Tighter APRA controls put a damper on cloud

Published on the 07/07/2015 | Written by Beverley Head


The Australian Prudential Regulation Authority (APRA) has delivered a damning report card on the checks and balances undertaken by regulated entities when moving to the cloud…

APRA is the prudential regulator for Australia’s banks, credit unions, insurance companies and most of the superannuation industry. It has since 2010 taken a keen interest in the ambitions of these companies to migrate some of their computing requirements to the cloud.

Regulated entities are generally required to alert APRA after they have outsourced any material activities, and before they offshore them. But in a report issued this week, APRA said it has uncovered a series of weaknesses in the approach taken to cloud computing and has recommended that regulated entities consult with APRA ahead of taking any significant plunge into cloud computing.

It claims that too many regulated organisations are performing cursory risk assessments, focusing too often on potential savings while skating over the risks, failing to perform adequate due diligence and relying too heavily on vendor claims when negotiating contracts. APRA has also complained about the lack of adequate access to cloud-based systems provided to it, which it needs in order to perform its regulatory duties.

It also delivered a slap to cloud vendors. “In light of weaknesses in arrangements observed by APRA it is not readily evident that risk management and mitigation techniques for public cloud arrangements have reached a level of maturity commensurate with usages having an extreme impact if disrupted.” In a nutshell APRA is concerned that a lack of mature business continuity strategies in some cloud arrangements might limit a regulated entity’s ability to fulfil its obligations were access to the cloud disrupted.

According to APRA: “While shared computing services may bring benefits, such as economies of scale, they also bring associated risks. These can vary considerably depending on the particular usage. Low risk usages are those involving IT assets with low criticality and sensitivity. Other usages involve heightened risk, such as the exposure of highly critical and/or highly sensitive IT assets to ‘un-trusted’ environments, necessitating a greater degree of caution and supervisory interest. For these arrangements, APRA encourages prior consultation.”

In its paper it questions the appropriateness of migrating systems of public record to the cloud, and advocates for the use of locally hosted clouds where possible and shared services which specialise in delivering services to other financial institutions, or to organisations with “high security expectations.”
