No caffeine is needed when you are in a meeting with intense, focused and organised discussion with cloud security professionals. We never get bored, and you could not stop your brain from working. Jet-lag is not a problem.
When capture and storage technology is so cheap, it is tempting for government to store everything. In this case, car plate images.
I guess the car rental business has another marketing theme to explore! Soon we will see computer rental and mobile phone rental. When trust is gone, people are willing to try extreme measures.
There is a book that offers a critical review of the abundance of surveillance technology.
Critical Issues in Crime and Society : Surveillance in the Time of Insecurity.
New Brunswick, NJ, USA: Rutgers University Press
You are being tracked. How license plate readers are being used to record Americans’ movements (ACLU, July 2013) – A little noticed surveillance technology, designed to track the movements of every passing driver, is fast proliferating on America’s streets. Automatic license plate readers, mounted on police cars or on objects like road signs and bridges, use small, high-speed cameras to photograph thousands of plates per minute. The information captured by the readers – including the license plate number, and the date, time, and location of every scan – is being collected and sometimes pooled into regional sharing systems. As a result, enormous databases of innocent motorists’ location information are growing rapidly. This information is often retained for years or even indefinitely, with few or no restrictions to protect privacy rights.
In the last post I mentioned an analysis done by a group of VCPs. One slide in their ppt is worth more discussion: the 4 hours RTO defined in the MAS notice to banks.
Recovery time objective is a well-established concept, and I have been seeing it in large-scale project design documents and also procurement RFPs. Wiki has this definition: “The recovery time objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.”
The reader has to distinguish between recovering to full service and recovering to a service level. When disaster happens, everything has to be prioritized. Not all programs are the same when you have limited resources and time. We may not expect to pay a telephone bill via ATM when there is serious flooding, but you expect the ATM to still let you draw money.
The slide (shown below) highlighted the time difference between when the event happens and when a disaster is declared. Due to the complexity of current systems and networks, fully assessing a system malfunction may take hours. Usually the incident handling procedure will require a few clarifications (if not finger pointing) before senior staff are informed about the major outage. How a bank responds to an outage is now a critical element in meeting the MAS requirement on RTO. The authors of this slide contended that it is far less than four hours and manual steps are not going to meet this requirement. I believe they do have a point.
Will the MAS TRM requirements and notice make 24×7 internet banking a white elephant? Let us wait for the 2104 DBS annual report and find out their cost ratio.
Since Singapore MAS released the TRM guideline last month, I believe many people are studying it (including me). Big Four accounting firms are usually most active in publishing explanatory reports and articles with the purpose of generating more business leads.
However, a group of VMware certified professionals are taking the lead this time. They worked together and published a MAS TRM analysis report focusing on DR and visualization. Some of the observations are valid. The document can be found on the VMware website.
A few I would like to share:
- Process and Committee oriented. No Agile and rapid innovation.
- All social media sites, cloud-based storage, web-based emails are classified as “unsafe internet services”. No technical fact is given to support why they are all insecure.
- Trust no employee: Sys Admin must be tracked.
The essence of the new risk management is to produce the governance and regulation of unknowable uncertainties via a distinctive kind of organizational proceduralization which prioritizes the auditability of process.
The concept of risk, unlike that of danger and uncertainty, implies a domain for decision making about the future and a corresponding allocation of responsibility for that decision.
The last post discussed the complication of running multiple bank applications on the same computing platform and needing to decide when to report “a relevant incident” within one hour upon discovery.
This part will discuss how this requirement is going to affect Service Level Agreements in Singapore banking IT operations. Before this MAS notice comes into effect, IT operations usually design system uptime or availability requirements according to business needs. Systems supporting real-time financial transactions have the higher uptime requirements. Even market data feed and AML systems, which are not auxiliary to financial transactions, require high availability. Infrastructure systems and monitoring services are usually regarded as secondary where availability is concerned. Failure of a network monitoring system will not directly impact users or cause direct financial loss.
The MAS requirement on incident reporting within one hour upon discovery will change the importance of infrastructure systems and monitoring services. Although it is possible for a bank to discover a data breach or system malfunction weeks after the actual event happened, that is not what this MAS notice is designed for. The one hour upon discovery requirement assumes the bank has a sound and robust monitoring infrastructure. Monitoring systems will need to run with a similar availability requirement as the core financial systems that require monitoring services. Real-time log aggregation systems like ArcSight and Splunk are important tools for discovering network attacks and system malfunctions. If a bank relies on these systems to detect attacks and provide real-time intelligence, their uptime will directly impact the bank’s capability to fulfill the one hour reporting upon discovery requirement. For example, suppose ArcSight is used to monitor 200 servers and is down due to an error when an SQL injection attack happens. The DB server log will still record the event at the correct time. When the ArcSight error is fixed, it will start processing server logs and the SQL injection attack will be identified. The time of discovering this attack will be much later than the time the server log recorded. Could the bank claim the discovery is at the later time, when ArcSight has recovered from the error? Or will MAS deem the discovery to have happened when the DB server recorded the attack?
The actual response and judgement will need to consider the specific details of each case. However, the SLA of monitoring systems will need to improve in order to show the bank is committed to meeting the MAS notice.
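The monitoring-outage scenario above can be measured rather than argued after the fact. The sketch below is an added example, not part of the original post or of any vendor's tooling: it compares the time an event was written to the server log with the time the log aggregation system processed it, and shows the reporting deadline under both readings of "discovery". The record layout, host names, timestamps and the 5-minute lag threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

REPORT_WINDOW = timedelta(hours=1)  # "within one hour upon discovery"
MAX_LAG = timedelta(minutes=5)      # assumed SLA for log-to-SIEM delay

# Constructed records: (source, event time in server log, time SIEM processed it, alert?)
RECORDS = [
    ("db01", "2013-07-20 09:58:10", "2013-07-20 09:58:40", False),
    ("db01", "2013-07-20 10:02:00", "2013-07-20 13:31:05", True),  # SQL injection, SIEM down
    ("web03", "2013-07-20 10:40:00", "2013-07-20 13:31:20", False),
    ("db01", "2013-07-20 13:35:00", "2013-07-20 13:35:20", False),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def alert_findings(records, max_lag=MAX_LAG):
    """For each alert, return the detection lag and both candidate deadlines."""
    findings = []
    for source, event_ts, ingest_ts, is_alert in records:
        event, ingest = parse(event_ts), parse(ingest_ts)
        lag = ingest - event
        if lag < timedelta(0):
            raise ValueError(f"{source}: processed before event time, check clock sync")
        if is_alert:
            findings.append({
                "source": source,
                "lag": lag,
                "lag_sla_breached": lag > max_lag,
                "deadline_from_log_time": event + REPORT_WINDOW,
                "deadline_from_siem_time": ingest + REPORT_WINDOW,
                # True when the stricter reading was already missed at detection
                "late_on_arrival": ingest > event + REPORT_WINDOW,
            })
    return findings

def blind_window(records, max_lag=MAX_LAG):
    """Estimate the monitoring blind period from the delayed records."""
    delayed = [(parse(e), parse(i)) for _, e, i, _ in records
               if parse(i) - parse(e) > max_lag]
    if not delayed:
        return None
    return min(e for e, _ in delayed), max(i for _, i in delayed)

if __name__ == "__main__":
    for finding in alert_findings(RECORDS):
        print(finding)
    print("blind window:", blind_window(RECORDS))
```

Tracking this lag continuously gives the bank evidence of when monitoring was blind, which is the fact the two interpretations of discovery time turn on.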
While attending a PWC Singapore meeting on the new MAS guideline, I had many questions in my head regarding how the 1 hour incident reporting requirement could be fulfilled.
The requirement obliges banks operating in Singapore to report to MAS within one hour when a relevant incident (security breach or malfunction) is discovered.
There are a few levels of complexity. One is the application boundary issue. The other is the SLA issue.
Most international bank systems are located in multiple time zones. A trading system may be in London and centrally managed. The Singapore application runs side by side with other regions' applications. If only the Japan application is under attack, shall MAS be informed, taking into consideration that the affected JP application is running on the same hardware platform as SG? If yes, MAS will be a central info hub for security incidents globally. Also, with the time zone issue, international banks in Singapore will need to respond to global incidents and be able to decide if an incident happening in London should be reported to MAS, not to mention the one hour requirement.
Systems are no longer running localized versions. Virtualization and cost saving have already changed the old systems to centralized and shared platforms. A clear boundary cannot easily be drawn when a component is affected.
I believe this question is already considered by relevant parties and MAS. One possible solution is to focus on whether the remote incident materially impacts Singapore operations. There should be some mutual understanding between the regulator and banks on how to limit the catch-all possibility of the incident reporting requirement. Will talk about SLA later.