In a new advisory, MAS highlights the key risks and control measures FIs should consider before adopting public cloud services.
MAS (Monetary Authority of Singapore) released an advisory on Tuesday (1 June) calling on FIs to ensure that the risks associated with the use of public cloud services are adequately addressed.
The advisory is a response to the growing adoption of public cloud services in the financial sector, particularly given the accelerated pace of digital transformation during the Covid-19 pandemic.
“FIs should perform a comprehensive risk assessment as they plan for public cloud adoption and manage the risks identified appropriately,” the advisory says.
It outlines a set of risk management principles and best practice standards to guide FIs in managing the technology and cyber security risks of public cloud adoption.
In particular, the advisory recommends FIs develop a public cloud risk management strategy that takes into consideration the unique characteristics of public cloud service models being offered by service providers (i.e. IaaS, PaaS, SaaS).
“FIs should be aware that responsibilities for the administration, cyber security, and resilience of applications, operating system, virtual network, data and cloud workloads differ across the models,” the advisory says, warning against misconfigurations, poor access controls and poor cyber hygiene.
The advisory emphasises that FIs have a shared responsibility with cloud services providers to manage cyber security in the use of cloud services, specifically in relation to managing the controls implemented by providers and protecting their own encryption keys.
FIs should also implement strong controls in areas such as identity and access management (IAM), cyber security, data protection and cryptographic key management.
“As IAM is the cornerstone of effective cloud security risk management, FIs should enforce the principle of ‘least privilege’ stringently when granting access to information assets in the public cloud,” the advisory says.
It recommends the use of multi-factor authentication, regular changing of access keys, and centralised management of security policies wherever multiple public cloud services are used.
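As an added illustration of the IAM controls summarised above (example code, not from MAS or the advisory), the script below audits a constructed IAM inventory for missing MFA, access keys past a rotation deadline, and over-broad permissions; the inventory format, the sample users and the 90-day rotation threshold are assumptions.

```python
"""
Audit a constructed IAM inventory against three of the advisory's IAM
recommendations: least privilege, multi-factor authentication, and regular
rotation of access keys. The record format and the 90-day threshold are
assumptions for this example; the advisory does not prescribe them.
"""
from datetime import date, timedelta

MAX_KEY_AGE_DAYS = 90            # assumed rotation threshold
REFERENCE_DATE = date(2021, 6, 1)  # assumed "today" for the audit

# Constructed sample inventory, shaped like a simplified cloud IAM export.
# "allow" lists (action, resource) pairs the principal is permitted.
INVENTORY = [
    {"user": "alice", "mfa": True, "key_created": date(2021, 5, 20),
     "allow": [("s3:GetObject", "arn:aws:s3:::ledger-reports/*")]},
    {"user": "bob", "mfa": False, "key_created": date(2021, 1, 4),
     "allow": [("*", "*")]},
    {"user": "ci-bot", "mfa": True, "key_created": date(2021, 2, 10),
     "allow": [("ec2:*", "*")]},
]


def is_overbroad(action, resource):
    """Least privilege: a wildcard action or a wildcard resource is a finding."""
    return action == "*" or action.endswith(":*") or resource == "*"


def audit_user(entry, today):
    """Return the findings for one principal (empty list when it is clean)."""
    findings = []
    if not entry["mfa"]:
        findings.append("no-mfa")
    if today - entry["key_created"] > timedelta(days=MAX_KEY_AGE_DAYS):
        findings.append("stale-access-key")
    for action, resource in entry["allow"]:
        if is_overbroad(action, resource):
            findings.append(f"overbroad:{action}@{resource}")
    return findings


def audit(inventory, today):
    """Map user -> findings, keeping only principals with at least one finding."""
    report = {}
    for entry in inventory:
        findings = audit_user(entry, today)
        if findings:
            report[entry["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(INVENTORY, REFERENCE_DATE).items():
        print(user, ", ".join(findings))
```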
For securing applications in the cloud, FIs should adopt ‘zero-trust’ principles in the architectural design, secure software development processes, and robust threat modelling practices.
The advisory warns that microservice architectures used for applications could be specifically targeted by “malicious insertion of rogue microservices, redirection of requests and API attacks.”
Adequate security controls should be in place to guard against such attacks, including securing the service discovery mechanism, using a service mesh for fine-grained access control to APIs, and implementing robust authentication for microservices.
Where containerisation is used, FIs should ensure that each container includes only the core software components needed by the application, use “container-specific” security solutions (rather than those developed for on-premise IT infrastructure), and enforce stringent control over access to container orchestrators.
Appropriate data security measures should also be implemented to protect the confidentiality and integrity of sensitive data in the public cloud, taking into consideration whether the data is at rest, in motion, or in use.
Emphasis is placed on the adoption of cryptographic key management strategies and ensuring they provide a high level of control and protection over the keys used for encrypting sensitive data.
The advisory also recommends that an FI’s cyber security operations be expanded to include security of public cloud workloads, as opposed to performing security monitoring in silos. Cyber-related information on public cloud workloads should feed into FIs’ enterprise-wide IT security monitoring services, it says.
The advisory also highlights the need to proactively manage cloud resilience by ensuring service providers have appropriate cloud redundancy or fault-tolerant capability enabled.
“Cloud workloads could also be deployed in multiple geographically separated data centres to mitigate location-specific issues that may disrupt the delivery of public cloud services,” it says.
As part of their outsourcing due diligence and risk management, FIs should ensure that contractual terms and conditions in cloud outsourcing arrangements do not impede their ability to manage risk and meet regulatory requirements, and that independent audits and/or expert assessments of such arrangements are conducted.
In addition, FIs should establish a process to assess their exposure to service provider lock-in and concentration risk before entering an outsourcing arrangement. These risk evaluations should be re-performed periodically as part of the FIs’ strategic planning, risk management and internal control review of the outsourcing arrangement.
The advisory also says FIs should ensure their staff have adequate expertise and experience to manage public cloud workloads and the related risks, which may differ from one service provider to the next.
“FIs are ultimately responsible and accountable for maintaining effective oversight and governance of their engagement with CSPs for public cloud services,” MAS says.
“A risk-based approach should be taken to ensure that risk associated with the use of public cloud services are adequately addressed, and to ensure that the level of governance and controls are commensurate with the risks posed by public cloud services.”
The advisory is available here.