Be aware of scammers impersonating as IMDA officers and report any suspicious calls to the police. Please note that IMDA officers will never call you nor request for your personal information. For scam-related advice, please call the Anti-Scam helpline at 1800-722-6688 or go to

Keynote Speech by Mr Khoong Hock Yun, Assistant Chief Executive, Infocomm Development Authority of Singapore at the Inaugural Ciso Asia Pacific Summit 2012

Keynote Speech by Mr Khoong Hock Yun, Assistant Chief Executive, Infocomm Development Authority of Singapore at the Inaugural Ciso Asia Pacific Summit 2012 on 1 November 2012, 9.15am, at Marina Bay Sands Singapore

Keynote Speech by Mr Khoong Hock Yun, Assistant Chief Executive, Infocomm Development Authority of Singapore at the Inaugural Ciso Asia Pacific Summit 2012 on 1 November 2012, 9.15am, at Marina Bay Sands Singapore

Mr Jim Reavis, Executive Director, CSA

Mr. Aloysius Cheang, Managing Director, Asia Pacific, CSA

Ladies and gentlemen

1. A very good morning to you all. I am honoured to be invited here to speak at the first event organised by the newly formed CSA APAC Corporate HQ office in Singapore.


2. With the advent of cloud computing, there is a paradigm shift in computing where businesses and end-users will be assessing applications such as word processing, storage and even compute power through the Internet. Cloud computing enables consumers and business users to consume infocomm services without the need for an IT support system. The cloud computing paradigm shift brings about changes to the traditional business models in the infocomm sector and how applications are delivered and consumed within the consumer and enterprise environments.

3. In Singapore, several initiatives and programmes were implemented to enhance cloud adoption. To catalyse the development of the cloud ecosystem with Cloud Service Providers or CSPs, in 2007, IDA launched a Grid (or Cloud) Services Provisioning Call for Collaboration. Thereafter, IDA put in place a cloud services bulk tender for easy procurement of public cloud services by government agencies. A second bulk tender initiative, known as EnVision, was launched for the supply of cloud-based video hosting and steaming services using the utility pricing model. This web-based video streaming service is used by several ministries, statutory boards, organs of state and participating entities. To date, IDA has also launched five Calls for Cloud Computing Proposals to promote cloud adoption. The five calls have seen 69 projects awarded cloud resources to undertake test-bedding, proofs-of-concept and research. IDA will launch the sixth Call for Cloud Computing Proposals on 5 November 2012.

4. To catalyse the provisioning of cloud based services which help transform the work of various industrial sectors, IDA established the Software-as-s-Service (SaaS) Enablement Programmes (or SEP) where funding support is provided for manpower, professional services and training expenses in relation to SaaS enablement efforts.

5. To encourage greater adoption, Cloud computing is also allowed under the Productivity and Innovation Credit or PIC Scheme, where the first $400,000 in costs incurred to acquire cloud computing resources qualifies for a 400 per cent tax deduction. Also, the IDA's iSPRINT scheme supports the adoption of ICT by Small and Medium Enterprises or SMEs. As part of the move to simplify the grant application process, the "iSPRINT Packaged Solutions" was introduced so that SMEs can purchase the relevant packaged solution and implement it before seeking funding support from IDA. To date, there are more than 150 iSPRINT Packages for Accounting, Payroll, Point-of-Sales and SaaS solutions, offered by over 120 ICT Solution Providers for SMEs to choose from.

6. To increase confidence and awareness in cloud computing adoption, IDA together with the National Library Board, Singapore Computer Society and Imperial College Alumni Association (Singapore) had organised a series of ten public talks on cloud computing from March 2011 to January 2012.

Cloud Security

7. While various incentive programmes are in place to enhance the adoption of cloud computing, one common inhibitor against cloud adoption is cloud security concerns.

8. According to the 2012 Future of Cloud Computing Survey results released on 20 June 2012 by the venture capital firm North Bridge, 55 percent of the 800 respondents rank cloud security as the topmost concern.

9. The Launchpad Europe IT Security Index 2009 showed that nearly half of organisations indicated no plans to use any cloud computing technologies, citing security concerns as the primary reason.

10. Cloud security concerns arise from many sources, ranging from simply lack of understanding to unavailability of clear guidelines and standards. These concerns are compounded by large variations of cloud service offerings for different user groups and industry verticals.

