Keynote Speech by Mr Khoong Hock Yun, Assistant Chief Executive, Infocomm Development Authority of Singapore at the Cloud Security Alliance Summit 2011

8 September 2011 - Keynote Speech by Mr Khoong Hock Yun, Assistant Chief Executive, Infocomm Development Authority of Singapore at the Cloud Security Alliance Summit 2011 at Suntec Singapore International Convention & Exhibition Centre

Keynote Speech by Mr Khoong Hock Yun, Assistant Chief Executive, Infocomm Development Authority of Singapore at the Cloud Security Alliance Summit 2011 on 8 September 2011 at Suntec Singapore International Convention & Exhibition Centre

Mr. Aloysius Cheang
Asia Pacific Strategy Advisor, CSA

Mr. Freddy Tan
Chairman, CSA Singapore Chapter

Ladies and gentlemen

1. A very good morning to you all. Singapore enjoyed an excellent start in the development of our Cloud Computing ecosystem; today we have many early enterprise and SME users, R&D and academia, as well as industry providers enriching the vibrancy of this ecosystem. The topic of Cloud Security has taken increasing prominence and I am delighted to join you this morning for the CSA Summit 2011 dedicated to the subject on "Cloud Security".

Background

2. As our first step towards seeding the development of a cloud ecosystem, in late 2007, IDA issued a Call-for-Collaboration for Cloud Resource Provisioning. Over the past three years, cloud computing services have since seen considerable growth in Singapore. From just the three winning Cloud Service Providers or CSPs, the Singapore Cloud Computing ecosystem has grown to host over 10 cloud data centers. These CSPs include Amazon Web Services, Microsoft, IBM, Fujitsu, Savvis, and Tata Communications.

3. In a recent announcement, VMWare, a virtualisation solutions company, shared results from their commissioned survey of nearly 7,000 respondents in Asia-Pacific; it showed that cloud computing adoption among companies continues to rise quickly. The results showed that almost 60 percent of regional companies are either using cloud or planning cloud initiatives now. This is significantly higher than the reported 45 percent six months ago and 22 percent in 2010.

4. Why do companies adopt cloud computing? Well, 57 percent of the respondents shared that it is cost savings. Significantly, 37 percent of the respondents, many of which are large firms with more than 10,000 employees, reported that they adopted, or are planning to adopt, cloud computing as a long-term strategic investment.

5. International Data Corporation or IDC estimated that the demand for public cloud computing in Singapore is likely to grow to US$188M by 2014.

Key Adoption Challenge

6. Against this backdrop of fine weather, are there any possible dark clouds ahead? Fundamentally, Cloud Computing shifts much of the control over data and operations from user organisations to the CSPs, much in the same way enterprises outsource their IT operations. From this shift arises the concern over cloud security.

7. Is this a new realisation? No. Several surveys over the years have consistently revealed that cloud security is the number one concern in adoption. For example, in IDC's 15 Dec 2009 IT Cloud Services survey report¹ entitled "Top Benefits and Challenges", data security was already cited by IT managers as the Number 1 concern when they think about cloud deployments. Other concerns following include availability and performance.

8. More recently, Trend Micro's May 2011 survey which was focused on large companies of 500 or more employees using cloud services, 43 percent of the 1,200 respondents from six countries, namely, US, Canada, UK, Germany, Japan and India, who are using cloud services, reported experiencing a data security lapse or issue within last 12 months. Of all the respondents, 40 percent indicated that their IT security requirements are not being met by CSPs and 50 percent said security was the key reason holding back their adoption of cloud. Therefore, as an industry, we need to put greater effort to address the user's Cloud Security concerns.

A Cloud Security Framework

9. If market demands for cloud security are clear, why is there seemingly lack of progress?

10. Cloud security concerns arise from many sources, ranging from simply lack of understanding to unavailability of clear guidelines and standards. These concerns are compounded by large variations of cloud service offerings.

