BNM RMIT 2023 Part 12

Appendix 10: Key Risks and Control Measures for Cloud Services (continued)

Part B: Cloud Design and Control
A financial institution should design its adoption of cloud services with a degree of
portability, scalability and fault tolerance that is proportionate to the materiality of the
cloud service to its business operation. It should also ensure robust operational
controls are in place to manage its ongoing cloud operations.

  1. Cloud architecture
    (a) A financial institution should design a robust cloud architecture and ensure such
    design is in accordance with the relevant international standards for the
    intended application.
    (b) A financial institution is encouraged to adopt zero-trust principles[23] to provide a
    cyber resilient architecture by adopting an “assume breach” mindset, layering
    defense-in-depth through micro-segmentation, “deny-by-default”, “least
    privilege” access rights, and conducting deep inspection and continuous
    validation where applicable.
    (c) A financial institution should use the latest network architecture approach and
    appropriate network design concept and solutions for managing and monitoring granular network security and centralized network provision in managing
    complexity of the cloud network environment.
    (d) A financial institution should establish and utilise secure and encrypted
    communication channels for migrating physical servers, applications, or data to
    the cloud platforms.
    (e) For financial institutions leveraging on their financial group’s cloud
    infrastructure, the financial institutions should consider an appropriate level of
    network segregation (e.g., logical tenant isolation in the shared environment of
    the cloud) to mitigate the risk of cyber-attacks from propagating cross-border or
    cross-entity and affecting the Malaysian financial institution’s operations.
    (f) The increasing use of application programming interfaces (API) by financial
    institution to interconnect with external application service providers could
    achieve efficiency in new service delivery. However, this may increase the
    cyber-attack surface and any mismanagement may amplify the impact of an
    information security incident. A financial institution should ensure its APIs are
    subject to rigorous management and control mechanisms which include the
    following:
    i) APIs should be designed for service resilience to avoid the risk of single points of failure and configured securely with appropriate access controls;
    and
    ii) APIs should be tracked and monitored against cyber-attacks with
    adequate incident response measures and are de-commissioned on a
    timely basis when no longer in use.

[23] Zero-trust principles is a security paradigm designed to prevent data breaches and limit internal lateral
movement of threat actors by requiring all users, whether in or outside the organization’s network, to be
authenticated, authorized, and validated before being granted the access.

Risk Management in Technology 59 of 67
Issued on: 1 June 2023

  2. Cloud application delivery models
    (a) Cloud application delivery models may evolve to support faster time-to-market
    in response to consumer demand. Currently, DevOps and Continuous
    Integration / Continuous Development (CI/CD)[24] are amongst the prevailing
    practices and processes for cloud application delivery. For instance, the ability
    to enforce segregation of duties for CI/CD where application developers may require access to the management plane for service configuration. A financial
    institution should ensure CI/CD pipelines are configured properly to enhance
    security of automated deployments and immutable infrastructure[25].

    (b) A financial institution should continuously leverage enhanced cloud capabilities
    to improve the security of the cloud services and financial institutions are,
    among others, encouraged to:
    i) adopt industry best practices such as infrastructure-as-code (IaC)[26] to
    automate the provisioning of IT infrastructure in a consistent, scalable and
    secure manner; and
    ii) use immutable infrastructure practices for deployment of services to
    reduce the risk of failure by creating a new environment with the latest
    stable version of the software. The on-going monitoring of the cloud
    environment should include automating the detection of changes to
    immutable infrastructure to improve compliance review and combat
    evolving cyber-attacks.
    (c) Where relevant, a financial institution should implement appropriate controls on
    the IaC process to minimise the risk of misconfiguration and reduce the cyber-attack
    surface. This includes the following measures that should be taken by
    the financial institution:
    i) conduct vulnerabilities scanning as part of IaC automation steps and
    ensure issues are remediated prior to the provisioning of IT infrastructure;
    ii) ensure virtual machine images (VMI) or container images of IaC templates are trusted and digitally signed; and
    iii) implement appropriate access control to prevent unauthorized changes to
    IaC templates.

[24] CI/CD is a set of methods that enables developers to deliver code changes more frequently using
automation.
[25] Immutable infrastructure is an approach to managing and deploying infrastructure where
components, such as virtual servers and networks, are created once and then never modified. If a new
version of a service or application requires changes to the underlying infrastructure components, new
instances of those components are created and the old instances are replaced.
[26] The process of managing and provisioning an organization’s IT infrastructure using machine-readable
configuration files, rather than employing physical hardware configuration or interactive configuration
tools.

  • NIST Special Publication 800-172, U.S. Department of Commerce, February 2020

  3. Virtualization and containerization management
The guidance provided in this paragraph is applicable to financial institutions which
use or plan to use PaaS and IaaS cloud service models only.
(a) A financial institution should ensure virtualization services are configured in line
with the prevailing guidance from the cloud service providers and industry best
practices, commensurate with the evolution of cloud computing technologies.
(b) A financial institution should ensure virtual machine and container images are
configured, hardened, and monitored appropriately. This includes the following:
i) use stable images and keep images up to date;
ii) store and use images from trusted repositories or registries;
iii) scan images for vulnerabilities, remediate any vulnerabilities prior to running
in production;
iv) enforce “least privilege” access;
v) harden images based on industry best practices; and
vi) stored images are subjected to security monitoring from unauthorised
access and changes.

