
Practice Guide for Cloud Computing Security in Hong Kong

Thales enables Bureaux and Departments in Hong Kong to align with the ISPG-SM04 requirements on cloud computing security.

Practice Guide for Cloud Computing Security (ISPG-SM04) for Bureaux and Departments


The Office of the Government Chief Information Officer (OGCIO) in Hong Kong attaches great importance to improving information and cyber security in the Government as well as to promoting awareness and preparedness in the wider community. In response to the use of cloud computing emerging as a global trend, OGCIO has developed the Practice Guide for Cloud Computing Security (ISPG-SM04).

Thales enables Bureaux and Departments (B/Ds) in Hong Kong to align with the ISPG-SM04 requirements, in part by:

  • Simplifying data security and accelerating time to compliance
  • Securing sensitive data at rest with encryption/tokenization
  • Centralizing cryptographic key management for hybrid and multi-cloud environments
  • Offering granular access control

Regulation Overview

The Practice Guide for Cloud Computing Security (ISPG-SM04) provides guidance notes to Bureaux and Departments (B/Ds). It highlights common security considerations and industry security best practices for the adoption of cloud computing, with the following purposes:

  • Enhance B/Ds' understanding of the basics of cloud security; and
  • Facilitate B/Ds' secure use of cloud computing when building their own private cloud or acquiring cloud services from external parties.

Cloud computing uses management tools, operating systems, databases, server platforms, network infrastructure, network protocols, storage arrays, and so on that are similar to those of traditional IT environments. Security controls in the cloud are therefore largely similar to the controls in traditional IT environments, and the security controls described in HK government security documents, including the Baseline IT Security Policy [S17] and IT Security Guidelines [G3], still apply. ISPG-SM04 focuses on the following security domains:

  • Management Responsibilities
  • IT Security Policies
  • Human Resource Security
  • Asset Management
  • Access Control
  • Cryptography
  • Physical and Environmental Security
  • Operation Security
  • Communications Security
  • System Acquisition, Development and Maintenance
  • Outsourcing Security
  • Security Incident Management
  • IT Security Aspects of Business Continuity Contingency Management
  • Compliance

Thales enables Bureaux and Departments (B/Ds) in Hong Kong to align with the ISPG-SM04 requirements in the following domains:

  • Asset Management
  • Access Control – Key Management and Identity and Access Management
  • Cryptography

Asset Management

Thales CipherTrust Data Security Platform (CDSP), an integrated suite of data-centric security products and solutions, helps Bureaux and Departments (B/Ds) comply with the guidelines effectively by protecting data at rest and in transit with strong encryption.

Protect Data at Rest:

Once Bureaux and Departments (B/Ds) know where their sensitive data are, protective measures such as encryption or tokenization can be applied. For encryption and tokenization to successfully secure sensitive data, databases and applications with modernized architecture, the cryptographic keys themselves must be secured, managed and controlled by the organization.

Protection of sensitive data in motion

Thales High Speed Encryptors (HSEs)

Access Control – Key Management

Thales CipherTrust Data Security Platform (CDSP) offers advanced encryption and centralized key management solutions that enable organizations to store sensitive data in the cloud safely. CDSP delivers robust enterprise key management across multiple cloud service providers (CSP) and hybrid cloud environments to centrally manage encryption keys and configure security policies so organizations can control and protect sensitive data in the cloud, on-premise and across hybrid environments.

Access Control – Identity and Access Management (IAM)

Thales Access Management and Authentication solutions provide both the security mechanisms and reporting capabilities organizations need to be compliant.


Cryptography

Bureaux and Departments (B/Ds) can manage and protect cryptographic keys with Thales Luna HSM & CipherTrust Manager.

  • Thales Luna HSM protects cryptographic keys and provides a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more.
  • CipherTrust Manager simplifies the management of encryption keys across their entire lifecycle, including secure key generation, backup/restore, clustering, deactivation, and deletion.

Recommended Resources


Addressing requirement of Practice Guide for Cloud Computing Security (ISPG-SM04) of Hong Kong with Thales - eBook

As the leader in digital security and data protection, Thales has helped hundreds of enterprises comply with regulations worldwide by recommending the appropriate data protection technologies required to meet regulatory requirements. Thales enables Bureaux and Departments in...


Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements, including GDPR, Schrems II, PCI-DSS and data breach notification laws.


The Key Pillars for Protecting Sensitive Data in Any Organization - White Paper

Traditionally organizations have focused IT security primarily on perimeter defense, building walls to block external threats from entering the network. However, with today’s proliferation of data, evolving global and regional privacy regulations, growth of cloud adoption, and...


Multicloud Data Security Strategies - White Paper

As the forces that drive a multicloud strategy become clear, the challenges of securing data across multiple clouds meet the reality that a significant amount of global sensitive data is stored in the cloud. This paper informs readers on some of the drivers for multicloud...

Other key data protection and security regulations


Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.


Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.