Amidst rapid digitalisation, which was accelerated further by the COVID-19 pandemic, cloud technology has become a pivotal cornerstone for businesses worldwide. In June 2021, the Monetary Authority of Singapore (MAS) introduced a circular with public cloud guidelines concerning the cyber risks associated with cloud adoption that have been impacting the financial and tech sectors alike.
The evolution of cloud technology has reshaped the way previously landlocked firms operate. The need for enhanced cloud security, especially within the tightly-regulated fintech industry (which could have far-reaching implications), has never been greater.
The webinar in 2021 entitled ‘How the New MAS Public Cloud Guidelines Impact You‘, moderated by the CEO of cybersecurity company Horangi, Paul Hadjy, brought together industry experts to shed light on the updated guidelines set by the Monetary Authority of Singapore (MAS).
Panelists included Anand Nirgudkar, CTO of payments fintech CardUp and Ivy Young, Head of Security at AWS Professional Services, ASEAN.
This pivotal discussion, featuring some of the industry’s foremost experts who offer a holistic view of the public cloud landscape in relation to the guidelines set by MAS, delves into its implications and what they mean for organisations.
Harnessing the Power of the Cloud
The cloud’s omnipresence in recent years has not been lost on the panelists, with the panelists pointing out that “cloud is everywhere” and has become indispensable for their global operations. From ensuring 24/7 uptime to providing market data access, cloud infrastructure is the backbone of their operations.
Meanwhile Anand, speaking on CardUp’s experience, highlighted the company’s cloud-first ethos, pointing to PCI DSS adherence, architectural best practices, and regional growth as key motivators for their cloud dependence.
The Challenge of Cloud Security
Despite the vast benefits offered by cloud technology, the inherent challenges it comes with are noteworthy – particularly in the security realm. One such challenge is misconfiguration. Anand stresses the dynamism of cloud security and cites the notorious Capital One incident as a stark reminder of how simple misconfigurations can lead to significant breaches.
However, it’s not just about misconfiguration. As pointed out in the MAS guidelines, identity and access management remains paramount. Paul stressed the importance of having robust controls in place, particularly with onboarding and offboarding practices.
The Shared Responsibility Model
A core topic of discussion centered around the “shared responsibility model”. Ivy Young remarked, “Something foundational here, when we consider security, is a shared responsibility model.”
This model stresses the division of responsibility between cloud providers and their clients. While cloud providers ensure the security of the cloud, customers must secure what they put in the cloud, be it data or applications.
Ivy further pointed out that understanding the shared responsibility model is essential. However, the challenge arises when this understanding doesn’t translate into daily operations and processes. Consequently, misconfigurations or governance gaps could emerge.
Visibility in Cloud Infrastructure
Anand highlighted the importance of visibility in cloud infrastructure. “The fundamental aspect of whether you would like to secure data or prevent anything is the visibility aspect,” he commented.
Having comprehensive oversight ensures effective prevention, detection, and incident management tailored for the cloud. Tools like AWS’s Incident Manager, Azure Sentinel, and others play a pivotal role in offering this visibility, helping organisations detect misconfigurations early, and implement robust governance models.
Decoding Cloud Security Jargons
The fast-paced evolution of cloud technology often introduces new terminologies and acronyms. The panelists took attendees on a whirlwind tour of these, starting with CWPP (Cloud Workload Protection Platform) to CSPP (Cloud Security Posture Management) and finally CNAPP (Cloud Native Application Protection Platform). The overarching theme between each was ensuring security and compliance in the rapidly evolving cloud environment.
The Alert Fatigue Challenge
While having the right tools in place is essential, Anand pointed out the challenge: “Alert fatigue is real.”
Security systems can inundate teams with alerts, leading to a loss of focus on genuine threats amidst a sea of false positives. Hence, it’s crucial not just to implement tools, but to also ensure they are tailored to provide actionable insights without overwhelming security personnel.
