The Australian Prudential Regulation Authority (APRA) has warned the entities it regulates to only enter into cloud computing arrangements where the risks are adequately understood and managed, putting banking, superannuation, and insurance companies on notice for choosing options based solely on cost.
The warning comes via the authority's Information Paper on Outsourcing involving cloud computing services [PDF], which details how best to procure cloud services, and says that decisions driven by the board or senior management which only focus on benefits and do not provide adequate visibility of associated risks has been an "observed risk" in the past by APRA.
It also highlighted the importance in being aware of the required changes to organisational capability when adopting new cloud-based technologies -- often referred to as a "cultural transformation".
"When an APRA-regulated entity is considering the use of cloud computing services, it would be expected to apply an appropriate amount of rigour to the planning of the target IT environment, and the transition from current state to the desired architecture and operating model," APRA wrote.
"This would typically be informed by business and technology strategies, and consider integration with the broader IT environment and operating model. Strategies would normally include consideration of organisational change and required capability to manage and operate such arrangements."
It is asking entities it regulates to ensure that there is little to no impact to business when transitioning to a cloud-based solution from a legacy model.
An APRA-regulated entity should consider the benefits of Australian-hosted options, if available, with the authority noting the contrary brings in a number of additional risks which can "impede a regulated entity's ability to meet its obligations; or impede APRA from fulfilling responsibilities considered necessary in its role as prudential regulator".
With security front of mind, APRA recommends that best practice would be to design the solution and associated control on the assumption that the cloud environment is un-trusted and therefore could be compromised.
Under its outsourcing standards, APRA said the entities it regulates must develop contingency plans that allow for the cloud-based service to be provided through alternative means if required, such as shifting from one cloud provider to another, or to be brought in-house.
The document released this week is an update from information published in 2015, with APRA noting that the updated content is in response to observations made on the growing usage of cloud computing services by APRA-regulated entities, and an "increasing appetite for higher inherent risk activities" as well as "areas of weakness identified as part of supervisory activities".
"The new paper acknowledges that advancements in cloud computing service offerings over the past three years have improved the ability of APRA-regulated entities to manage the risks involved," APRA said.
"However, it also emphasises the need for entities to be mindful of the differing levels of responsibility for operating and managing these arrangements."
Spruiking a public cloud-first approach, the Australian government has lifted the lid off its new Secure Cloud Strategy.
Financial services company AMP was one of the first Australian companies to turn to the cloud giant, but being at the bleeding edge meant it had to make a case for regulators.
A review has requested that Australia's largest banks be ready to hand over customer data at request from the day an Open Banking regime becomes legislated.
The bank didn't alert customers, as the tapes containing the data were 'most likely' disposed of, rather than lost.
Trying to understand and articulate the differences between public, private, and hybrid cloud? Here's a quick breakdown.