11. Furthermore, such concerns of security vary from users to users and across different industry verticals. Tightly regulated industries like the financial services sector is concerned with the potential exposure of their customers' confidential information. Other user groups such as the SME sector may even feel the benefits of using Cloud Computing far outweigh the potential risk.

12. Perhaps we need a security framework that will provide greater clarity in the level of risk exposure, and provide us greater visibility into the security provisions of various CSPs. Today, for example, it is difficult for a buyer of cloud services to source for the right CSP to give him the confidence that his data will be well protected, to be able to compare and understand which the CSP offers him the desired level of security. The crux of the issue may be how to match the security needs of users, perhaps as required by various regulatory and supervisory agencies, with the security provisions of CSPs.

A Six-Pronged Approach

13. Perhaps a multi-pronged approach is required to tackle the issue of cloud security. There are possibly at least six key avenues to consider.

14. In terms of technology, we need to consider the risks associated with the introduction of new technologies such as "Virtualisation". This requires concerted effort among the research institutes, industry vendors and practitioners to devise new management protocols, tools and processes to mitigate the associated risks.

15. We also need greater awareness - both cloud users and service providers need to have a better understanding of the issues and to communicate these to the relevant stakeholders, business managers and regulators, so that advancements in cloud adoption can be made in an appropriate manner, while protecting the interests of the end users. There can be more awareness seminars, workshops and conferences, such as this CSA Summit.

16. Third, each organisation should have a classification scheme to provide a basis for identifying the security management requirements of the various information and systems in a company. Each class or level of security of information and systems must be unambiguously defined such that cloud users, based on this definition, are able to clearly identify and classify its information and systems' security needs. These needs are then matched with corresponding security controls specified in the cloud security standards as adopted and offered by the various CSPs.

17. However, the values of these Cloud Security Standards and Guidelines are only realised when they are accepted and deployed by the CSPs. Such deployment of the standards through certification of CSPs would be similar to certification of ISO27001 for Info Security Management System.

18. Last but not least, for regulated industries or sectors of economy, it may be necessary to establish relevant policies and regulatory framework to govern the use and provision of cloud services to ensure some minimum compliance.

19. Today, several efforts have been expended globally such as

1. ENISA or European Network and Information Security Association,
2. Cloud Security Alliance,
3. SAS70 or Statement of Auditing Standards by American Institute of Certified Public Accountants,
4. FedRAMP or Federal Risk and Authorization Management Program, and
5. ISO/IEC.

20. However, at this time, these are primarily questionnaires and/or points of considerations, not specific auditable standards for compliance check. Therefore, Cloud Security standards and Guidelines is still very much work-in-progress.

21. Can there be a security framework or model that will help to:

• Address the needs of different industries or users;
• Provide visibility and clarity on security provisions of CSPs; and
• Ultimately facilitate the matching of security needs with security provisions?

22. Is it possible to have a multi-tier model similar to the well-known data centre tier defined by Uptime Institute which addresses a wide spectrum of user's needs - from basic requirements, to the high confidentiality requirements of highly regulated industries? The tiered model must be able to differentiate amongst public, private and hybrid CSPs.

Conclusion

23. To make further progress in adoption of Cloud Computing, we will all need to make a concerted effort to address the users' concerns on cloud security.

24. In this vein, I am happy to note that the Infocomm Standards Committee (or ITSC) and IDA has formed a Cloud Computing Standards Coordinating Task Force in February this year. As part of this effort, there is also a Working Group comprising key industry players, representatives from user groups and professional bodies to develop security best practices for Virtualisation. We also have plans to work on the fore-mentioned Cloud Security standards and create a SLA checklist to facilitate cloud services engagement between cloud users and CSPs.

25. In the next three to six months, IDA and ITSC will undertake industry consultation to further discuss the development and deployment of cloud security standards and guidelines to address this key impediment to cloud adoption.

26. On this note, I wish you all a fruitful seminar day ahead.

27. Thank you.

Note to Editor:

¹ The same result was presented at the Cloud Leadership Forum that IDC hosted in June 2010 in Santa Clara, California.