Lotteries and Gaming Authority

CLOUD SOLUTIONS
FOR REMOTE GAMING INDUSTRY
Cloud Solutions Guidelines for Remote Gaming Operators
Consultation Paper
Date: 31 October 2014
Foreword
Cloud technologies have started to move beyond the hype and into the very fabric of today’s
enterprise management. With the majority of organisations now claiming to have adopted cloud
solutions into at least part of their enterprise, we are now seeing the market mature to the point
that cloud solutions are being used for mission critical enterprise activities and services. Over
recent years, new lessons have been learnt, leading practices and challenges are emerging and
a body of knowledge is now taking shape.
The Lotteries and Gaming Authority of Malta (LGA) recognises the advantages and options
cloud solutions provide to the remote gaming industry in general. It allows for significant cuts
in infrastructure and operational costs, better management and allocation of IT resources,
flexibility and scalability of operations. However, we are cognisant of the fact that changing from
one environment to another presents new challenges which operators and regulators alike are
doing their best to address both from a policy and operational standpoint. It is the intention of
the LGA to release guidelines for the Remote Gaming operators making use of cloud solutions.
It will also allow facilities to be used as cloud service providers in defined circumstances for
gaming transactions. This consultation is proposing a sharper focus on long-standing principles,
with a clearer explanation of why they are important from a policy and regulatory perspective.
These guidelines serve as a clear sign to the gaming industry that the LGA wants to be a
prime mover in innovation and policy and is well positioned to react to these trends in order to
safeguard the collective achievement of the gaming industry over the last 11 years.
I therefore strongly encourage all stakeholders to actively participate in this consultation
document so that we make sure that the new policy on cloud solutions is well thought out and
forward looking. To this effect, your opinions and insights on this matter are critical to keep
Malta at the leading edge of technology and innovation.
Joseph Cuschieri
Executive Chairman
Lotteries & Gaming Authority of Malta
Contents
1. Introduction .... 7
1.1 Background .... 7
1.2 Objectives .... 8
1.3 Pre-consultation activities .... 8
2. The Authority’s perspective on Cloud Computing .... 9
2.1 Cloud Computing – a definition .... 9
2.2 Deployment Models .... 9
2.3 Cloud Service Providers .... 11
2.4 The Current Situation .... 12
3. An overview of risks related to operating on a Cloud environment .... 13
3.1 Security .... 13
3.2 Confidentiality .... 13
3.3 Integrity .... 14
3.4 Availability .... 14
3.5 Compliance .... 14
3.6 Jurisdictional / Legal .... 14
4. Relevant standards .... 15
5. The Authority’s proposal .... 16
5.1 The Authority’s position .... 16
5.2 Scope .... 16
5.3 Establishing the context .... 16
5.4 Remote Gaming Components .... 16
6. Proposed Approval Process .... 18
6.1 The Authority’s conformance kite mark .... 18
6.2 Geographic locations .... 18
6.3 Monitoring and review of the kite mark .... 18
6.4 Control of operational documents & records .... 18
6.5 A Risk-based approach .... 18
6.6 Risks relating to the adoption of Cloud Computing .... 19
6.7 Final Considerations .... 20
7. Consultation procedure .... 22
7.1 Consultation period .... 22
7.2 Queries and contributions .... 22
7.3 Questions to be addressed by stakeholders .... 22
7.4 Direct interaction .... 22
7.5 Transparency register .... 22
7.6 Post-consultation .... 23
8. Data Protection Statement: Data Protection Act (Chapter 440) .... 24
Appendix A – Summary of consultation questions .... 25
Notes .... 26
Definitions
Classes: as per the First Schedule to Regulation 3, Licences of the Remote Gaming Regulations 2004, SL438.04.
Cloud Computing: in this paper the Authority has adopted the Cloud Security Alliance definition of Cloud Computing; see Section 2.1 of this Paper.
Cloud Service Provider: a Cloud Computing service provider, also referred to as CSP in this Paper.
Financial data: any data pertaining to the financial activity of a player.
Licensee: as per the definition of licensee in the Remote Gaming Regulations 2004, SL438.04.
Player data: any data which contributes or may contribute to the identification of a player.
