With the close of the inaugural MAS Fintech Festival last week there has been a lot of discussion and interest around AWS, particularly around how to adopt it in line with MAS’ Guidelines on Outsourcing and its Technology Risk Management (TRM) Guidelines.
For those who are unfamiliar, in July 2016 MAS refreshed its Guidelines on Outsourcing, introducing a new section that sets out MAS’ stance on cloud computing. In short, MAS noted that cloud services can offer many advantages, including the following:
- economies of scale & cost-savings
- access to quality system administration
- operations that adhere to uniform security standards and best practices
- flexibility and agility for institutions to scale up or pare down on computing resources quickly as usage requirements change
- enhanced system resilience during location-specific disasters or disruptions
This message was further reinforced during the Fintech festival last week where Ravi Menon (Managing Director, Monetary Authority of Singapore) specifically called out:
> There used to be a view within some quarters that “MAS does not like the cloud”. Lest there be any lingering doubt, let me reiterate: MAS has no objections to FIs using the cloud.
MAS expects FSIs to perform the necessary due diligence and sound risk management to address potential risks and vulnerabilities. Section 5.4.3 of the MAS Outsourcing Guidelines details the areas to be evaluated as part of an FSI’s due diligence on outsourced service providers. Section 6.7 details the potential risks that need to be addressed when implementing cloud services, which include data access, confidentiality, integrity, sovereignty, recoverability, regulatory compliance and auditing.
With the due diligence complete, FSIs are still expected to perform sound risk management of technology, and this may be addressed via an assessment against the MAS TRM Guidelines. When completing the TRM assessment (or any other form of security questionnaire or assessment) it is important to remember that when using AWS you adopt the ‘shared responsibility model’: some controls are operated by AWS and some have to be selected, configured and evidenced by the FSI, so each control in the assessment should be mapped to whoever actually operates it.
FSIs should clearly understand that AWS is responsible for ‘Security of the cloud’ and customers are in turn responsible for ‘Security in the cloud’, which includes customer content, access control, applications, data protection etc.
To further strengthen Singapore’s position as an FSI hub with a clear adoption path for cloud computing, The Association of Banks in Singapore (ABS) recently released its Cloud Computing Implementation Guide. The guide contains recommendations for member banks to consider when entering into cloud outsourcing agreements, including due diligence and key controls. ABS specifically details the following key controls:
- Encryption & Tokenisation
- ‘Private cloud’ capabilities
- Change Management and Privileged User Access Management (PUAM)
- Virtualised Environment Security
- User Access Management and Segregation of Duties
- Collaborative Disaster Recovery Testing
- Security Events Monitoring and Incident Management
- Penetration Testing & Vulnerability Management
- Administrative Remote Access
- Secure Software Development Life-cycle and Code Reviews
- Securing logs and backups
The ABS Key Controls are another area where FSIs must clearly identify ownership of each control, whether it sits with the cloud service provider, with themselves, or with an implementation partner. For example, AWS has a number of services that allow backups and logs to be secured via encryption, but the use of this control is not automatic: it needs to be selected and configured by the FSI’s architecture team or system integration partner, and the FSI should be able to verify that the configuration is actually in place rather than rely on the fact that the capability exists.
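As an added illustration of what "selecting the control" means in practice for the "securing logs and backups" item, the script below audits S3 bucket configurations for two customer-side settings: a bucket policy that denies uploads which are not SSE-KMS encrypted, and SSE-KMS default encryption on the bucket. This is example code written for this post, not code from the original article or from AWS. The bucket names, key ARN and policies are constructed samples; the policy and encryption-configuration shapes follow the AWS S3 PutBucketPolicy and GetBucketEncryption document formats, and the `sse_enforcement`, `has_default_kms` and `audit` function names are this example's own.

```python
"""Audit constructed S3 bucket settings for the 'securing logs and backups' control.

Added example, not from the original post or from AWS. Bucket names, policies
and the KMS key ARN below are constructed samples. A live audit would feed in
the output of boto3's get_bucket_policy()["Policy"] (a JSON string) and
get_bucket_encryption() in place of the constructed documents.
"""
import json

HEADER = "s3:x-amz-server-side-encryption"  # request-header condition key


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_put_object(actions):
    return any(a in ("s3:PutObject", "s3:*", "*") for a in actions)


def sse_enforcement(policy):
    """Inspect the Deny statements of a bucket policy (dict or JSON string).

    Returns two booleans:
      denies_missing_header: a Deny on s3:PutObject fires when the SSE header
                             is absent  (Condition Null: {HEADER: "true"})
      denies_non_kms:        a Deny on s3:PutObject fires when the header is
                             present but not "aws:kms"
                             (Condition StringNotEquals: {HEADER: "aws:kms"})
    Both are needed: the Null check catches plain uploads, the StringNotEquals
    check catches uploads that request AES256 instead of SSE-KMS.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    result = {"denies_missing_header": False, "denies_non_kms": False}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not _covers_put_object(_as_list(stmt.get("Action"))):
            continue
        cond = stmt.get("Condition", {})
        if str(cond.get("Null", {}).get(HEADER, "")).lower() == "true":
            result["denies_missing_header"] = True
        if "aws:kms" in _as_list(cond.get("StringNotEquals", {}).get(HEADER)):
            result["denies_non_kms"] = True
    return result


def has_default_kms(encryption_config):
    """True if a GetBucketEncryption document sets SSE-KMS as the bucket default."""
    if not encryption_config:
        return False
    rules = encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any(
        r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") == "aws:kms"
        for r in rules
    )


def audit(buckets):
    """Return {bucket_name: [findings]}; an empty list means both controls are in place."""
    findings = {}
    for name, cfg in buckets.items():
        issues = []
        enf = sse_enforcement(cfg.get("policy") or {})
        if not enf["denies_missing_header"]:
            issues.append("policy allows uploads without an SSE header")
        if not enf["denies_non_kms"]:
            issues.append("policy allows non-KMS SSE (e.g. AES256)")
        if not has_default_kms(cfg.get("encryption")):
            issues.append("no SSE-KMS default encryption configured")
        findings[name] = issues
    return findings


# Constructed sample: a log bucket whose policy only grants delivery rights and
# never restricts how objects are written (the weak setting).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowLogDelivery", "Effect": "Allow",
                   "Principal": {"Service": "cloudtrail.amazonaws.com"},
                   "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::example-audit-logs/*"}],
}

# Constructed sample: a backup bucket that refuses anything but SSE-KMS uploads.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-backups/*",
         "Condition": {"Null": {HEADER: "true"}}},
        {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-backups/*",
         "Condition": {"StringNotEquals": {HEADER: "aws:kms"}}},
    ],
}

# Constructed sample GetBucketEncryption output (key ARN is a placeholder).
KMS_DEFAULT = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:ap-southeast-1:111122223333:key/example"}}]}}

SAMPLE_BUCKETS = {
    "example-audit-logs": {"policy": WEAK_POLICY, "encryption": None},
    "example-backups": {"policy": HARDENED_POLICY, "encryption": KMS_DEFAULT},
}

if __name__ == "__main__":
    for bucket, issues in audit(SAMPLE_BUCKETS).items():
        print(bucket, "OK" if not issues else "; ".join(issues))
```

The point of the two Deny statements is that neither one alone closes the gap: the `Null` condition only fires when the header is absent, and the `StringNotEquals` condition only fires when a header is present with the wrong value. Default bucket encryption covers writers that send no header at all, but it does not stop a client from explicitly requesting AES256, which is why the audit reports on both settings separately.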
To close, I expect cloud adoption by FSIs to really ramp up in 2017, building on the momentum set out by both MAS and ABS. I would encourage MAS-regulated FSIs wishing to start their journey to the cloud to reach out to their AWS account team to find out more.