How to regulate the cloud

How to regulate the cloud

Jeff Bullwinkel, Microsoft's director of legal for the Asia Pacific, explains why a complance benchmark would help assure firms that they can adopt the cloud without flouting the region’s maze of regulations

A benchmark of compliance would reassure financial service firms in the Asia Pacific that they can adopt the cloud without flouting the region’s maze of regulations

It is still common to hear talk about perceived regulatory barriers, and even prohibitions, to the adoption of cloud computing in the financial services industry (FSI). But recent feedback suggests a greater barrier to adoption is insufficient clarity around how exactly an FSI could move to the cloud and maintain regulatory compliance. There is also uncertainty as to what cloud solutions or cloud service providers (CSP) are the right fit for the highly regulated financial sector.

In the face of this uncertainty, and with a genuine desire to balance technical advances with due caution and safeguards, it's clear that CSPs need to work in partnership with FSI customers and regulators. The parties should collaborate to provide education, tools, solutions, and most usefully, a clear benchmark of regulatory expectations. A benchmark could validate the types of cloud solutions or CSPs that are capable of delivering a cloud best suited to the financial sector. For FSI companies, this collaboration could unlock the huge commercial benefits that cloud computing offers, while satisfying the regulators' mandate of a safe, secure and trusted FSI.

Asia regulation

FSIs operating in multiple Asia Pacific jurisdictions which want to adopt cloud solutions do face certain challenges. This is not because regulators prohibit the cloud, but rather because each country has a different set of rules and issues they deem important. Each country also has different regulatory processes and approval requirements that must be followed. And there are different levels of advancement in terms of regulatory oversight. Some, but by all means not most, countries have developed cloud-specific guidelines. Most Asian countries rely on existing outsourcing regulations and guidelines to set the framework for the take up of cloud services. Many of these guidelines were drafted decades ago.

The draft Safe Cloud Principles

1. Service provider reputation and competence

FSIs must carry out, and CSPs must assist in facilitating, a risk assessment and due diligence on the CSP to ensure it and its cloud services meet the relevant legal, regulatory, contractual and business requirements. FSIs should have in place a risk management plan that includes measures to address the risks associated with the use of cloud services.

2. Review, monitoring and control

Compliance does not end at signing of the contract. CSPs must provide regular reporting and information to demonstrate continued compliance with the legal, regulatory, contractual and business requirements for as long as the service is provided. FSIs and CSPs must meet regularly to review the reports and performance levels. The contract must provide for an effective mechanism for remedial actions arising from any issues that emerge.

3. Audit

CSPs must provide applicable financial regulators with audit rights.

4. Confidentiality and certified security standards

CSPs must be certified to have and maintain robust security measures and comprehensive security policies that meet or exceed international standards (ISO27001 accreditation should be a minimum). CSPs should use encryption technology that meets or exceeds international standards to protect and secure the FSI's data at all times.

5. Resilience and business continuity

The cloud service must be reliable. CSPs must have an effective business continuity plan with appropriate service availability, and regularly tested and updated procedures and systems. The risks of downtime should be minimised through good planning and a high degree of system resilience.

6. Location choice and transparency

CSPs must be transparent as to the location of customer data and geographic location of the data centres from which the cloud services will be provided. This transparency will enable FSIs and their regulators to perform due diligence on the government policies, economics and legal conditions of the identified locations.

7. Limits on data use

CSPs should not use FSIs' data for any purpose other than to provide the cloud service. The contract should clearly prevent CSPs from using customer data for any secondary purpose.

8. Data segregation and isolation

CSPs must segregate, and at all times be able to identify and distinguish, FSI customer data from other data they hold.

9. Conditions on subcontracting

CSPs should use subcontractors only if they are subject to controls equivalent with the CSP. The CSPs must clearly remain liable and accountable for their subcontractors.

10. Conditions on termination

FSIs must have appropriate exit provisions in the contract with the CSP. To the extent that the FSI requires, on termination the CSP must work with the FSI to return their data. The CSP must then permanently delete the data from its systems. Any data that does not need to be returned to the FSI must be permanently deleted by the CSP.

In many Asian countries, FSI companies must also consider privacy and data protection legislation. given the surge in new laws in this area in recent years. This brings into play additional issues including the often-complicated subject of cross-border data transfers. In general terms, as in Europe, the legislation across Asia does not prevent such transfers provided certain protections are assured – most notably the continuity of security and confidentiality of such data. But unlike in Europe, since the legislation is generally new, FSI companies often do not have the benefit of clear guidance and precedent around the level of protection they must have in place. For example, there are no white list countries or standard model clauses for data transfers. This can lead to additional uncertainty. Navigating the differences, and in some cases working through the underlying regulations to determine which may be relevant or what protections an FSI must have in place, can be time-consuming and complicated.