Remote Gaming Operator/Operator: an economic operator registered in Malta and licensed, or in the process of obtaining a licence, to operate as a Remote Gaming Operator in accordance with the Remote Gaming Regulations 2004, SL 438.04.
SaaS: Software-as-a-Service is software which is deployed over the internet and used by someone on a personal computer or local area network.
PaaS: Platform-as-a-Service is a category of cloud computing services that provides a computing platform and a solution stack as a service.
IaaS: Infrastructure-as-a-Service is the virtual delivery of computing resources in the form of hardware, networking, and storage services. It may also include the delivery of operating systems and virtualisation technology to manage the resources.
1. Introduction
In 2004, Malta was the first country in Europe to identify the potential of this industry and enact
the appropriate legislative framework to position the country as a leading global player in
remote gaming regulation. With the regulatory and financial incentives in place, the portfolio
of companies setting up their operations in Malta started to grow at a fast pace. Today, the
Lotteries and Gaming Authority, hereafter referred to as “the Authority”, hosts a remote gaming
industry that directly contributes 11% of GDP, employs more than 7,000 people and has direct
and indirect economic benefits that have created a multiplier effect impacting many business
sectors, including property, hospitality and corporate services. Over 250 remote gaming
companies and 400 licenses are currently on the LGA’s books, and the numbers keep growing
steadily.
Malta’s huge success is underpinned by a package of incentives and other factors that make
Malta a unique gaming jurisdiction of international repute. Our package includes corporate
and personal tax incentives, a robust ICT infrastructure, an English-speaking population, a
strong educational system and a regulatory framework that focuses on consumer protection,
fairness of games, strict compliance and the prevention of money laundering and other crimes.
In fact, other European jurisdictions have been looking at Malta as a role model to develop their
national legal frameworks for remote gaming.
Malta’s reputation in this sector needs to be maintained and one way of achieving this is by
being responsive to technological developments which bring with them benefits to stakeholders
in the sector. However, developments such as Cloud Computing/Services also present new or
heightened levels of risks which need to be addressed and managed, in order to safeguard the
jurisdiction’s reputation and adequate levels of player protection.
With this in mind, the Authority is launching this public consultation process in respect of Cloud
Computing Solutions adoption by Remote Gaming Operators, with a view to gathering insights
and feedback from relevant stakeholders, industry experts, and other interested parties, on its
proposals as set out in this consultation paper.
1.1 Background
A number of remote gaming operators have, or are considering, leveraging the opportunities
offered by the adoption of Cloud Computing Solutions in order to take advantage of the extensive
benefits that may be achieved, including better management and allocation of IT resources,
flexibility, scalability and cost savings.
The Authority recognises the advantages that cloud computing provides to licensees. It also
recognises the fact that the adoption of cloud computing by operators may also provide
competitive advantages to the Remote Gaming sector in Malta.
However, migrating from the traditional environment to a cloud environment presents some
disadvantages as well, in the form of new or heightened risks. The Authority believes that by
setting out good practice, operators will be able to mitigate the risks that cloud computing
introduces, meet the level of security and standards required by the Authority as well as attain
the benefits offered by cloud computing.
1.2 Objectives
It is the Authority’s objective to establish guidelines and to set good practice requirements on
the industry in respect of the use of cloud services for remote gaming. These guidelines should:
a) Offer additional clarity on the use of cloud services, placing the obligations on the correct
party, thereby making it clear who is responsible for what in the security process;
b) Stipulate those ‘reasonable steps’ which must be taken to protect the information from
misuse, loss, unauthorised access, modification and other security breaches, regardless of
where it is stored.
1.3 Pre-consultation activities
The Authority has already received submissions on the subject matter from the Malta Remote
Gaming Council Working Group and the Malta Chamber Remote Gaming Business Section
and has taken these into consideration in arriving at its position and in compiling this
consultation paper.
2. The Authority’s perspective on Cloud Computing
2.1 Cloud Computing – a definition
According to the Cloud Security Alliance, cloud computing is defined as “… a model for enabling
ubiquitous, convenient, on-demand network access to a shared pool of configurable computing
resources (e.g., networks, servers, storage, applications, and services). Cloud computing is
a disruptive technology that has the potential to enhance collaboration, agility, scaling, and
availability, and provides the opportunities for cost reduction through optimized and efficient
computing. The cloud model envisages a world where components can be rapidly orchestrated,
provisioned, implemented and decommissioned, and scaled up or down to provide an on-demand utility-like model of allocation and consumption”.
