
Addressing BNM’s Cloud & Data Risk Management in Technology (RMiT) in Malaysia

Thales helps financial institutions in Malaysia address risks from adopting cloud and other technological innovations.

Risk Management in Technology (RMiT) policy


The financial industry in Malaysia geared up for change after the Bank Negara Malaysia (BNM) released a Risk Management in Technology (RMiT) Policy for Financial Institutions in 2020. RMiT highlights the need to provide and enable a secure framework for technological innovation, as the country and businesses operating in Malaysia shift toward digitisation. BNM issued an updated Policy Document on RMiT on 1 June 2023 to preserve public confidence in the financial system.

As the leader in digital security and identity, Thales helps financial institutions comply with Cloud and Data Risk Management in Technology (RMiT) by addressing six policy domains.

Regulation Overview

Bank Negara Malaysia (BNM)’s Risk Management in Technology (RMiT) policy is intended to formalise the risk management programmes that Malaysian financial institutions (FIs) use when adopting cloud and other technological innovations.

BNM issued an updated Policy Document (PD) on Risk Management in Technology on 1 June 2023. Under it, all financial institutions shall implement robust risk management controls above the minimum regulatory standards, so that they can deliver efficient financial services securely and, through robust cyber fortification, prevent the exploitation of weak links in interconnected networks and systems, thereby preserving public confidence in the financial system.

The key updates to the RMiT PD include:

  • Additional guidance to strengthen financial institutions’ cloud risk management capabilities
  • A shift to a risk-based approach in the cloud consultation and notification process, with corresponding updates to the risk assessment and submission requirements
  • The use of multi-factor authentication (MFA) as a security control is now denoted as a standard requirement
  • The Frequently Asked Questions document has been revised to aid the implementation of the revised policy requirements

BNM’s original RMiT policy document came into effect on 1 January 2020. The updated PD was released and took effect on 1 June 2023 and supersedes the policy document of 1 January 2020, except for paragraphs 10.49, 10.50, 10.51 and 10.52, which remain applicable until 31 May 2024.

As the leader in digital security and identity, Thales can help organisations address and comply with the respective mandates of BNM’s RMiT policy through our integrations with Cloud Service Providers such as Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP) and more.

Our solutions support the RMiT policy categories under the following domains:

System Development and Acquisition:

  • CipherTrust Tokenisation anonymises sensitive information in test data so that less-privileged users or third-party providers can process it without the risk of data loss.
  • To secure structured and unstructured data such as source code, CipherTrust Transparent Encryption can encrypt the entire source tree to safeguard it from unauthorised access.

Cryptography:

  • CipherTrust Data Security Platform offers industry-standard algorithms, hashing and signing, with RNG, in a centralised and secure platform.
  • CipherTrust Manager (CM) in the CipherTrust Data Security Platform provides the entire key lifecycle management, as well as CipherTrust Cloud Key Management, the centralised multi-cloud key management solution. CM offers key rotation, which assists in recovery where cryptographic keys are compromised. It also provides robust role separation features. This can be taken further with Security Management Domains, which combine role-based administration with the ability to compartmentalise the management of policies, data encryption keys, agent configurations and audit logs for a particular business group.
  • CipherTrust Transparent Encryption allows automatic key rotation with no application downtime, enabling customers to migrate easily to newer cryptographic standards if and when required.
  • Thales is the leading provider of Hardware Security Modules (HSMs) globally and among banks in Malaysia. Thales HSMs are certified to international security standards such as FIPS 140-2 Level 3, Common Criteria, eIDAS and PCI PTS.

Data Centre Operations:

  • Sensitive data on removable media can be secured with the CipherTrust Data Security Platform, which ensures the data is encrypted before being stored and transported. CipherTrust Key Management integrates with the leading backup solution vendors to manage the backup encryption keys and to keep the data separate from the keys. It also secures the data before it is backed up and stored on the removable media.