The Singapore and the Philippine financial regulators, for example are notable in having developed clear and detailed questionnaires which they require FSIs to complete before moving to the cloud. These questionnaires act as a useful checklist for the various terms an FSI should be thinking about and specific protections it should have in place with its cloud service provider.

In contrast, in some territories such as Thailand, there is uncertainty as to how IT – let alone cloud computing – is characterised for the purposes of outsourcing regulations. This leaves FSIs in a position of relative uncertainty compared with countries like Singapore or the Philippines.

FSI regulators in Australia, Hong Kong, Japan and New Zealand have published detailed guidance on outsourcing and IT. While not specifically targeted at cloud services, outsourcing guidelines have been confirmed as being relevant when FSIs are looking at moving to the cloud. Interestingly, these countries' guidelines focus on different areas. The guidance in Japan and New Zealand generally focuses on issues such as risk management, whereas in Australia and Hong Kong the focus is more on technical and operational requirements.

The net result is that FSIs in theAsia Pacific are faced with a myriad of regulations and guidelines, each of which needs to be considered and complied with. Needless to say, this makes regional or global deals challenging.

How the industry can help

So what solutions are there? From a CSP perspective, the old adage that one must know one's customer very much applies. In the context of the cloud and FSI, this may mean the CSP has to navigate the difficult regulatory path by performing due diligence of the complex legal frameworks and processes that FSI customers are subject to. For example, in Malaysia and Japan an FSI must assess and then address a number of mandatory requirements, which then need to be reflected in the CSP contract. In the Philippines, parties to a cloud deal need to be mindful that it may take an FSI longer to move forward because it must obtain regulatory approval before moving to the cloud.

An FSI should rightly expect its CSP not only to have an appreciation of the regulatory landscape, but also to anticipate these requirements by building appropriate mechanisms or terms into its contracts and solutions. This would make it as easy and efficient as possible for the FSI to meet the applicable regulatory requirements. It may, for example, be that an FSI company will seek some form of audit or inspection right, given that regulators could expect that in the majority of countries across Asia and indeed around the world.

Supporting an FSI customer is also about giving choice and being able to explain how different technical options function. An example is how customers can choose a multi-tenanted cloud solution yet still achieve data segregated by technical means, such as logical separation. Microsoft has undertaken an outreach programme in the region which has involved one-to-one meetings and roundtable discussions with FSI customers. This has been an incredibly useful tool in helping us understand the industry's concerns and, importantly, what our customers in the sector want and need from their CSP.


"A set of Safe Cloud Principles could help achieve greater certainty in the cloud industry"


However, this is not the only way in which the cloud industry can help. Given the fragmentation of regulation and lack of clarity across Asia, there is also a role for CSPs and FSIs to educate and guide regulators on the technical strengths of cloud and for that reason we have extended our outreach to include regulators. After all, no single cloud solution or provider is the same, and as with all services, not all solutions will address the genuine concerns and requirements of the FSI as a whole. Industry discussion forums, demonstrations, sharing and collaboration are all important tools to help inform, guide and build clearer regulatory frameworks based on facts rather than conjecture. Industry can help develop important benchmarks and commonality across the region regarding key issues and protections, and also demystify some of the potential concerns with particular types of cloud offerings.

One initiative that could help achieve greater certainty in the cloud industry is the formation of a set of Safe Cloud Principles. Still in their infancy and still being tweaked and formalised by a working group of different stakeholders, these principles could prove a key initiative in providing some transparency and parameters for FSIs and those that regulate or provide services to them.

Safe Cloud Principles

These proposed principles are a unified, condensed and clarified set of best practices to help FSIs, regulators and CSPs benchmark compliance. The Safe Cloud Principles cover key requirements such as confidentiality, availability and integrity and are derived from the very laws, regulations and guidelines with which FSIs must comply. In this way, they help navigate the complexities of existing regulations while also filling in gaps where certain jurisdictions have not yet developed their own guidelines. As mentioned above, there are a variety of types of cloud solutions and a great many CSPs, not all of which will be the right fit for the FSI. The principles should therefore provide a useful tool to validate a CSP and its offering as being right for an FSI customer.

In their existing, proposed form (see boxout), the principles serve a useful guide for what FSIs considering a move to the cloud should consider from a regulatory perspective.

No one-size-fits-all

It is important not to make assumptions or treat all cloud solutions and CSPs in the same way. Any decision to move to the cloud should be based on an in-depth understanding of any differences among cloud providers, and an assessment of how the technology works to establish and enforce a framework that strikes the right balance between enabling innovation and protecting FSI interests. This will happen only if all stakeholders work together to help foster a better understanding of the cloud, and in particular, take a principles-based approach to determining what is the right type of cloud for the FSI.

By Jeff Bullwinkel, Microsoft's director of legal and corporate affairs for the Asia Pacific

Gift this article