An apparently small change by one regulatory authority could have important implications for financial services.
If you haven’t heard of the new Technology Risk Management (TRM) guidelines issued quietly by the Monetary Authority of Singapore (MAS), this is a good moment to ponder the way that apparently small regulatory changes in distant corners of the world can suddenly ripple across global IT security as if from nowhere.
On the face of it, Singapore’s TRM is a dry-sounding refresh of banking and financial sector risk management guidelines, the most recent version of which dates back to 2008. Back then things were bad enough as corporate security was beset by unfamiliar and unnerving uncertainties; five years and a long list of data breaches, bank Trojans and targeted DDoS attacks later and the word ‘crisis’ seems nearer the mark. The overhauled MAS guidelines are the city state’s reaction to that darkening landscape.
There’s a lot of what one might expect in the TRM, particularly around stress-testing, policy design, attack readiness, testing and assessment, awareness, and the implementation of no-holds-barred data security at every conceivable level. Anyone studying the full compliance checklist will be clear that MAS has decided to set the bar as high as possible.
So far so good but here’s where it gets interesting. On the topic of access control, the guidelines break completely new ground by explicitly recommending that a privilege management regime be deployed, not just for risky departments but across the enterprise, including partners and the admins themselves.
This is an important inclusion because it demolishes years of outmoded assumptions at a stroke. It is a truism that attacks on a business can originate from inside as well as outside, but a lot of security thinking still functions on the belief that security’s most important perimeter faces outwards.
Anxiety over the actions of employees is a particular concern of the TRM. It demands segregation of duties (a way of firewalling insider risk by dividing it up into smaller amounts), the adoption of ‘never alone’ principles (a limit on the power of any one individual to do harm), and the handing out of access rights on the basis of a rational assessment of business need.
Nested within all this is the idea of least privilege that keeps the number of privileged accounts to a minimum while managing their creation, day to day use and eventual retirement in a way that minimizes risk. Privileges of all kinds, including those built into applications, should be handed out as and when they are needed, time limited where possible and relentlessly logged and audited.
The notion of visibility is absolutely key to the TRM; it is not enough to impose a security regime and then hope that it is working. Admins implementing and managing the regime must be able to demonstrate to themselves and management that it is functioning and that supervision is thorough at every level.
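The principles in the three paragraphs above (segregation of duties, ‘never alone’ approval, grants justified by business need, time-limited least privilege, and an audit trail that lets admins demonstrate the regime is working) can be shown in a small, self-contained model. The following Python is an added illustration written for this article; it is not code from MAS, the TRM, or any vendor, and the conflicting privilege pairs, user names and the `PrivilegeManager` class are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Segregation of duties: privilege pairs one person must never hold at the same
# time. These pairs are constructed for the example, not taken from the TRM.
CONFLICTING_PAIRS = {
    frozenset({"payments:create", "payments:approve"}),
    frozenset({"ledger:post", "ledger:reconcile"}),
}


@dataclass
class PrivilegeGrant:
    user: str
    privilege: str
    approvers: tuple
    justification: str
    granted_at: datetime
    expires_at: datetime


class PrivilegeManager:
    """Issues time-limited privileges under dual approval and logs every decision."""

    def __init__(self, now_fn=lambda: datetime.now(timezone.utc)):
        self.now = now_fn        # injectable clock so expiry can be exercised in tests
        self.grants = []         # grants not yet retired
        self.audit_log = []      # append-only record of every decision taken

    def _log(self, event, **fields):
        self.audit_log.append({"time": self.now().isoformat(), "event": event, **fields})

    def active_privileges(self, user):
        """Privileges the user holds right now (expired grants do not count)."""
        now = self.now()
        return {g.privilege for g in self.grants if g.user == user and now < g.expires_at}

    def request(self, user, privilege, approvers, justification, ttl_minutes=60):
        approvers = tuple(approvers)
        # "Never alone": two distinct approvers, neither of whom is the requester.
        if len(set(approvers)) < 2 or user in approvers:
            self._log("grant_denied", user=user, privilege=privilege, reason="dual approval not met")
            return None
        # Business need: no grant without a recorded justification.
        if not justification.strip():
            self._log("grant_denied", user=user, privilege=privilege, reason="no justification")
            return None
        # Segregation of duties: refuse a privilege that conflicts with one already held.
        for held in self.active_privileges(user):
            if frozenset({held, privilege}) in CONFLICTING_PAIRS:
                self._log("grant_denied", user=user, privilege=privilege, reason=f"conflicts with {held}")
                return None
        # Least privilege: every grant is time-limited from the moment it is issued.
        now = self.now()
        grant = PrivilegeGrant(user, privilege, approvers, justification,
                               now, now + timedelta(minutes=ttl_minutes))
        self.grants.append(grant)
        self._log("grant_issued", user=user, privilege=privilege,
                  approvers=approvers, expires_at=grant.expires_at.isoformat())
        return grant

    def check(self, user, privilege):
        """Authorisation decision for a privileged action; both outcomes are logged."""
        allowed = privilege in self.active_privileges(user)
        self._log("privilege_used" if allowed else "access_denied", user=user, privilege=privilege)
        return allowed

    def retire_expired(self):
        """Retire grants past their expiry and record each retirement; returns the count."""
        now = self.now()
        still_active = []
        for g in self.grants:
            if now < g.expires_at:
                still_active.append(g)
            else:
                self._log("grant_retired", user=g.user, privilege=g.privilege)
        retired = len(self.grants) - len(still_active)
        self.grants = still_active
        return retired

    def report(self):
        """Visibility: what is live right now, and how often each decision was taken."""
        self.retire_expired()
        return {
            "active_grants": Counter(g.privilege for g in self.grants),
            "events": Counter(e["event"] for e in self.audit_log),
        }


if __name__ == "__main__":
    # Constructed walk-through: a self-approved request is refused, a properly
    # approved one expires after 30 minutes, and a conflicting privilege is blocked.
    pm = PrivilegeManager()
    pm.request("alice", "db:admin", ["alice", "bob"], "change ticket 1")
    pm.request("alice", "db:admin", ["bob", "carol"], "change ticket 1", ttl_minutes=30)
    pm.check("alice", "db:admin")
    pm.request("alice", "payments:create", ["bob", "carol"], "month-end run")
    pm.request("alice", "payments:approve", ["bob", "carol"], "month-end run")
    for entry in pm.audit_log:
        print(entry)
    print(pm.report())
```

The design point is that nothing is decided silently: a denied request, a denied action and a retirement each leave a log entry, so the `report()` output is evidence an admin can put in front of management rather than a hope that the controls are working. The injectable clock exists only so that expiry can be exercised deterministically; in production the default real clock is used.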
The larger question is whether a regime such as the MAS TRM has implications beyond the borders of the city state itself. Once, new ideas might have taken years to percolate around the industry, but the highly globalized and pressured financial services industry has become rightly sensitive to best practice. Awareness of the MAS TRM among global CSOs is reportedly high, and that alone is an interesting signal.
This is the first time that a compliance authority has put privilege management on the list of financial sector security requirements in such an explicit way but it won’t be the last.
Hitherto, privilege management in particular has tended to be seen as a solution for some companies in some sectors with particular problems. MAS is a warning that as far as the financial sector is concerned this will no longer be the case. It will be an issue that spreads to affect all organizations across the spectrum.
Long before the regulators get there, CSOs will have done their homework. The important thing is to be ready.