MAS Circular No. MAS/TCRS/2021/03 Highlights
The Monetary Authority of Singapore (MAS) has recently released a new circular on cyber risks associated with public cloud adoption ‘Circular No. MAS/TCRS/2021/03 June 2021’. This has come amidst the accelerated pace of digital transformation in the COVID-19 pandemic period. This circular focuses on identifying and managing cyber risk associated with public cloud adoption through Cloud Service Providers (CSPs).
Here are the key takeaways for Financial Institutions (FIs) from the circular:
- FIs should perform a risk assessment and risk mitigation for adopting public cloud platforms
- FIs should ensure strong security controls surrounding Identity and Access Management (IAM) and Data Protection
- FIs should ensure that activities within the public cloud are closely monitored for threats or be integrated into existing centralized security monitoring services
- FIs should work with their selected CSPs to ensure that they are able to perform outsourcing due diligence activities without being held back by contractual obligations
- FIs should ensure they are not locked into specific CSPs by ensuring they use open standards, maintaining interoperability of solutions amongst other strategies
- FIs should ensure that personnel are well-trained to manage public cloud workloads securely
This circular will likely impact two broad groups:
- FIs with on-prem workloads that are still migrating, or have completed migration, to public cloud platforms (e.g. AWS, GCP, Azure, Alicloud)
- Fintech start-ups that are cloud-native and are already on public cloud platforms
Permissions and Data Security: It’s All About the Visibility
CSP’s platforms make it easy and cost-effective for organizations to scale and innovate on their business operations. However, this ease of use also increases the risks of misconfigurations within a cloud infrastructure. This could result in impacts such as unauthorized access and modification to data, and/or service outage. It is no surprise that in its circular, MAS has highlighted cloud security controls around Identity and Access Management as the “cornerstone of effective cloud security risk management”.
Identity and Access Management (IAM), as well as the concept of Zero Trust, limits the risk of compromise of the cloud infrastructure by enforcing strict controls on what each user or system is able to perform within a cloud environment. In the event that these accounts are compromised, an attacker’s actions will be limited accordingly. Managing permission levels across an entire cloud platform, however, typically requires a high level of visibility in order to effectively track activities across multiple accounts and resources.
Similarly, on data security, public cloud platforms have allowed for low-cost, easy-to-initiate processes of secret creation, storage, and handling. Most CSPs have existing services specifically designed for such purposes. For example, Amazon Web Services (AWS) allows users to enable HTTPS encryption in transit very easily, even providing their own trusted certificates and certificate authority (AWS Certificate Manager). AWS Key Management Service (KMS) also provides a low-cost and easy-to-manage alternative to purchasing and owning costly physical Hardware Security Modules (HSMs). However, the same challenge applies here: adequate visibility is required to ensure that the security of data at rest and in transit has been assured through the application of encryption on all resources, whether old, new, or transient.
Multi-Cloud Strategy and the Importance of Interoperability
In the circular, MAS has also highlighted that FIs may be subjected to vendor lock-in and concentration risks in their engagements with CSPs. Although not defined in the circular, concentration risks in the context of CSPs can be understood as the over-reliance on one service provider for the company’s public cloud workload and infrastructure. In order to mitigate this, MAS has suggested that FIs consider adopting interoperable solutions and adopt a multi-cloud strategy.
A multi-cloud strategy presents an intuitive way to reduce concentration risks by either taking on redundancy or balancing cloud workload across several CSPs. However, in doing so, an FI should be aware of the potential roadblocks. Interoperability becomes a chief concern for FIs adopting a multi-cloud strategy. Within a single CSP’s cloud environment, all services are highly interoperable and are likely to be integrated or readily integrable based on the CSP’s designs. However, this is likely not the case across different CSPs. FIs also need to ensure that personnel are adequately trained to be familiar with the platforms of all CSPs they are engaging with.
Mitigating Risks with Cloud Security Posture Management (CSPM) and Cloud Infrastructure Entitlement Management (CIEM)
Given the potential challenges highlighted by MAS, FIs will likely need to dedicate resources to ensure that the ongoing security of their cloud platforms is assured. As recommended by Gartner, cloud solutions that feature Cloud Security Posture Management (CSPM) and Cloud Infrastructure Entitlement Management (CIEM) capabilities are effective ways to assist organizations in the mitigation of cloud security risks.
The CSPM category continuously monitors cloud misconfigurations in relation to security and compliance risks and assists its users in remediating those risks.
FIs should ensure that their selected solutions are able to address the aforementioned security risks highlighted by MAS. This includes the ability to operate within a multi-cloud environment, continuously monitor all cloud identities and access levels, audit and monitor cloud configuration best practices such as data encryption, and show permission access graphs for identities and entitlements across a multi-cloud environment, all while providing combined visibility on a unified dashboard.
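To make the two checks discussed above concrete (over-privileged identities under IAM, and encryption on every resource under data security), here is a minimal CSPM/CIEM-style scan over a constructed inventory. This is an added illustration, not Warden's code or output from any real account; the policy documents follow the AWS IAM JSON shape, and the resource list, key ARN and account number are constructed sample values.

```python
"""Minimal CSPM/CIEM-style checks over a constructed cloud inventory.

Two finding types, matching the circular's focus areas:
  - IAM: Allow statements granting a wildcard action on a wildcard resource
  - Data: resources with at-rest encryption off, or on without a KMS key
All data below is constructed sample input, not pulled from a real account.
"""
from typing import Dict, List

# Constructed sample policies in AWS IAM JSON shape (hypothetical names).
SAMPLE_POLICIES = {
    "admin-ish": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "scoped": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::reports/*"}]},
    "service-wide": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]},
}

# Constructed sample resource inventory (ids and key ARN are placeholders).
SAMPLE_RESOURCES = [
    {"id": "s3://reports", "encrypted": True,
     "kms_key": "arn:aws:kms:ap-southeast-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"id": "vol-0001", "encrypted": False, "kms_key": None},
    {"id": "db-1", "encrypted": True, "kms_key": None},  # default SSE, no CMK
]


def _as_list(value) -> list:
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_grants(policies: Dict[str, dict]) -> List[str]:
    """Names of policies with an Allow on '*' or 'service:*' against Resource '*'."""
    findings = []
    for name, doc in policies.items():
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
                findings.append(name)
                break  # one finding per policy is enough
    return findings


def encryption_gaps(resources: List[dict]) -> Dict[str, List[str]]:
    """Split resources into: encryption disabled, or enabled without a KMS key."""
    out: Dict[str, List[str]] = {"unencrypted": [], "no_kms_key": []}
    for r in resources:
        if not r["encrypted"]:
            out["unencrypted"].append(r["id"])
        elif not r.get("kms_key"):
            out["no_kms_key"].append(r["id"])
    return out
```

A real CSPM would replace the constructed inventory with the cloud APIs' own listings and run these checks continuously, so resources created after the last audit are not missed.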
Horangi Warden (CSPM and CIEM) is a cloud security tool that is highly interoperable and has the ability to support multi-cloud strategies, including coverage for AWS, GCP, Azure, and in the near future, Alibaba Cloud. Once deployed, Warden is able to continuously monitor supported public cloud infrastructure to identify security misconfigurations in near real-time as they arise. This can provide a boost in visibility for security teams monitoring across a multi-cloud environment. Once issues have been identified, Warden provides various remediation methods to help its users quickly and easily resolve security misconfigurations and alerts. In addition, Warden is also able to support integration with most SIEMs to allow centralized monitoring by security teams.
Horangi Warden Capabilities
If you have questions on how to best approach this new set of advisory guidelines or require expert consulting to help protect your multi-cloud infrastructure, our team of Cloud Security Experts are on hand to help you address your concerns. To get in touch or know more about Warden, fill in this form.