Addressing BNM's Cloud & Data Risk Management In . - Blue Fortress


thalesgroup.com

Addressing BNM's Cloud & Data Risk Management in Technology (RMiT) Policy for Financial Institutions in Malaysia

Contents

Introduction
  The need for compliance and regulatory standards
About the BNM Risk Management in Technology (RMiT) Policy
Brief Overview of Thales Solutions
About Thales Cloud Protection & Licensing
References

Introduction

The need for compliance and regulatory standards

The financial industry in Malaysia is now gearing up for change after Bank Negara Malaysia (BNM) released a Risk Management in Technology (RMiT) Policy for Financial Institutions. RMiT highlights the need to provide and enable a secure framework for technological innovation, as the country and businesses operating in Malaysia shift toward digitization.[i] Banks able to adopt a cloud strategy can move with agility to keep up with rapid market shifts, harness multiple cloud analytics solutions for smoother and faster operations, and potentially scale up their offerings while controlling cost.

According to Bank Negara Malaysia (BNM) governor Datuk Nor Shamsiah Mohd Yunus, the increasing reliance on technology and its associated risks cannot be ignored.[iv] With the future of Malaysia's financial institutions at stake, it is imperative to understand how digitization will impact the financial industry, and how financial institutions, be they large or small, are able to respond to present and ongoing trends.

A recent study found Malaysia was among the world's top source countries for credential stuffing over the past two (2) years.[ii] Credential stuffing attacks are one of the region's biggest culprits for bank account and identity theft.

"When all are interconnected, individuals, governments and companies will be exposed to the threat of cyber attacks," [Executive director-general of CyberSecurity Malaysia Datuk Dr Amirudin Abd Wahab] said, adding that cyber security was something that both the industry as well as individual users needed.[iii]

Data security is always a concern, whether in the cloud or on-premises.

About the BNM Risk Management in Technology (RMiT) Policy

What is it?

BNM's Risk Management in Technology (RMiT) policy is intended to formalize the risk management programs used when adopting cloud and other technological innovations in Malaysian financial institutions (FIs), such as banks, insurers, prescribed development FIs, issuers of e-money, as well as Takaful insurers (a type of Islamic insurance).

Whom will it impact?

The policy affects the following that BNM refers to as financial institutions:
1. A licensed person under the Financial Services Act (FSA) and the Islamic Financial Services Act (IFSA), excluding branches of a foreign professional reinsurer and a professional retakaful operator
2. A prescribed development financial institution under the DFIA
3. An eligible issuer of e-money, also known as an approved issuer of electronic money with substantial market presence based on the criteria set out in Appendix 1 of the policy document on Interoperable Credit Transfer Framework.

The RMiT applies to the following entities:
- Licensed Banks
- Licensed Investment Banks
- Licensed Islamic Banks
- Licensed Insurers, including Professional Reinsurers
- Licensed Takaful Operators, including Professional Retakaful Operators
- Prescribed Development Financial Institutions
- Approved Issuers of Electronic Money
- Operators of a Designated Payment System

Why is there a need for this policy?

The RMiT policy addresses the need to reduce the risks brought by the ever-increasing use of technology in financial services and institutions. According to the draft, "the growing sophistication of cyber threats also calls for the increased vigilance and capability of financial institutions to respond to emerging threats. Critically, this should ensure the continuous availability of essential financial services to customers and adequate protection of customer data."

The policy affects large financial institutions as well, referring to institutions with significant market share or a large network of offices located within or outside Malaysia through operations of branches and subsidiaries.

When will it come into effect?

BNM's RMiT policy document was issued in July 2019. The policy is expected to come into effect on January 1, 2020.

Compliance with Data Security Regulations and Standards with Thales

We are pleased to share highlights on the different areas where Thales Cloud Protection & Licensing (CPL), and our integrations with Cloud Service Providers such as Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP) and others, can help organizations address and comply with the respective mandates of BNM's RMiT policy.

Specifically, Thales solutions support the policy categories under the following domains:
- Cloud Services: Data encryption, Thales Vormetric CipherTrust Cloud Key Manager, and other Thales data security solutions
- Cryptography: Vormetric Data Security Platform
- Data Centre Operations: Thales encryption solutions
- System Development and Acquisition: Identity and access management solutions, tokenization solutions, and Thales encryption solutions to secure structured and unstructured data
- Security of Digital Services: End-to-end encryption solutions

Cloud Services

10.49
Description: A financial institution must fully understand the inherent risk of adopting cloud services. In this regard, a financial institution is required to conduct a comprehensive risk assessment prior to cloud adoption which considers the inherent architecture of cloud services that leverages on the sharing of resources and services across multiple tenants over the Internet. The assessment must specifically address risks associated with the following:
Thales Solution: Not applicable

b) migration of existing systems to cloud infrastructure;
Thales Solution: When making a move into the public cloud, there is a real risk of carrying flawed data security practices forward into an environment that may be even more unforgiving than an on-premises system. Thales can help prepare you to move to public clouds with a variety of solutions that will allow you to:
- Control privileged user and super/admin access
- Guard against potential unauthorized copying
- Overcome the lack of visibility
- Mitigate the exposure of raw data
- Maintain ownership of your encryption keys
- Establish standard identity and data protection policies
- Demonstrate definitive proof of access and data control in compliance audits

c) location of cloud infrastructure;
Thales Solution: Most public cloud infrastructures are located in various regions around the globe, so data sovereignty has and always will be a concern for financial institutions (FIs) that hold and process their customers' data, because digital information is subject to the laws and regulations of the country where the data is being stored. It is therefore critical for sensitive data migrated to the cloud to be secured with the assumption that it can be disclosed to foreign entities at any given time.

The solution to this is data encryption. Thales can assist FIs to encrypt or tokenize cloud data efficiently to allow the FIs to take advantage of cloud benefits, while still being protected from foreign jurisdiction. With encryption, data can be stored in any cloud location worldwide, but the encryption keys are kept on-premises within the FI's data centre under control of Malaysian sovereignty.

d) multi-tenancy or data co-mingling;
Thales Solution: One of the risks from multi-tenancy in cloud environments is the loss of data isolation. Virtualization layers are complex software systems. This complexity can lead to vulnerabilities that could allow a virtual machine user to gain control of the virtualization layer and from there gain control of all other virtual machines running on the same physical host.

Data encryption mitigates the risk of these vulnerabilities by ensuring tenants have the capability to issue and revoke specific encryption keys used per cloud instance. The Thales data security portfolio provides cloud-ready encryption solutions that are easy to deploy while requiring negligible compute overhead.

e) vendor lock-in and application portability or interoperability;
Thales Solution: The Thales range of data security solutions utilize widely accepted industry-standard encryption algorithms like AES, ensuring encrypted data can be accessed by any other cloud/application as long as the encryption keys are available.

f) ability to customise security configurations of the cloud infrastructure to ensure a high level of data and technology system protection;
Thales Solution: The Thales data security platform offers granular administrative control of security configurations and policies that can be tailored to a variety of system requirements and protection levels.

g) exposure to cyber-attacks via cloud service providers;
Thales Solution: Cloud infrastructures are exposed not only to cyber-attack risks similar to those of on-premises infrastructures, but to others as well. A common avenue of cyber attacks, such as data breaches, is misconfigured access controls on cloud services. This happens due to the ease with which cloud services can be provisioned.

Thales helps reduce the risk of such cyber attacks by providing data encryption and access management solutions. By properly encrypting the data in the cloud, the risk of a data breach occurring is significantly contained, as the attacker would only gain access to encrypted data and not the keys that are securely stored in a separate facility. Access management further helps to mitigate the risk of cyber-attacks by enforcing multi-factor authentication for cloud users and ensuring visibility into access events.

h) termination of a cloud service provider including the ability to secure the financial institution's data following the termination;
Thales Solution: In the event of a contract termination between the FI and a cloud service provider (CSP), a concern would be the FI's data that exists in the CSP infrastructure. The FI can rely on the contract that might state that data will be erased upon termination, but the FI has no means to ensure that this erasure is done.

To ensure this data cannot be reused by the CSP, the FI can instead utilize encrypted data. Upon contract termination, the cached encryption keys in the cloud environment are revoked so the FIs have certainty that the data in the cloud will be inaccessible to the CSP or any other cloud tenant. The use of cached encryption keys can be provided by the Thales data security platform.

j) ability to meet regulatory requirements and international standards on cloud computing on a continuing basis.
Thales Solution: Regulatory requirements and international standards like PCI-DSS can be achieved on-premises or in the cloud by the Thales data security range of products.

10.51
Description: A financial institution is required to consult the Bank prior to the use of public cloud for critical systems. The financial institution is expected to demonstrate that specific risks associated with the use of cloud services for critical systems have been adequately considered and addressed. The risk assessment shall address the risks outlined in paragraph 10.49 as well as the following areas:
Thales Solution: Not applicable

b) the availability of independent, internationally recognised certifications of the cloud service providers, at a minimum, in the following areas: (i) information security management framework, including cryptographic modules such as used for encryption and decryption of user data; and (ii) cloud-specific security controls for protection of customer and counterparty or proprietary information including payment transaction data in use, in storage and in transit.
Thales Solution: Cryptographic modules used for encryption and decryption are commonly certified in standards like FIPS 140-2 and Common Criteria. The CSP may or may not have achieved these certifications, but the FI can use their own cryptographic modules instead of relying on the CSP's cryptographic services. Thales provides FIPS 140-2 and Common Criteria certified cryptographic modules such as the Vormetric DSM and the Luna SA HSM.

10.53
Description: A financial institution must implement appropriate safeguards on customer and counterparty information and proprietary data when using cloud services to protect against unauthorised disclosure and access. This shall include retaining ownership, control and management of all data pertaining to customer and counterparty information, proprietary data and services hosted on the cloud, including the relevant cryptographic keys management.
Thales Solution: With the Thales Vormetric CipherTrust Cloud Key Manager, the use of cloud services is secured by providing the FIs the ownership, control and management of cloud encryption keys even in multi-cloud environments.

Cryptography

10.16
Description: A financial institution must establish a robust and resilient cryptography policy to promote the adoption of strong cryptographic controls for protection of important data and information. This policy, at a minimum, shall address requirements for:
Thales Solution: Not applicable

a) the adoption of industry standards for encryption algorithms, message authentication, hash functions, digital signatures and random number generation;
Thales Solution: The Vormetric Data Security Platform offers the use of industry-standard algorithms, hashing, and signing with RNG in a centralized and secure platform.

b) the adoption of robust and secure processes in managing cryptographic key lifecycles which include generation, distribution, renewal, usage, storage, recovery, revocation and destruction;
Thales Solution: The Vormetric Data Security Platform provides the entire key lifecycle management via various methods including the Key Management Interoperability Protocol (KMIP) standards, PKCS #11 as well as our own centralized multi-cloud key management.

c) the periodic review, at least every three years, of existing cryptographic standards and algorithms in critical systems, external linked or transactional customer-facing applications to prevent exploitation of weakened algorithms or protocols; and
Thales Solution: The Vormetric Data Security Platform allows for automatic key rotation with no application downtime, enabling customers to easily migrate to newer cryptographic standards if and when required.

d) the development and testing of compromise recovery plans in the event of a cryptographic key compromise. This must set out the escalation process, procedures for keys regeneration, interim measures, changes to business-as-usual protocols and containment strategies or options to minimise the impact of a compromise.
Thales Solution: The Vormetric Data Security Platform can assist in situations where cryptographic keys are compromised. Keys can be rotated on demand to minimize the impact of key compromise.

10.17
Description: A financial institution shall ensure clear senior-level roles and responsibilities are assigned for the effective implementation of the cryptographic policy.
Thales Solution: The Vormetric Data Security Platform provides robust role separation to allow organizations to securely leverage the Data Security Manager infrastructure. Security administration can be broken down into responsibilities, so that one person might administer the creation of data encryption keys, while a different person would administer the hosts and policies applied to that key.

This can be taken further with Security Management Domains that combine this role-based administration with the ability to compartmentalize the management for policies, data encryption keys, agent configurations, and audit logs for a particular business group.
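The hold-your-own-key pattern behind items c), d) and h) of paragraph 10.49 and the on-demand key rotation under 10.16 d), shown as an added example that is not Thales code: each cloud instance gets its own data encryption key (DEK), the DEK is stored only in wrapped form under a key-encryption key (KEK) that never leaves a stand-in on-premises key manager, so revoking the KEK makes ciphertext left in the cloud unrecoverable and rotating the KEK re-wraps only the small DEKs, not the bulk data. The HMAC-SHA256 counter-mode cipher is an illustrative stand-in for AES so the script needs only the Python standard library; OnPremKeyManager and CloudInstance are hypothetical names, not product APIs.

```python
import hashlib
import hmac
import secrets
import struct

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-CTR (illustration only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(key):  # independent encryption and MAC subkeys from one 32-byte key
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def encrypt(key, plaintext):
    # Encrypt-then-MAC: nonce(16) || body || HMAC-SHA256 tag(32).
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

class OnPremKeyManager:
    # Hypothetical stand-in for the FI's on-premises key manager; KEKs never leave it.
    def __init__(self):
        self._keks = {}  # kek_id -> KEK bytes, or None once revoked
    def create_kek(self):
        kek_id = "kek-" + secrets.token_hex(4)
        self._keks[kek_id] = secrets.token_bytes(32)
        return kek_id
    def _kek(self, kek_id):
        kek = self._keks.get(kek_id)
        if kek is None:
            raise PermissionError(kek_id + " is revoked or unknown")
        return kek
    def wrap(self, kek_id, dek):
        return encrypt(self._kek(kek_id), dek)
    def unwrap(self, kek_id, wrapped_dek):
        return decrypt(self._kek(kek_id), wrapped_dek)
    def revoke(self, kek_id):
        self._keks[kek_id] = None  # item h): ciphertext left in the cloud is now unrecoverable
    def rotate(self, old_id, wrapped_deks):
        # 10.16 d): re-wrap the DEKs under a fresh KEK; the bulk ciphertext is untouched.
        new_id = self.create_kek()
        rewrapped = [self.wrap(new_id, self.unwrap(old_id, w)) for w in wrapped_deks]
        self.revoke(old_id)
        return new_id, rewrapped

class CloudInstance:
    # Hypothetical tenant workload in the cloud: it holds only its wrapped DEK and ciphertext.
    def __init__(self, kms, kek_id):
        self.kms, self.kek_id = kms, kek_id
        self.wrapped_dek = kms.wrap(kek_id, secrets.token_bytes(32))  # per-instance DEK
    def store(self, record):
        return encrypt(self.kms.unwrap(self.kek_id, self.wrapped_dek), record)
    def read(self, blob):
        return decrypt(self.kms.unwrap(self.kek_id, self.wrapped_dek), blob)

def raises(exc, fn, *args):
    try:
        fn(*args)
        return False
    except exc:
        return True

def demo():
    kms, results = OnPremKeyManager(), {}
    kek = kms.create_kek()
    a, b = CloudInstance(kms, kek), CloudInstance(kms, kek)
    blob = a.store(b"account 1234-5678 balance MYR 10500")  # constructed sample record
    results["round_trip"] = a.read(blob)
    results["isolated"] = raises(ValueError, b.read, blob)  # item d): co-tenant has a different DEK
    new_kek, (a.wrapped_dek, b.wrapped_dek) = kms.rotate(kek, [a.wrapped_dek, b.wrapped_dek])
    a.kek_id = b.kek_id = new_kek
    results["readable_after_rotation"] = a.read(blob)
    kms.revoke(new_kek)  # item h): contract termination
    results["revoked"] = raises(PermissionError, a.read, blob)
    return results
```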

10.19
Description: A financial institution must ensure cryptographic controls are based on the effective implementation of suitable cryptographic protocols. The protocols shall include secret and public cryptographic key protocols, both of which shall reflect a high degree of protection to the applicable secret or private cryptographic keys. The selection of such protocols must be based on recognised international standards and tested accordingly. Commensurate with the level of risk, secret cryptographic key and private-cryptographic key storage and encryption/decryption computation must be undertaken in a protected environment, supported by a hardware security module (HSM) or trusted execution environment (TEM).
Thales Solution: Thales is the leading provider of Hardware Security Modules (HSMs) for the banks in Malaysia and around the world. HSMs are certified to international standards such as FIPS 140-2, Common Criteria, eIDAS and PCI-PTS.

Data Centre Operations

10.31
Description: With regard to paragraph 10.30, a financial institution should also adopt the controls as specified in Appendix 1 or their equivalent to secure the storage and transportation of sensitive data in removable media.
Thales Solution: Sensitive data stored in removable media can be protected by Thales solutions by ensuring the data is encrypted before being stored and transported. Thales solutions can be integrated with leading backup solution vendors to manage the backup encryption keys and to separate the data from the keys. Thales can also help provide the encryption solution necessary to secure the data before being backed up and stored in removable media.

System Development and Acquisition

10.8
Description: A financial institution must establish a sound methodology for rigorous system testing prior to deployment. The testing shall ensure that the system meets user requirements and performs robustly. Where sensitive test data is used, the financial institution must ensure proper authorisation procedures and adequate measures to prevent their unauthorised disclosure are in place.
Thales Solution: Thales provides identity and access management solutions to help ensure proper authorized use of sensitive test data. Thales also provides tokenization solutions to anonymize sensitive information in test data so that it can be processed by third-party providers with lower privileges without the risk of data loss.

10.11
Description: In relation to critical systems that are developed and maintained by vendors, a financial institution must ensure the source code continues to be readily accessible and secured from unauthorised access.
Thales Solution: Thales provides solutions to help secure structured and unstructured data, such as source code, by encrypting the entire source code to protect it from unauthorized access.

System Development and Acquisition

10.67
Description: A financial institution must implement controls to authenticate and monitor all financial transactions. These controls, at a minimum, must be effective in mitigating man-in-the-middle attacks, transaction fraud, phishing and compromise of application systems and information.
Thales Solution: Thales provides end-to-end encryption solutions to ensure data is encrypted from the point of creation to the point of storage without being exposed inside insecure systems, web servers, application servers or network devices. Man-in-the-middle attacks are completely prevented when employing end-to-end encryption.

Brief Overview of Thales Solutions

In this final section, we briefly review the products and provide links to more information on each.

Thales Cloud Protection & Licensing (CPL) is a leader in digital security, and, having helped hundreds of enterprises comply with regulatory regimes around the world, we recommend critical data protection technologies called for in virtually every set of regulations. These include:
- Data access control
- Encryption and tokenization (pseudonymisation) of data at rest
- Encryption of data in motion
- Encryption key management
- Keeping and monitoring user access logs
- The use of hardware security modules for protecting encryption keys and executing encryption processes

[Image: Thales CPL use cases and product offerings]

Data access control

Thales CPL's Vormetric Data Security Manager (DSM) enables the organization to limit user access privileges to information systems that contain sensitive information and orchestrates the Vormetric Data Security Platform, which makes it easy to manage data-at-rest security across your organization.

With SafeNet Authentication and Access Management solutions (SAS), you can leverage a unified authentication infrastructure for both on-premises and cloud-based services, providing a centralized, comprehensive way to manage all access policies. Users can log into enterprise cloud services such as Office 365, Salesforce.com, or GoogleApps through their existing SafeNet authentication mechanisms.

SafeNet Trusted Access (STA) is a cloud-based access management service that combines the convenience of cloud and web single sign-on (SSO) with granular access security. By validating identities, enforcing access policies, and applying Smart Single Sign-On, organizations can ensure secure, convenient access to numerous cloud applications from one easy-to-navigate console.

Adding Thales's SafeNet certificate-based authentication (CBA) smart card solution as an integral part of IT infrastructure significantly improves client logon security by requiring multi-factor authentication. Adding multiple factors ensures secure login to workstations and enterprise networks, eliminates complex and costly passwords, and significantly reduces help desk calls.

Encryption and tokenisation

[Figure: The Thales Data Security Platform. Data sources: local, cloud and DR. Components: Data Protection (application, KMS, DB tables, PEM system, DB OS, storage, TDE EKM), Root of Trust (HSM, certificate authority, SSL offloading, digital signing, eDoc, blockchain) and Data in Motion (HSE).]

Image above: The Thales Data Security Platform consists of the following components:
- Data Protection (for Data at Rest): Secure data at rest from multiple environments, structured or unstructured data, on-premises or in the cloud, via encryption and centralized key management.
- Root of Trust: Rely on a Root of Trust platform as a secure source of trust for centralized key management, as well as other trust-sensitive systems such as Public Key Infrastructure (PKI), Internet of Things (IoT), and Blockchain.
- Data in Motion: Tighten the security for data in motion with proven high-assurance network security for sensitive data to move from a data center to another location, or multiple sites for backup and disaster recovery, or on-premises to support a hybrid cloud solution.

Encryption and tokenisation

Thales CPL's Vormetric Transparent Encryption (VTE) solution protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases or infrastructure. Deployment of the transparent file encryption software is simple, scalable and fast, with agents installed above the file system on servers or virtual machines to enforce data security and compliance policies. Policy and encryption key management are provided by the Vormetric Data Security Manager.

Vormetric Vaultless Tokenisation with Dynamic Data Masking (VTS) dramatically reduces the cost and effort required to comply with security policies and regulatory mandates. The solution delivers capabilities for database tokenisation and dynamic display security. Enterprises can efficiently address their objectives for securing and pseudonymising sensitive assets, whether they reside in data centre, big data, container or cloud environments.

Vormetric Application Encryption (VAE) delivers key management, signing, and encryption services enabling comprehensive protection of files, database fields, big data selections, or data in platform-as-a-service (PaaS) environments. The solution is FIPS 140-2 Level 1 certified, based on the PKCS#11 standard and fully documented with a range of practical, use-case based extensions to the standard. Vormetric Application Encryption eliminates the time, complexity, and risk of developing and implementing an in-house encryption and key management solution. Development options include a comprehensive, traditional software development kit for a wide range of languages and operating systems as well as a collection of RESTful APIs for the broadest platform support.

The Vormetric Application Crypto Suite (VACS) is a set of products that streamline development efforts to add encryption, tokenisation, masking and other cryptographic functions to applications. The job of the developer is made easy and fast by leveraging sample code and APIs that are best for their environment, while key management functions are kept separate and secure in a FIPS 140-2 hardware or virtual appliance that is operated by IT or SecOps. Securing data at the application, with separation of duties for key management, provides the highest levels of protection and compliance. The Vormetric Application Crypto Suite also includes applications and utilities that leverage the core components to add security layers to databases and other structured data stores.

Encryption of data in motion

A powerful safeguard for data in motion, SafeNet High-Speed Encryptors deliver high-assurance certified data-in-motion encryption capabilities that meet secure network performance demands for real-time low latency and near-zero overhead, to provide security without compromise for data on the move across the network.

Encryption key management

Thales CPL's Vormetric Enterprise Key Management unifies and centralizes encryption key management on-premises and provides secure key management for data storage solutions. Cloud Key Management products include the CipherTrust Cloud Key Manager for centralized multi-cloud key life cycle visibility and management with FIPS 140-2 secure key storage, and Cloud Bring Your Own Key.

User access logs

Vormetric Security Intelligence Logs let your organization identify unauthorized access attempts and build baselines of authorized user access patterns. Vormetric Security Intelligence integrates with leading security information and event management (SIEM) systems that make this information actionable. The solution allows immediate automated escalation and response to unauthorized access attempts. It also provides all the data needed to specify behavioural patterns required to identify suspicious use by authorized users, as well as for training.

Hardware security modules

SafeNet Hardware Security Modules provide the highest level of encryption security by always storing cryptographic keys in hardware. SafeNet HSMs provide a secure crypto foundation, because the keys never leave the intrusion-resistant, tamper-evident, FIPS-validated appliance. Strong access controls prevent unauthorized users from accessing sensitive cryptographic material, since all cryptographic operations occur within the HSM. In addition, Thales CPL implements operations that make the deployment of secure HSMs as easy as possible, and our HSMs are integrated with SafeNet Crypto Command Center for quick and easy crypto resource partitioning, reporting and monitoring.

The award-winning SafeNet Data Protection On Demand solution is a cloud-based platform providing a wide range of cloud HSM and key management services through a simple online marketplace. These include HSM on Demand and Key Management on Demand.

About Thales Cloud Protection & Licensing

Today's enterprises depend on the cloud, data, and software to make business-driving decisions. That's why the most respected brands and largest organisations in the world rely on Thales to help them protect and secure access to their most sensitive information and software, wherever it is created, shared or stored, from the cloud and data centers to devices and across networks. Our solutions enable organizations to move to the cloud securely, achieve compliance with confidence, and create more value from their software in devices and services used by millions of consumers every day.

Contact Us

Website: thalesgroup.com
THALES Cloud Protection & Licensing, 12 Ayer Rajah Crescent, Singapore 139941
E-mail: infoapac@gemalto.com
