What could a principle-based framework for Cloud computing for regulators look like?
Wed 20 Apr 2016 | Michael Mudd
There have been reams of articles written about Cloud computing for both Government and the private sector. These have focused primarily on the agility of Cloud, its economies of scale and security. Gartner predicts that almost half of large enterprises will have deployed some form of Cloud by the end of 2017.
Many industries in the private sector provide services that are subject to government oversight through regulatory regimes. A key example is financial services: the banks, insurance companies and securities market makers (the 'FSI') are key sectors of society that have been regulated for decades. The degree of regulation varies by country; however, a commonality is that the regulators must be able to examine the records of those they regulate.
Security and risk management are a given requirement, but how do you address the elements that make this up? In addition to the economic benefits, when it comes to regulated industries there can be a close integration of compliance and security with enhanced visibility. Cloud platforms may also act as "system containers", providing a new kind of defence in depth: the cloud is not only a programmable infrastructure but a reacting infrastructure, allowing for monitoring, logging and alerting of "interesting" events.
It has been theorised that the less connected Data Centre staff are to the data owner, the less they may know how to monetise its data. The damage caused by data theft may therefore be lower in an outsourced Cloud environment than in-house. This has yet to be proven, but the recent leaks from government organisations may support this hypothesis. My own experience in product management for a major bank revolved around not just innovation in the trade bank, but internal risk assessments of such innovation and then discussing the risks with the regulator.
So my discussions on behalf of the OCA in Australia, Hong Kong, Japan, The Philippines, Singapore, Thailand and Vietnam over the past 12 months with banks and insurance companies, their regulators and trade associations, have given some insights. At least one prominent regulator in the region has specifically endorsed Cloud for the banking sector*. We have taken this inclusive approach of going to all stakeholders in the market on this key issue, and I would like to share the feedback here.
From the FSI industry view, it is clear that they want to deliver competitive, quality services without any compromise as to Data Security, Confidentiality, Integrity and High Availability. At the same time they need to reduce costs to improve the balance sheet, so Cloud is attractive, but implementation needs to be done in a way that will keep their respective regulators happy.
Discussions with regulators have given an overall view of Cloud Outsourcing; one mentioned 'the 3 P's': Principles, Preparedness and Partnerships*. This means that CSPs must deliver services with Confidentiality, Integrity and Availability, while satisfying the regulators' due diligence and audit processes and minimising risks. All regulators that I have met with are currently looking at Cloud computing primarily through their technical departments and are working towards a framework for Cloud.
From these discussions and from working with industry associations and OCA members, a ten-point framework based on these principles has been drafted that may satisfy all stakeholders' needs and concerns. This can be summarised as follows.
With respect to system Confidence:
- Data Location: CSPs must disclose exactly where Data will be located, and any changes in location that occur during the life of the contract. Customers should take into account the government policies, data access, economic and legal conditions of the identified locations as part of their due diligence and compliance assessment, and FSIs should ensure that those conditions are safe and stable.
- Purpose Limitation: Customers' contracts with CSPs should state clearly that the CSP may not use the FSI's data for any purpose other than that which is necessary to provide the Cloud Service. The contract should prevent CSPs from using FI Data for any secondary purpose at all times and should be in compliance with ISO 27018.
- Data Segregation: A customer's data must be segregated from other data held by the CSP. CSPs must be able to identify the FI's Customer Data and at all times be able to distinguish it from other Data held by the CSP. This requirement will also make any termination of an arrangement easier to deal with, so that the relevant customer data can be more easily returned or deleted.
- Subcontractors: CSPs may use subcontractors to provide the Cloud Services in some areas, for example for certain support services. This should not be a problem, but Regulators may require that subcontractors are not used unless the CSP ensures that the subcontractor has equivalent protections and controls in place to those of the prime CSP. Privacy Regulations in certain countries also require that sharing Personal Data with subcontractors is subject to scrutiny to ensure that applicable commitments are met (notably in relation to security, transfers overseas and use of the Personal Data solely for the specified purposes and on behalf, ultimately, of the data controller).
With respect to system Integrity:
- Service Provider Reputation and Competence: FIs must carry out, and CSPs must assist in facilitating, a risk assessment and due diligence on the CSP to ensure that the CSP's systems and services meet the legal, regulatory, security, privacy, contractual and business requirements. FSIs should have in place a risk management plan that includes measures to address the risks associated with the use of Cloud Services.
- Confidentiality and Certified Security Standards: CSPs must be certified to have and maintain robust security measures and comprehensive security policies that meet or exceed international standards (ISO 27001 and ISO 27018 at a minimum). CSPs should use encryption technology that meets or exceeds international standards to protect and secure the FI's Data at all times. Policies should be in place to guarantee that employees have proper background checks and are monitored.
- Review, Monitoring and Control: CSPs must provide regular reporting and information to demonstrate continued compliance with the legal, regulatory, contractual and business requirements throughout the duration of a contract. FIs and CSPs must meet regularly to review the reports and performance levels. The contract must provide an effective mechanism for remedial action arising from any issues or non-compliance that emerge. This will enable the Regulator and the customer to confirm for themselves that CSPs are complying with the requirements set out in this framework.
- Audit: Most Financial Regulators require that CSPs grant the Financial Regulator the right to carry out an inspection of the CSP. This will enable the Financial Regulator and the FI to confirm that CSPs are complying with these Principles and with the regulatory, contractual and business requirements of the FI.
With respect to system Availability:
- Resilience and Business Continuity: The Cloud Service must be reliable. CSPs must have an effective business continuity plan (BCP) with appropriate service availability, recovery and resumption objectives, and with regularly tested and updated procedures and systems in place to meet those objectives. The risks of downtime should be minimised through good planning and a high degree of system resilience. The BCP should be in compliance with ISO 22301 as a minimum.
- Conditions on Termination: FIs must have appropriate exit provisions in the contract with the CSP. To the extent that the FI requires, on termination the CSP must work with the FI to return the FI's Data to the FI, and the CSP must then permanently delete the Data from the CSP's systems. Any Data that does not need to be returned to the FI must be permanently deleted by the CSP. It would be prudent for data owners to also test, at least annually, whether their data can be exported safely, in order to confirm that the contract terms with the CSP hold for a potential exit from the service.
The OCA is working with the Asia Cloud Computing Association, in consultation with healthcare providers and other industry groups, on refining the above principles so that they may satisfy all regulators' concerns while providing ample room for both competition and innovation. To take full advantage of the economy and scalability of the Cloud, a regional approach that is consistent with global standards and sound principles is required. Perhaps most importantly, the right CSP should act as a trusted business partner, not just a vendor.
There are qualified Cloud service providers that can deliver a Secure Cloud service right now. In a short time I believe Cloud services will be seen as business as usual for all regulated industries.