On May 13th, The Vietnamese Security Network Joint Stock Company (VSEC), in collaboration with CIO Vietnam community and Noventiq, organized a sharing and practical session on solving cybersecurity incidents in the Azure cloud computing platform. The event was attended by representatives from the Department of Information Security, Ministry of Information and Communications, who shared about security policies in cloud computing environment for businesses.
In addition to providing general updates on global security trends and emphasizing the importance of digital transformation to the cloud computing environment, participants also gained a clearer insight into the community activities of CIO Vietnam, policies and regulations ensuring Information Security when using cloud, and NIST framework aiding organizations in arranging security operations, and the tools that Microsoft equips in Azure environment.
On May 13th, 2023, the “Cyber Security in the Cloud” Boot Camps were held in Ho Chi Minh City.
Regarding the issue of many participants was interested in during the process of digital transformation to the cloud environment, such as regulations on data management in the cloud environment. Mr. Tran Nguyen Chung, the Head of Information System Security Department at the Department of Information Security, shared insights from the perspective of the regulatory agency, the information security is a core issue for successful digital transformation, it is as the brake that facilitates the achievement of digital transformation, rather than being an obstacle. He also recommended that businesses ensure various considerations while utilizing the cloud, such as: Assessing the current situation – actual needs to choose the appropriate cloud model, adhering to regulations and documents issued by Government Authorities, following data center standards, complying with the 4-layer management regulations to enhance the capabilities of organizations, agencies, organizations, etc. and adhering to data sovereignty regulations to promote transparency in data and safeguard the interests of businesses.
With the two documents that the Department of Information Security has advised the Ministry of Information and Communications for issuance, namely Document No. 1145/BTTTT-CATTT dated April 3rd, 2020, regarding guidelines for criteria and technical indicators to assess and select cloud computing platform solutions for E-Government/E-Administration, and Document No. 2612/BTTTT-CATTT dated July 17th, 2021, concerning the supplementation of criteria and indicators to assess and select cloud computing platform solutions for E-Government/E-Administration, these two documents assist enterprises in ensuring network information security issues during the digital transformation process, up to the present time.
Mr. Tran Nguyen Chung, Head of the Information System Security Department, Department of Information Security, shared his insights at Boot Camps.
In response to questions regarding data security in the cloud environment, both Mr. Chung and Mr. Huan Tran – Chairman of CIO Vietnam, emphasized that whether the data on the cloud is the original or backup version, it’s essential to consider whether the data is usable or not. The responsibility for data storage is not solely assumed by the cloud computing service provider; rather, enterprises and their IT teams also must actively backup and safeguard their own data systems.
From another perspective, the responsibility for the exploitation of user data originating from any business lies primarily with the entity that owns the customer data rather than solely attributing the responsibility to the unit entrusted with storage. Mr. Huan Tran shared, “As time goes by, the act of collecting data for competitive advantage will progressively tighten; this is no longer a new concept worldwide. Customer data ownership belongs to the customers. When customers entrust us with their data in exchange for enhanced services, the responsibility of the exploiting entity is to ensure proper and secure usage in order to retain the trust of users.” Therefore, proactively selecting service providers or methods to secure user data is a responsibility that businesses need to prioritize during the safe digital transformation process.
“Proactively selecting service providers or methods to secure user data is a responsibility that businesses need to prioritize during the safe digital transformation process” – Mr. Huan Tran – Chairman of CIO Vietnam stated.
In the role of an information security management service provider, Mr. Le Minh Quy – Senior solution consultant, raises the question about the awareness of information security within businesses. With 20 years of conducting security audits in various companies of both large and small scales, VSEC has observed that sometimes the most unforeseeable vulnerabilities are located in what appears to be the most secure positions, which might not be apparent without scanning thoroughly. It could be the network system, misconfigurations during cloud migration, etc. or simply due to the lack of information and knowledge, practical drills related to information security for the “human” aspect – the employees in the organization.
“In a cybersecurity survey conducted among end users, despite having awareness of information security issues, up to 45% of respondents still clicked on phishing links. In many cases, ransomware doesn’t directly come from hackers, but hackers will attack a specific object or employee, thereby infiltrate the company’s systems from there. Humans are considered the “weakest link” in information security management.” Mr. Le Minh Quy from VSEC said.
Mr. Le Minh Quy – VSEC Security Solution Consultant shared about information security issues during the digital transformation process at Boot Camps
Despite significant investments in information technology systems with substantial costs, neglecting the human factor could pose hidden risks that businesses should not overlook. Therefore, equipping businesses with information security training and drills is a necessary proactive measure, depending on each enterprise’s scale. Similar to the challenges that startups in Vietnam currently face, which involve reducing or even cutting costs for security audits and enhancing security features in applications to ensure solution, application delivery time and optimize operating costs. Mr. Tran Thanh Long, CEO of VSEC, and Mr. Huan Tran both agree that opting for cloud environments to expedite development while disregarding cybersecurity is a difficult dilemma for startups.
However, startups or businesses investing in cloud-based services can consider the option of investing each step or each important segment in high-security measures. Moreover, the crucial aspect is that when startups complete their offering service to Big ENT, the question these enterprises raise revolves around whether the product adheres to specific security standards, whether there are any cybersecurity risks, and so on, rather than solely focusing on the product’s features. Thus, it can be acknowledged that network security and information safety will remain the foremost concerns that businesses need to carefully consider during the service development and cloud transformation process.
Mr. Pham Minh Sang – Representative of Novetiq
Mr. Vu The Hai – Head of VSEC Security Monitoring Center – guiding the participating units before participating in the Practical Training Session.
During the final session of the event, representatives from both Noventiq and VSEC also shared about the security tools equipped in the Azure system – Microsoft 365 Defender, which is developed based on the core value of the Zero Trust model. Participants gained detailed information about the operational model of the service and, in particular, had the opportunity to directly experience practicing malware scanning, detecting, and handling malicious code in the cloud environment.
The participating units engaged in practical drills on the training field
According to VSEC