11. The tolerance level of security risks may differ among companies, and from industry sector to sector as different industries may have their own unique characteristics, and hence, security requirements. For example,

  • The banking community, is concerned with clear and unambiguous controls of customer information stored in cloud and is taking a cautious approach in adoption of cloud computing.

  • SMEs are generally more amenable to adopting cloud computing solutions since cloud service providers (CSPs) have the scale and expertise to provide the needed security at a much lower cost and extent than what the SMEs can do themselves. The situation faced by SMEs also typifies industries which are more forthcoming in using cloud solutions as the benefits outweigh the potential risks of such adoption.

12. However, cloud security is not an insurmountable obstacle and can be addressed through a multipronged holistic approach with some key considerations.

A Six-Pronged Approach

13. There are at least six key avenues to consider.

14. Firstly, in terms of technology, we need to consider the risks associated with the introduction of new technologies such as "virtualisation". This requires concerted effort among the research institution, industry vendors and practitioners to devise new management protocols, tools and processes to mitigate the associated risks.

15. There is also the need for greater awareness. - Cloud users and service providers need to have a better understanding of the issues and to communicate these to the relevant stakeholders, business managers and regulators, so that advancements in cloud adoption can be made in an appropriate manner, while protecting the interests of the end users. The awareness can be enhanced through seminars, workshops and conferences.

16. Third, each organisation should have a classification scheme to provide a basis for identifying the security management requirements of the various information and systems in a company. This enables every system to have a class or level of security that is unambiguously defined such that cloud users, based on this definition, will be able to clearly identify and catergorise its security needs. These needs are then matched with corresponding security controls specified in the cloud security standards as adopted and offered by CSPs.

17. However, the values of these Cloud Security Standards and Guidelines are only realised when they are accepted and deployed by the CSPs. Such deployment of the standards through certification of CSPs would be similar to certification of ISO27001 for Info Security Management System.

18. Finally, for regulated industries or sectors of economy, it may be necessary to establish relevant policies and regulatory framework to govern the use and provision of cloud services to ensure some minimum compliance.

ITSC Cloud Computing Task Force

19. To make further progress in adoption of cloud computing, we will all need to make a concerted effort to address the users' concerns on cloud security.

20. In February 2011, IDA and the Singapore's Information Technology Standards Committee (ITSC) jointly established a cloud computing standards coordinating task force to focus efforts to address users' concerns on cloud security, develop appropriate standards and guidelines meeting the industry demands for cloud computing standards and coordinate cloud computing standardisation efforts across different technical committees in ITSC. The task force comprises representatives from IDA, ITSC, Singapore Computer Society or SCS, Singapore infocomm Technology Federation or SiTF, Information Technology Management Association or ITMA as well as industry verticals. The task force worked on guidelines for issues with inputs from the industry. Arising from such a concerted effort, several working groups have been established. To-date, we have already published two Technical References in March 2012, namely, the "Best Practices for Server Virtualisation Security" and "Security & Service Level Guidelines for Adoption of Public Cloud Services".

21. As virtualisation is a key enabling technology in the provision of cloud services, users have expressed a need for a guideline to address the technology risks brought about by virtualisation of servers. This set of best practices focuses on the process controls. The document explains the potential security risks in server virtualisation and provides implementation guidance to enterprise infocomm personnel managing data centres that are embarking upon consolidation of servers through virtualisation technologies. This guideline, at present, does not cover risks associated with other delivery components such as network and storage which form other parts of the entire infrastructure in the provisions of various cloud services.

22. The second deliverable provides security guidance to cloud users on the usage of public clouds that conform to Infrastructure-as-a-Service and SaaS models, and the service level guidelines that public cloud users should consider when procuring services.

23. We have also formed an industry working group in April 2012 to undertake the development of multi-tier cloud security standards and guidelines. We will also undertake industry consultation to discuss its deployment to address this key impediment to cloud adoption.


24. The development of the above-mentioned cloud security guidelines is only made possible by the active participation of more than 40 infocomm professionals, who have generously volunteered their time and expertise. I would like to acknowledge their valuable contributions and efforts.

25. With CSA's presence in Singapore, we look forward to the opportunity to collaborate on cloud security related development. We hope to continue to be a responsible user, contributor and host to the development international standards and best practice guidelines.

26. On this note, I wish you all a fruitful summit ahead.