How Singapore FIs can address the tech and cyber security risks associated with public cloud adoptionBy Thio Tse Gan, Eric Lee, and Amol Ashok Dabholkar
The cloud is increasingly becoming the primary location for financial institutions to store and process data: most financial institutions have moved their applications to cloud platforms, and many of those that still have their data on-premise today are planning their imminent migration to cloud.
Yet too often, financial institutions are moving rapidly to migrate to the cloud without paying enough attention to security. In Singapore, this concern has been made more salient following the circular issued by the Monetary Authority of Singapore (MAS) on 1 June 2021, which details the technology and cyber security risks associated with public cloud adoption for financial institutions.
Securing the public cloud
Broadly, the MAS advisory spells out five common key risks and control measures that financial institutions in Singapore should consider before adopting public cloud services. In this article, we examine each of these and highlight several considerations for financial institutions in view of the latest requirements:
#1: Developing a public cloud risk management strategy
To develop a public cloud risk management strategy, financial institutions will require a clear understanding of the shared responsibility model, including their responsibility for configuring the meta-structure layer which integrates the organisation’s applications to its cloud platform services.
As a first step, financial institutions should conduct a maturity benchmarking exercise of their security processes, tools, and technology with the use of an appropriate standards-based cloud security framework, such as the National Institute of Standards and Technology (NIST) and Cloud Security Alliance (CSA) standards.
Based on the outcomes of this exercise, financial institutions can then design a detailed strategy roadmap to close any identified gaps, and develop customised cloud security reference architectures and design patterns to implement these roadmaps.
But depending on whether the cloud service model in question is an infrastructure-as-a-service (IaaS), software-as-a-service (SaaS), or somewhere between these two extremes, the control on cloud security could differ in terms of implementation.
For IaaS models, financial institutions would be able to leverage the cloud platform to implement various controls, including continuous security automation such as cloud security posture management (CSPM) and container workload protection platform (CWPP) solutions. On the other hand, for SaaS models, financial institutions may need to pay more attention to the secure configuration of their applications within the capability restrictions defined by the SaaS provider.
#2: Implementing strong controls in a cloud environment
Financial institutions will be expected to implement strong controls for their cloud environments in areas such as identity and access management (IAM), cyber security, data protection, and cryptographic key management. This requires them to design, implement, and manage authentication and authorisation in a cloud environment, and develop blast radius containment strategies to limit the impact to their on-premise and cloud environments.
To ensure that security is embedded throughout their continuous integration and deployment (CI/CD) pipelines, financial institutions should also adopt the appropriate secure software development lifecycle (SSDLC) for their DevOps. This approach, known as DevSecOps, enables organisations to embed security into their workflow rather than as a bolt-on to development. This allows developers and security professionals to achieve their shared goals of having secure configurations continuously monitored, remediated, and managed for cybersecurity to drive the creation of agile, resilient solutions.
In addition, data protection should be a key focus area for financial institutions. As cloud platforms provide various cryptographic capabilities for key management and cryptographic operations, financial institutions should consider the different levels of data sensitivity and security controls that they will possess under each option when making configuration decisions. In particular, they should carefully consider bring-your-own-key and hold-your-own-key strategies for different types of workloads and cryptographic key management options.
Under the MAS advisory, financial institutions are also encouraged to consider the adoption of zero-trust principles in their overall cloud architecture. As financial institutions differ in terms of maturity, a customised roadmap should be developed to cover the different zero-trust milestones. Key initial activities could include, for example, determining the zero-trust scope; establishing foundational capabilities and mapping traffic flows or application relationships; federating and centralising user management; as well as establishing data discovery, inventory, encryption, and governance.
#3: Expanding the financial institution’s cyber security operations
To maintain a holistic cyber situational awareness of information assets, financial institutions must avoid performing the security monitoring of their cloud and on-premise assets in silos. This requires adequate monitoring capabilities to cover all the new assets and technologies introduced by the cloud environment, as well as the seamless integration of logging and monitoring solutions with existing on-premise solutions to create a single, integrated security incident event monitoring (SIEM) solution.
The MAS advisory goes one step further to recommend that financial institutions put in place a single pane of glass architecture to centralise all monitoring and logging activities. The advantages of having such a single point of access and control include a consistent view of all monitoring and logging activities, ease of managing data storage and retention, as well as centralised access control and auditing. The caveat, however, is that financial institutions will need to take measures to ensure the security of data that is in transit to this central repository.
#4: Managing cloud resilience and other risks
While cloud platforms provide resiliency options, applications do not by default become resilient by virtue of residing in the cloud. To ensure resiliency, financial institutions need to understand the application requirements for resiliency, analyse whether their cloud solution provider provides the necessary options for the required level of resiliency, and ensure that their cloud architecture is correctly configured to deliver that desired level of resiliency.
In addition, to prevent the inadvertent movement of data to non-compliant geographical locations, financial institutions should carefully examine their data sovereignty, and scrutinise the movement of their data to different geographical locations in line with the resiliency options offered by their cloud platforms.
Financial institutions should also consider the use of independent audits and expert assessments of their cloud outsourcing arrangements. These include, but are not limited to, readiness assessments for a variety of regulatory and industry requirements – such as the MAS Technology Risk Management (TRM) Guidelines, and requirements set out by the Association of Banks in Singapore’s Outsourced Service Provider Audit Report (OSPAR) – as well as in-depth security assessments of proposed cloud solutions, to provide a view of the security issues within the financial institution’s area of responsibility on the cloud.
#5: Ensuring adequate skillsets
To ensure that their organisations possess adequate skillsets to manage public cloud workloads and risks, financial institutions should design employee training curricula on cloud and technology-related topics that are specific to the cloud platforms that the organisation has chosen.
Frontline IT teams, in particular, could benefit from a simulated cyber training curriculum. By providing a hyper-realistic, virtual environment – one that closely mimics the financial institution’s real environment – such a curriculum could enable application developers to experience simulated, real-time attacks on their applications, and develop the necessary security acumen and cross-team communication skills that they will need to effectively protect their organisation’s infrastructure.
An integrated team is essential
In recent years, cloud has emerged as one of the largest areas of investments for financial institutions. But as more data and applications move outside their traditional security perimeter, the risk of cyberattacks increases exponentially for financial institutions.
Staying one step ahead of these attacks will require financial institutions to not only adopt a conscious, integrated approach to security by design from the get-go, but also implement them with an integrated team. Yet, in many financial institutions today, cyber security teams tend to be siloed from the rest of the organisation, often with minimal or incomplete transparency.
What is urgently needed, therefore, is for cloud and cyber teams to come together under a shared operating model – one that takes into consideration the various aspects related to the cloud migration journey, including but not limited to the talent operating model, DevSecOps, and microservices.
Apart from enabling higher levels of collaboration, coordination, and implementation across controls, such a shared operating model could also ensure that risk management, compliance, and other security practices are built in at the IT infrastructure layer from the very beginning – and thereby allow financial institutions to focus their efforts on more value-adding activities, such as leveraging the cloud platform for enhanced business performance and improved customer experiences.
The writers are: Thio Tse Gan, the Financial Services Industry Leader as well as the Banking & Capital Markets Leader for Southeast Asia; Eric Lee, Executive Director with the Southeast Asia (SEA) Risk Advisory practice; and Amol Ashok Dabholkar, a Director with the Southeast Asia (SEA) Risk Advisory practice, respectively, at Deloitte.