Cloud control: APRA evolves its stance on shared computing services
Insight Issue 3 2018
The advent and development of cloud computing technology over the past decade has had a profound impact on the financial services sector, both in Australia and globally. The availability of elastic, cost-effective, virtually limitless computer processing, network and data storage has allowed organisations of all sizes and levels of sophistication to offer financial services without the need to purchase and maintain costly infrastructure and support staff. APRA–regulated entities were quick to embrace the cloud, and usage of the technology continues to grow.
Though cloud offers the potential for substantial benefits and opportunities, it also presents significant risks that APRA-regulated entities must manage in the interests of prudential safety. With that in mind, APRA released an information paper in 2015 on the use of cloud computing. The paper expressed scepticism about the ability of entities to safely use the cloud for functions involving heightened inherent risk.
In the three years since, there has been continuous evolution of both cloud computing service offerings and APRA-regulated entities’ risk management. APRA recognises that, generally, cloud service providers have strengthened their control environments, increased transparency regarding the nature of the controls in place and improved their customers’ ability to monitor their environments. APRA-regulated entities have also improved their management capability and processes for assessing and overseeing the cloud services provided.
On that basis, APRA released in late September an updated information paper on cloud computing, expressing a more open stance on cloud usage by APRA-regulated entities. The update reflects APRA’s observation of the growing use of cloud computing services by APRA-regulated entities, an increasing appetite to do so for higher risk activities, as well as areas of weakness identified as part of APRA’s supervisory activities that entities are expected to address as they consider increased cloud usage.
Risks must be understood and managed
Cloud computing services are used for a variety of functions by APRA-regulated entities. Depending on the function, disruption of a cloud service (including a compromise of confidentiality, integrity or availability of systems or data) could have material consequences for the entity or its customers. The various services offered through the cloud present differing risk profiles, with each cloud provider offering numerous options with varying technologies, controls and responsibility models. These factors add greater layers of complexity and, potentially, a lack of clarity with respect to responsibility, which can challenge effective risk management.
APRA has classified the inherent risk of cloud computing services into three broad categories: low, heightened and extreme.
- For arrangements with low inherent risk (and not involving off-shoring), APRA would not expect an APRA-regulated entity to consult APRA prior to entering into the arrangement.
- For arrangements with heightened risk, APRA would expect to be consulted after the APRA-regulated entity’s internal governance process is completed.
- For arrangements involving extreme inherent risk, APRA encourages early engagement, and will subject these arrangements to a higher level of scrutiny. APRA expects all risks to be managed appropriately, commensurate with their inherent risk. However, for extreme inherent risk, APRA expects an entity will be able to demonstrate to APRA’s satisfaction, prior to entering into the arrangement, that the entity understands the risks associated with the arrangement, and that the entity’s risk management and risk mitigation techniques are sufficiently strong.
| Under CPS 231 Outsourcing, APRA-regulated entities must demonstrate the following: |
|---|
| Ability to continue operations and meet obligations following a loss of service and a range of other disruption scenarios. |
| Preservation of the quality (including security) of both critical and sensitive data. |
| Compliance with legislative and prudential requirements. |
| Absence of jurisdictional, contractual or technical considerations that may inhibit APRA’s ability to fulfil its duties as prudential regulator, including impediments to timely access to documentation and data/information. |
| Risk management area | Key message |
|---|---|
| Strategy | Strategies should be defined and supported by a clearly articulated architectural roadmap. Strategies should align with the broader business and technology strategies, and include consideration of organisational change and required capability to manage and operate the arrangements. |
| Governance | The APRA-regulated entity’s board, governance committee or other appropriate governance authorities should be informed of material cloud initiatives and be able to form a view as to the adequacy of the risk and control frameworks to manage the arrangement in line with the board risk appetite. |
| Solution selection process | The process for selecting the IT solution (including related software programs and related services) should be systematic, considered and comply with established processes for changing the IT environment. This includes a comprehensive due diligence process to verify the maturity, adequacy and appropriateness of the cloud provider and services selected (including the associated control environment), taking into account the intended usage of the cloud computing service. |
| APRA access and ability to act | An APRA access clause must be included in the cloud provider agreement. This includes access to documentation and information, and the right for APRA to conduct onsite visits of the cloud provider. |
| Transition approach | A cautious and measured approach should be adopted for transitioning to a cloud computing service, particularly where risks are heightened. |
| Risk assessments and security | Entities are expected to conduct comprehensive security and risk assessments of all material cloud arrangements, initially and periodically, and on material change. Controls should be commensurate with the risks involved. |
| Implementation of controls | The implementation of controls by the cloud service provider and the APRA-regulated entity should reflect the entity’s and service provider’s differing levels of responsibility for operating and managing the various cloud arrangements. |
| Ongoing oversight | Entities should develop and maintain ongoing operational and strategic oversight mechanisms that facilitate assessment of performance against agreed service levels, assessment of the ongoing viability of the cloud provider and the service, timely notification of key changes and a timely response to issues and emerging risks. |
| Business disruption | APRA expects that an APRA-regulated entity would continue to meet its obligations regardless of disruptions resulting from a failure of technology, people, processes or cloud provider. |
| Internal audit | Entities should provide assurance to the board that material arrangements are appropriately managed, and that the service provision management framework is effective. This includes assessing the assurance provided from audits initiated by the service provider. |
Common areas of responsibility for the different cloud computing models
| Areas of responsibility | Infrastructure as a Service | Platform as a Service | Software as a Service |
|---|---|---|---|
| Ongoing monitoring for control effectiveness | Customer | Customer | Customer |
| Customer-side information security* | Customer | Customer | Customer |
| Data quality | Customer | Customer | Customer |
| Application management | Customer | Customer | Provider |
| Virtual machines and networks | Customer | Provider | Provider |
| Cloud infrastructure** | Provider | Provider | Provider |
* This includes customer side: user identity and access, interface control, vulnerability and threat management, maintenance of IT asset currency, incident detection and response, configuration management, encryption and key management.
** This includes: data centres, servers, networks, cloud fabric, customer access as well as information security controls such as vulnerability and threat management, incident detection, response and client notification.
Conclusion
The use of cloud computing services represents a significant change to the way technology is employed, and APRA expects cloud usage by its regulated entities will continue to grow. While cloud computing can bring benefits, it also brings associated risks which must be understood and managed effectively if APRA-regulated entities wish to take advantage of this service.
APRA will seek to ensure that regulated entities’ risk management and mitigation techniques are commensurate with their usage of cloud computing services. Consequently, APRA encourages regulated entities that are contemplating using cloud solutions which involve heightened and extreme inherent risks to consult APRA prior to entering into any formal arrangement with a cloud provider.