MAS Public Cloud Guidelines: A Deep Dive into its Impact on Cloud Security

by Johanan Devanesan

November 10, 2023

Amidst a rapidly digitalising world, accelerated further by the COVID-19 pandemic, cloud technology has become a pivotal cornerstone for businesses worldwide. Recently, the Monetary Authority of Singapore (MAS) introduced a circular with public cloud guidelines concerning the cyber risks associated with its adoption, impacting the financial and tech sectors alike. 

The evolution of cloud technology has reshaped the way previously landlocked firms operate. The need for enhanced cloud security, especially within the tightly-regulated fintech industry which could have far-reaching implications, has never been greater. 

The recent webinar entitled ‘How the New MAS Public Cloud Guidelines Impact You’, moderated by cybersecurity specialist Horangi’s CEO, Paul Hadjy, brought together industry experts to shed light on the updated guidelines set by the Monetary Authority of Singapore (MAS).

Panelists included Anand Nirgudkar, CTO of payments fintech CardUp and Ivy Young, Head of Security at AWS Professional Services, ASEAN.

This pivotal discussion, featuring some of the industry’s foremost experts offering a holistic view of the public cloud landscape in relation to the guidelines set by MAS, delves into its implications and what they mean for organisations.

Harnessing the Power of the Cloud

The cloud’s omnipresence in recent years has not been lost on the panellists. From ensuring 24/7 uptime to providing market data access, cloud infrastructure is the backbone of their operations.

Meanwhile, Anand, speaking on CardUp’s experience, highlighted the company’s cloud-first ethos, pointing to PCI DSS adherence, architectural best practices, and regional growth as key motivators for their cloud dependence.

The Challenge of Cloud Security

Despite the vast benefits offered by cloud technology, the inherent challenges it poses, particularly in the security realm, are noteworthy. One such challenge is misconfiguration. Anand stresses the dynamism of cloud security and cites the notorious Capital One incident as a stark reminder of how simple misconfigurations can lead to significant breaches.

However, it’s not just about misconfiguration. As pointed out in the MAS guidelines, identity and access management remains paramount. Paul stressed the importance of having robust controls in place, particularly with onboarding and offboarding practices.

Reflecting on the recent breaches of DeFi protocols Harbour and Exactly in separate attacks, the panel reminded attendees of the motives driving attackers. When there’s more to gain, attackers’ attention is invariably drawn. As such, while cloud infrastructure offers unparalleled advantages, the stakes have never been higher.

The Shared Responsibility Model

A core topic of discussion centred around the “shared responsibility model”. Ivy Young remarked, “Something foundational here, when we consider security, is a shared responsibility model.” 

This model stresses the division of responsibility between cloud providers and their clients. While cloud providers ensure the security of the cloud, customers must secure what they put in the cloud, be it data or applications.

Ivy further pointed out that understanding the shared responsibility model is essential. However, the challenge arises when this understanding doesn’t translate into daily operations and processes. Consequently, misconfigurations or governance gaps could emerge.

Visibility in Cloud Infrastructure

Anand highlighted the importance of visibility in cloud infrastructure. “The fundamental aspect of whether you would like to secure data or prevent anything is the visibility aspect,” he commented. 

Having comprehensive oversight ensures effective prevention, detection, and incident management tailored for the cloud. Tools like AWS’s Incident Manager, Azure Sentinel, and others play a pivotal role in offering this visibility, helping organisations detect misconfigurations early and implement robust governance models.

Decoding Cloud Security Jargon

The fast-paced evolution of cloud technology often introduces new terminologies and acronyms. The panellists took attendees on a whirlwind tour of these, from CWPP (Cloud Workload Protection Platform) to CSPM (Cloud Security Posture Management) and finally CNAPP (Cloud Native Application Protection Platform). The overarching theme across all of them was ensuring security and compliance in the rapidly evolving cloud environment.

“Understand the core use cases,” the panel stressed, adding that regardless of the acronym, the focus should always be on safeguarding data, control planes, and ensuring robust cloud security.

The Alert Fatigue Challenge

While having tools in place is essential, Anand pointed out the real challenge: “Alert fatigue is real.” 

Security systems can inundate teams with alerts, leading to a loss of focus on genuine threats amidst a sea of false positives. Hence, it’s crucial not just to implement tools, but also to ensure they are tailored to provide actionable insights without overwhelming security personnel.

Delving into the MAS Circular on Cloud Adoption

The Monetary Authority of Singapore’s new circular on cloud adoption for Singaporean organisations was the main focal point of the webinar. The circular emphasises the rapid migration of the financial services industry in Singapore to cloud platforms. 

