Lessons from NTUC Enterprise: Protecting diverse enterprise networks
MODERN organization in the digital era are not only growing in size but also in diversity — organizations often have a varied service portfolio with multiple business units.
While this is great in the business sense, to have multiple different revenue streams and various enterprises running concurrently, securing the group company’s network is quite a complex task to say the least.
According to Ian Loe, Senior Vice President, Cybersecurity at Singapore’s NTUC Enterprise Co-operative Limited, it is notably more tricky at a large conglomerate that is made up of various social enterprises with varying levels of maturity across multiple industries.
“It is hard to get uniformed security measures and also to use the same level of controls across all businesses,” Loe told Tech Wire Asia in an exclusive interview.
The borderless environment calls for a zero trust approach
To support its portfolio, NTUC Enterprise has adopted a host of strategies, which include the “shift left approach” to cybersecurity that puts more emphasis on the development of secure code and secure pipeline.
“With everything moving to the cloud, we are increasing our focus on the quality of the CI/CD pipeline and the code that is built with it. This also means investing in newer technologies like serverless security, next-generation code scanning, secure coding education, and improve monitoring capabilities,” said Loe.
Loe added that the creation of a Cybersecurity Centre of Excellence that is part of its digital transformation unit also helps to develop baseline policies, standards, and guidelines, to achieve a uniform security measure across the organization.
“Also, with the move to the borderless environment, we need to move towards a zero-trust architecture to enable our workforce to work anywhere, anytime, and yet maintain the right level of security controls. These are all very challenging areas to overcome,” Loe said.
The ‘zero trust’ approach to cybersecurity, which was introduced by analyst firm Forrester Research, is rooted in the principle of “never trust, always verify,” and moves away from the antiquated notion that everything on the inside of the enterprise network is safe.
In addition to that, NTUC Enterprise is also looking at the extensive use of Managed Detection & Response (MDR) capabilities to help detect and respond to endpoint incidents with better efficiencies.
Augmenting these capabilities with a unified security operations center (SOC), according to Loe, allows NTUC Enterprise to understand the threats better and determine how and where to invest their limited resources.
Incorporating cybersecurity into digital transformation
Security, Loe believes, should never be a standalone silo but an integral part of an organizations’ digital journey, all the way from the requirement, to building the solution, deployment through to decommissioning.
The “shift left” mindset, Loe explained, is where the focus is on the development aspect of a project, instead of the end product.
By adopting this approach, enterprises can ensure that security remains the utmost priority while designing all the systems that will eventually support their core and critical functions.
Further, companies should also instill awareness and training.
This is because regardless of how cutting edge or advanced technologies get, humans remain the weakest links in any defense against cyberthreats. And thus regular training, exercises should be done at regularly and randomly, instead of fixed intervals, explains Loe.
Finally, businesses should also have a robust monitoring and incident response program.
Loe warns that even some of the best security solutions may not be completely impervious, and in the event that a breach or compromise does occur, an organization should have a ‘standard playbook’ that could be applied enterprise-wide and not just by the tech team, to ensure business continuity.
Loe is expected to share more of industry insights and his domain expertise in cybersecurity at the Cloud Expo Asia 2019 in Singapore later this year.