Delving into the MAS Circular on Cloud Adoption
The MAS or Monetary Authority of Singapore’s new circular on cloud adoption for Singaporean organisations was the focal point of the webinar. The circular emphasises on the rapid migration of the financial services industry in Singapore to cloud platforms.
As Paul Hadjy observed, while the MAS circular may not detail every acronym, it underscores the importance of having effective solutions, processes, and mitigation strategies in place. The circular’s objective aligns with ensuring that regulated entities maintain the highest standards of cloud security.
How the MAS Public Cloud Guidelines Impact Firms
Paul stressed the importance of understanding the misconfigurations within cloud development, highlighting the value in the MAS public cloud guidelines. He said, “Developers, knowing kind of where a lot of the misconfigurations come from, can be very influential and important.” The guidelines, according to Paul, are an essential read for anyone in the industry, especially those involved in the cloud’s technical aspects.
Ivy spoke about enhancing one’s security posture. According to her, regulatory requirements should be seen as “just the beginning”. Businesses should aim to build a security culture early on, as this would benefit them in the long run. She mentioned that many companies now view security as a sales enabler, a perspective that is becoming increasingly prevalent in Asia.
Ivy enumerated three initial steps for regulated financial entities to kick off their cloud security program. One is to align the business goals with the cloud’s security maturity levels.Second is to leverage the extensive resources offered by cloud service providers. And thirdly, establishing visibility from the outset is crucial to detect and address risks timely.
Anand Nirgudkar, CTO of CardUp, offered a holistic view, likening the experience of cloud migration to riding a roller coaster for the first time. He reiterated the importance of a thorough discovery process and leveraging the help provided by cloud service providers.
Moreover, Anand underscored the necessity of threat modelling and the benefits of creating “guardrails” rather than “gates”
He also encouraged the community to explore AWS’s Cloud Adoption Framework from 2016, which provides comprehensive guidance that can be beneficial, regardless of the specific cloud service provider one might be using.
Transitioning to the Cloud: Where to Begin?
When considering transitioning to the cloud, the ‘where to start’ question was addressed by both Anand and Ivy. Anand stressed the importance of understanding and ranking assets before making any migration decisions. He advocated for an assessment based on the risk and business impact associated with the potential migration of each asset.
Echoing similar sentiments, Ivy singled out the significance of business objectives. Beginning with migrating less critical assets to build experience, and then gradually transitioning more critical workloads was advised, thereby fostering confidence and cultivating a hands-on learning environment.
MAS Public Cloud Guidelines: Key Takeaways
One of the most pressing questions was related to the changes brought about by the MAS public cloud guidelines. Anand provided an articulate summary of the essential elements of the guidelines.
He praised MAS for its comprehensive circular, which delves into aspects ranging from the introduction of various service models, shared responsibilities, identity and access management, workload security approaches, and zero-trust security principles.
The guidelines also advocate for continuous testing, data security, key management, and more. An emphasis on a risk-based security approach forms the backbone of the entire circular, underscoring the importance of a balanced, pragmatic approach to cloud security.
Cloud as Business Imperative
While not all questions could be addressed due to time constraints, the insights shared by the panellists offer invaluable learning. The ‘How the New MAS Public Cloud Guidelines Impact You’ webinar webinar underscored how the adoption and security of the cloud are not mere IT decisions, but are critical business imperatives in today’s digital age.
While these MAS guidelines introduce an added layer of complexity, they also usher in an era of enhanced security, transparency, and trust. As organisations navigate these guidelines, a comprehensive, strategic, and proactive approach to cloud adoption and security is not just recommended, but essential.
Watch the on-demand webinar at this link to gain insights.
Horangi will be participating in the upcoming Singapore Fintech Festival which takes place from 15th to 17th November. Learn more about their booth participation here.
Horangi will be participating in the upcoming Singapore Fintech Festival which takes place from 15th to 17th November. Learn more about their booth participation here.