The Australian Prudential Regulation Authority (APRA) has warned the entities it regulates to only enter into cloud computing arrangements where the risks are adequately understood and managed, putting banking, superannuation, and insurance companies on notice for choosing options based solely on cost.
The warning comes via the authority’s Information Paper on Outsourcing involving cloud computing services [PDF], which details how best to procure cloud services, and says that decisions driven by the board or senior management which focus only on benefits and do not provide adequate visibility of the associated risks have been an “observed risk” in the past by APRA.
It also highlighted the importance of being aware of the required changes to organisational capability when adopting new cloud-based technologies — often referred to as a “cultural transformation”.
“When an APRA-regulated entity is considering the use of cloud computing services, it would be expected to apply an appropriate amount of rigour to the planning of the target IT environment, and the transition from current state to the desired architecture and operating model,” APRA wrote.
“This would typically be informed by business and technology strategies, and consider integration with the broader IT environment and operating model. Strategies would normally include consideration of organisational change and required capability to manage and operate such arrangements.”
It is asking entities it regulates to ensure that there is little to no impact to business when transitioning to a cloud-based solution from a legacy model.
An APRA-regulated entity should consider the benefits of Australian-hosted options, if available, with the authority noting the contrary brings in a number of additional risks which can “impede a regulated entity’s ability to meet its obligations; or impede APRA from fulfilling responsibilities considered necessary in its role as prudential regulator”.
With security front of mind, APRA recommends that best practice would be to design the solution and its associated controls on the assumption that the cloud environment is untrusted and therefore could be compromised.