Welcome to the CSA APAC Cloud Codebook!
A monthly newsletter, and your source for the most up-to-date news on the CSA APAC region.
CSA APAC Research Activities
Check out our research activities!
MAST Initiative
The CSA Mobile Application Security Testing (MAST) Initiative conducted a meeting on the 20th of August led by CSA APAC Executive Corporate Member, Gapertise. The meeting was held at the CSA Taiwan Summit 2015. Experts in the MAST Initiative took part in a discussion with Timothy Grance from NIST, co-author of the NIST SP 800-163. The group discussed the challenges and the importance of developing and implementing a mobile application security testing programme.
The MAST initiative has begun working on the first draft of a whitepaper, which incorporates elements of NIST SP 800-163, ISO 27034, Domain 10 of CSA’s Security Guidance (Application Security), as well as other best-practice documents. The MAST initiative expects to complete the first draft of the document within the next month and will then start the CSA peer review process.
Memoir of An Analyst
Our thoughts on cloud security
What must be done in order to achieve absolute data security and privacy?
Recap of the previous edition
In the previous edition, the topic centred on data security and privacy, and concluded that end-to-end encryption should be standard practice. On a small scale, that would help users secure their data in cloud storage solutions. When it comes to storing data that has to be processed, end-to-end encryption is still ineffective, since the data needs to be decrypted at some point (e.g. within the database) to be processed reliably. The technique for processing encrypted data without first decrypting it is known as homomorphic encryption.
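To make the point concrete, here is an added example that is not part of the newsletter or of the cited chapter on homomorphic encryption. It implements the additively homomorphic Paillier cryptosystem in pure Python: a server that holds only ciphertexts can add them (and multiply them by a known constant) so that the key holder decrypts the correct total, without the server ever seeing a plaintext. The primes, the sample values and the function names are all constructed for illustration; the primes are far too small to be secure and a real deployment would use a vetted library with keys of 2048 bits or more.

```python
import random
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def paillier_keygen(p, q):
    """Build a Paillier key pair from two primes (toy sizes here)."""
    n = p * q
    lam = lcm(p - 1, q - 1)          # Carmichael function of n
    g = n + 1                        # standard generator choice
    mu = pow(lam, -1, n)             # modular inverse; needs gcd(lam, n) == 1
    return (n, g), (lam, mu)


def paillier_encrypt(pub, m, r=None):
    """c = g^m * r^n mod n^2 with fresh randomness r coprime to n."""
    n, g = pub
    n_sq = n * n
    assert 0 <= m < n, "message must lie in [0, n)"
    if r is None:
        while True:
            r = random.randrange(1, n)
            if gcd(r, n) == 1:
                break
    return (pow(g, m, n_sq) * pow(r, n, n_sq)) % n_sq


def paillier_decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, _ = pub
    lam, mu = priv
    n_sq = n * n
    x = pow(c, lam, n_sq)
    return (((x - 1) // n) * mu) % n


def add_encrypted(pub, c1, c2):
    """Homomorphic addition: multiplying ciphertexts adds the plaintexts."""
    n_sq = pub[0] ** 2
    return (c1 * c2) % n_sq


def scale_encrypted(pub, c, k):
    """Homomorphic scalar multiplication: c^k encrypts k * m."""
    return pow(c, k, pub[0] ** 2)


def encrypted_tally(values, p=1009, q=1013):
    """Sum a list of values using only ciphertext operations on the 'server'.

    The key holder encrypts each value, hands the ciphertexts over, the
    server folds them with add_encrypted, and the key holder decrypts the
    single returned ciphertext. Returns the decrypted total.
    """
    pub, priv = paillier_keygen(p, q)
    ciphertexts = [paillier_encrypt(pub, v) for v in values]   # client side
    acc = paillier_encrypt(pub, 0)                              # encrypted zero
    for c in ciphertexts:                                       # server side
        acc = add_encrypted(pub, acc, c)
    return paillier_decrypt(pub, priv, acc)                     # client side


if __name__ == "__main__":
    # Constructed sample: three salary figures the server must total but not read.
    print(encrypted_tally([1200, 3400, 875]))   # 5475
```

Note that each call to paillier_encrypt draws fresh randomness, so two encryptions of the same value produce different ciphertexts; the server can therefore neither read nor compare the inputs, yet the decrypted total is exact as long as it stays below n.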
In the absence of encryption solutions like homomorphic encryption, what are the mechanisms that protect our data in data centres, and how effective are they? We learnt from the experts attending the 15th RAISE Forum, held in the first week of August in Qingdao, China, that there are more serious concerns and considerations before businesses can trust cloud providers with their sensitive data. RAISE is a reputable security standards organisation co-chaired by Dr. Meng Chow Kang of the Singapore National Body (“NB”), who is also a member of the CSA APAC CXO Roundtable, and Prof. Koji Nakao of the Japan NB. According to them and other industry experts, most notably Professor Pauline Reich, an American lawyer, arbitrator, mediator, Professor at Waseda University School of Law since 1995 and Founder and Director of the Asia Pacific Cyberlaw Institute, there are fundamental security issues in the cloud computing model despite the business agility and cost savings it has brought. Solve the security issue, and you have a trusted cloud that can be used. Agile and cheap, cloud computing will revolutionise the way we do business.
Distributed resources and their implications
One of the key discussion areas that loomed in every expert's mind is the issue of cloud data governance. Because data centres are geographically distributed, the data stored in them is subject to different local laws and regulations on how data is to be governed.
A Brave New World
This is where cloud computing becomes a technology of disruption, as the boundaries and rules that used to define legal jurisdictions are blurred by complicated circumstances. For instance, an individual from Singapore could have personal data managed by an American company. If the American company then outsources some of its functions, the data could end up residing in a data centre in Brazil.
If the local data laws and regulations of the country in which the data resides are adhered to, local governments are given access to the data of non-citizens. Some have argued that this is the crux of the problem, precisely because such a situation would give local governments power over foreign data that resides in their country.
Alternatively, the contract between the individual and the company whose services were contracted could be prioritised. In this approach, a customer from a specific country would engage the cloud services of a business with a legal entity in that country, and would be subject to the local data laws and regulations of that country, regardless of where the data centre resides. With such an alignment, the local government would still have jurisdiction over both the cloud service provider and the customer. However, this approach raises the question: what happens if the individual engages the services of a cloud service provider that does not have a local legal entity? Would this mean that the individual's data is no longer under the jurisdiction of the local government?
These are some of the problems faced by society when technological advancement happens so fast that other parts of society struggle to keep up. Different aspects of society, such as legal systems and security education, lag behind and have not developed mature solutions to fill the gap brought about by technological disruption.
Dr. Ryan Ko, CSA APAC’s Research Advisor, has been hard at work trying to solve the cloud data governance conundrum. Besides establishing CSA’s Cloud Data Governance Working Group in 2011, he has since led global efforts in data provenance research, which provides a way, other than SLAs, to resolve the problems of data accountability, transparency and data residency once and for all! In addition, Dr. Ko’s team at the University of Waikato and the CSA have been working quietly on Project STRATUS in New Zealand, which is funded by the Ministry of Business, Innovation and Employment (“MBIE”) in a $12.1 million effort that aims to deliver these solutions to the world!
Further Reading
Kerr, Orin. 2015. “Does it matter who wins the Microsoft Ireland warrant case?” The Washington Post, July 23. Retrieved August 31, 2015 (https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/).
Segal, Adam. 2015. “Do Local Laws Belong In a Global Cloud? Q&A with Brad Smith of Microsoft (Part One).” Council on Foreign Relations, August 26. Retrieved August 31, 2015 (http://blogs.cfr.org/cyber/2015/08/26/do-local-laws-belong-in-a-global-cloud-qa-with-brad-smith-of-microsoft-part-one/).
Segal, Adam. 2015. “Do Local Laws Belong In a Global Cloud? Q&A with Brad Smith of Microsoft (Part Two).” Council on Foreign Relations, August 27. Retrieved August 31, 2015 (http://blogs.cfr.org/cyber/2015/08/27/do-local-laws-belong-in-a-global-cloud-qa-with-brad-smith-of-microsoft-part-two/).
Will, Mark and Ryan Ko. 2015. “Chapter 5 - A guide to homomorphic encryption.” Pp. 101-127 in The Cloud Security Ecosystem, edited and authored by Ryan Ko and Raymond Choo. Syngress 2015.
Ko, Ryan, Peter Jagadpramana, Miranda Mowbray, Siani Pearson, Markus Kirchberg, Qianhui Liang and Bu S. Lee. 2011. “TrustCloud: A framework for accountability and trust in cloud computing.” Pp. 584-588 in SERVICES. IEEE 2011.
Ko, Ryan, Markus Kirchberg and Bu S. Lee. 2015. “From system-centric to data-centric logging - accountability, trust & security in cloud computing.” Pp. 1-4 in Defense Science Research Conference and Expo (DSR). IEEE 2011.
Ko, Ryan. 2013. “Data accountability in cloud systems.” Pp. 211-238 in Security, Privacy and Trust in Cloud Systems. Springer 2014.
Business Cloud News. 2015. “CSA lends prototype compliance tool to six-year cloud security project.” Business Cloud News, July 16. Retrieved August 31, 2015 (http://www.businesscloudnews.com/2015/07/16/csa-lends-prototype-compliance-tool-to-six-year-cloud-security-project/).
CSA Events and Activities
The latest updates about CSA APAC events and activities.
Knowledge Sharing Seminar, 20 July, Singapore
The bimonthly Knowledge Sharing Seminar was held on the 20th of July at HP’s office in Singapore and was sponsored by Utimaco. There was an overwhelming registration of 33 people. Mr. Teo Poh Soon from Utimaco presented “Data Security in the Cloud” to the audience. In addition, Mr. Steve Tan, partner at Rajah & Tann Singapore LLP, was invited to the seminar and spoke on the topic “Protecting and Securing Data: The Menace of Data Breach, IT System Compromise and Cyberattack - Are You Prepared?”.
CSA APAC Summit and CXO Luncheon, 21st July, Singapore
The second CSA CXO Luncheon was held at Marina Bay Sands, Singapore, on the 21st of July, 2015. CXOs from both the public and private sectors were in attendance. The sponsors for the luncheon were Trend Micro, Tata Communications and Singtel. During the event, Trend Micro’s CTO, Mr. Raimund Genes, presented “APT: Are we losing the battle?”, and Tata Communications’ Vice President, Mr. Vishak Raman, shared Tata Communications’ views on “Advanced Targeted Attacks: MSSP perspective”. Last but not least, Singtel’s Director for Emerging Businesses, Group Enterprise, Mr. Richard Koh, presented cloud services from the Singtel point of view. A study is currently being conducted and the analytic report will be shared at the next CXO Luncheon, scheduled for the 30th of October, 2015.
On the same day, CSA also held the CSA APAC Summit 2015: Enterprise Cloud Adoption and Security Lessons Learned. Registrations for the Summit numbered more than 600. Dr. Lee Hing Yan from the Infocomm Development Authority of Singapore (iDA) gave the keynote address. The attendees were treated to a half-day of content from industry-leading thought leaders, including CSA CEO Jim Reavis and CSA Singapore Chapter Chairman David Siah, who highlighted how cloud computing is changing information security and the human capital required to secure our information assets. CSA APAC would like to thank the sponsors of the event: Trend Micro, F5 Networks and Quantiq International.
Meeting with Data Security Council of India, 6 August, New Delhi, India
CSA APAC Managing Director, Aloysius Cheang, and Chairman of the NCR Chapter, Madhav Chablani, met Mr. Nandkumar Saravade, CEO of the Data Security Council of India, to discuss collaboration between CSA and DSCI. The group talked about CSA’s research on migrating core banking applications to the cloud, research and alliances with other governments, industry and academia, and areas of collaboration in both research and innovation.
CSA Supported Conferences
The latest updates about CSA APAC supported conferences
RSA APJ, 22-24 July, Singapore
The CSA team exhibited at RSA Conference @ APJ from the 22nd to the 24th of July, 2015. CSA CEO, Mr. Jim Reavis, delivered a keynote speech titled “Security Lessons Learned: Enterprise Adoption of Cloud Computing” on the 23rd of July.
(ISC)2 APAC Congress, 28-29 July, Manila, Philippines
The two-day (ISC)2 Security Congress APAC was an event for information security professionals across Asia-Pacific. It was held on the 28th and 29th of July in Manila, Philippines. Mr. Henry Rhoel Aguda, Board Member of the CSA Philippines Chapter, delivered a speech on Cyber Law and Cloud Security, covering recent developments in data privacy and cybercrime and how to apply them to cloud security. On the second day, CSA APAC Managing Director Aloysius Cheang took part in the panel discussion on Challenges in Critical Infrastructure Protection.
Dr. Ryan Ko, CSA APAC Research Advisor, was awarded the (ISC)2 ISLA Managerial Award during the (ISC)2 APAC Congress for his efforts and contributions to information security projects. Dr. Ko established New Zealand's first university cyber security education and research programme, launched New Zealand's first Master of Cyber Security and cyber security lab in 2013, kick-started the CSA APAC working groups (the Cloud Data Governance Working Group and the Cloud Vulnerabilities Working Group), and was also involved in the development of CCSP, a new certification launched in April 2015.
Trusted Cloud Computing Service Summit 2015, 31 July, Beijing, China
CSA APAC was invited to the Trusted Cloud Computing Service Summit 2015 on the 31st of July, 2015 in Beijing. CSA APAC Managing Director, Aloysius Cheang, delivered a keynote speech on “5 Cloud Trends Changing Information Security”. The event was a platform for China to showcase its national cloud certification programme and the latest trends. CSA, through the CEPREI Certification Body, is currently in discussion to evaluate how the CSA C-STAR Certification Programme can add value to the Chinese national cloud certification programme. C-STAR was launched in June 2015 and is an assessment of the security management of cloud service providers specific to Mainland China. It was also announced that Huawei, Bluedon and Ribose had been C-STAR certified. Currently, the CEPREI Certification Body is the sole certified auditor for this programme; for enquiries about C-STAR, please email us.
Cloud Computing India 2015, 6 August, New Delhi, India
Cloud Computing India 2015, the 3rd International Conference, was held on the 6th of August at Shangri-La’s Eros Hotel in New Delhi, India. Cloud Security Alliance was the Cloud Security Strategic Partner for the event. CSA APAC Managing Director, Aloysius Cheang, delivered a keynote speech on the Top 5 Cloud Trends for 2015. CSA APAC also met leaders from the Cloud Computing Innovation Council of India, NASSCOM and the National Institute for Smart Government India.
The objective of this exclusive conference was to help information and technology experts understand the potential business impacts of cloud computing now and in the future, and to keep up to date with trends and developments in the industry. It also gave professionals a chance to learn from the experience of those who are in the process of implementing cloud computing and those who have already done so.
RAISE Forum, 9 August, Tsingtao, China
The CSA’s International Standardization Council (ISC) took part in the 15th annual RAISE Forum. The Regional Asia Information Security Exchange (RAISE) Forum aims to provide a platform for sharing knowledge and experience among regional economies on security standards development, adoption and deployment. The forum also aims to help regional bodies identify opportunities for collaboration to further the cause of international security standards development and promulgation more effectively in the Asia region.
The ISC elaborated on its participation in key global standardisation activities, including virtualisation security, cloud security and service level agreements in ISO/IEC JTC 1/SC 27: Security Techniques and SC 38: Cloud Computing and Distributed Platforms.
The RAISE Forum is currently co-chaired by Mr Koji Nakao of KDDI, Japan and Mr Kang Meng Chow of Singapore.
CSA Singapore Chapter
Featured chapter of the month
In this last quarter, the CSA Singapore Chapter has focused on promoting thought leadership via special topics in Cybersecurity.
Cybersecurity has never been more important and the dangers have never seemed more real. Cyber attacks are getting more sophisticated every day, so CISOs have to be fast, flexible and nimble in constantly evolving their defences. More importantly, they should not lack the guts and the spine to do what's right.
Zero-day vulnerabilities have become so common that researchers work overtime to identify and shield against them. Drawing on NSS Labs' latest breach detection report, the Chapter's view is that CISOs need to take zero-day and other threat research information and use it to formulate a systematic breach detection and mitigation response.
In the last two CSA Singapore Executive Luncheons, the topics focused largely on APTs and targeted attacks. Esteemed speakers and CXOs graced our events, with very healthy and active participation in these topics.
One of the key discussion points from our visitors was the intelligence bloat issue. Today, malware threats have evolved into a form where incumbent techniques and technologies fail to keep up, and we are then forced to adopt countermeasures that generate more analysis than our department staffing is equipped to handle. Think of the 'famous' firm, Target: the thinking is that their detection systems generated too many alarms, which made it tough to single out the truly malicious threat. It is akin to hunting for a needle in a haystack, and yet, when we pick out a potential threat, we have to be sure it is a real threat rather than just another piece of hay in that stack.
In the upcoming thought leadership series in October 2015, the Singapore Chapter will be educating CISOs on web application vulnerabilities and on techniques for uncovering the stealthy threats that tunnel through organisations' defences disguised as legitimate traffic. Look out for it!
APAC Volunteer Leadership Spotlight
Mr. David Siah
David Siah is the Country Manager of Trend Micro and also the Chairman of the Cloud Security Alliance Singapore Chapter. At Trend Micro, David runs the company’s business operations in Singapore and is also in charge of Trend Labs Singapore, which is responsible for malware analysis and response. He is actively involved in cyber-security activities in Singapore and is a member of the Infocomm Development Authority (iDA) of Singapore’s Cyber Security Agency. David is also involved in iDA’s work group on Cloud Outage Incident Response and is a committee member of the Singapore Information Technology Federation’s Security and Governance Chapter.
- Inaugural CSA Bangalore Summit, 11 September, 2015, Bangalore, India
- 6th CSA Korea Summit, 23 October, 2015, Seoul, Korea
- Inaugural CSA Innovation Conference, 28-29 October, 2015, Singapore
- Inaugural CSA New Zealand Summit, 19 November, 2015, Wellington, New Zealand
- 3rd CSA APAC Congress and 6th CSA Greater China Summit, 1-3 December, 2015, Guangzhou, China
Registration is open now!
CSA APAC-Supported Events
- The IOT Show & The Cyber Security Show, 22-23 September, 2015, Singapore
CSA Members enjoy a 15% discount.
- Cloud Expo Asia 2015, 28-29 October, 2015 Singapore
Co-Editors for this Newsletter:
- Lynne Yang - Assistant Research Analyst
- Mobile: +65 9726 2846
- Email: [email protected]
- Mickey Law - Assistant Research Analyst
- Mobile: +64 21 049 3893
- Email: [email protected]
If you are interested in utilising the CSA Cloud Codebook for marketing purposes, please contact the co-editors.