Saudi Arabia Essential Cybersecurity Controls - An Overview - White Paper - Thales
Executive Summary

Cyber-attacks are one of the top global risks facing our evolving technological landscape. In response, governments worldwide are developing strategies to bolster the digital defenses of their agencies and departments. The Kingdom of Saudi Arabia, as part of Saudi Vision 2030, has developed and promulgated the Essential Cybersecurity Controls (ECC). These measures aim to help government and government-affiliated organizations enhance their cybersecurity posture.

Introduction: The Cyber Threats Landscape

Doing business in either the public or the private sector has changed radically over the past years. Businesses are embracing digital transformation as a means of delivering better quality products and services to meet the changing needs of their customers. Notwithstanding the benefits that come with the adoption of state-of-the-art technology, many organizations now recognize digital security as one of the most important considerations for their business continuity.

Organizations face plenty of digital security challenges today. According to the World Economic Forum's Regional Risks for Doing Business 2019 report [1], technological risk is the only category that both the public and private sectors ranked among their five most pressing concerns. Specifically, "cyber-attacks" and "data fraud or theft" were the second and seventh risks that private-sector respondents felt were most likely to increase within the next 10 years. These cyber threats worry the business community as much as they do academia, civil society, governments and other thought leaders.
Top ten global risks for doing business:

01 Fiscal crisis
02 Cyber attacks
03 Unemployment or underemployment
04 Energy price shock
05 Failure of national governance
06 Profound social instability
07 Data fraud or theft
08 Inter-state conflict
09 Failure of critical infrastructure
10 Asset bubble

According to the report, cyber-attacks are the most pressing risk for doing business in six of the 10 largest economies: the United States, Germany, the United Kingdom, France, Italy and Canada. These countries have been the subject of multiple notable incidents over the past year. Attackers used the LockerGoga ransomware [2] to target prominent industrial and manufacturing companies, for instance, while digitized public services went down following ransomware attacks in Atlanta [3] and Baltimore [4].

As economies and societies continue to digitize, they are increasing their attack surface and thereby putting their critical infrastructure at risk. This comes at a time when cyber-attacks are becoming both more lucrative for attackers and more dangerous for victims. Ponemon's latest Annual Cost of Cybercrime Study [5] found that digital crimes increased by 12 percent between 2017 and 2018, for instance. At the same time, Symantec warned in its Internet Security Threat Report [6] that companies are beginning to encounter formjacking attacks and other new cyber threats while still being susceptible to more ubiquitous forms of ransomware and cryptojacking. In the absence of nation-wide cyber preparedness, these old and new threats jeopardize national security and safety.
[1] https://www.weforum.org/press/2019/10/cyberattacks-and-fiscal-crises-top-list-of-business-risks-in-2019/
[2] https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/what-you-need-to-know-about-the-lockergoga-ransomware
[3] https://www.govtech.com/security/What-Can-We-Learn-from-Atlanta.html
[4] https://www.npr.org/2019/05/21/725118702/ransomware-cyberattacks-on-baltimore-put-city-services-offline?t=1570086705893
[5] https://www.accenture.com/us-en/insights/security/cost-cybercrime-study
[6] https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-executive-summary-en.pdf

Saudi Arabia Essential Cybersecurity Controls White Paper 2
The National Cyber Security Index (NCSI) [7] measures how well countries are prepared for fundamental cyber threats such as denial of e-services, data integrity breaches and data confidentiality breaches. According to the index, Saudi Arabia is ranked [8] 34th with a score of 58%, which is far better than most developed countries. According to the report, the areas of concern are the development of cybersecurity policy, the protection of digital services and personal data, cyber crisis management and the fight against cybercrime.

Saudi Vision 2030 and National Cybersecurity Authority

The Kingdom's Vision 2030 has set a goal to change the country's security posture. As part of this plan, the country revealed its intention to diversify its economy away from its current reliance on oil and to develop public service sectors such as health, education, infrastructure, recreation and tourism. Underpinning this initiative is an increased focus on technology, digital transformation and the development of digital infrastructure. Saudi Arabia recognizes that this transformation will require easing the flow of information, securing it and preserving the integrity of all systems. It will also require maintaining and supporting the cybersecurity of the Kingdom in order to protect its vital interests, national security, critical infrastructures, high-priority sectors and governmental services and practices.

To accomplish this objective, Saudi Arabia established the National Cybersecurity Authority (NCA) and approved its mandate in October 2017, making it the national and specialized reference for matters related to cybersecurity in the Kingdom. NCA's responsibilities include the development of national cybersecurity policies, governance mechanisms, frameworks, standards, controls and guidelines, and the continuous monitoring of organizations' compliance with the established policies. Beyond the clear NCA mission statement, cybersecurity is considered a shared responsibility.
In fact, Royal Decree number 57231 states that "all government organizations must improve their cybersecurity level to protect their networks, systems and data, and comply with NCA's policies, framework, standards, controls and guidelines." NCA developed the Essential Cybersecurity Controls (ECC-1: 2018) to help organizations meet their obligations and to set a framework of minimum cybersecurity requirements.

Essential Cybersecurity Controls

The Essential Cybersecurity Controls are organized into five main domains:
• Governance
• Defense
• Resilience
• Third-Party and Cloud Computing, and
• ICS Cybersecurity.

The document includes 114 controls designed to ensure the confidentiality, integrity and availability of an organization's information and technology assets. They revolve around the four pillars of people, technology, processes and strategy.

[Figure: the CIA triad, Confidentiality (keeping secrets), Integrity (keeping systems uncompromised) and Availability (keeping systems available), surrounded by the four pillars People, Process, Technology and Strategy]

[7] https://ncsi.ega.ee/
[8] https://ncsi.ega.ee/country/sa/
Some important highlights and challenges of the Controls are the following:

• The cybersecurity controls represent the minimum standards with which "all organizations and sectors in the Kingdom of Saudi Arabia" must comply.
• Not all controls are applicable to all organizations. The applicability of this framework depends on the nature of the business activities that the organization is carrying out. For example, an organization using a cloud-hosted solution would be subject to Subdomain 4.2, Cloud Computing and Hosting Cybersecurity. Organizations are therefore advised to perform an assessment to determine whether they are subject to the provisions of the ECC controls.
• There is still some uncertainty as to how the NCA will assess compliance with the Controls. The document states this process will take place "through multiple means such as self-assessments by the organizations, periodic reports of the compliance tool or on-site audits." It is, therefore, clear that self-assessment will be a significant part of the compliance framework.
• The guide will be a live document. As such, the "NCA will periodically review and update the ECC as per the cybersecurity requirements and related industry updates." All businesses must review future regulatory developments to ensure continuous compliance with the Controls' provisions.
• All organizations subject to the applicability of the controls must establish a cybersecurity administration independent from the IT department. Cybersecurity administration posts and other supervisory and critical positions must be held by Saudi nationals who are highly competent in the field of cybersecurity (Controls 1-2-1 and 1-2-2).
• All third parties providing any kind of cybersecurity operations or monitoring services must be based in Saudi Arabia (Control 4-1-3).
• The hosting and storage of any of an entity's information or technical assets must be localized within the Kingdom (Control 4-2-3).
• Critical national infrastructure is defined in Annex A as "infrastructure whose loss or susceptibility to security violations may result in significant negative impact on the availability, integration or delivery of basic services or may have a significant impact on national security, national defense, the state economy or national capabilities." "Critical infrastructure" and "significant negative impact" due to a security incident are common terms in most cybersecurity laws and frameworks. Organizations are encouraged to adopt practices and policies that establish a point of reference.

The Essential Cybersecurity Controls are applicable to all government and government-related businesses. Organizations affiliated with the Saudi Arabian Monetary Authority (SAMA), such as all banks, insurance companies, reinsurance companies, finance companies, credit bureaus and all Saudi financial market infrastructure regulated by SAMA, must comply with the SAMA Framework. Organizations that are neither government entities (or their affiliates) nor providers of critical national infrastructure are not currently required to adhere to the Controls. However, such organizations are strongly encouraged to do so. Complying with and adhering to the Controls would be a business advantage, as these organizations will stand out from the competition in a highly competitive environment.

Thales Guide to Saudi Arabia ECC

The development of the ECC is a crucial and vital step towards improving the cybersecurity posture of the Kingdom of Saudi Arabia. Organizations subject to the Controls can take advantage of top-level industry solutions and use existing frameworks such as the NIST Cybersecurity Framework as guidelines. Thales, a global leader in cybersecurity solutions and services, can help Saudi Arabian organizations become compliant with the Essential Cybersecurity Controls.
Cybersecurity Governance Domain

More than 30,000 organizations in more than 180 countries already rely on Thales' solutions to verify the identities of people and things, grant access to digital services, analyze vast quantities of information and encrypt data. Thales offers a variety of data protection professional services designed to help you make the most of your investment and ensure a successful deployment. These services include:

• Best practices and awareness workshops for learning about the latest security trends and practices, managing governance, risk and compliance, and implementing data protection.
• Strategy and Design for identifying stakeholders and assigning roles and responsibilities.
• Implementation and Operations, such as on-site product training, installation and customization of Thales products.
• Assessment to help your organization prepare for upcoming security audits while reviewing the existing environment and business needs.

Cybersecurity Defense Domain

Control 2-2: Identity and Access Management

Thales' Identity and Access Management (IAM) solutions [9] allow organizations to meet the evolving needs around cloud applications and mobile devices by enabling secure access to online resources and protecting the digital interactions of employees, partners and customers with market-leading strong authentication and digital signing products. Thales IAM solutions allow you to verify users' identities, assess which access policy should be applied and apply the appropriate access controls. The on-premises and cloud-based IAM solutions cater for passwordless user authentication to eliminate the friction of text-written passwords.

[Figure: Thales IAM cycle: Identify (verify users' identity), Assess (which access policy should be applied), Apply (appropriate access controls, with smart SSO)]
Control 2-7: Data and Information Protection

The available Thales data and information protection solutions [10] can help you reduce the risk posed by hackers, insider threats and other malicious attacks to protect sensitive data wherever it is found across your on-premises, virtual, public cloud and hybrid environments. This includes data-at-rest in application and web servers, file servers, databases and network attached storage, as well as data-in-motion across your network and your cloud environments. Thales Data-at-Rest encryption solutions [11] apply security and access controls directly to your sensitive structured and unstructured data, wherever it resides. Thales Data-in-Motion solutions [12] ensure your data, video, voice and even metadata are protected from eavesdropping, surveillance, and overt and covert interception. With Thales' comprehensive portfolio of data-at-rest and data-in-motion encryption solutions, you can secure all types of sensitive data across today's distributed enterprise.

In addition, with Thales' tokenization solution [13] for sensitive data, organizations can protect their sensitive information by replacing it with a surrogate value that preserves the length and format of the data. The solution tokenizes numeric and alphanumeric data and returns tokens in an unlimited number of formats, and can help any organization meet compliance not only with ECC but also with other international regulations such as GDPR and PCI DSS.

[9] https://www.gemalto.com/enterprise-security/identity-access-management
[10] https://www.gemalto.com/enterprise-security/enterprise-data-encryption
[11] https://safenet.gemalto.com/data-encryption/data-at-rest-encryption/
[12] https://safenet.gemalto.com/data-encryption/network-encryption/
[13] https://safenet.gemalto.com/data-encryption/data-center-security/tokenization/
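To make the tokenization idea above concrete, here is an added example (not Thales' product code, and not part of the original white paper) of vault-based, format-preserving tokenization in Python. It replaces each digit or letter of a sensitive value with a random character of the same class, so the token keeps the original's length and format and can be stored in the same database column, while the only link back to the real value is a record in a protected vault. The `TokenVault` class, the sample card and ID values, and the in-memory dictionary standing in for a hardened vault are all constructed for this example.

```python
"""Vault-based, format-preserving tokenization (illustrative example).

A token is a random surrogate with the same length and per-position character
class as the sensitive value; the mapping lives only in a protected vault, so a
token found in a leaked database reveals nothing on its own.
"""
import secrets
import string

DIGITS = string.digits
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase


def _char_class(ch: str) -> str:
    """Map a character to its class: 'd' digit, 'U' upper, 'l' lower, else itself."""
    if ch in DIGITS:
        return "d"
    if ch in UPPER:
        return "U"
    if ch in LOWER:
        return "l"
    return ch  # separators such as '-' or ' ' are left in place


def preserves_format(original: str, token: str) -> bool:
    """True when both strings have identical length and character classes."""
    return len(original) == len(token) and all(
        _char_class(a) == _char_class(b) for a, b in zip(original, token)
    )


class TokenVault:
    """In-memory stand-in for a hardened token vault (constructed for this example)."""

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    @staticmethod
    def _surrogate(value: str) -> str:
        # Replace every digit/letter with a CSPRNG-chosen one from the same class.
        out = []
        for ch in value:
            if ch in DIGITS:
                out.append(secrets.choice(DIGITS))
            elif ch in UPPER:
                out.append(secrets.choice(UPPER))
            elif ch in LOWER:
                out.append(secrets.choice(LOWER))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        """Return the token for value, creating one on first use."""
        if not any(ch.isalnum() for ch in value):
            raise ValueError("value has no tokenizable characters")
        if value in self._value_to_token:
            # Same value -> same token, so tokenized columns can still be joined.
            return self._value_to_token[value]
        while True:
            token = self._surrogate(value)
            # Reject collisions with existing tokens and a token equal to the input.
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Look up the original value; raises KeyError for an unknown token."""
        return self._token_to_value[token]


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111-1111-1111-1111"  # constructed sample value
    tok = vault.tokenize(card)
    print(card, "->", tok, "format preserved:", preserves_format(card, tok))
    print("round trip ok:", vault.detokenize(tok) == card)
```

The deterministic mapping (the same value always yields the same token) is a design choice that keeps joins and deduplication working on tokenized data; its cost is that equality of two records is visible to anyone holding the tokens, so a deployment that must hide even that would use one-time tokens and accept the loss of joinability.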
Control 2-8: Cryptography

When encryption is used, the risk is transferred from the data itself to the cryptographic keys. The ability to securely manage, store and use keys is essential. With a copy of the private key, an attacker could decrypt data, create fraudulent identities and generate certificates at will. Thales delivers a breadth of cryptographic management solutions [14] across the crypto key management lifecycle, enabling security teams to centrally employ defense-in-depth strategies and ultimately make sure encryption yields true security.

[Figure: Crypto key management lifecycle: Generation, Exchange, Storage, Rotation, Archive, Revocation, Destruction]

The Thales hardware security module (HSM) [15] is a dedicated crypto processor that is specifically designed for the protection of the crypto key lifecycle. Hardware security modules act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organizations in the world by securely managing, processing and storing cryptographic keys inside a hardened, tamper-resistant device. Thales HSMs are FIPS 140 validated and cloud agnostic, providing services in the cloud for customers' cryptographic storage and processing needs.

Third-Party and Cloud Computing Cybersecurity Domain

Cloud and virtualization give your organization the agility and efficiency to instantly roll out new services and expand infrastructure. But the lack of physical control or defined entrance and egress points can bring about privileged user abuse, data leakage and other cloud data security issues. Thales' proven two-factor authentication, encryption and enterprise key management solutions [16] turn any cloud environment into a trusted and compliant environment by solving the critical challenges of data governance, control and ownership no matter where you store your data.
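The lifecycle in the figure above (generation, storage and use, rotation, archive, revocation, destruction) is only protective if every use of a key is checked against the key version's current state. The following added example (written for this page, not Thales' HSM or key-management software) shows that enforcement for a versioned HMAC key in pure Python: rotation archives the old version so it can still verify earlier tags but can no longer produce new ones, a revoked version can do nothing, and destruction erases the material while keeping the record for audit. The `ManagedKey` class, its state names and the sample key name are constructed for the example.

```python
"""Key-lifecycle enforcement for a versioned symmetric MAC key (illustrative example).

States: ACTIVE (sign + verify) -> ARCHIVED after rotation (verify only)
        -> REVOKED on compromise (no use) -> DESTROYED (material erased).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class KeyState(Enum):
    ACTIVE = "active"        # may sign and verify
    ARCHIVED = "archived"    # superseded by rotation: verify old tags only
    REVOKED = "revoked"      # compromised or withdrawn: no use at all
    DESTROYED = "destroyed"  # material erased; record kept for audit


class KeyLifecycleError(Exception):
    """Raised when an operation is not permitted in the key version's state."""


@dataclass
class KeyVersion:
    version: int
    material: Optional[bytes]
    state: KeyState = KeyState.ACTIVE


@dataclass
class ManagedKey:
    """One logical key with numbered versions; at most one version is ACTIVE."""
    name: str
    versions: Dict[int, KeyVersion] = field(default_factory=dict)

    def generate(self) -> int:
        # GENERATION: fresh 256-bit material from the OS CSPRNG; STORAGE is this record.
        v = max(self.versions, default=0) + 1
        self.versions[v] = KeyVersion(v, secrets.token_bytes(32))
        return v

    def rotate(self) -> int:
        # ROTATION: the ACTIVE version moves to ARCHIVE and a new version is generated.
        for kv in self.versions.values():
            if kv.state is KeyState.ACTIVE:
                kv.state = KeyState.ARCHIVED
        return self.generate()

    def revoke(self, version: int) -> None:
        # REVOCATION: the version must never be used again, even to verify.
        self.versions[version].state = KeyState.REVOKED

    def destroy(self, version: int) -> None:
        # DESTRUCTION: erase material, keep the version record for audit trails.
        kv = self.versions[version]
        kv.material = None
        kv.state = KeyState.DESTROYED

    def _usable(self, version: int, allowed: Set[KeyState]) -> bytes:
        kv = self.versions[version]
        if kv.state not in allowed or kv.material is None:
            raise KeyLifecycleError(f"{self.name} v{version} is {kv.state.value}")
        return kv.material

    def sign(self, data: bytes) -> Tuple[int, bytes]:
        """Produce (version, tag) with the single ACTIVE version."""
        active = [kv for kv in self.versions.values() if kv.state is KeyState.ACTIVE]
        if len(active) != 1:
            raise KeyLifecycleError(f"{self.name}: exactly one ACTIVE version required")
        v = active[0].version
        mat = self._usable(v, {KeyState.ACTIVE})
        return v, hmac.new(mat, data, hashlib.sha256).digest()

    def verify(self, version: int, data: bytes, tag: bytes) -> bool:
        """Verify a tag; permitted for ACTIVE and ARCHIVED versions, refused otherwise."""
        mat = self._usable(version, {KeyState.ACTIVE, KeyState.ARCHIVED})
        expected = hmac.new(mat, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key = ManagedKey("audit-log-mac")  # constructed key name
    key.generate()
    v, tag = key.sign(b"record 1")
    key.rotate()
    print("old tag verifies after rotation:", key.verify(v, b"record 1", tag))
    print("new signatures use version:", key.sign(b"record 2")[0])
```

Storing the version number next to each tag is what lets rotation happen without re-signing history: verification picks the archived version by number, while every new signature is forced onto the current one.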
[Figure: Thales solution areas: Protect data across the network and the cloud; Secure access and devices]

Many cloud service providers offer data-at-rest encryption capabilities with the encryption keys managed by the service provider. But for better compliance with both best practices and a range of data protection mandates, many providers also offer Bring Your Own Key (BYOK) services. With BYOK, customers have the ability to generate and import the encryption keys or key material for their cloud-native encryption services. Thales leverages the cloud providers' BYOK Application Programming Interfaces (APIs) to provide different solutions [17] and services for greater control and visibility.

[14] https://www.gemalto.com/enterprise-security/crypto-management
[15] https://safenet.gemalto.com/data-encryption/hardware-security-modules-hsms/?utm_source=gto&utm_medium=cm-lk&utm_campaign=dp-
[16] https://safenet.gemalto.com/cloud-data-security/
[17] https://safenet.gemalto.com/resources/hybrid-cloud-data-security-control-solution-brief/
Virtual and cloud environments require an agility and flexibility that traditional hardware encryption solutions cannot provide. Rolling out a virtual application that requires encryption, signed digital certificates or other PKI functions can often add days or weeks to a project. This is where cryptography-as-a-service [18] comes in handy. The Cryptography-as-a-Service solutions offered by Thales can help you consolidate your enterprise key vaulting and PKI services by moving away from physical HSMs to virtualized HSMs. Your organization can benefit from cost savings, simplified management and increased visibility.

When data and applications move to the cloud, user access takes place remotely. Organizations therefore have to implement user access controls for enterprise resources residing both in the cloud and within the confines of the data center. With enterprise security perimeters becoming increasingly blurry, organizations are having difficulty affording, implementing and managing consistent, unified access policies for distributed IT resources. Thales' Authentication and Access Management Solutions [19] overcome these challenges by allowing organizations to seamlessly extend secure access to the cloud through identity federation. Thales' platforms leverage organizations' existing authentication infrastructures, allowing them to extend users' on-premises identities to the cloud and implement consistent access control policies for both cloud and network applications.

Whatever your infrastructure, future development plans and security requirements, Thales is here to advise and help. Across time zones and continents, we protect businesses, governments and individuals from data breaches and identity theft. By relying on us, our clients in 180 countries can offer trusted and secure digital services so that their customers and citizens can enjoy their digital lifestyles.
[18] https://safenet.gemalto.com/data-encryption/crypto-command-center/
[19] https://safenet.gemalto.com/cloud-data-security/saas-security-cloud-access-control/
Thales Security Solutions & Services
P.O. Box 5463, Riyadh 11422, Saudi Arabia
Tel: +966 11 291 2000 Ext. 595 & 566
> thalesgroup.com <
© Thales - March 2020 • RMv3