Check out our research activities!

Our thoughts on cloud security

Recap of the previous edition
In the previous edition, the topic was centered around data security and privacy which concluded in a system where end-to-end encryption is standard practice. On a small scale, that would help users secure their data in cloud storage solutions. When it comes to storing data that has to be processed, end-to-end encryption is still ineffective since data needs to be decrypted at some point (e.g. within the database) to be processed reliably. The technique to do such processing of encrypted data reliably is an approach known as homomorphic encryption.

In the absence of encryption solutions like homomorphic encryption, what are the mechanisms that protect our data in data centers and how effective are they? We learnt from the experts attending the 15th RAISE Forum held in the first week of August in Qingdao, China that there are more serious concerns and considerations before business can trust the cloud providers with their sensitive data. RAISE is a reputable security standards organization co-chaired by Dr. Meng Chow Kang of Singapore National Body (“NB”), who is also a member of the CSA APAC CXO Roundtable and Prof. Koji Nakao of Japan NB. According to them and other industry experts, most notably Professor Pauline Reich, an American lawyer, arbitrator, mediator, Professor at Waseda University School of Law since 1995 and also the Founder and Director Asia Pacific Cyberlaw Institute, there exist fundamental security issues in the cloud computing model despite the business agility and costs savings that it brought. Solve the security issue, you got a trusted cloud that can be used. Agile and cheap, Cloud Computing will revolutionize the way that we do business.

Distributed resources and its implications
One of the key discussion area that loomed in every expert's mind is the issue of cloud data governance. Due to the geographical distribution of data centers, data stored in these data centers are subjected to different local laws and regulations in terms of how data is to be governed.

A Brave New World
This is where cloud computing becomes a technology of disruption as the boundaries and rules that used to define legal jurisdictions are blurred due to complicated circumstances. For instance, an individual from Singapore could have personal data managed by an American company. The American company then outsource some of their functions, the data could end up residing in a data center in Brazil.

If the local data laws and regulations in the country where the data resides in are adhered to, this means that local governments are given access to data of non-citizens. Some have argued that this is the crux of the problem, precisely because such a situation would give local governments power over foreign data that resides in their country.

Alternatively, the contract between the individual and the company whose services were contracted could be prioritized. In this approach, a customer from a specific country would engage the cloud services of a business, with a legal entity in said country, and be subjected to local data laws and regulations of this country, regardless of where the data center resides. With such an alignment, the local government would still have jurisdiction over the cloud service provider and the customer. However, this approach really begs the question, what happens if the individual engages the services of a cloud service provider that does not have a local legal entity? Would this mean that the data of the individual is no longer under the jurisdiction of the local government?

These are some of the problems faced by society when technological advancement happens too fast such that other parts of society struggle to keep up. Different aspects of society like legal systems, security education lack behind and have not develop mature solutions to fill the gap brought about by technology disruption.

Dr. Ryan Ko, CSA APAC’s Research Advisor has been hard at work trying the solve the cloud data governance conundrum. Besides establishing CSA’s Cloud Data Governance working group in 2011, he has since led global efforts in the research of data provenance that provided another way other than SLA that could resolve the problem with data accountability, transparency and the issue with data residency once and for all! In addition, Dr. Ko’s team at the University of Waikato and the CSA have been working quietly on Project STRATUS in New Zealand, which is funded by the Ministry of Business, Innovation and Employment (“MBIE”) in a $12.1 million dollar effort that aims to deliver these solutions to the world!

Further Reading

Kerr, Orin. 2015. "Does it matter who wins the Microsoft Ireland warrant case?" The Washington Post , July 23. Retrieved August 31, 2015 (https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/).