As Paul Hadjy observed, while the MAS circular may not detail every acronym, it underscores the importance of having effective solutions, processes, and mitigation strategies in place. The circular’s objective aligns with ensuring that regulated entities maintain the highest standards of cloud security.

How the MAS Public Cloud Guidelines Impact Firms

Paul stressed the importance of understanding the misconfigurations within cloud development, highlighting the value in the MAS public cloud guidelines. He said, “Developers, knowing kind of where a lot of the misconfigurations come from, can be very influential and important.” The guidelines, according to Paul, are an essential read for anyone in the industry, especially those involved in the cloud’s technical aspects.

The panellists shed light on the broader implications of the guidelines. He pointed out the importance for not only current industry players but also budding entrepreneurs in the fintech sector to familiarise themselves with these guidelines. 

Speaking about the fintech industry’s burgeoning growth, the panel said, “The dynamics of where business is going is definitely towards the cloud.” They believe that investment should be directed towards cloud security procedures, emphasising the significance of cloud-based work, whether it involves information handling, workflow, or claims.

Ivy, the Head of Security at AWS Professional Services in ASEAN, spoke about enhancing one’s security posture. According to her, regulatory requirements should be seen as just the beginning. 

Businesses should aim to build a security culture early on, as this would benefit them in the long run. She mentioned that many companies now view security as a sales enabler, a perspective that is becoming increasingly prevalent in Asia.

Ivy enumerated three initial steps for regulated financial entities to kick off their cloud security program. One is to align the business goals with the cloud’s security maturity levels.

The second is to leverage the extensive resources offered by cloud service providers. The third is to establish visibility from the outset, which is crucial to detecting and addressing risks in a timely manner.

Anand Nirgudkar, CTO of CardUp, offered a holistic view, likening the experience of cloud migration to riding a roller coaster for the first time. He reiterated the importance of a thorough discovery process and leveraging the help provided by cloud service providers. 

Moreover, Anand underscored the necessity of threat modelling and the benefits of creating “guardrails” rather than “gates”.

He also encouraged the community to explore AWS’s Cloud Adoption Framework from 2016, which provides comprehensive guidance that can be beneficial, regardless of the specific cloud service provider one might be using.

Understanding the Pillars of Cloud Security

The panel began by identifying three pillars fundamental to an effective cloud security program. Firstly, endpoint security holds paramount importance, especially in industries susceptible to frequent attacks, such as the cryptocurrency sector. 

Secondly, they spotlighted data loss prevention (DLP). As workforces expand and operate remotely, data leakage has become a salient concern. Ensuring access to crucial information without compromising security through mechanisms like single sign-on or two-factor authentication is vital.

The final pillar revolved around cyber hygiene. As organisations grow, instilling a culture of good cybersecurity practices becomes indispensable. Ensuring employees, both old and new, are well-informed about potential threats is crucial.

Transitioning to the Cloud: Where to Begin?

When considering transitioning to the cloud, the ‘where to start’ question was addressed by both Anand Nirgudkar and Ivy Young. Anand stressed the importance of understanding and ranking assets before making any migration decisions. He advocated for an assessment based on the risk and business impact associated with the potential migration of each asset. 

Echoing similar sentiments, Ivy singled out the significance of business objectives. Beginning with migrating less critical assets to build experience, and then gradually transitioning more critical workloads was advised, thereby fostering confidence and cultivating a hands-on learning environment.

MAS Public Cloud Guidelines: Key Takeaways

One of the most pressing questions was related to the changes brought about by the MAS public cloud guidelines. Anand provided an articulate summary of the essential elements of the guidelines. 

He praised MAS for its comprehensive circular, which delves into aspects ranging from the introduction of various service models, shared responsibilities, identity and access management, workload security approaches, and zero-trust security principles. 

The guidelines also advocate for continuous testing, data security, key management, and more. An emphasis on a risk-based security approach forms the backbone of the entire circular, underscoring the importance of a balanced, pragmatic approach to cloud security.

Cloud as Business Imperative

While not all questions could be addressed due to time constraints, the insights shared by the panelists offer invaluable learning. The ‘How the New MAS Public Cloud Guidelines Impact You’ webinar underscored how the adoption and security of the cloud are not mere IT decisions, but are critical business imperatives in today’s digital age. 

While the new MAS guidelines introduce an added layer of complexity, they also usher in an era of enhanced security, transparency, and trust. As organisations navigate these guidelines, a comprehensive, strategic, and proactive approach to cloud adoption and security is not just recommended, but essential.

Watch the on-demand webinar at this link to gain insights.

Horangi will be participating in the upcoming Singapore Fintech Festival which takes place from 15th to 17th November. Learn more about their booth participation here.

This post originally appeared on TechToday.