Public Sector Data Security For Government Agencies
Recommendations in Singapore

Regulation Overview

The Singapore Government is reaffirming the importance of data security while “seeking the views of industry and global experts to recommend a slate of technical measures to strengthen data safeguards.”

The announcement was made by the Public Sector Data Security Review Committee, which was convened by Prime Minister Lee Hsien Loong in March 2019. The Committee completed its work in November 2019 and the Public Sector Data Security Review Committee (PSDSRC) report contains five key recommendations for the public sector, which when implemented would:

1. Effectively protect against data security threats and minimize the occurrence of data incidents;
2. Detect and respond to data incidents swiftly and decisively, and learn from each incident; (c) Build data security competencies and inculcate a culture of excellence around sharing and using data securely;
3. Build data security competencies and inculcate a culture of excellence around sharing and using data securely;
4. Raise the accountability and transparency of the public sector data security regime; and
5. Put in place the organizational structures to sustain a high level of security, and to be adaptable to new challenges.

The Committee’s recommendations will address existing gaps and build a resilient data security regime as technology advances, systems become more integrated, and risks become increasingly multi-faceted.

The in-depth investigations of the IT systems revolve around five agencies that deal with high volumes of sensitive data:

• Ministry of Health Health
• Sciences Authority (HSA)
• Health Promotion Board (HPB)
• Central Provident Fund Board
• Inland Revenue Authority of Singapore

The Government targets to implement the measures in 80 percent of Government systems by end of 2021. The timeline for the remaining 20 percent which involves systems that are complex or require significant redesign is end-2023. In the interim, agencies will put in place appropriate measures to manage the relevant data risks.

Recommendation Descriptions

1.1: Reduce the surface area of attack by minimizing data collection, data retention, data access and data downloads.

• Collect and retain data only when necessary
• Minimize the proliferation of data to endpoint devices
• Access and use data for the task at hand

1.2: Enhance the logging and monitoring of data transactions to detect high-risk or suspicious activity.

• Enhance logs and records to more accurately pinpoint high-risk activity and assist in response and remediation
• Detect suspicious activity and alert the user or stop the unauthorized activity automatically

1.3: Protect the data directly when it is stored and distributed to render the data unusable even when extracted or intercepted.

• Render data unusable even if exfiltrated from storage
• Partially hide the full data
• Protect the data during distribution

1.4: Develop and maintain expertise in advanced technical measures.

1.5: Enhance the data security audit framework to detect gaps in practices and policies before they result in data incidents.

1.6: Enhance the third-party management framework to ensure that third parties handle Government data with the appropriate protection.

The Committee has also identified six advanced technical measures, which are not sufficiently mature or readily integrate for widespread implementation:(i) Homomorphic Encryption; (ii) Multi-party authorization; (iii) Differential Privacy; (iv) Dynamic Data Obfuscation and Masking; (v) Digital Signing of Data File; and(vi) Secured File Format.

Thales CPL helps organizations to comply with Public Sector Data Security For Government Agencies through:

• Data access control
• Encryption and tokenisation (pseudonymisation) of data at rest
• Keeping and monitoring user access logs

These recommendations cover Government and non-Government Entities that handle public sector data to deliver public services, perform operational processes, or provide consultation services for policy planning.

Data Access control

• Thales CPL’s CipherTrust Manager (CM) enables the organisation to limit user access privileges to information systems that contain sensitive Information and orchestrates the CipherTrust Data Security Platform, which makes it easy to manage data at rest security across your organization information
• SafeNet Trusted Access (STA) is a cloud-based access management service that combines the convenience of cloud and web single sign-on (SSO) with granular access security. By validating identities, enforcing access policies and applying Smart Single Sign-On, organisations can ensure secure, convenient access to numerous cloud applications from one easy-to-navigate console.
• Adding Thales’s SafeNet certificate-based authentication (CBA) smart card solution as an integral part of IT infrastructure significantly improves client logon security by requiring multi-factor authentication. Adding multiple factors ensures secure login to workstations and enterprise networks, eliminates complex and costly passwords, and significantly reduces help desk calls.
• With SafeNet Authentication and Access Management solutions you can leverage a unified authentication infrastructure for both on-premises and cloud-based services—providing a centralized, comprehensive way to manage all access policies. Users can log into enterprise cloud services such as Office 365, Salesforce.com or GoogleApps through their existing SafeNet authentication mechanisms.

Encryption and tokenisation

• Thales CPL’s CipherTrust Transparent Encryption Suite (CTE) protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases, or infrastructure. Deployment of the transparent file encryption software is simple, scalable and fast, with agents installed above the file system on servers or virtual machines to enforce data security and compliance policies. Policy and encryption key management are provided by the CipherTrust Data Security Manager.
• CipherTrust Tokenization dramatically reduces the cost and effort required to comply with security policies and regulatory mandates. The solution delivers capabilities for database tokenisation and dynamic display security. Enterprises can efficiently address their objectives for securing and pseudonymising sensitive assets—whether they reside in data centre, big data, container, or cloud environments.
• CipherTrust Application Encryption (CAE) delivers key management, signing, and encryption services enabling comprehensive protection of files, database fields, big data selections, or data in platform-as-a-service (PaaS) environments. The solution is FIPS 140-2 Level-1 certified, based on the PKCS#11 standard and fully documented with a range of practical, use-case based extensions to the standard. CipherTrust Application Encryption eliminates the time, complexity, and risk of developing and implementing an in-house encryption and key management solution. Development options include a comprehensive, traditional software development kit for a wide range of languages and operating systems as well as a collection of RESTful APIs for the broadest platform support.
• The CipherTrust Developer Suite is a set of products that streamline development efforts to add encryption, tokenisation, masking, and other cryptographic functions to applications. The job of the developer is made easy and fast by leveraging sample code and APIs that are best for their environment, while key management functions are kept separate and secure in a FIPS 140-2 hardware or virtual appliance that is operated by IT or SecOps. Securing data at the application, with separation of duties for key management, provides the highest levels of protection and compliance. The CipherTrust Developer Suite also includes applications and utilities that leverage the core components to add security layers to databases and other structured data stores.

User access logs

• CipherTrust Security Intelligence Logs let your organisation identify unauthorized access attempts and build baselines of authorized user access patterns. CipherTrust Security Intelligence integrates with leading security information and event management (SIEM) systems that make this information actionable. The solution allows immediate automated escalation and response to unauthorized access attempts. It also provides all the data needed to specify behavioral patterns required to identify suspicious use by authorized users, as well as for training.