Which direction to ensure data security in the new era of Vietnam?

At the seminar with the theme "Data security and network security in the era of national development" held on September 25 at Nhan Dan Newspaper, experts pointed out risks and recommendations in data protection and network security in Vietnam.

Data security is as important as protecting territorial sovereignty .

At the seminar, Mr. Pham Dai Duong - Member of the Party Central Committee, Deputy Head of the Central Policy and Strategy Committee, said that today, digital transformation is present everywhere, becoming an inevitable trend of the times. Digital transformation is closely linked to many fields such as digital government, digital economy , etc. In which, data is a very important factor, considered as a national asset.

Mr. Pham Dai Duong emphasized that data security has the same meaning as protecting territorial sovereignty at sea and on land. The Central Government always attaches importance to protecting sovereignty in cyberspace, considering this a continuous and inseparable task in ensuring national security.

"Data is considered a national strategic asset, so we need strategies to ensure data security and network security. The Party and State's viewpoint in ensuring network security and data security is that in policy making, it is necessary to shift from passive defensive thinking to proactive and active identification of risks early and proactive measures."

Mr. Duong said that this is a very important factor in protecting data security, and is also the responsibility not only of state agencies, but also of businesses and people - the subjects directly using and exploiting data. "If in the past the law only stopped at the prevention level, then with the rapid development of technology today, it is necessary to emphasize the role of leadership and proactive orientation."

Mr. Ngo Tuan Anh - Head of Data Security Department, National Data Association ( Ministry of Public Security ), shared that data sharing is the most important component in the system. Many leaks come from very basic vulnerabilities, mainly from configuration, storage-related vulnerabilities and backup-related vulnerabilities.

"First of all, it's a configuration issue. We imagine that data is in a "house" but is not locked carefully. There are systems that contain very important information but use weak passwords, default configurations or are exposed directly to the Internet. When a service is put on the Internet, after a few minutes, there will be automatic scanning and exploitation tools worldwide. That's why many systems, just a small loophole, can be accessed illegally," said Mr. Tuan Anh.

Another risk, according to Mr. Ngo Tuan Anh, is the widespread storage situation. Many units store too many forms and unnecessary data, leading to increased storage costs and expanding the risk surface. When the storage system is compromised, the entire data block can be exposed. In the context of the newly completed law on personal data protection, the storage unit will be legally responsible when risks occur.

In fact, according to Mr. Tuan Anh, no system can guarantee 100% security. Surveys show that if a bad guy has a motive to attack, the success rate is very high when the system has weaknesses. Therefore, multi-layered defense measures are necessary, in which backup is considered one of the vital factors.

At the discussion, Mr. Nguyen Le Thanh - Founder, Executive Chairman of Verichains Security Company, shared that normally, systems are often attacked by weaknesses, which may be due to the system being too old or careless in configuration, or errors in protection. Sometimes, these weaknesses come from wrong authorization, user errors or system administration errors.

Attackers will look for these flaws and weaknesses in a database management system to attack first. If the system elements are well-built and controlled, they will continue to look for weaknesses that are harder to protect.

At this time, users and administrators will become targets of attackers. Depending on their capacity and awareness of personal security, each person has the ability to manage, protect, and secure their own information.

Another problem comes from the phenomenon of fraudulent individuals and companies recruiting part-time employees or collaborators. After a period of joining, these individuals will infiltrate the user's information system and the user will be infected with malware without knowing it. "There have been cases where many people applied for jobs at an organization, and after a period of working, their personal data was attacked," Mr. Thanh revealed.

Finally, according to Mr. Thanh, the subjects and organizations that infiltrate the data system can attack from third parties. These are partners who often provide products, services, and solutions related to the system. To build an information system, we need to use technology provided by many parties and sometimes we cannot master and control it all. Any third party can be negligent and this is an opportunity for the above subjects to attack.

In fact, according to this expert, third-party attacks are more numerous and effective than user attacks and direct attacks on system vulnerabilities.

This shows that technological autonomy to reduce dependence on third parties is extremely important. However, doing that is not easy. Because building a system requires many steps, as well as the participation of many different components and it is very difficult for us to build the whole thing ourselves.

Mr. Thanh believes that it is necessary to determine that no system is absolutely safe. "Currently, most modern cyber security attack units are organized and operate very systematically. They have motivation, goals and abundant financial resources. Therefore, we need to think differently, to determine which "assets" are the most important and necessary in the entire information system. From here, use other measures around protection so that in case of an incident, the data loss is not much, the amount of information lost is not too valuable and does not cause serious damage," said Mr. Thanh.

Need a general engineer for data governance and cybersecurity

Mr. Pham Dai Duong - Member of the Party Central Committee, Deputy Head of the Central Policy and Strategy Committee, said that to protect data, it is necessary to combine two elements: First is protection by technology, infrastructure, and processes - that is, technical solutions; second is protection by the legal system. We already have many laws such as the Law on Cyber ​​Security, the Law on Personal Data Protection,... and in the coming time, the National Assembly will continue to review and perfect related laws.

In addition, Resolution 57/NQ-TW also sets out an implementation plan, including Plan No. 01 on strategic technologies, to enhance autonomy and master core technologies to secure data. The consistent viewpoint is to move from passive defense to proactive early risk identification, proactive prevention and response.

According to Dr. Phan Van Hung - Deputy Editor-in-Chief of Nhan Dan Newspaper, we are lacking "general engineers" in data management and network security to have a harmonious and synchronous combination.

With the ability to copy without limits, data is becoming a key means of production, extremely important in the digital economy. In terms of management, it is necessary to build and institutionalize a synchronous legal system in the direction of law leading, creating fairness, protecting vulnerable groups and regulating according to the State's goals.

According to Dr. Phan Van Hung, the law needs to specify the ownership rights of individuals and the rights of the state, build a framework for conditional data sharing, and combine public and private data. There will be disputes that the law cannot regulate, so the prosecution and judicial agencies need to build precedents to synchronize the legal system and governance effectively.

From the perspective of a cybersecurity expert, Mr. Ngo Tuan Anh said: "From practical lessons, it is necessary to focus on three groups of solutions: tightening security configuration before putting services on the Internet; managing, classifying and limiting unnecessary data storage; building a process for early detection, isolation, recovery and legal coordination when incidents occur. These are essential steps to protect the organization's most important asset: data."

Mr. Tuan Anh also said that the National Data Association is developing a set of basic standards related to data security. It is expected that in the near future, the set of standards will be put out for comments from departments and branches to support units, first of all members, to publish and apply, thereby improving compliance.

Another important content is the proactive development of cybersecurity solutions. Domestic units and enterprises, together with the National Cyber ​​Security Association, are coordinating to develop a domestic cybersecurity product ecosystem. In fact, there is much evidence that foreign technology products pose risks, because there may be vulnerabilities, whether intentional or unintentional, that allow data to be extracted and transmitted.

"There are cases where some security systems deployed in Vietnam accidentally let data pass through foreign infrastructure before being stored. This increases the risk of data leakage. Therefore, to ensure data security, we need to focus on standardization, compliance implementation and promoting the development of security and safety solutions owned by Vietnam," the representative of the National Data Association emphasized./.

Source: https://www.vietnamplus.vn/huong-di-nao-de-dam-bao-an-ninh-du-lieu-trong-ky-nguyen-moi-cua-viet-nam-post1064101.vnp