Mike Mudd, Chief Representative for Asia Pacific, Open Computing Alliance, reveals how regulated industries can enjoy the benefits of cloud technology while minimizing risks, and satisfying their due diligence and auditing processes.
Many private sector industries provide services that are subject to government oversight through regulatory regimes. While industries find new ways to deliver competitive quality services with technology, they have to continue to meet these regulatory standards.
The financial services industry is a key example – banks, insurance companies and securities market makers have been regulated for decades. Cloud technology, in particular, has attracted the attention of global financial regulators.
Mudd spent the last 12 months in discussions with government regulators, financial institutions and trade associations across seven countries in Asia Pacific. Government regulators are looking at a framework for cloud computing, he noted.
Regulators have taken an overall view of cloud outsourcing through three Ps – ‘Principles, Preparedness and Partnerships’.
“Cloud service providers must deliver services with confidentiality, integrity and availability, while minimizing risks, and satisfying their due diligence and audit process,” Mudd said. These three principles can help industries and regulators think of how to safely adopt cloud.
Cloud service providers should be fully transparent about where data will be located. They must not use customers’ data for any purpose other than what is necessary to provide the contracted cloud services, as per ISO 27018. Moreover, customers’ data must be separated from other data held by the service providers, he noted. Providers should also use subcontractors only if those subcontractors are subject to controls equivalent to the providers’ own.
Cloud service users should satisfy their due diligence and service provider compliance obligations by putting in place a risk management plan that includes measures to address the risks associated with using cloud services from a provider.
Users should ensure security and confidentiality by contracting services only to those providers that have been certified to have and maintain robust security measures and comprehensive security policies that meet international standards ISO 27001 and ISO 27018 at minimum.
Cloud vendors must also provide regular reporting and information to demonstrate their continued compliance with agreed standards, legal and contractual requirements throughout the duration of service provision. Additionally, they should provide access and inspection rights to regulators.
A cloud service provider must have an effective business continuity plan to ensure resilience. Service termination conditions should clearly provide for the transfer of data back to the customer and the destruction of any remaining copies.
Regional framework on cloud
The Open Computing Alliance is also working with other industry groups to refine this framework into a set of detailed principles that may satisfy regulators and provide ample room for innovation and competition, said Mudd.
“Regulated services and industry may work with the IT industry to create an acceptable set of recommendations to manage risks. Some governments, for example Singapore, are already heading down this path,” he continued.
“To take full advantage of the scalability of cloud computing, we need a regional framework approach that is consistent with global standards. In a short time, I believe this will be seen as business as usual for all regulated industries,” Mudd concluded.
Report: Medha Basu