Cybersecurity and regulatory costs of cloud
During Trescon’s World Cloud Show, a panel discussion moderator shared a news report that cloud spending across APAC was growing at a CAGR of 25-percent. This momentum would likely double cloud budgets to 10-percent of IT spending by 2023.
With cloud technology usage becoming increasingly mainstream, businesses must also remain vigilant of the various regulatory costs they potentially incur if they fail to comply.
For example in Indonesia, there are data localisation requirements under Government Regulation No.82 (GR82). This requires domestic storage of ‘a range of data’, which in turn is open to more than one interpretation – is this range of data applicable to all websites and applications that provide services, or not?
This is just one of many areas to consider when compute moves from on-premise to the cloud, moderator Joshua Au from Singapore’s A Star Agency pointed out.
“How do you assure that you meet these various regulatory requirements?” he asked his panellists from AIA Singapore, PT Bank KEB Hana, and Traveloka.
Planning for cloud
Hana Bank’s Head of IT Project, Benedict Sulaiman admitted that data privacy and security is always a sensitive issue for a regulated sector like banking, and that many regulations prohibit use of cloud technologies.
Due to this, there is a lot of reliance on on-premise IT although Benedict did observe more frequent use of cloud across the local tech landscape, since the past two years.
And then the pandemic came, and it created an opportunity to accelerate usage of cloud, because there was a need to speed up implementation and reduce time-to-market of products and services.
“In terms of security, there is plenty of supporting partnerships that provide huge opportunity in terms of securing applications or the network itself. So, security is ok, in my opinion.”
There is a challenge of ensuring long-term investments into security, which large or medium-sized banks with good investment planning, could manage.
“For smaller banks or newly created banks, it will be a hassle, however,” he observed.
Parallels could be drawn between the start up scene in Indonesia, and startup scenes in other countries in Asia. Especially for startups in finance, Benedict saw them achieve “major breakthroughs” because some regulations do not apply to them.
For example, peer-to-peer lenders could be licensed by the regulator to provide P2P lending, but they are not bound by certain regulation to not use cloud technologies.
“Banks, on the other hand, are bound to keep data within their own premises. That’s the downside of our own regulations,” he said.
On the plus side, the local regulator has recently released a new regulation, the POJK 20, which allows banks and other financial institutions to use external data centres or cloud, with certain rules and approval.
Benedict sees this as opportunity to use cloud services like AWS, Azure, or even Oracle.
Head of Information Security, Hilal John Lone, described startup Traveloka as having had the luxury of starting with cloud, and not having any on-premise infrastructure.
However, implementing compliance and regulatory mechanisms is a time-consuming process because of regulatory language that is ‘hazy’. Hilal commented, “Certain data protection standards were not fleshed out entirely; some were still in draft or in process of being adopted by industry.”
“We have massive transactions on our platform, so we have to catch up and define our own standards, sometimes. The challenge for the industry is to work with the government to bring out (these) standards for them to enforce, and for us to comply with,” Hilal rationalised.
Traveloka’s own data and privacy standards are modelled after Singapore’s as well as the European Union’s General Data Protection Regulation (GDPR). “We take these controls and implement them with customisations (so they are relevant),” Hilal explained.
This Indonesian travel solutions unicorn founded in 2012, finds itself naturally evolving into offering fintech services. While these services are still in early concept phase, it is working to comply with the local regulator, Financial Services Authority (OJK) and is mapping its standards to the strictest possible data regulatory requirements.
Hilal admitted that the biggest challenge is to come onto a common platform with the government for standards to be created, enforced and complied with.
AIA Singapore’s Information Security, Antonius Ruslan shared, “When we outsource our operations to a cloud service provider, this falls under the scope of the Monetary Authority of Singapore (MAS) guidelines. The organisation must ensure that the proper governance, risk management and internal controls by the CSP, has been assessed.”
Before engaging the cloud service provider, these factors need to be aligned with the organisation’s own policies, and on top of that, the ultimate responsibility and accountability of the cloud, is still upon the organisation.
So, the organisation has to manage the CSP, and continuously assess risks against a risk management framework. There is also due diligence to be done with regards to identity access management, application security, disaster recovery, SLAs, data retention and more.
Antonius added, “We also have regulation not specific to cloud, like the personal data protection act, which governs collection, usage and disclosure of personal data. Regardless of on-premise or in the cloud, it is a crucial for the organisation to safeguard all data and protect them from unauthorised access.”