The Australian Prudential Regulation Authority (APRA) has urged financial institutions to establish data classification regimes before taking up cloud or outsourcing services.
The national financial services regulator will shortly begin work on a data management guide that builds on principles of its March 2007 letter to institutions (pdf).
APRA’s head of IT risk David Pegrem said the guide would include advice on data security risk management, data management frameworks, staff training and auditing processes.
Speaking at an FST Media cloud computing conference in Sydney last week, Pegrem said APRA would urge institutions to define “critical data” and classify their various data holdings.
“The data management issue is very important if anyone is looking to put any data in the cloud,” he said.
“The number one step is to understand and to be able to classify your data in order to understand what data is going out [to third-party service providers] and what level of sensitivity has to do with that data.
“If your data is not properly classified, you’re not going to know.”
APRA planned to start working on the data management guide within the calendar year.
It would begin by considering whether to issue a single guide or separate documents for banking, superannuation and insurance industries.
Pegrem said APRA would not prescribe data classifications because it was a “principle- and risk-based regulator” that called for a “best-fit” structure from each of its constituents.
In an open letter last November, the regulator urged financial services institutions to view cloud computing as a new form of outsourcing or offshoring that required APRA’s tick of approval.
It required would-be cloud adopters in the financial services sector to undertake a “comprehensive risk assessment” of the cloud service and the “criticality and sensitivity of the IT assets involved”.
Pegrem told the conference last week that cloud computing was an as-yet immature industry, highlighting security concerns and a lack of industry standards.
“Universally accepted standards are a measure of the maturity of an industry, and we are definitely not there yet,” he said.
“The other thing is that possibly security methodology is going to have to alter if this is the future for us. At the moment, the security that we implement these days is not keeping pace with the hybrid and varied cloud offerings that are occurring.”
To date, various consortiums have banded together to develop cloud computing standards, including the Intel-backed Open Data Center Alliance and TM Forum’s Enterprise Cloud Leadership Council.
In the absence of public cloud standards, Suncorp’s executive general manager of enterprise services Paul Cameron said in-house, private cloud deployments would have to serve as aggregators and integrators of various services.
“I call it an internet service bus, an ISB,” he said, in reference to the enterprise service bus architecture model that facilitated heterogeneous enterprise IT environments.
“[The ISB] is that service integration layer in getting an elegant, secure, easy-to-use integration with a third party. Therein lies some challenges.”
Integration challenges could be amplified by “rogue” cloud services, commissioned by various business units without the approval of the IT department.
Pegrem said cloud deployments should be approved by an institution’s board of directors or executive management and by data architecture managers.
He urged institutions to “think strategically and hasten slowly” into cloud computing.
“If you think the offerings today are any good, they should be better tomorrow and probably cheaper,” he said.
“Think very carefully and think long and hard about what it is exactly you’re trying to do. And do your homework from end to end.”