topic Regulators highlighting Multi-Cloud Benefits in Cloud Security https://community.isc2.org/t5/Cloud-Security/Regulators-highlighting-Multi-Cloud-Benefits/m-p/55147#M260 <P>We see more and more regulatory comments on multi-cloud solutions. As a result, particularly financial institutions are asking for multi-cloud workflows (e.g. AWS and Azure), instead of single-cloud providers. If you also experience increased requests by regulatory bodies on multi-cloud deployments (or just would like to provide some comments), please share your feedback.</P><P>&nbsp;</P><P>Examples of regulator statements:</P><P>&nbsp;</P><P>In July, the <STRONG>Bank for International Settlements</STRONG> said that the financial sector‘s increased resilience on cloud computing was ‘<EM>forming single point of failure</EM>’ and ‘<EM>creating new forms of concentration risk at the technology services level</EM>’.</P><P>The <STRONG>Federal Reserve Bank of New York</STRONG> also warned about the ‘<EM>transmission of a shock throughout the network</EM>’ should financial services be ‘<EM>connected through a shared vulnerability</EM>’.</P><P><STRONG>Monetary Authority of Singapore</STRONG>&nbsp;states: ‘<EM>Cloud workloads could also be deployed in multiple geographically separated data centers (e.g. ‘zones’ or ‘regions’) to mitigate location-specific issues that may disrupt the delivery of public cloud services. ’&nbsp;</EM>Furthermore, it is stated: ‘<EM>To mitigate CSP concentration risks, FIs may consider implementing vendor diversity.’</EM></P><P>&nbsp;</P><P><STRONG>EU</STRONG>&nbsp;passed&nbsp;<A href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0595&amp;from=EN" target="_blank">Digital Operational Resilience Act (DORA)</A>, defines ICT Concentration Risk:&nbsp;<EM>‘ICT concentration risk means an exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of the latter may potentially endanger the ability of a financial entity, and ultimately of the Union’s financial system as a whole, to deliver critical functions, or to suffer other type of adverse effects, including large losses. ’</EM></P><P>Moreover, the following is stated:&nbsp;<STRONG><EM>‘</EM></STRONG><EM>Financial entities shall weigh the benefits and costs of alternative solutions, such as the use of different ICT third-party service providers, taking into account if and how envisaged solutions match the business needs and objectives set out in their digital resilience strategy.’</EM></P> Mon, 14 Nov 2022 12:02:02 GMT PeterHainz 2022-11-14T12:02:02Z Regulators highlighting Multi-Cloud Benefits https://community.isc2.org/t5/Cloud-Security/Regulators-highlighting-Multi-Cloud-Benefits/m-p/55147#M260 <P>We see more and more regulatory comments on multi-cloud solutions. As a result, particularly financial institutions are asking for multi-cloud workflows (e.g. AWS and Azure), instead of single-cloud providers. If you also experience increased requests by regulatory bodies on multi-cloud deployments (or just would like to provide some comments), please share your feedback.</P><P>&nbsp;</P><P>Examples of regulator statements:</P><P>&nbsp;</P><P>In July, the <STRONG>Bank for International Settlements</STRONG> said that the financial sector‘s increased resilience on cloud computing was ‘<EM>forming single point of failure</EM>’ and ‘<EM>creating new forms of concentration risk at the technology services level</EM>’.</P><P>The <STRONG>Federal Reserve Bank of New York</STRONG> also warned about the ‘<EM>transmission of a shock throughout the network</EM>’ should financial services be ‘<EM>connected through a shared vulnerability</EM>’.</P><P><STRONG>Monetary Authority of Singapore</STRONG>&nbsp;states: ‘<EM>Cloud workloads could also be deployed in multiple geographically separated data centers (e.g. ‘zones’ or ‘regions’) to mitigate location-specific issues that may disrupt the delivery of public cloud services. ’&nbsp;</EM>Furthermore, it is stated: ‘<EM>To mitigate CSP concentration risks, FIs may consider implementing vendor diversity.’</EM></P><P>&nbsp;</P><P><STRONG>EU</STRONG>&nbsp;passed&nbsp;<A href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0595&amp;from=EN" target="_blank">Digital Operational Resilience Act (DORA)</A>, defines ICT Concentration Risk:&nbsp;<EM>‘ICT concentration risk means an exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of the latter may potentially endanger the ability of a financial entity, and ultimately of the Union’s financial system as a whole, to deliver critical functions, or to suffer other type of adverse effects, including large losses. ’</EM></P><P>Moreover, the following is stated:&nbsp;<STRONG><EM>‘</EM></STRONG><EM>Financial entities shall weigh the benefits and costs of alternative solutions, such as the use of different ICT third-party service providers, taking into account if and how envisaged solutions match the business needs and objectives set out in their digital resilience strategy.’</EM></P> Mon, 14 Nov 2022 12:02:02 GMT https://community.isc2.org/t5/Cloud-Security/Regulators-highlighting-Multi-Cloud-Benefits/m-p/55147#M260 PeterHainz 2022-11-14T12:02:02Z