Singapore regulator casts doubt on banking clouds

Powered by SC Magazine
 

Too risky, says Monetary Authority of Singapore.

Banks considering using third party cloud computes for core applications are likely to meet strong opposition from regulators, according to an executive at the Monetary Authority of Singapore.

Tony Chew, director of technology risk at the Monetary Authority of Singapore told a security conference in the United States that regulators were unlikely to allow a bank to put customer data into the cloud without significant due diligence, pointing out that in Singapore such behaviour could be punished with a three year jail term and a hefty fine.

"[Cloud] vendors do not understand the regulatory system and laws applying to financial services," he told McAfee's Focus 2010 security conference in Las Vegas.

Chew also pointed to outages that have affected Amazon Web Services, Google App Engine, and Microsoft Azure, suggesting that there would be a huge loss of confidence in a bank that could not continue to process transactions.

Chew was also concerned by what he termed the 'nested cloud' - scenarios in which cloud providers use services from other providers to deliver a service. A hypothetical example would be an application offered by one provider that runs on virtual servers from Rackspace and uses storage from Amazon S3.

Chew pointed to disclosures in US SEC 10-Q filings by various cloud providers as examples of further cause for concern.

Rackspace's filing, he said, notes that the majority of its customers do not pay the extra fees charged for disaster recovery services. Rackspace customers have experienced interruptions in service, he said.

"How could a bank use such a facility?" he asked, noting that 10-Q filings by Google and Salesforce.com (among others) contain similar disclosures.

While legal requirements differ between countries, regulators generally require financial institutions to demonstrate the reliability, availability, resiliency and recoverability of their systems.

In Australia, this process is overseen by the Australian Prudential Regulatory Authority (APRA) via a series of published guidelines.

The Monetary Authority of Singapore has also issued various sets of guidelines to financial institutions. Among its requirements is the mandatory use of two-factor authentication for online banking sevrices - which Chew said has practically eliminated Internet banking fraud in Singapore. He expects to add specific guidelines around cloud computing to the list in 2011.

The writer travelled to Las Vegas as the guest of McAfee.

Copyright © iTnews.com.au . All rights reserved.


Singapore regulator casts doubt on banking clouds
 
 
 
Top Stories
Feeling Shellshocked?
Stay up to date with patching for the Bash bug.
 
Amazon forced to reboot EC2 to patch Xen bug
Rolling restarts over next week.
 
Vodafone reveals plans to store users' online activity
Says retrieval under Govt proposal will impose massive cost.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  66%
 
Advanced persistent threats
  4%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  12%
TOTAL VOTES: 1355

Vote