Singapore regulator casts doubt on banking clouds

Powered by SC Magazine
 

Too risky, says Monetary Authority of Singapore.

Banks considering using third party cloud computes for core applications are likely to meet strong opposition from regulators, according to an executive at the Monetary Authority of Singapore.

Tony Chew, director of technology risk at the Monetary Authority of Singapore told a security conference in the United States that regulators were unlikely to allow a bank to put customer data into the cloud without significant due diligence, pointing out that in Singapore such behaviour could be punished with a three year jail term and a hefty fine.

"[Cloud] vendors do not understand the regulatory system and laws applying to financial services," he told McAfee's Focus 2010 security conference in Las Vegas.

Chew also pointed to outages that have affected Amazon Web Services, Google App Engine, and Microsoft Azure, suggesting that there would be a huge loss of confidence in a bank that could not continue to process transactions.

Chew was also concerned by what he termed the 'nested cloud' - scenarios in which cloud providers use services from other providers to deliver a service. A hypothetical example would be an application offered by one provider that runs on virtual servers from Rackspace and uses storage from Amazon S3.

Chew pointed to disclosures in US SEC 10-Q filings by various cloud providers as examples of further cause for concern.

Rackspace's filing, he said, notes that the majority of its customers do not pay the extra fees charged for disaster recovery services. Rackspace customers have experienced interruptions in service, he said.

"How could a bank use such a facility?" he asked, noting that 10-Q filings by Google and Salesforce.com (among others) contain similar disclosures.

While legal requirements differ between countries, regulators generally require financial institutions to demonstrate the reliability, availability, resiliency and recoverability of their systems.

In Australia, this process is overseen by the Australian Prudential Regulatory Authority (APRA) via a series of published guidelines.

The Monetary Authority of Singapore has also issued various sets of guidelines to financial institutions. Among its requirements is the mandatory use of two-factor authentication for online banking sevrices - which Chew said has practically eliminated Internet banking fraud in Singapore. He expects to add specific guidelines around cloud computing to the list in 2011.

The writer travelled to Las Vegas as the guest of McAfee.

Copyright © iTnews.com.au . All rights reserved.


Singapore regulator casts doubt on banking clouds
 
 
 
Top Stories
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
Telstra hands over copper, HFC in new $11bn NBN deal
Value of 2011 deal remains intact.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  38%
 
Your insurance company
  4%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  3%
 
A Federal Government agency (ATO, Centrelink etc)
  19%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1882

Vote
Do you support the abolition of the Office of the Information Commissioner?