Cloud Services:

  • With the Hold-Your-Own-Key (HYOK) technology of CipherTrust Cloud Key Management, a Cloud Service Provider’s customers retain full control and ownership of their data by controlling access to the encryption keys, negating the risk of data being released to foreign powers.
  • Using the same HYOK technology, the CipherTrust Data Security Platform helps financial institutions (FIs) encrypt the data they store on cloud servers, protecting it against unauthorised disclosure and access, even by the Cloud Service Provider.

Access Control:

  • CipherTrust Transparent Encryption (CTE) enables separation of duties between the security administrator and the system administrator inside servers: system administrators and other privileged accounts do not have access to sensitive encryption keys, while security administrators do not have access to the data. CTE logs all file activity by OS users, and these logs can be forwarded to a syslog server or SIEM.

Key Risks and Control Measures for Cloud Services (CipherTrust Data Security Platform, CipherTrust Tokenisation, CipherTrust Transparent Encryption, CipherTrust Key Management, CipherTrust Cloud Key Management and HSM):

  • CipherTrust Data Security Platform (CDSP) has various modules and approaches to help customers secure their data stored in the cloud, such as Bring-Your-Own-Encryption (BYOE), Hold-Your-Own-Key (HYOK), Bring-Your-Own-Key (BYOK) and a centralised multi-cloud key management function, providing a complete data protection solution covering all types of data and use cases in the cloud. It allows encrypted data to be migrated between different clouds, removing any reliance on the specific formats used by individual cloud providers, so customers are not locked into a single cloud. CDSP offers full assurance of data destruction when exiting a cloud through digital shredding (destroying the keys so the ciphertext is unrecoverable) and provides various encryption options and methods for data stored in the cloud.
  • With CipherTrust Transparent Encryption (CTE) and CipherTrust Tokenisation, FIs can encrypt data before it is moved to the cloud, i.e. anonymise data prior to ingress into cloud data lakes. CTE not only provides encryption but also enforces granular access control, separate from the OS access control, on privileged users to prevent misuse or abuse.
  • Thales Luna HSMs offer tamper-evident hardware protection, which is critical for digital signing solutions.
  • CipherTrust Cloud Key Management (CCKM) integrates with VMware to enable VM image encryption and vSAN encryption, while CipherTrust Transparent Encryption secures data inside VMs and containers via encryption and access control transparently, without any changes to the application. CCKM enables Hold-Your-Own-Key (HYOK) for cloud and multi-cloud environments, where customers retain ownership of their encryption keys, and provides a comprehensive and centralised approach to multi-cloud key management, enabling secure generation, storage and distribution of keys across clouds. This reduces the complexity and high administrative costs attributed to the use of multiple clouds.

Recommended resources

Addressing BNM’s Cloud & Data Risk Management in Technology (RMiT) Policy for Financial Institutions in Malaysia - eBook

The financial industry in Malaysia geared up for change after the Bank Negara Malaysia (BNM) released a Risk Management in Technology (RMiT) Policy for Financial Institutions in 2020. RMiT highlights the need to provide and enable a secure framework for technological...

A Review of the Monetary Authority of Singapore (MAS) Advisory on Addressing the Technology and Cyber Security Risks Associated with Public Cloud Adoption - eBook

This eBook illustrates how a financial institution addresses the advisory from the Monetary Authority of Singapore with Thales Data Security Solutions. It covers the following requirements: What is the Advisory on Addressing the Technology and Cyber Security Risks Associated with...

Addressing The Requirements of The Framework for Adoption of Cloud Services by SEBI Regulated Entities - eBook

This framework is a crucial addition to SEBI’s existing guidelines on cloud computing and is designed to help regulated entities (REs) implement secure and compliant cloud adoption practices.

Best Practices for Cloud Data Protection and Key Management - White Paper

This paper describes security best practices for protecting sensitive data in the public cloud, and explains concepts such as BYOK, HYOK, Bring Your Own Encryption (BYOE), key brokering and Root of Trust (RoT). It explains the level of data protection that can be achieved by...

Other key data protection and security regulations

GDPR (Regulation, active now)

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organisation that processes the personal data of EU citizens - regardless of where the organisation is headquartered.

PCI DSS (Mandate, active now)

Any organisation that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws (Regulation, active now)

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbour” clause.