APRA’s newly released Information Paper: “OUTSOURCING INVOLVING SHARED COMPUTING SERVICES (INCLUDING CLOUD)” recognises that public cloud is inevitable for financial services. It provides constructive guidelines for managing risks in a cloud world. By way of exception, APRA questions the appropriateness of migrating critical systems of record to the public cloud. APRA’s approach to risk is very broad – encompassing not only the traditional areas of risk assessment (including security and business disruption), but also:
- the up-front selection process;
- key factors to be addressed in contracts;
- governance requirements;
- the challenges around transition; and
- innovative and pragmatic approaches to ongoing assurance.
APRA focuses on “observed weaknesses” in current practices, and sets out useful checklists for best practice migration of APRA-regulated entities to cloud services. APRA also encourages financial sector entities to consult with APRA before entering into cloud services arrangements with a “heightened inherent risk”.
Key areas of focus include:
- the importance of “granular” risk assessments, focused on specific details and scenario analysis (rather than just “cursory” risk assessments);
- the importance of contractual rights in relation to:
- exit strategies (both for the overall arrangements, and for specific IT assets);
- pro-active management of material service providers;
- ensuring access to service provider information and personnel as required;
- ensuring operational and strategic oversight; and
- detailed governance guidelines.
The paper focuses on “shared computing services (including cloud)”. It is relevant to the outsourcing of hardware, software and/or data storage where the infrastructure and/or computing services are not dedicated to the financial sector entity. The paper does not apply to private cloud, but it may well apply to off-premises solutions that are not necessarily labelled “cloud”. For the purposes of this update, we will just refer to the scope as “cloud services”.
APRA encourages prior consultation for cloud services with a “heightened inherent risk”. APRA draws analogies with the consultation requirements for offshoring arrangements – and it is clear that some of the proposed assurance mechanisms have been drawn from those already in place for offshoring. The framework for identifying cloud services with heightened inherent risk focuses on:
- the criticality of the IT assets, applications and data stores involved (being a measure of the impact of a loss of availability);
- the sensitivity of the IT assets, applications and data stores involved (being a measure of the impact of a loss of either confidentiality or integrity);
- the associated business processes impacted;
- the projected and/or aggregated materiality of the arrangements;
- whether such arrangements would result in an increased likelihood of a disruption (including a compromise of confidentiality, integrity or availability); and
- whether a disruption would result in a significant impact.
Risk management considerations
The paper emphasises the rigour required to manage the risks associated with migrating to cloud services, looking at each stage in the process: from the initial planning stages through to service provider selection, contracting and transition to the required end state.
APRA warns against:
- focusing only on the cost savings;
- focusing only on the benefits (without adequate scrutiny of the associated risks);
- failures in the early stages of procurement, in terms of engaging up-front with the risk, security, outsourcing and assurance functions;
- cursory risk assessments, with a lack of focus on the specific risks, specific scenario analysis and specific changes to the risk profile;
- a lack of service provider due diligence – relying on the service provider’s own attestations and reference checks, rather than obtaining independent assurance;
- impediments placed on APRA’s access rights to the service provider (due to failure to obtain adequate contractual rights);
- a “fast track” transition (eg: taking short-cuts and bypassing established risk management); and
- a lack of consideration of critical and/or sensitive IT assets, or the sensitivity of data.
Some of the key messages emerging are:
- On-shore cloud services: When selecting service providers, the benefits of using Australian-hosted options (if available) should be considered as a way of reducing inherent risk – in the absence of any compelling business rationale to do otherwise.
- Industry-specific solutions: Consider the benefits of limiting cloud services to those used only by parties with comparable security requirements, risk profiles and risk appetites (such as other financial sector entities).
- Governance guidelines: Governance guidelines encompass the roles and responsibilities of the Board, senior management and specific governance bodies or individuals – across the various stages of migration to cloud services.
- Exit strategies: Consider the importance of planning for exit strategies (both contractual and technical) to enable a financial sector entity to isolate and remove IT assets.
- Transition: Consider a progressive, staged approach to transition (piloting on low risk initiatives). Ensure an up-front assessment of the organisational change management capability required to oversee and manage transition. Ensure up-front clarity as to the operating model and security model – including the associated roles / responsibilities of all parties, handover and escalation points.
- Approach to risk assessment: Risk assessment needs to be undertaken with a level of granularity that allows for a meaningful understanding of actual risk and specific mitigating controls – as well as scenario analysis to ensure full understanding of the associated risks.
- Ongoing management of material service providers: APRA emphasises the importance of:
  - establishing operational and strategic oversight mechanisms (eg: service levels, contractual rights to assess the ongoing viability of the service provider, contractual rights to obtain timely responses to issues and emerging risks);
  - obtaining contractual rights around ongoing access to service provider information and personnel for oversight and assurance purposes, as well as the management of security incidents; and
  - establishing ongoing access rights for APRA in accordance with CPS 231 and SPS 231.
- Assurance: One of the most useful parts of the paper is around assurance. APRA recognises the practical challenges involved with cloud services – and the requirement to balance the needs of multiple customers with the practicalities of not overburdening the service provider. The paper proposes pragmatic solutions around:
  - using available sources of assurance such as internal audits, external experts, service provider attestations / certifications and reports generated by the service provider’s internal audit function;
  - establishing collaborative assurance models where assurance work is designed to meet the needs of the various customers; and
  - a holistic approach to assurance testing that encompasses all aspects of the IT security control environment over time, encompassing both the APRA-regulated entity and the service provider.
APRA’s information paper is not just essential reading – it warrants detailed scrutiny and analysis at a practical level. The guidelines and checklists provide an excellent starting point for implementing best practice in relation to migration to cloud services.