle Government data with the appropriate protection.

The Committee has also identified six advanced technical measures, which are not sufficiently mature or readily integrate for widespread implementation:(i) Homomorphic Encryption; (ii) Multi-party authorization; (iii) Differential Privacy; (iv) Dynamic Data Obfuscation and Masking; (v) Digital Signing of Data File; and(vi) Secured File Format.

Thales CPL helps organizations to comply with Public Sector Data Security For Government Agencies through:

  • Data access control
  • Encryption and tokenisation (pseudonymisation) of data at rest
  • Keeping and monitoring user access logs

These recommendations cover Government and non-Government Entities that handle public sector data to deliver public services, perform operational processes, or provide consultation services for policy planning.

Data Access control

  • Thales CPL’s CipherTrust Transparent Encryption (CTE) enables the organizations to limit user access privileges to information systems that contain sensitive Information. CTE is designed to meet data security compliance and best practice requirements with minimal disruption, effort, and cost. The solution works in conjunction with the FIPS 140-2 up to Level 3 compliant CipherTrust Manager, which centralizes encryption key and policy management for the CipherTrust Data Security Platform.
  • SafeNet Trusted Access (STA) is a cloud-based access management service that combines the convenience of cloud and web single sign-on (SSO) with granular access security. By validating identities, enforcing access policies and applying Smart Single Sign-On, organisations can ensure secure, convenient access to numerous cloud applications from one easy-to-navigate console.
  • Adding Thales’s SafeNet certificate-based authentication (CBA) smart card solution as an integral part of IT infrastructure significantly improves client logon security by requiring multi-factor authentication. Adding multiple factors ensures secure login to workstations and enterprise networks, eliminates complex and costly passwords, and significantly reduces help desk calls.
  • With SafeNet Authentication and Access Management solutions you can leverage a unified authentication infrastructure for both on-premises and cloud-based services—providing a centralized, comprehensive way to manage all access policies. Users can log into enterprise cloud services such as Office 365, or GoogleApps through their existing SafeNet authentication mechanisms.

Encryption and tokenisation

  • CipherTrust Transparent Encryption (CTE) delivers data-at-rest encryption with centralized key management, privileged user access control and detailed data access audit logging. This protects data wherever it resides, on-premises, across multiple clouds and within big data, and container environments. CTE is designed to meet data security compliance and best practice requirements with minimal disruption, effort, and cost. The solution works in conjunction with the FIPS 140-2 up to Level 3 compliant CipherTrust Manager, which centralizes encryption key and policy management for the CipherTrust Data Security Platform.
    Furthermore, CTE for Kubernetes enables protection of sensitive data on persistent volumes via encryption, user and process-based access controls, and data access logging. This solution enables developers to establish security controls inside of containers. With this extension for CTE, data protection can be applied on a per-container basis, both to data inside of containers and to external storage accessible from containers.
  • CipherTrust Tokenization dramatically reduces the cost and effort required to comply with security policies and regulatory mandates while also making it simple to protect other sensitive data including personally identifiable information (PII). CipherTrust Tokenization offers application-level tokenization services in two convenient solutions that deliver complete customer flexibility: Vaultless Tokenization with Dynamic Data Masking and Vaulted Tokenization. With CipherTrust tokenization leveraging FIPS 140-2 compliant Ciphertrust Manager as a secure encryption key source, PII protection is gained without encryption key management required by the software developer.
  • CipherTrust Data Protection Gateway (DPG) offers transparent data protection (Encryption/Tokenization) to any RESTful web service or microservice leveraging REST APIs. DPG is deployed between the client and web service and transparently protects sensitive data inline without modifying legacy or cloud native applications. DPG is deployed as a container and is fully compatible with Kubernetes orchestration systems such as Helm, Ansible, Terraform, and Kubernetes horizontal scaling. DPG interprets RESTful data and performs data protection operations based on policies defined centrally in Thales’s CipherTrust Manager and operates seamlessly with other pod-supporting services.
  • CipherTrust Application Data Protection (CADP) offers developer-friendly software tools for encryption key management as well as application-level encryption of sensitive data. Protecting data at the application layer can provide the highest level of security, as it can take place immediately upon data creation or first processing and can remain encrypted regardless of its data life cycle state – during transfer, use, backup or copy. The solution is flexible enough to encrypt any type of data passing through an application. CADP offers well documented Crypto APIs with a wide range of language bindings (eg. Java, C, and C# for .NET, XML Open Interface,REST,KMIP), integrated with a range of industry-standard Crypto Service Providers that enable fast development of data protection for integration into mission-critical applications.

User access logs

  • Ciphertrust Transparent Encryption (CTE) offers comprehensive security intellingence that let your organisation identify unauthorized access attempts and build baselines of authorized user access patterns. CTE integrates with leading security information and event management (SIEM) systems that make this information actionable. The solution allows identifying and stopping threats faster with detailed data access audit logs that not only satisfy compliance requirements, but also enable data security analytics.

Recommended Resources

A Compilation of Regulatory Mandates in Singapore

A Compilation of Regulatory Mandates in Singapore - eBook

Today, it is imperative for professionals working in Singapore, and with its people and businesses, to understand the importance to enterprises of compliance with this country's digital security standards and regulations as well as the repercussions of failing to comply. This...

A Review of the Monetary Authority of Singapore (MAS) Advisory on Addressing the Technology and Cyber Security Risks Associated with Public Cloud Adoption - eBook

A Review of the Monetary Authority of Singapore (MAS) Advisory on Addressing the Technology and Cyber Security Risks Associated with Public Cloud Adoption - eBook

This eBook illustrates how a financial institution addresses advisory from the Monetary Authority of Singapore with Thales Data Security Solutions, it covers the following requirements: What is the Advisory on Addressing the Technology and Cyber Security Risks Associated with...

Data Security Compliance and Regulations - eBook

Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

SafeNet Trusted Access - Solution Brief

SafeNet Trusted Access - Solution Brief

More and more cloud-based services are becoming an integral part of the enterprise, as they lower costs and management overhead while increasing flexibility. Cloud-based authentication services, especially when part of a broader access management service, are no exception, and...

Other key data protection and security regulations


Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.


Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.