Opening Address by Mr. John Wong, Assistant Government Chief Information Officer, at the Information Security Summit 2009
18 November 2009
Security in the Age of Cloud Computing, Virtualisation and Social Networking
Mr. Yung, Distinguished Guests, Ladies and Gentlemen,
Introduction
Good morning! It gives me great pleasure to address you at this Information Security Summit 2009. Today is a cloudy and chilly day, but we have a big audience gathered here to share views on the cool topic “Security in the Age of Cloud Computing, Virtualisation and Social Networking”.
Technological Trends
The rapid development of computer technologies and Internet services has changed the business models and user behaviour on the use of computing facilities.
Cloud Computing, Virtualisation and Social Networking are examples of emerging or emerged computing technologies and services that are making a significant impact on our business activities and personal lives.
This morning, I did a search on the Internet using these three terms as the keywords and got a result of 33.1 million, 3.45 million and 270 million items respectively returned.
Indeed, cloud-based technologies and services allow end users and businesses to access information through the Internet anytime and anywhere without worrying about the location and IT infrastructure settings. Such a processing model could help businesses defer large capital expenses, cut operating costs and improve productivity.
Gartner analysts projected in October this year that cloud computing was among the top 10 technologies and trends that will be strategic for most organisations in 2010. However, some people are doubtful about Cloud Computing, saying that it carries a lot of unrealistic hopes and unresolved issues. For example, there are serious security concerns about the storage and processing of highly sensitive data in a cloud environment, as well as the potential for vendor lock-in situations.
Security Concerns
Cloud Computing, Virtualisation and Social Networking are subject to the usual Internet security issues and threats.
These include old tricks like phishing, spamming, man-in-the-middle attacks, spyware such as keyboard loggers, variants of viruses, hacking, botnets, cyber hijacking, backdoors, fake websites, etc. According to Panda Security's report, there has been a 600% increase in the number of machines infected by malware intended to steal confidential, personal or banking details in the past year up to September 2009. Trojans now account for over 70% of malware, compared with about 50% back in 2007. This could be due to the economic crisis.
More recently, malware not only cheats and directs victims to fraudulent sites but also emulates payment platforms, online stores, auction sites or even charity sites to lure people into disclosing their account information.
Like many paradigm changes, these technologies also introduce new cyber security threats, vulnerabilities, cross border legal issues as well as privacy concerns which can compromise our credibility and offset the benefits of using these technologies. Naturally, the number one concern of cloud-based services is security and data privacy since the business information and critical IT resources are held outside the corporate boundary. In a survey conducted by Unisys in September 2009, 51% of the 312 respondents cited security and data privacy as their top concern regarding Cloud Computing.
For example, there are worries that Cloud Computing and Virtualisation service providers who have system/administrator privileges might have unauthorised access to the business information of their clients, that clients' files might be analysed so that they become targets for specific advertising, or that their private information might be shared with or sold to third parties.
Recently, a firm that ran into financial difficulty has been sued because it is alleged to be selling customer data, including biometric data of thumb prints and iris images, that was contracted only for speedy airport clearance.
It is necessary to take a new look at the various information security issues of these technologies. It is necessary to understand, stay alert to, and put in place effective measures to deal with the threats and associated cyber challenges in order to protect our IT assets.
In order to avoid security exposure, it is necessary to uphold good governance and risk management practices. User organisations are advised to exercise due diligence to evaluate the potential risk among organisations, business partners and customers, as well as to extend their governance and enterprise risk controls as mandatory security requirements before adopting the cloud environment.
For individuals who wish to make use of cloud computing services, it is advisable to look for service providers that provide good authentication and encryption features for protecting their data privacy. When the cloud service expires or terminates, the service provider is obliged to provide proper destruction of the customer's data if its retention is no longer necessary. Customers should look for a service level agreement with the service quality clearly defined.
Social Networking is even more worrying in respect of security concerns. It is extremely difficult to maintain good practices among all users, and software vulnerabilities also offer opportunities for exploitation. Many popular websites have been reported to have incidents of serious data leakage, hacking or hijacking from time to time. Besides, dangerous 'darknets' exist in the dark Internet, which are deployed by cyber criminals, political activists or intelligence agencies using non-standard communication protocols to pursue their special interests.
Finally, I want to mention that although working at home or outside the office is rather popular nowadays, such a practice carries considerable risk. According to the findings of ScanSafe, mobile or home workers are 8.5 times more likely to visit illegal file sharing sites than those working in the office and 2.5 times more likely to visit pornography sites, thus putting their employers at risk of legal liability and malware exposure. If staff are using company-supplied computers and working away from the formal work environment, the potential for compromised equipment to affect the whole organisation through subsequent connection to the corporate network is quite high.
Government's Roles
To cope with ever-growing security threats, the Government has established various information security resources, including the InfoSec website (www.infosec.gov.hk), to facilitate public access to information security related materials, and has organised different educational and promotional activities.
Recently, we have launched an Internet Education Campaign “Be NetWise” in the community to promote the awareness and enhance the knowledge of the public on information security. Next Wednesday (that is, 25th November), there will be a public seminar on “Security of Online Transaction” jointly organised by the HKCERT, Hong Kong Police Force and OGCIO.
Closing
In closing, it is necessary to understand, stay alert to, and put in place effective measures to deal with the threats and cyber challenges associated with these technologies. A large international bank was fined £3 million in September this year due to careless handling of data even though no actual data loss occurred.
The development and maintenance of a safe and healthy e-environment requires concerted efforts of the Government, industry stakeholders, security experts and all our citizens.
Cloud Computing, Virtualisation and Social Networking are great technologies but must be used with great care in order to derive benefit from them. The agenda today covers a rich collection of topics on cloud computing security. I am sure our audience will be able to gain a lot of insights from the experts.
I would like to thank the organiser for giving me the opportunity to share with you this message. I wish the Summit a successful event.
Thank you.
- ENDS -