CSA APAC Update
1) Cloud Vulnerabilities Working Group
Founded by the CSA APAC region in May 2013, the CSA Cloud Vulnerabilities Working Group (CVWG) is a global working group chartered to conduct research on cloud computing vulnerabilities. Its goals are to understand and educate on the classification and exact causes of cloud computing vulnerabilities, to provide recommendations and best practices for reducing the top vulnerabilities, and to support the reporting of vulnerabilities and the development of related tools and standards.
A white paper entitled “Cloud Computing Vulnerability Incidents: A Statistical Overview” was launched by the CVWG. To date, it has been downloaded more than 1,800 times and has been cited by institutions around the world, including the National Defense University in the USA and major businesses in China. The white paper is also the 6th most downloaded within CSA in the last year. The group had planned to establish a research-led command center via the Thailand chapter in November 2013, but the plans were delayed by the local political turmoil. Discussions are currently underway to host the running of the Cloud Vulnerabilities Working Group via other APAC chapters, with the aim of regrouping and kick-starting by Q3 2014.
2) Support of Academic Research Conferences
- 3rd IEEE International Symposium on Trust and Security in Cloud Computing (IEEE TSCloud 2013), Melbourne, Australia
- 4th IEEE International Symposium on Trust and Security in Cloud Computing (IEEE TSCloud 2014), Beijing, China
The region also played a key role in supporting the programme committee and review process of the 3rd IEEE International Symposium on Trust and Security in Cloud Computing (IEEE TSCloud 2013) in Melbourne, Australia. Held in conjunction with the top-tier IEEE TrustCom conference series, the symposium attracted about 100 attendees at Melbourne’s Rydges on Swanston hotel. This year, the CSA APAC region will continue its success by supporting the 4th IEEE International Symposium on Trust and Security in Cloud Computing (IEEE TSCloud 2014), held at the prestigious Tsinghua University in Beijing, China.
3) ISO/IEC JTC 1/SC 27 plenary and working group meetings in Hong Kong (April 7 – 15, 2014)
The CSA Hong Kong and Macau Chapter hosted the CSA delegation, led by the International Standardization Council (ISC) Co-Chairs, Andreas Fuchsberger (also our Head of Delegation), Eric Hibbard and the CSA Standards Secretariat, Aloysius Cheang, who is also our Managing Director APAC. The CSA tracked and contributed to the following projects, which have potential relevance to cloud computing:
- ISO/IEC 27009 The use and application of ISO/IEC 27001 for sector/service-specific third-party accredited certifications
- ISO/IEC 27035 (all parts) Information security incident management
- ISO/IEC 27040 Storage security
- ISO/IEC 27044 Guidelines for security information and event management (SIEM)
- ISO/IEC 27050 (all parts) Electronic discovery
- Potential NWIP Requirements for certification of information security management professionals
Specifically, at the SC 27 meetings, the CSA shared key cloud security activities underway, in which there may be shared interests:
- The new version of the Cloud Controls Matrix (CCM) version 3.0.1
- Virtualization (and associated security) and its interdependency with Cloud
- Enhancement/improvement of the CSA GRC (Governance, Risk & Compliance) Stack
- CSA Open Certification Framework (OCF) to allow global accreditation and certification of cloud providers, and the launch of the new Level 2 CSA Star Certification in conjunction with the commercial certification and testing arm of BSI
- Security as a Service Implementation Guidance
- Mobile and Security
- Trusted Cloud
- Incident Management and Forensics
- Software Defined Perimeter (SDP)
- Cloud Trust Protocol (CTP)
A dinner was organized by the CSA Hong Kong and Macau Chapter to welcome CSA experts from the ISC. The event was graced by the Hon. Charles Mok, a lawmaker from the Hong Kong Legislative Council.