CSA Congress APAC 2015

Following the success and tradition of previous CSA APAC Congress renditions, the 2015 APAC Congress is the premium event for compelling presentations and interesting discussions about research, development, practice and trends related to cloud security. Attendees represent end-user, research and industry viewpoints, and there are plenty of networking and business opportunities throughout the event.

DATE: December 1-3, 2015

TIME: 9:00 – 17:00

VENUE: The Garden Hotel Guangzhou, 368 Huanshi Dong Lu, Guangzhou, China

WEBSITE: https://csacongress.org/event/apac-2015/

CSA Knowledge Sharing Event – October 2015

The CSA Knowledge Sharing Event provides an excellent opportunity for cybersecurity professionals to discuss the latest trends and developments in IT and, in the process, build a close-knit cybersecurity community in Hong Kong and Macau. This month we have invited Mr Terence Yeung, Head of Managed Services at Atos Information Technology HK Limited, to brief us on “How to run a Cloud environment from design to implementation as secure as GovCloud”.

Please do not miss this opportunity to learn from the expert and get connected with your peers.

DATE: October 8, 2015

TIME: 7:15 – 9:00 pm

VENUE: Room QR403, Core R, The Hong Kong Polytechnic University


  • CSA updates
  • How to run a Cloud environment from design to implementation as secure as GovCloud – Terence Yeung, Atos Information Technology HK Limited
  • CSA Training and education updates

Registration: https://www.eventbank.com/event/431/

Cloud Security Alliance Expands Star Provider Certification Into China

Guangzhou, CHINA, June 15, 2015 – The Cloud Security Alliance® (CSA) today announced the launch of CSA C-STAR Assessment, a technology-neutral assessment that leverages Chinese national standards to give customers a greater understanding of the security posture of cloud providers. Along with the launch, CSA announced that China-based Huawei and Bluedon, as well as Hong Kong-based Ribose are in the process of achieving C-STAR certification.

CSA C-STAR Assessment is the latest offering of the CSA’s Security, Trust and Assurance Registry (STAR) family, the world’s leading cloud provider assurance program. Joining CSA STAR’s self-assessment, ISO 27001 and SOC-2 products, C-STAR Assessment harmonizes CSA’s globally adopted cloud security framework with Chinese national standards, providing cloud providers and consumers with a trusted security benchmark. C-STAR’s independent assessment methodology establishes a robust security baseline for cloud providers and a roadmap for continuous improvement in security maturity.

“Organizations that outsource to cloud service providers often have a number of concerns about the security of their data and information,” said Aloysius Cheang, Managing Director of APAC for the Cloud Security Alliance. “By using the CSA C-STAR Assessment, cloud providers of every size, throughout the Greater China region, will be able to give customers a better understanding of their security management procedures.

We are pleased that leading cloud providers in the region are already achieving their certification, and look forward to expanding the number of certified providers in the coming months.”

The Managing Director of CEPREI, the Chinese national certification body, Mr. Zhao Guoxiang mentioned, “CEPREI developed C-STAR based on CSA research results together with experience accumulated from more than 10 years of information security management work. As the first internationally aligned cloud security assessment in China, C-STAR is highly recognized by renowned corporations like Huawei, Bluedon and Ribose, and has gained nationwide attention in the cloud computing industry.”

Mainly used in the Greater China area, C-STAR is a rigorous third party independent assessment of the security management of a cloud service provider. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix. The C-STAR Assessment is based on GB/T 22080-2008 and the specified set of criteria outlined in the Cloud Controls Matrix, plus related requirements of GB/T 22239-2008 and GB/Z 28828-2012. C-STAR’s close alignment with the other STAR portfolio products provides a strong assurance bridge for Chinese cloud providers seeking to do business internationally and for international cloud providers seeking opportunities within China.

The Cloud Security Alliance C-STAR Assessment complies with all of the China national requirements and provides flexible solutions to senior management to show where the risks, threats and opportunities lie within a business.

For more information about the Cloud Security Alliance C-STAR Assessment, please visit www.cloudsecurityalliance.org/star/c-star.

Hong Kong SME Cloud Adoption, Security and Privacy Readiness Survey Results Announced

SME Survey 2015
The Internet Society Hong Kong and the Cloud Security Alliance Hong Kong and Macau Chapter today jointly announced the results of the second-year “Hong Kong Small and Medium-sized Enterprises (SMEs) Cloud Adoption, Security & Privacy Readiness Survey”, which was sponsored by Microsoft Hong Kong to facilitate cloud development in Hong Kong.

HONG KONG, May 14, 2015 – The Internet Society Hong Kong and the Cloud Security Alliance Hong Kong and Macau Chapter today jointly announced the results of the second-year “Hong Kong Small and Medium-sized Enterprises (SMEs) Cloud Adoption, Security & Privacy Readiness Survey.” The report reveals that more than 80% of surveyed SMEs have already adopted cloud services to varying degrees, a significant climb from the 50% adoption rate among SMEs in 2014.

In addition, more than 50% of the SMEs that adopted cloud services believe their Cloud Service Providers (CSPs) can help protect their data. Nearly 70% of the SMEs surveyed have developed relevant policies to ensure the safety of their customer data since the Personal Data (Privacy) Ordinance was launched. However, over 25% of them have no knowledge of how their CSPs process their data and information.

The survey, conducted in April this year, analyzed SME cloud adoption and security and privacy readiness in Hong Kong for the second consecutive year. It aims to understand Hong Kong SMEs’ application of cloud technologies, with a key focus on analyzing their level of cloud security and privacy readiness. By comparing against the data from 2014, it also reveals market trends and provides useful recommendations to SMEs. The survey was sponsored by Microsoft Hong Kong.

Chester Soong, Chairman of Internet Society Hong Kong, said, “Compared to last year, this year’s survey shows SMEs in Hong Kong have seen the importance of data security, especially those who hired external parties to conduct security audit and certification reviews in the past. An increase of 40% SMEs have started to formulate policies towards data security. The report also reveals, more than 50% of surveyed SMEs consider cloud services as one of the solutions to resolve data security issues. This indicates SMEs started to realize the higher level of data security they can enjoy, by adopting reliable cloud services.”

Claudius Lam, Chairman of Cloud Security Alliance Hong Kong and Macau Chapter, analyzed, “In response to the recent public concern towards personal data privacy, we added in particular questions. The results indicated around 70% of the respondents have policies to comply with the ordinance since the Personal Data (Privacy) Ordinance has been enacted, representing their concern on protection of personal data. However, a quarter of the surveyed SMEs using cloud services have uncertainty on how their CSPs would use their data and personal information. More than half of them will disapprove their CSPs to look at and use their company or customer data for marketing purpose. We recommend SMEs should look for CSPs who comply with international standards, like ISO/IEC 27018. The latter provides guidelines for CSPs concerning the protection of personally identifiable information.”

Alan Chan, National Technology Officer of Microsoft Hong Kong Limited, stated, “Microsoft has been committed to helping SMEs utilize technology to strive for greater competitiveness. In fact, given the pace of the cloud services market rapidly being developed, we have recorded triple-digit growths year-on-year. And, 80% of the SMEs in the survey also adopt and benefit from a myriad of cloud services. In view of the limited resources and expertise SMEs encounter, it is recommended to consider reliable and enterprise-class CSPs to provide proper cloud services with the right business models. This would help to better protect its business data and property with an efficient approach. Aside from that, SMEs can now enjoy enterprise-class data and privacy protection such as data loss prevention and email encryption at a more affordable cost.”

Pushpa Jayanna, Chief Operating Officer of Just Service, shared: “Just Service, a SME in Hong Kong, is a specialist service provider and a licensed life insurance broker. We have started deploying Microsoft Office 365 and CRM online half a year ago. Like many other local enterprises, we strictly comply with the Personal Data (Privacy) Ordinance provision, to ensure our business governance and sustainability. Therefore, we have to ensure our CSP is qualified in conjunction with the ordinance, and is able to provide relevant services at international standards. An example of these standards is ISO/IEC 27018, the code of practice for protection of personally identifiable information, released earlier. This guideline helps SMEs to select an appropriate CSP and do overall management more easily and effectively.”

The Hong Kong Small and Medium-sized Enterprises (SMEs) Cloud Adoption, Security and Privacy Readiness Survey was conducted by the Internet Society Hong Kong and the Cloud Security Alliance Hong Kong and Macau Chapter, who commissioned the Hong Kong Productivity Council (the Council) to carry out telephone interviews with Hong Kong SMEs (10 – 100 employees) over the course of three weeks and to review data from the Census and Statistics Bureau. The Council successfully collected 168 responses to the survey. The research covered major industry sectors in Hong Kong. The survey questionnaire was developed based on the Cloud Security Alliance Cloud Controls Matrix international standard, with questions adapted to local conditions. The survey was sponsored by Microsoft Hong Kong.

Cloud Computing Events Supported by CSA Hong Kong & Macau Chapter


ICT Conference 2012 – Cloud Technology

Organised by Informatics & Control Technologies Section, Institute of Engineering Technology

Date: 14 September 2012      Time: 0900 – 1700

Venue: Regal Hong Kong Hotel, 68 Yee Wo Street, Causeway Bay,  Hong Kong

Supporting Organization’s Member: HK$500 (lunch included)


Cloud Security Forum 2012

Organised by KORNERSTONE and ComputerWorld

Date: 27 September 2012        Time: 1:30 – 6:15 p.m.

Venue: 15/F, Hong Kong Club Building, 3A Chater Road, Central, Hong Kong

Admission: Early bird Rate: HK$970 (on or before 15 September 2012)   Standard Rate: HK$1,260


The 3rd Annual Cloud World Forum Asia 2012

Organised by Cloud World Series 2012

Date: 13th – 14th November 2012          Time: 0800 – 1730

Venue: Eaton Hotel, Hong Kong, 80 Nathan Road, Kowloon, Hong Kong


Contact event< @ >hkm.chapters.cloudsecurityalliance.org if you need more information.


2012 Working Committee

We have set up the following four committees to organise activities and develop our chapter.

If you would like to join committee meetings, please send your contact information with a short introduction to member< @ >hongkongmacau.chapters.cloudsecurityalliance.org

Working Committees: 

Committee Name                   Chair            Vice Chair
External Affair                  Dale Johnstone   Kent Tong, Paritosh Sharma
Research                         Ian Christofis   Vincent Ip
Education                        Ricci Leong      Geoffrey Thonon
Membership and Internal Affair   KL To            Terry Cheung


CSA Hong Kong and Macau Chapter Launched

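On 17 May 2012, the Cloud Security Alliance Hong Kong and Macau Chapter was formally established. On the same day, the Alliance held a summit titled “Building Trust in Cloud Computing” at Cyberport, Hong Kong. Speakers included Hong Kong Government Chief Information Officer Daniel Lai (賴鍚璋), Cloud Security Alliance Chief Executive Officer Jim Reavis, and Tim Grance, senior computer scientist at the US National Institute of Standards and Technology, among others. Linuxpilot has long followed the development of the cloud computing industry, and at the event interviewed Ken Low, Chairman of the Cloud Security Alliance Asia Pacific Executive Committee. He is also Director of Enterprise Security at Trend Micro Singapore and an expert in the field of cloud security.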

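Q: Linuxpilot      A: Ken Low

Q: The Cloud Security Alliance Hong Kong and Macau Chapter has just been established. Could you introduce its background and mission to local IT professionals, as well as its latest developments?
A: The Cloud Security Alliance (CSA) began taking shape in 2008 and was jointly formed by dozens of companies at the RSA Conference in 2009. CSA is a non-profit organisation whose main mission is to promote secure practices for the use of cloud computing and to provide a security framework for cloud computing. It also takes on education, training and related research work, to help member organisations strengthen the security of their cloud computing services.

To date, CSA has 35,000 individual members worldwide and more than 150 corporate members, including telecommunications companies, Internet service providers, information security vendors, network security vendors, information security organisations, high-performance computing organisations, and academic and research institutions. CSA has set up chapters in 60 regions around the world. We are very pleased that the Hong Kong and Macau Chapter is joining at this critical moment. Government cloud projects in Singapore and South Korea have recently been launched one after the other, and this year will be the year the Asia Pacific cloud computing market takes off.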

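Certificate of Cloud Security Knowledge (CCSK)

Q: As far as we know, CSA has launched its own training courses and certificate. How do they differ from the information security certifications already on the market, and why does CSA need to run another one?

A: There is really no other organisation on the market like CSA that focuses specifically on the security of cloud computing. We have a large membership and rich resources worldwide, which gives us the ability to push the industry to take cloud security seriously, and our training courses are all built on research led by our expert members. In 2011, CSA launched several important projects, including version 3.0 of the cloud security guidance, which covers knowledge in 14 technical domains, including hot topics such as virtualisation and data security.

On top of the related education programmes, CSA designed the world's first cloud security knowledge certification, the Certificate of Cloud Security Knowledge (CCSK), to ensure that people from every field who work with cloud computing have sufficient awareness to counter cloud computing security threats, along with the best practices needed to defend cloud security. More than 1,000 professionals have now obtained CCSK certification.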

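Three Major Security Challenges of Cloud Computing

Q: This summit takes “Building Trust in Cloud Computing” as its theme. Does that mean users lack confidence in cloud computing? Cloud computing is very similar to the mainframe computing of 30 years ago; how do the two differ in terms of security?

A: Any innovative technology first needs to build user confidence during adoption, and cloud computing is no exception. There are three major differences between cloud computing and mainframe computing. First, only large organisations could afford mainframes, so the number of users was limited, whereas cloud computing is aimed at everyone in the world; the number of users is huge, and different users need to share computing resources, which makes the security problem more complex. Second, a mainframe clearly restricts who has permission to access which data, but cloud computing comes in public, private and hybrid forms, so data oversight and access permission settings must be handled very carefully. Third, mainframe data exists in only one place and can be thoroughly deleted when it is no longer needed, but in a cloud computing environment data may be stored across different data centres, and it is harder for users to be sure the data has been completely destroyed. The solution is to encrypt the data so that third parties cannot read it.

Q: Compared with large enterprises, individuals and SMEs have no professional security knowledge. How can we tell which cloud computing provider is truly secure and trustworthy?

A: We understand that users need guidance when choosing a cloud computing provider, so in the fourth quarter of 2011 we launched the CSA Security, Trust & Assurance Registry (CSA STAR) as a free, public registry of security and trust assurance. IaaS, SaaS and PaaS cloud providers of any size that have passed an internal audit, confirming that they have implemented security measures in accordance with our guidance, can register on CSA STAR free of charge. Before signing a contract with a cloud provider, users can first look up its information security posture, which speeds up evaluation and creates a better procurement experience.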




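(csa01) From left to right: Antony Ma, Chairman of the Cloud Security Alliance Hong Kong and Macau Chapter; Aloysius Cheang, Managing Director for Asia Pacific; Jim Reavis, Chief Executive Officer; and Ken Low, Chairman of the Asia Pacific Executive Committee.

(csa02) Ken Low, Chairman of the Cloud Security Alliance Asia Pacific Executive Committee, says that CSA's research projects are all carried out by members on a voluntary basis and that the research results are currently published free of charge. The content is extremely rich, and the spirit is similar to that of the open source software community.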