Segal, Adam. 2015. “Do Local Laws Belong In a Global Cloud? Q&A with Brad Smith of Microsoft (Part One)” Council on Foreign Relations, August 26. Retrieved August 31, 2015 (http://blogs.cfr.org/cyber/2015/08/26/do-local-laws-belong-in-a-global-cloud-qa-with-brad-smith-of-microsoft-part-one/)

Segal, Adam. 2015. “Do Local Laws Belong In a Global Cloud? Q&A with Brad Smith of Microsoft (Part Two)” Council on Foreign Relations, August 27. Retrieved August 31, 2015 (http://blogs.cfr.org/cyber/2015/08/27/do-local-laws-belong-in-a-global-cloud-qa-with-brad-smith-of-microsoft-part-two/)

Will, Mark and Ryan Ko. 2015. “Chapter 5 - A guide to homomorphic encryption.” Pp. 101-127 in The Cloud Security Ecosystem, edited and authored by Ryan Ko and Raymond Choo. Syngress 2015.

Ko, Ryan, Peter Jagadpramana, Miranda Mowbray, Siani Pearson, Markus Kirchberg, Qianhui Liang and Bu S. Lee. 2011 “TrustCloud: A framework for accountability and trust in cloud computing.” Pp. 584-588 in SERVICES. IEEE 2011.

Ko, Ryan, Markus Kirchberg and Bu S. Lee. 2015 “From system-centric to data-centric logging-accountability, trust & security in cloud computing” Pp. 1-4 in Defense Science Research Conference and Expo (DSR). IEEE 2011.

Ko, Ryan. 2013 “Data accountability in cloud systems” Pp. 211-238 in Security, Privacy and Trust in Cloud Systems. Springer 2014.

Business Cloud News. 2015. “CSA lends prototype compliance tool to six-year cloud security project” Business Cloud News, July 16. Retrieved August 31, 2015 (http://www.businesscloudnews.com/2015/07/16/csa-lends-prototype-compliance-tool-to-six-year-cloud-security-project/)

The latest updates about CSA APAC events and activities.

The latest updates about CSA APAC supported conferences

Featured chapter of the month

In this last quarter, the CSA Singapore Chapter has focused on promoting thought leadership via special topics in Cybersecurity.

Cybersecurity has never been more important and the dangers have never seemed more real. Cyber attacks are getting more sophisticated every day and so CISOs just have to be fast, flexible and nimble in constantly evolving their defenses. More needfully, they should not lack the guts and the spine to do what's right.

Zero day vulnerabilities has become such a common word today that researchers work overtime to identify and shield them, as the Chapter derives some epiphany by NSS Labs' latest breach detection report, CISOs need to take such zero day and other threat research information to formulate a systematic breach detection and mitigation response.

In the last two CSA Singapore Executive Luncheons, the topics have pretty much focused on APTs and Targeted attacks, we saw esteemed speakers and CXOs grace our events with very healthy and active participation in the above-mentioned topics.

Some of the key discussion pointers from our visitors include the intelligence bloat issue: Today, malware threats have evolved into a form where incumbent techniques and technologies fail to keep up, we are then forced to adopt counter measures which give us more analysis than our department staffing is equipped to handle. Think of the 'famous' firm target, it is the thinking that their detection systems generated too many alarms, which made it tough to single out the truly malicious threat. It is akin to trying to hunt for a needle in a haystack and yet, when we pick out a potential threat, we have to be sure it is a real threat rather than just another piece of hay in that stack.

In the upcoming thought leadership series in October 2015, the Singapore Chapter will be educating CISOs on web application vulnerabilities and techniques for uncovering the ‎stealthy threats tunnelling through organisations' defences disguised as legitimate traffic. Look out for it!

 

David Siah is the Country Manager of Trend Micro and also the Chairman of the Cloud Security Alliance Singapore Chapter. In Trend Micro, David runs Trend Micro’s business operations in Singapore and he is also in charge of Trend Labs Singapore, which is responsible for malware analysis and response. He is actively involved in cyber-security activities in Singapore and is a member of Infocomm Development Authority (iDA) of Singapore’s Cyber Security Agency. David is also involved in iDA’s work group on Cloud Outage Incidence Response and is a committee member of the Singapore Information Technology Federation’s Security and Governance Chapter.

Come and Join Us!