The regulatory environment in which financial services institutions (FSIs) operate often constrains moves to public cloud, driven by concern that such a move may cause regulators to downgrade their risk rating.
While some financial organisations have begun to deploy public cloud services for non-mission-critical applications and workloads, the majority have by and large avoided public cloud and kept a strictly on-premises or private cloud environment.
Gartner notes that, since 2013, regulatory bodies have introduced more stringent cloud vendor risk management guidelines, making compliance more challenging for business leaders. It also estimates that spending on public cloud services in APAC will rise from US$7.4 billion in 2015 to US$11.5 billion in 2018, which it puts at a compound annual growth rate (CAGR) of 11.65 percent.
The Infocomm Development Authority of Singapore (IDA) and research firm IDC have, meanwhile, both identified cloud computing as a key pillar of Singapore's vision of becoming the world's first Smart Nation. Adoption within the financial services industry will play a key part in that growth.
Singapore's FSIs have several compliance regimes to consider before moving their IT into an outsourced or cloud environment: the Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Notice and Guidelines (2013); the MAS Outsourcing Guidelines (updated 2016); and the Personal Data Protection Act (PDPA, 2012).
Together these documents set out the governance and risk management that FSIs are expected to have in place as they move workloads into cloud environments. Note that the TRM Notice is legally binding on the institutions it is issued to, whereas the Guidelines describe the practices MAS expects to see; in practice both are assessed during supervisory review.
At a high level, the controls they call for are:
- The Board and senior management must retain accountability and oversight;
- proper governance is put in place, including the right organisational and management structures, policies, processes and procedures;
- an effective technology risk management framework is operated on an ongoing basis, not as a one-off exercise;
- the organisation maintains a register of all outsourcing arrangements;
- IT outsourcing is managed with due diligence on the provider and periodic reassessment that each arrangement remains appropriate and effective;
- information systems have security controls planned in at design time, and are properly project-managed, reviewed and tested before go-live;
- a strong IT service management process is in place, covering change, program migration, incident, problem and capacity management;
- systems are built for availability and recoverability, including redundancy, data backups, and recovery planning that is tested at least annually;
- operational security management includes data classification, strong access controls, and encryption of data at rest, in transit and at endpoints;
- security baselines are established and monitored; network security devices such as firewalls are implemented; and vulnerability assessments, penetration tests and security monitoring, including log reviews, are carried out;
- data centres undergo a threat and vulnerability risk assessment (TVRA), and physical security is strong, with controlled access, guards and surveillance systems;
- access controls follow key principles, including 'never alone' (or 'four eyes') for critical activities, segregation of duties and a 'need-to-have' basis; activity logs for privileged access are reviewed to confirm that only approved actions took place;
- online systems are secured with encryption, strong authentication and monitoring, and the FSI educates its customers on secure use;
- for payment cards, card data is encrypted and chip-based cards are used rather than magnetic stripes;
- ATMs and payment kiosks have protections such as anti-skimming, tamper-proofing and video surveillance, on both the institution's own and third-party kiosks;
- an independent IT audit function performs comprehensive audits and tracks every finding through to resolution.
FSIs considering moving workloads into public cloud environments need experience in designing, migrating and managing their IT so that it meets Singapore's compliance requirements. To address this concern, Datapipe has built a practice around AWS security and compliance to help FSIs move to the cloud in a manner that meets MAS guidelines and requirements.
Datapipe's accompanying workbook and whitepaper seek to help the financial sector adopt public cloud in accordance with the security and compliance guidelines set out by the MAS and updated as recently as July 2016.
Joel Friedman, Chief Technology and Security Officer at Datapipe, said: “Financial markets are competitive and a move into a cloud environment can easily help banking and financial institutions gain a competitive advantage by helping scale businesses faster and improve speed to market.
“We see increased demand for cloud services among the sector, however this rightly comes with an increased demand for security and compliance controls. The content and program we have released today directly address these requirements. Our newly available resources look to accelerate cloud deployment on AWS and hybrid environments for the financial services industry in Singapore.”
Singapore-based Catena Technologies is a fast-growing fintech company that has recently moved to the cloud with Datapipe. A consulting and technology services company that works with banks and other financial institutions to implement its proprietary technology solutions, Catena moved its primary workloads to the cloud with Datapipe, with MAS compliance addressed through the design, build and ongoing management of the cloud environment.
On working with Datapipe to realize cloud computing efficiencies while remaining compliant with regulations, its CEO Aaron Hallmark said: “Not only can we continue to offer our installed software, but we now have an efficient, hosted solution aligned to MAS’ requirements. We can spin up on-demand for our customers in need of a hosted environment with ongoing management and support.”
Ultimately, every FSI needs the requisite governance and controls in place to meet the many applicable regulations before it can take advantage of public cloud deployments.