  4. Change management
    (a) A financial institution should establish a process to systematically assess and
    take appropriate action to manage the impact of the releases by cloud service
    providers in relation to existing infrastructure, network, upstream and
    downstream systems to minimize the impact of any service disruption.
    (b) A financial institution should ensure its existing change management process
    is extended to cover cloud services where appropriate to promote effective and
    secure system development. The escalation process and approving authority
    should be clearly defined to ensure critical changes can be implemented and
    risk of service disruptions are mitigated promptly.
    (c) All critical changes deployed to the production environment should also be
    timely applied across environments such as disaster recovery site or supported
    cloud regions and availability zones where appropriate.
  5. Cloud backup and recovery
    (a) As part of an effective recovery capability, financial institutions should ensure
    existing backup and recovery procedures are extended to cover cloud services,
    which includes the following:
    i) define and formalise backup and recovery strategy at the planning stage
    of cloud adoption;
    ii) conduct periodic reviews of the cloud service providers’ restoration and
    recovery capabilities; and
    iii) conduct testing of recovery strategy prior to deployment of the system.
    (b) A financial institution should ensure backup and restoration procedures are
    periodically tested to validate recovery capabilities. The frequency of backup
    procedures should be commensurate with the criticality of the system and
    recovery point objective (RPO) of the system. Remedial actions should be taken
    promptly by the financial institution for unsuccessful backups.
    (c) A financial institution should ensure sufficient backup and recovery of virtual
    machine and container including backup configuration settings (for IaaS and PaaS, where relevant), which includes the following:
    i) ensure the capability to restore a virtual machine and container at
    point-in-time[27] as per the business recovery objectives; and
    ii) make virtual machine and container images available in a way that would
    allow the financial institutions to replicate those images at alternate sites
    or recovery sites[28].
(d) A financial institution should assess the resilience requirements of the cloud
services and identify appropriate measures that are commensurate with the
criticality of the system, to ensure service availability in the extreme adverse
scenarios. Financial institutions should consider a risk-based approach and
progressively adopt appropriate mitigating controls to ensure service
availability and mitigate concentration risk. Amongst the viable options are:
i) leverage cloud services’ high availability and redundancy features to
ensure production data centres have redundant capacity in different
availability zones;
ii) achieve geographical redundancy by having data centres in different geographical regions;
iii) adopt hybrid cloud (combination of on-premises and public cloud setup);
iv) establish back-up cloud service providers and identify appropriate
arrangement for porting of data and application to ensure timely service resumption; and
v) adopt multi-cloud strategy, with the use of services from different cloud
service providers to mitigate concentration risks and geopolitical risks.

  6. Interoperability and Portability
    Interoperability standards for cloud services continue to evolve such that porting data,
    related configuration and security logging across different cloud service providers may
    be challenging. To facilitate the smooth process of interoperability and portability between on-premise IT systems or alternate cloud service providers, financial
    institutions are encouraged to:
    (a) assess technical requirements for interoperability and portability prior to
    entering into an agreement or arrangement with the cloud service providers to
    avoid vendor lock-in;

[27] Point-in-time refers to the ability to preserve and retrieve the state of a virtual machine or system at
a specific moment.
[28] The alternate sites and recovery sites could either be in-house arrangements, or
available through agreement with third-party recovery facility provider, or a combination of both options.

(b) maintain a list of third party service providers and tools that are needed to
facilitate a smooth transition;
(c) ensure usage of standardized network and communication protocols for ease
of interoperability and portability with on-premise IT systems or alternate cloud
platforms;
(d) ensure the use of common electronic data formats, where applicable, to ease
the movement of data between cloud service providers or to on-premises IT
system; and
(e) extend patch and EOL management to ensure technology solutions employed
remain effective and protected against system vulnerabilities.

  7. Exit strategy
    (a) A financial institution should establish a robust cloud exit strategy as part of its
    cloud risk management framework to prepare for extreme adverse events such
    as the unplanned failure or termination of cloud service providers. The exit
    strategy should:
    i) be developed during the cloud deployment planning phase rather than on
    an ex-post basis;
    ii) identify alternative cloud service providers (multi-cloud approach) or
    third-party solutions, or other such means to ensure no business recovery
    objectives disruption or vendor lock-in;
    iii) be properly documented including details on the various exit trigger
    scenarios, roles and responsibilities, and sufficient resources to manage
    exit plans and the transition activities; and
    iv) be updated in a timely manner to reflect any material developments.

(b) A financial institution’s exit strategy should be supported by an appropriate and
proportionate exit plan that establishes the operational arrangements to
facilitate an orderly exit from an agreement or arrangement with cloud service
provider, including the following:
i) conduct impact assessment to determine potential costs, resources, and timing implications of transferring cloud services to an alternative cloud
service providers or rely on the in-house arrangement at the financial
institution;
ii) identify appropriate methods to port data and applications to an alternative arrangement;
iii) to obtain written confirmation or attestation from the cloud service
providers or independent external service providers that all sensitive data
has been securely deleted from the cloud service provider’s system upon
completion of the exit process; and
iv) conduct testing to validate the effectiveness of the exit plan, to obtain a
reasonable degree of assurance of its effectiveness.
