Cloud Security is Not a 'Fashion Statement': CSA's Cheang on the Art of Securing Data on Cloud
Singapore-based Aloysius Cheang, managing director of Asia Pacific at the Cloud Security Alliance, believes the term "cloud" is used loosely by most managed security services providers as they repackage and sell their products.
"It's time CISOs from APAC practise securing data on cloud and ask their service providers some imperative questions," he says.
"Like the western world, APAC enterprises must embrace cloud to protect their critical infrastructure," he asserts.
Rather than fearing cloud, CISOs must accept that its adoption is driven by business needs and that it supports organizational growth through agility, scalability and support.
Security leaders should give managers who want to adopt the cloud paradigm safely and securely an actionable roadmap, and should review security, stability and privacy in a multi-tenant environment.
In this interview with Information Security Media Group, conducted during his recent visit to Bangalore, Cheang discusses cloud in the Indian context. He offers insights on:
- Research in cloud security specific to APAC;
- Unique cloud security challenges of the region;
- How to prepare organizations to leverage cloud to combat threats.
Cheang is a senior information technology (IT) executive with extensive experience in managing and delivering direct business value in complex multi-million-dollar IT programs for Global 500 organizations. A globally recognised cybersecurity expert, Cheang holds a B.Sc (Hons) and a Master's in Computer Science. His professional certifications include CISA, CISSP and GCIH.
Research specific to APAC
GEETHA NANDIKOTKUR: What research focus does APAC demand to stay relevant to cloud security challenges?
ALOYSIUS CHEANG: Like the west, APAC enterprises must embrace cloud to protect critical infrastructure. They must realize cloud is driven by business - helping enterprises build agility, scalability and support to drive business growth. The research is about helping enterprises build their future controls and establish continuous monitoring of networks and applications. Extensive research is built around mobile security, the endpoint and entire supply chain against the backdrop of cloud. Mobile computing is experiencing tremendous growth and adoption in the region, and the devices are being used to access systems and cloud hosted data both via browser-based and native mobile applications.
Research focus is on helping enterprises on cloud-based management, provisioning, policy, and data management of mobile devices to achieve security objectives, provide guidelines for mobile device security framework and mobile cloud architectures, establish authentication from mobile devices to multiple, heterogeneous cloud providers, best practices for secure mobile application development, enabling existing applications on mobile platforms and identification of primary risks related to individually-owned devices accessing organizational systems.
I think cloud data governance is a key imperative for customers. It's critical to design a universal set of principles and map these to emerging technologies and techniques for ensuring privacy, confidentiality, availability, integrity and security of data across private and public clouds.
These will feed into the GRC Stack and can be implemented as controls across the CAIQ, CCM and STAR, based on the individual markets of Hong Kong, Singapore, Malaysia and India.
NANDIKOTKUR: What unique challenges do you see in this region? How do you address them?
CHEANG: The APAC market is diverse and not as mature as the U.S. market - enterprises are oblivious to even simple computer malware. It's hard to harmonize data privacy regulations into a set of data protection principles that can help cloud-consuming organizations and cloud service providers meet new data privacy requirements more efficiently. Cloud is just a fashion statement - most MSSPs sell their products and repackage them as cloud; it's just an outsourcing or shared-service model. Organizations are reluctant to adapt to the changes of cloud security. CIOs and CISOs believe their jobs are endangered by deploying cloud. They've hired consultants, spending hundreds of dollars, to align IT with business and try to make a difference to the organization, rather than build team expertise on cloud security. The challenge has been providing security guidance for critical areas of focus in cloud to establish a stable, secure baseline for cloud operations.
Dealing With Cyber Threats
NANDIKOTKUR: How do APAC enterprises leverage cloud and prepare to deal with growing cyber threats?
CHEANG: Enterprises must rule out confusion about legal issues facing cloud. We'll partner with local government agencies to educate customers on harmonizing local standards with international best practices, rather than encourage expensive certification. Each country must create security professionals to understand country-specific regulations and standards. Cross-section training is a must for deploying cloud controls, plus understanding laws governing privacy protection for citizens and cross-border export of data based on jurisdiction. CISOs must conduct imperative checks with their service providers:
- Has proper due diligence been done to evaluate data and determine what moves to cloud?;
- Evaluate the data privacy bill and its relevance to cloud;
- Understand the local laws applying to cloud;
- Understand who must be given access to data on cloud and who must regulate the data;
- Check whether the service provider possesses all kinds of security services.
Approach to Indian market
NANDIKOTKUR: How will you influence the Indian market about cloud security and data privacy?
CHEANG: India's regulations are complex. Getting government buy-in to drive regulatory frameworks on cloud is tough. We'd engage with a local partner to impart training on cloud security, with academia to drive innovation, and with private companies for seed funding for incubation. We'd offer cloud security certifications. We'd partner with government and private bodies to create job roles with expertise in cloud security. Training will be imparted across three spheres: level 1, basic knowledge of security in cloud at the architectural and operational level; high-level managerial training to address management concerns; and training for the service providers. As a top priority, Indian incubation centres and universities will create awareness and innovation.