Thales Blog

9 considerations for Hong Kong banks to address the STDB Guidelines

October 5, 2021

Wood Lam | Security Consultant

Cyber incidents pose a threat to the stability of the global financial system. The digital transformation initiatives have shifted the technology landscape and introduced new threats and risks. The World Economic Forum warns that “Malicious actors are taking advantage of this digital transformation and pose a growing threat to the global financial system, financial stability, and confidence in the integrity of the financial system. Malign actors are using cyber capabilities to steal from, disrupt, or otherwise threaten financial institutions, investors and the public.”

To address the escalating cyber risks, the Hong Kong Association of Banks (HKAB) developed and published guidelines for Secure Tertiary Data Backup (STDB). The STDB Guideline contains eight security principles, grouped under Governance, Design and Data Restoration, that financial institutions in Hong Kong should consider implementing to enhance their controls to ensure business continuity. These guidelines will help banks recover and restore critical data to facilitate the resumption of critical functions, services, and systems in a timely manner in the event of destructive cyber-attacks, such as ransomware attacks.

All retail banks and foreign bank branches with significant operations in Hong Kong are expected to submit a report containing the result of their assessment to the Hong Kong Monetary Authority (HKMA) by November 2021.

Characteristics of an STDB

When setting up an STDB, financial institutions should consider the following characteristics.

  • Immutable. Protect the integrity of STDB data and ensure that it is not changed or erased during the retention period. Ensure the validity of extracted records against authoritative records in the source systems.

  • Survivable. STDB contents should remain accessible to support incident response and recovery activities, and should be recoverable without relying on any part of the organization’s infrastructure that could be compromised.

  • Air-gapped. STDB should be disconnected logically and/or physically from the rest of the financial institution’s IT infrastructure, including production and disaster recovery sites, so that it can withstand targeted cyber-attacks.

  • Secure. Adequate access control, identity management, log monitoring and real-time alerts should be in place to protect the confidentiality, integrity and availability of the STDB contents.

  • Controlled. Proper controls and mechanisms should be established during data backup and restore to provide reasonable assurance that the contents are complete, accurate and free of malware or any other computer viruses.

  • Verifiable. Validate the status of the data throughout its lifecycle and detect tampering or other forms of data corruption.

  • Assurance. Establish controls and processes to mitigate false-positive invocations, for example requiring two authorised people to approve an invocation (the “two-man rule”).

  • Heterogeneous. The design of the STDB should differ from the other production environments to reduce the likelihood of sophisticated adversaries exploiting similar vulnerabilities, design flaws, or misconfigurations.

  • High-performance. To ensure efficiency, the STDB should facilitate massively parallel processing (MPP), for example by using hash functions to combine critical data into a single unique representation of a business object, and should support the loading of live streaming data.
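Several of these characteristics (Immutable, Verifiable, Assurance and the hash-based representation under High-performance) come down to a small set of concrete controls: a canonical fingerprint per business object, a signed manifest of those fingerprints so that a changed, erased or injected record is detected at restore time, and a dual-approval check before a restore is invoked. The following Python is an added example written for this post; it is not code from the HKAB guideline or from any Thales product. It assumes constructed sample account records, a placeholder manifest key that in practice would be held in an HSM or key manager outside the production infrastructure, and HMAC-SHA256 as the tamper-evidence mechanism (the guideline does not prescribe one).

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample "business objects" (account records) to be backed up.
SAMPLE_RECORDS = [
    {"account_id": "A-1001", "owner": "ALICE", "balance": "1250.00", "currency": "HKD"},
    {"account_id": "A-1002", "owner": "BOB", "balance": "99.50", "currency": "HKD"},
]

# Assumption: the manifest-signing key lives outside the infrastructure that could be
# compromised (HSM / key manager). This placeholder value is for the example only.
MANIFEST_KEY = b"placeholder-key-held-in-hsm"


def _canonical(obj) -> bytes:
    """Deterministic JSON encoding so the same object always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def record_fingerprint(record: Dict[str, str]) -> str:
    """One unique representation of a business object: SHA-256 over its canonical form."""
    return hashlib.sha256(_canonical(record)).hexdigest()


def build_manifest(records: List[Dict[str, str]], snapshot_id: str) -> dict:
    """Fingerprint every record and bind the whole list to a snapshot id with an HMAC."""
    entries = {r["account_id"]: record_fingerprint(r) for r in records}
    body = {"snapshot_id": snapshot_id, "entries": entries}
    mac = hmac.new(MANIFEST_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_manifest(manifest: dict, records: List[Dict[str, str]]) -> List[str]:
    """Return a list of problems found; an empty list means the snapshot is intact."""
    problems: List[str] = []
    expected = hmac.new(MANIFEST_KEY, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        # The manifest itself was altered; nothing below it can be trusted.
        return ["manifest MAC mismatch: manifest was altered"]
    entries = manifest["body"]["entries"]
    seen = set()
    for r in records:
        rid = r["account_id"]
        seen.add(rid)
        if rid not in entries:
            problems.append(f"{rid}: not listed in manifest (injected record)")
        elif entries[rid] != record_fingerprint(r):
            problems.append(f"{rid}: fingerprint mismatch (tampered or corrupted)")
    for rid in entries:
        if rid not in seen:
            problems.append(f"{rid}: listed in manifest but missing from backup (erased)")
    return problems


def authorize_restore(approvals: List[str], required: int = 2) -> bool:
    """Two-man rule: a restore may be invoked only with `required` distinct approvers."""
    return len(set(approvals)) >= required


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORDS, "snapshot-2021-10-05")
    print("clean snapshot:", verify_manifest(manifest, SAMPLE_RECORDS))
    tampered = [dict(SAMPLE_RECORDS[0], balance="9999999.00"), SAMPLE_RECORDS[1]]
    print("tampered balance:", verify_manifest(manifest, tampered))
    print("single approver allowed:", authorize_restore(["alice", "alice"]))
    print("two approvers allowed:", authorize_restore(["alice", "bob"]))
```

The manifest, not just the data, is what the restore team checks first: if the MAC fails, the verification stops there rather than trusting a list the attacker may have rewritten. Running the verification from an environment that does not depend on production systems is what turns this into the “survivable” check the guideline asks for.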

How Thales can help you

Thales CipherTrust Data Security Platform is the solution you should be looking at when considering the design and implementation of STDB. CipherTrust Data Security Platform unifies data discovery, classification, data protection, and unprecedented granular access controls with centralized key management – all on a single platform.

CipherTrust Manager is the central management point for the platform. It is an industry-leading enterprise key management solution that enables organizations to centrally manage encryption keys, provide granular access controls and configure security policies. CipherTrust Manager manages key lifecycle tasks including generation, rotation, destruction, import and export; provides role-based access control to keys and policies; supports robust auditing and reporting; and offers development- and management-friendly REST APIs. CipherTrust Manager is available in physical and virtual form factors that are FIPS 140-2 compliant up to Level 3. CipherTrust Manager can also be rooted in a hardware security module (HSM) such as Thales Luna or Luna Cloud HSM.

CipherTrust Data Discovery and Classification locates regulated data, both structured and unstructured, across the cloud, big data, and traditional data stores. A single pane of glass delivers understanding of sensitive data and its risks, enabling better decisions about closing security gaps, compliance violations and prioritizing remediation. The solution provides a streamlined workflow all the way from policy configuration, discovery, and classification to risk analysis and reporting, helping to eliminate security blind spots and complexities.

CipherTrust Transparent Encryption delivers data-at-rest encryption, privileged user access controls and detailed data access audit logging. The software agent protects data in files, volumes and databases on Windows, AIX and Linux operating systems across physical and virtual servers in cloud and big data environments. The Live Data Transformation extension is available for CipherTrust Transparent Encryption, providing zero-downtime encryption and data rekeying. In addition, security intelligence logs and reports streamline compliance reporting and speed up threat detection using leading security information and event management (SIEM) systems.

Thales CipherTrust Data Security Platform and High Speed Encryptor together offer data protection whatever the state of your data, at rest or in motion. CipherTrust Transparent Encryption offers transparent encryption under all scenarios, even in an air-gapped environment; CipherTrust Manager offers KMIP connectivity to manage the keys used by storage systems; and High Speed Encryptor protects your backup data as it moves to the disaster recovery site.

Download the CipherTrust Data Security Platform product brief and data sheet to learn more.