BNM RMIT 2023 Part 13

Appendix 10: Key Risks and Control Measures for Cloud Services (continued)

  1. Cryptographic key management
    (a) A financial institution should implement appropriate and relevant encryption
    techniques to protect the confidentiality and integrity of sensitive data stored on
    the cloud.
    (b) A financial institution should ensure its policies and procedures on cryptography
    are extended to cover cloud services where relevant, to promote the adoption
    of strong cryptographic controls.
    (c) Where appropriate and feasible, a financial institution should retain ownership
    and control of the encryption keys (itself or through an independent key
    custodian), independent of the cloud service provider, to minimise the risk of
    unauthorised access to the data hosted on the cloud.
    (d) As cloud adoption increases, managing the many encryption keys used to
    protect data becomes more complex and may introduce new challenges for
    financial institutions. A financial institution should adopt a comprehensive and
    centralised approach to key management, including the use of a centralised key
    management system that can handle the generation, storage and distribution of
    keys in a secure and scalable manner.
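As an added illustration of items 1(c) and 1(d) above (an example written for this page, not code from the policy document or from Bank Negara Malaysia), the Go program below shows the envelope-encryption key hierarchy that lets an institution keep its key-encryption key (KEK) independent of the cloud service provider: data stored in the cloud is encrypted under a per-object data-encryption key (DEK), and only a wrapped copy of that DEK, sealed under the KEK held by the institution or its key custodian, ever leaves the institution's key management system. `CustomerKMS`, `Envelope`, `Encrypt`, `Decrypt` and the key identifier string are hypothetical names chosen for the example, and the sample record is constructed; the in-memory KMS stands in for an HSM-backed or custodian-operated system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CustomerKMS is a hypothetical stand-in for a key management system operated by
// the financial institution or an independent key custodian. Its KEK never leaves it.
type CustomerKMS struct {
	kek []byte // 32-byte AES-256 key-encryption key, generated and stored outside the CSP
}

func NewCustomerKMS() *CustomerKMS { return &CustomerKMS{kek: mustRandom(32)} }

// mustRandom returns n CSPRNG bytes; a failing CSPRNG is fatal, so it panics.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal: AES-256-GCM with a random nonce prepended and aad bound as associated data.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext or aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// WrapDEK and UnwrapDEK are the only operations the cloud workload asks the KMS for.
// keyID is bound as associated data, so a wrapped DEK cannot be replayed under another object.
func (k *CustomerKMS) WrapDEK(dek []byte, keyID string) ([]byte, error) { return seal(k.kek, dek, []byte(keyID)) }
func (k *CustomerKMS) UnwrapDEK(w []byte, keyID string) ([]byte, error) { return open(k.kek, w, []byte(keyID)) }

// Envelope is what is stored with the cloud provider: ciphertext plus the wrapped DEK.
type Envelope struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt runs on the cloud side: a fresh per-object DEK protects the data and is
// then wrapped by the customer KMS; only the wrapped DEK is stored.
func Encrypt(kms *CustomerKMS, keyID string, plaintext []byte) (*Envelope, error) {
	dek := mustRandom(32)
	ct, err := seal(dek, plaintext, []byte(keyID))
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.WrapDEK(dek, keyID)
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt must go through the customer KMS to unwrap the DEK; without the KEK the
// stored envelope is useless to the provider or to anyone who copies it.
func Decrypt(kms *CustomerKMS, env *Envelope) ([]byte, error) {
	dek, err := kms.UnwrapDEK(env.WrappedDEK, env.KeyID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(env.KeyID))
}

func main() {
	kms := NewCustomerKMS()
	env, _ := Encrypt(kms, "customer-records/0001", []byte("acct 1234 balance 5000")) // constructed sample
	pt, err := Decrypt(kms, env)
	fmt.Printf("with customer KEK: %q err=%v\n", pt, err)
	_, err = Decrypt(NewCustomerKMS(), env) // a party holding only the envelope, not the KEK
	fmt.Println("without customer KEK:", err)
}
```

The point for 1(c) is the last two lines of `main`: whoever holds the envelope (the provider, a backup copy, a leaked bucket) gets only ciphertext and a wrapped DEK, and every read requires an unwrap call to the institution's own KMS, which is also where the access logging and revocation for 1(d) naturally live. Binding the key identifier as associated data is the check a practitioner would add so that a wrapped DEK lifted from one object cannot be presented under another.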
  2. Access Controls
    (a) The management plane is a key security difference between traditional
    infrastructure and cloud computing, since remote access to it is supported by
    default. This access layer could be prone to cyber-attacks, thereby
    compromising the integrity of the entire cloud deployment. In view of this,
    financial institutions should ensure the use of strong controls for accessing the
    management plane, which may include the following:
    i) allocate dedicated and effectively hardened endpoints, with up-to-date
    patching of software, for accessing the management plane;
    ii) implement “least privilege” and strong multi-factor authentication (MFA),
    e.g., strong password, soft token, privileged access management tool and
    maker-checker functions;
    iii) employ granular entitlement allocation for privileged users;
    iv) conduct continuous monitoring of the activities performed by privileged
    users; and
    v) ensure secure communication protocols are in place for accessing the
    management plane, e.g., secure end-to-end communication channels,
    whitelisting of IP addresses, etc.
    (b) A financial institution should extend its user access matrix to cover user access
    rights for both the financial institution and its cloud service providers where
    relevant for the ongoing access to cloud services.
    (c) A financial institution should ensure that its tenant access controls to all
    hypervisor management functions or administrative consoles for systems hosting
    virtualised systems are effectively implemented in accordance with the
    requirements and guidance under the Access Control section (paragraphs
    10.52 to 10.60) of this policy document. These controls should mitigate the risk
    of any unauthorised access to the hypervisor management functions and virtual
    machines.

Risk Management in Technology 64 of 67
Issued on: 1 June 2023

    (d) Point-to-point connections with cloud services may proliferate with the ease of
    cloud adoption, resulting in fragmentation of identity and access management
    and the risk of unsanctioned data being migrated to the cloud. In view of this,
    rigorous planning is recommended for the design of identity and access
    management, as it is inherently complex. Financial institutions are encouraged
    to:
    i) where appropriate and commensurate with the size and complexity of the
    cloud adoption, implement a federated[29] approach for identity and access
    management to mitigate the risks of identities in cloud services being
    disjointed from internal identities and of unauthorised access, and to ease
    user access management; and
    ii) consider additional attributes in context-aware decisions for identity and
    access management, such as the pattern of access, to further mitigate the risks
    associated with remote access.

  3. Cybersecurity Operations
    (a) A financial institution should ensure the governance and management of
    cybersecurity operations is extended to cover cloud services, with appropriate
    control measures to prevent, detect and respond to cyber incidents in the cloud
    environment, to maintain the overall security posture of the institution.
    (b) The interconnected cloud service supply chain could become a source of cyber
    risk. A financial institution should ensure integrated monitoring and full visibility
    of cloud services are established. This should include the following:
    i) continuous monitoring of system communications between the cloud
    service provider, on-premise IT systems and other service providers to
    ensure the security perimeter is not breached; and
    ii) ensuring that third-party service providers, including those providing
    ancillary functions, have adequate capabilities to monitor, detect and respond
    to anomalous activities, with timely communication to the financial institution
    of relevant cyber incidents.

    (c) A financial institution should understand the segregation of responsibility in
    security management, which varies across the cloud service models. A financial
    institution should manage the sources of vulnerabilities appropriately, including
    by:
    i) proactively seeking assurance that its cloud service providers conduct
    periodic VAPT on the cloud infrastructure to ensure tenant isolation and the
    overall security posture remain healthy; and
    ii) understanding the cloud service provider’s VAPT policy for the financial
    institution on cloud infrastructure under the IaaS model, given the varying
    degree of the financial institution’s access to the cloud environment, and
    establishing a VAPT arrangement with the cloud service provider upfront which
    is commensurate with the complexity of the cloud environment.

[29] A federated approach for identity and access management is a process or arrangement between
multiple systems or enterprises that enables users to use the same identification data to access all
related networks.

  4. Distributed Denial of Service (DDoS)
    (a) A financial institution should ensure that its DDoS mitigation service is
    commensurate with the size and complexity of the cloud adoption.
    (b) The risk of a single point of failure (SPOF) may surface when a financial
    institution relies solely on a cloud-based solution to mitigate DDoS attacks.
    As such, a financial institution is encouraged to engage alternative DDoS
    mitigation providers or establish circuit breakers to avoid service disruption
    when the main DDoS mitigation provider is disrupted.
  5. Data Loss Prevention (DLP)
    (a) A financial institution should protect the data hosted in cloud services as
    required under the Data Loss Prevention section (paragraphs 11.14 to 11.16)
    of this policy document, including the expansion of the endpoint footprint if the
    financial institution allows its staff to use their own devices to access the
    sensitive data.
    (b) As it becomes increasingly easy to distribute digital content to customers via cloud services, a financial institution should adopt the appropriate digital rights
    management mechanism to preserve the confidentiality of its proprietary and
    customer information.
  6. Security Operations Centre (SOC)
    (a) A financial institution should understand the scope of cloud service providers’
    responsibility for cybersecurity monitoring and adapt its SOC strategy and
    processes to ensure proactive and holistic monitoring of its cybersecurity
    posture. This adaptation should include the ability to effectively improve
    cybersecurity telemetry and analysis to detect and respond to cyber threats.
    (b) Where applicable, the responsibilities of cloud service providers with respect to
    SOC operations should be formalised in the agreement or arrangement
    between the financial institution and the cloud service providers, including the
    retention period required for relevant logs needed for forensic purposes and the
    right of the financial institution to access the logs for quick restoration as and
    when needed, in accordance with the requirements and guidance under the
    Access Control section (paragraphs 10.52 to 10.60) and Security of Digital
    Services section (paragraphs 10.64 to 10.80) of this policy document.

  7. Cyber response and recovery
    (a) A financial institution should enhance existing cyber crisis management policies
    and procedures to remain in a state of readiness to respond to cyber threats in
    a cloud environment.
    (b) A financial institution should extend its Cyber Incident Response Plan (CIRP)
    to include adverse scenarios that may affect cloud services and establish clear
    roles and responsibilities between the financial institution and cloud service
    providers for incident response and remediation. The incident escalation
    process and turnaround time should be established with cloud service providers
    and periodically reviewed, to achieve an effective incident response.
    (c) A financial institution should consider the following additional measures in the
    development of its CIRP:
    i) enhance its ability to detect security breach incidents to achieve effective
    incident management, including the ability to detect data leakage on the
    dark web;
    ii) provide adequate assistance to customers in the event of a security breach,
    in view that the complexity of cloud arrangements and the sophistication of
    cyber-attacks often exceed the response range reasonably expected of
    customers; and
    iii) ensure the CIRP is ready to manage cross-border incidents where the data
    resides in a foreign jurisdiction.
    (d) A financial institution should ensure that relevant Cyber Emergency Response Team (CERT) members are conversant with the CIRP covering cloud services to effectively activate the CIRP when incidents occur.
    (e) A financial institution should extend its existing incident reporting requirements
    to include cloud services.
    (f) A financial institution should enter into agreements or arrangements with its
    cloud service providers to conduct integrated business continuity testing and
    cyber drills in accordance with the requirements on testing of the disaster
    recovery plan in paragraphs 9.48 and 9.50 of the Bank’s policy document on
    Business Continuity Management (BCM) and paragraphs 11.22 to 11.27 relating
    to cyber response and recovery under this policy document, to test the
    effectiveness of the financial institution’s CIRP and recovery plan.
    (g) A financial institution should review its loss provision arrangements to ensure
    their adequacy to cover cyber incidents based on its scenario analysis of extreme
    adverse events. Where cyber insurance is adopted to mitigate the impact of cyber
    incidents, the financial institution should:
    i) understand the cyber insurance policy scope to ensure it adequately
    covers the information security events and liability types identified;
    ii) understand the insurance policy or takaful certificate’s terms and
    conditions, such as the accuracy of the financial institution’s attestation on its
    cyber risk management capability and its on-going responsibility in
    information security management, to ensure any changes to the IT services
    and associated control measures do not result in unintended exclusions from
    the insurance policy or takaful certificate; and
    iii) continue to strengthen cloud risk management to mitigate the likelihood of
    cyber incidents materialising.
