Solving financial services regulatory challenges in Australia with Puppet
The recent record-breaking fine of $1.3 billion for money-laundering breaches exposed the dangers of poor systems in the banking industry. Now is the time to get compliance right. In my role, I regularly speak with FS&I clients about their security and compliance challenges, including vulnerability remediation. It’s a complex topic with many pieces that must coalesce to create a holistic solution.
What’s happening in the current state of compliance and how can you use Puppet to address some of those challenges?
State of Security
In the Office of the Australian Information Commissioner’s (OAIC) most recent report, malicious or criminal attacks across all industries remain the leading source of data breaches, accounting for 61% of notifiable data breaches in the first half of the year. Phishing, stolen credentials, ransomware and brute force attacks were the main causes, with social engineering or impersonation contributing to a 47% increase in data breaches. The impact of the COVID-19 pandemic has meant individuals are more vulnerable to phishing attacks and to disclosing their credentials.
Some examples of data breaches in Australia in 2020 include the Canva data breach, where a hacker acquired the details of 139 million users. Stolen data included customer usernames, real names, email addresses, and city and country information. In the NAB data breach, approximately 13,000 customers had information -- such as date of birth, driver’s license number, name and contact details -- accidentally shared with two data service companies.
Forrester’s research on the state of data security and privacy 2020 reports that external attacks remain the most common cause of data breaches at 33%, with internal incidents increasing at 25%. In addition, privacy regulations such as GDPR and CCPA are driving new security technology adoption.
How Australia is Responding
The Federal Government released Australia’s Cyber Security Strategy on 6 August 2020. The Strategy replaces its 2016 strategy and provides for $1.67 billion in funding (including the CESAR funding) towards initiatives aimed at enhancing Australia’s cyber security as a foundation for transitioning to a digital society. The new Strategy “seeks to create a more secure world for Australians and businesses, ensuring that cyber readiness becomes a fundamental part of everyday life.” The Strategy sets Government, Business and Community as three pillars to support the initiative. Businesses are required to improve baseline security for critical infrastructure, grow a skilled workforce and ensure products and services are protected from cyber attacks.
The Australian Prudential Regulation Authority (APRA) is an independent statutory authority that supervises institutions in banking, insurance and superannuation. It licenses organisations and establishes prudential standards in relation to financial soundness, risk management and governance. Once licensed, financial organisations are subject to supervision to identify operational weaknesses early and, if need be, to enforcement.
APRA regulates financial organisations in line with the prudential laws of the Commonwealth: setting standards, monitoring compliance with those laws and standards, and intervening early to resolve issues. APRA has two approaches:
- Supervisory methods that include thematic reviews, financial analysis, heightened engagement and reporting standards.
- Enforcement through court-based action and imposing license conditions within which an organisation can operate.
APRA provides guidance through Prudential Practice Guides (PPGs), which give APRA’s view of sound practice in particular areas. They aim to assist senior management, risk management and IT security specialists in regulated institutions in managing IT security risk.
One of the key PPGs is Prudential Practice Guide CPG 234 – Management of Security Risk in Information and Information Technology (May 2013). It includes key guidance on:
- IT asset life-cycle management controls at all stages, including configuration management, environment deployment and patch management controls.
- IT security technology solutions such as segregation of duties, with regular assessment of their continued effectiveness and identification of any unauthorised changes.
- Controls to manage change to IT assets with the aim of maintaining confidentiality, integrity and availability. This includes changes to hardware, software (including associated configurations) and data fixes.
- Change management including registration of proposed changes, impact assessment, change scheduling, and approval of changes prior to deployment into the production environment.
Puppet Supports APRA’s Practice Guide
Puppet plays a major role in addressing all of these through its software solutions, by making infrastructure actionable, scalable, and intelligent. Infrastructure as code is no longer a nice-to-have; it is becoming the leading approach in today’s hybrid environments to drive efficiencies and increase flexibility. Compliance and security are mandatory, and Puppet automation addresses how to make compliance continuous rather than a point-in-time exercise.
The solutions involved, in summary:
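As an illustration of how the CPG 234 control areas above (configuration management, patch management, segregation of duties and change approval before production) can be expressed as infrastructure as code, here is an added example Puppet manifest. It is not code from Puppet or from the author of this article; the class name, file paths, the pinned package version and the `deploy-release` command are assumptions, and sshd is assumed to honour an `Include` drop-in directory (OpenSSH 8.2 or later).

```puppet
# Added example, not Puppet's own code. Expresses CPG 234 control areas as
# declared, auditable state. Class name, paths, the pinned package version and
# the deploy command are assumptions; sshd is assumed to read
# /etc/ssh/sshd_config.d/*.conf via an Include directive (OpenSSH 8.2+).
class cpg234_baseline (
  Boolean $enforce = true,  # false: report drift in the run report, change nothing
) {
  # Configuration management control: the hardened SSH settings are declared
  # state, so a manual edit shows up as drift and (when enforcing) is
  # corrected on the next agent run.
  file { '/etc/ssh/sshd_config.d/50-cpg234.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => "PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 4\n",
    noop    => !$enforce,
    notify  => Service['sshd'],
  }

  service { 'sshd':
    ensure => running,
    enable => true,
    noop   => !$enforce,
  }

  # Patch management control: pin the package to the version approved through
  # change management. An unapproved upgrade or downgrade is reported as drift
  # rather than silently accepted.
  package { 'openssl':
    ensure => '1.1.1k-1',  # placeholder for the approved, tested version
    noop   => !$enforce,
  }

  # Segregation of duties: the deployment account is granted exactly one
  # privileged command. validate_cmd runs visudo against the staged file before
  # it is installed, so a syntax error cannot lock administrators out.
  file { '/etc/sudoers.d/50-deploy':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => "deploy ALL=(root) NOPASSWD: /usr/local/bin/deploy-release\n",
    validate_cmd => '/usr/sbin/visudo -cf %',
    noop         => !$enforce,
  }
}

# Impact assessment before production: apply with enforcement off, review the
# "noop" events in the report with the change approver, then set enforce => true.
class { 'cpg234_baseline':
  enforce => false,
}
```

Running `puppet apply cpg234_baseline.pp` with `enforce => false` produces a report listing every resource that would change without touching the host, which gives the change-approval step the impact assessment CPG 234 asks for; flipping `enforce` to `true` turns the same declaration into continuous enforcement, and each later corrective change in the agent report is evidence of an unauthorised modification worth investigating.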
Impact Analysis and Continuous Delivery:
- What if you could see the impact of configuration changes before you pushed them to production?
- What if you could lower the barrier to entry to everyone committing code?
- What if you could release quality code the first time and therefore spend less time fixing some of the issues?
Remediate: an automated process for fixing the vulnerabilities found by Qualys or Tenable scanning tools. Why risk fines from ASIC or APRA?
CIS compliance: get an assessment of your compliance status, and guidance to bring your estate into compliance, with Puppet’s scanning solution, a service to help you address what we find.
Elizabeth Williams is a Principal Account Director for Puppet. The views and opinions expressed in this article are her own and do not necessarily reflect those of Puppet.