TitleOpening Remarks by Mr. Daniel Lai, BBS, JP, Government Chief Information Officer, at the "4th InfoSecurity Summit 2012"
Distinguished Speakers, Ladies and Gentlemen,
Good morning! I am delighted to be invited to address you at this 4th InfoSecurity Summit 2012. The theme of this year's Summit is "IT Security and Compliance Risks in a World of Cloud and Mobile Computing" which truly reflects the information security challenges being faced by most business enterprises today due to the fast paced technological development in data centric platforms in the cloud and mobile environments.
In response to the needs for continuous increase in productivity and competitiveness, many enterprises start shifting their information systems from traditional platforms to mobile and cloud computing. According to a global information security survey conducted in 2011, 80% of the 1,700 respondents from over 50 countries were either planning, evaluating or actually using tablet computers at the time of the survey, and over 60% were using, evaluating or planning to use cloud computing-based services within the next 12 months of the survey. Enterprises will find cloud computing complement their mobile users as they can communicate easily anytime and anywhere with low cost. One significant impact however brought by this trend is that physical boundaries are disappearing as more business data is transmitted and stored outside the organisation. In other words, securing the information systems is no longer just about firewalls and perimeter-based defences. When we talk about the new opportunities resulting from these new technologies, we must also not forget the new security challenges that come along. Our security strategy and protection mechanism needs to be brought up-to-date in harmony.
Another area of concerns is the device itself, the rapid rise in the number and variety, the small size and the large capacity and capability of these smart devices and gadgets bring much hazard to the enterprise.
The New Trend of Data Protection
The requirement of anytime and anywhere access to data necessitates a new approach to protecting our data. With today's cloud computing and mobile devices, enterprises need security that protects their data wherever it travels and in whatever type of device it resides on, leading to a data-centric security model rather than perimeter-based. There could be various approaches and components in implementing a data-centric security model, but in principle it will place a greater emphasis on securing the data itself, from its first creation, all through the life cycle up to the time of its disposal. It aims at protecting the data directly, independently of the infrastructure components that store, transmit, or process the data. Among the various solutions under a data-centric security model, a well recognised protective means is to implement data encryption. Only when an authorised user obtains the keys to decrypt the data does it become usable.
Encryption is one facet for ensuring confidentiality of sensitive information. Securing data transmission and online transaction require other attributes including maintaining data integrity during processing and transmission, ensuring authenticity of the access and preventing any denying of the action taken (i.e. non-repudiation). All these can be accomplished under the public key infrastructure (PKI) technology which is still considered nowadays in the industry a secure technology for high risk transactions. In the core of the PKI technology, the strength of cryptographic algorithms and length of the cryptographic keys used for data encryption and digital signing determine the strength of the protection.
The cyber world that we live in is changing fast. With the revolutionary advancement of the computing capabilities due to new generation of supercomputers and distributed computing technologies, cryptographic keys considered safe today do not warrant them robust forever. There is a trend of adopting stronger cryptographic methods and solutions to ensure the robustness of secure information storage and exchange.
As you may know, the National Institute of Standards and Technology of the United States published a guide in January 2011 recommending US federal agencies to plan for transitioning to the use of longer cryptographic key lengths and more robust cryptographic algorithms. One of the recommendations is the use of 2048-bit (versus the 1024-bit) key for the RSA algorithm before end of 2013.
In Hong Kong, the Government has adopted PKI technology, which rides on the RSA algorithm, to secure e-government services provided to the public as well as for internal data and systems protection. The OGCIO has started off in 4Q 2011 a number of activities to arouse B/Ds' awareness for the need to plan out for adoption of stronger cryptographic solutions in their infrastructure and systems. Our local Recognised Certification Authorities have also included in their business plan the issuing of digital certificates with 2048-bit key aligning with the industry practice, while continuing the support of the 1024-bit key for a period of time in order to ensure smooth transition. You will appreciate that the supply chain process would not stop here as hardware and software vendors have to equip their products with this capability; and service providers, being relying parties, have to plan out timely the changes at their application end. While this may not be a task of mammoth effort like the millennium change, we should not under-estimate the complexity and should start off for planning if have not done so.
IT Compliance in the New IT Era
The next topic that I would like to talk about is on IT compliance, a subject which is getting more complex in this new IT era. Cloud computing enables our data to be stored in disparate places, improving availability and resilience. The dark side of this would be that the risks in IT compliance may increase substantially because of the vague corporate boundary and even situation that crosses jurisdiction. IT compliance in this new cloud era is complicated by issues like service agreement, data ownership, accountability, auditability, e-discovery, exit rights, incident response, etc. that need a holistic approach to tackle.
In Hong Kong, the OGCIO has established an Expert Group on Cloud Computing Services and Standards for the industry, academia, and Government to get together to explore, identify, and propose initiatives to narrow the technological and standardisation gaps in support of cloud computing adoption and deployment in Hong Kong. The Expert Group focuses on a couple of areas including service management, service level agreement, interoperability, and security and privacy. The recommendations made by the Expert Group will be shared with the local cloud service providers as references of good practices in service delivery and with the private sectors for their useful reference in choosing cloud services suitable for them.
Today, we are facing new security challenges brought by the increasing use of mobile and cloud computing. With the concerted effort of the industry, the academia, the business community, the government and the general public, Hong Kong would stay in the forefront as a knowledge economy with sustaining economic prosperity.
I note that there will be a wide variety of topics that are to be covered today, enabling the distinguished speakers in the industry to share their experiences and insights on emerging and evolving new challenges, and ways to outcome such challenges. I wish you all a very fruitful event.
- ENDS -