BHS Services S.A. All rights reserved.
Luxembourg, 9th May 2018
Cloud Computing for financial institutions
Luc Maquil
EU-Wide harmonization effort with fast adoption in Luxembourg
Circular 17-654 (Cloud Circular)
May 2017 (13 months earlier)
EBA Cloud Recommendations
Published December 2017
Apply on 1st July 2018
1. Complement the existing general outsourcing guidelines for the specific context of cloud outsourcing.
2. Promote guidance to institutions for the use of cloud services in Luxembourg (CSSF) and EU-wide (EBA).
3. Harmonize supervisory expectations across the EU for institutions adopting cloud computing.
Differences between General Outsourcing and Cloud Outsourcing

[Diagram: layered stack of Physical, Network, Virtualization, System, Operation, Application and Data. Under general outsourcing the outsourcing partner takes on customer data and infrastructure together; under cloud outsourcing the cloud provider delivers the infrastructure layers and the customer data is kept separate.]

General Outsourcing (Circular 17-656): The outsourcing partner is in charge of resource provision and operation and generally needs access to the customer data. PSF license needed!

Cloud Outsourcing (Circular 17-654): The Cloud Resource Provider does not need access to the customer data. No PSF license needed! The Cloud Resource Operator has access to the data (a PSF license is needed if in Luxembourg).
We can finally unleash the public cloud !
Outline of the 17-654 Circular
1. Applicable only to real clouds (as defined by NIST)
2. Strict separation between resource provision and cloud operation.
3. Governance, Risk, Business Continuity and Disaster Recovery, Information Security
4. Training is mandatory (Cloud Officer and trained team)
5. Contractual and legal terms (Right to Audit, SLA, Outsourcing Policy)
Process: Materiality Assessment, then Notification or Approval.
Materiality Assessment

CSSF: an activity shall be deemed to be "material" if it is:
(a) Any activity necessary for sound and prudent risk management
(b) Relevant to the institution's ability to meet the regulatory requirements
(c) Relevant to the ability to continue its operations

EBA: Institutions should perform this assessment of activities' materiality on the basis of the CEBS guidelines and taking into account all of the following:
(a) The criticality and inherent risk profile of the activities to be outsourced
(b) The direct operational impact of outages, and related legal and reputational risks
(c) The impact that any disruption of the activity might have on the institution's revenue prospects
(d) The potential impact that a confidentiality breach or failure of data integrity could have on the institution and its customers

A materiality assessment can be carried out as part of an outsourcing project (as defined by the Outsourcing Policy).
Contractual terms and right to audit

Paragraph 30:
Jurisdiction: EU
Datacenter location: in the EU for at least 1 datacenter (for worldwide operators)
Contract between ISCR and Operator: if inside a group, an intra-group agreement is needed
Roles and responsibilities: defined
SLA: defined
Data deletion on contract termination: a link to GDPR
Incident management
Access to documentation

Paragraph 28:
Customer consent for outsourcing of data and/or processing. It is advisable to change this at the same time as the GDPR changes.

Paragraph 32:
Unconditional right to audit from the regulator and the customer. If information not available through available.
1. The institution (ISCR) operates the cloud.

[Diagram: ISCR (signatory of the Cloud Agreement and of the software licensing agreement) contracts directly with the Cloud Resource Provider.]

1. The Cloud Officer is provided by the ISCR, as well as resources skilled to run cloud operations.
2. The ISCR is the signatory.
3. The Cloud Services Provider can be in Luxembourg or abroad and does not need to have a PSF license.

Best applicable to highly standardized workloads!
2. The institution mandates a support PSF to run cloud operations

[Diagram: Client (ISCR), signatory of the IT outsourcing agreement, mandates a Cloud Operator PSF in Luxembourg, signatory of the Cloud Agreement, which contracts the Cloud Resource Provider.]

1. The ISCR outsources IT cloud operations to the Operator.
2. If in Luxembourg, the Operator needs to be a PSF.
3. The Operator or the ISCR may be the signatory of the cloud contract.
4. If the Operator is the signatory, a specific approval is needed from the CSSF.
3. The cloud operator is abroad and non-PSF

[Diagram: Client (ISCR), signatory of the IT outsourcing (operations) agreement, mandates a non-PSF Cloud Operator outside Luxembourg, signatory of the Cloud Agreement, which contracts the Cloud Resource Provider.]

1. The ISCR outsources operations to the Operator, which is abroad (a non-PSF company) or a member of the group.
2. A thorough risk assessment is needed for the cloud operations.
3. The Operator or the ISCR may be the signatory of the cloud contract.
4. Usage of expert resources abroad (Services Agreement)

[Diagram: a Cloud Advisor (expert), i.e. a software provider or IT advisor, advises the Client (ISCR) and/or the Cloud Operator (signatory of the Cloud Agreement; PSF if in Luxembourg, non-PSF if abroad), which in turn contracts the Cloud Resource Provider.]

An external cloud advisor such as a software provider or an IT advisor may advise the operator or the ISCR, as long as there is no delegation of responsibility.
Approach

1. Analysis
Actions
■ Collection of the documentation and workshops.
■ Analysis of the Target Operating Model, including business model, technology, organization and processes.
■ Gap analysis and creation of a roadmap / action list.
Deliverable
■ Proposed actions, recommendations

2. Writing
Actions
■ Assembling the Approval or Notification Document.
■ Pre-checking the application file with the CSSF (only if needed).
■ Discussions and alignment with the Cloud Resource Provider and/or Operator.
Deliverable
■ Approval or Notification Document

3. Filing
Actions
■ Hand-over of the file to the CSSF.
■ Facilitating the question and answer process.
Thank You!
Luc Maquil