2.2 Deployment Models
Several security and privacy concerns within the cloud computing environment are similar to
those of traditional non-cloud services, although amplified by external control over operators’
assets. Cloud computing also introduces new risks, which vary according to the deployment
model and setup utilised by the operator. Moreover, Cloud Service Providers (hereinafter
referred to as CSPs) offer a range of services to their customers such as Software as a Service
(SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
The following is a summary of the different deployment models and some of the key elements
that characterise each model.
2.2.1 Private Cloud
This cloud infrastructure is for the exclusive use of a single licensee. No interaction with other
entities is allowed within this type of cloud computing deployment model.
In this case, physical or location-related considerations can still be closely controlled by the
Authority as this particular cloud infrastructure can be located either on the operator’s premises
or at a Data Centre with dedicated servers. Building a private cloud seems to be the best option
in terms of security.
2.2.2 Community Cloud
In a community cloud, services are shared by a number of licensees with similar security
requirements and need to store or process data of similar sensitivity. In some cases, all the
entities are subject to common security policies. These security components in a community
cloud make the level of risk lower than in a public cloud, however it remains higher than in a
private cloud.
2.2.2.1 Security
Although different classes of licensed remote gaming entities operate in the same sector, they
may have adopted different security measures or security requirements. Consequently, other
third party users hosted on the same CSP as that engaged by a remote gaming operator may
have inferior security standards, security levels, procedures or Service Level Agreements
(hereinafter referred to as SLAs) for the same category of data, exposing remote gaming operators
to related risks.
2.2.2.2 Jurisdictional/Legal
Compliance with garnishee orders, search warrants and seizures served to companies could
be difficult to enforce if a particular operator hosts its business in a cloud shared by other
companies.
2.2.3 Public Cloud
In a public cloud, the CSPs share their infrastructure and resources among various unrelated
enterprises and individuals. Public Cloud Services are generally considered as more ‘risky’,
although the security related investment and the resources available to major Public Cloud
Service Providers often exceed those of a typical licensee.
Transition to a public cloud requires a transfer of responsibility and control to the cloud provider
over information as well as system components that were previously under the organisation’s
direct control.
This cloud infrastructure is shared by multiple tenants of the cloud service provider. These
tenants have no relation to each other in the same space, therefore no common interest and
concerns for security. A malicious attack on one tenant could have adverse impacts on other
tenants of the same cloud environment, even if they are not the intended target.
2.2.3.1 Isolation Failure
Multi-tenancy and shared resources are defining characteristics of both the Public and
Community Cloud. High degrees of multi-tenancy over large numbers of platforms are needed
for cloud computing to achieve the benefits of scale economies. The threats of these deployment
models include the failure of mechanisms separating storage, memory, routing and even
reputation between different tenants; the so-called guest-hopping attacks.
2.2.3.2 Security
Security depends not only on the correctness and effectiveness of many components but also
on the interactions among them. The challenge exists in understanding and securing these
applications. Having to share an infrastructure with unknown outside parties can be a major
drawback and requires a high level of assurance pertaining to the strength of the security
mechanism used for logical separation.
An attacker could pose as a consumer to exploit vulnerabilities from within the cloud
environment, overcome the separation mechanisms, and gain unauthorised access. Access to
organisational data and resources could also inadvertently be exposed to other consumers or be
blocked from legitimate consumers through a configuration or software error, although this is a
risk that is present also amongst non-cloud based deployments.
2.2.3.3 Governance
Loss of control over both the physical and logical aspects of the system and data diminishes the
organisation’s ability to effect changes in security and privacy that are in the best interest of the
operators. The ability to reduce capital investment for computing resources and simultaneously
satisfy computational needs through reductions in operational costs is one of the main
advantages of cloud computing. However, policies and procedures for privacy and security could
be overlooked and the organisation put at risk.
2.2.3.4 Physical location
On a public cloud, the physical location of the infrastructure is determined by the cloud provider
as is the design and implementation of the reliability, resource pooling, scalability, and other
logic needed in the support framework.
2.2.4 Hybrid
Hybrid cloud is a model that allows enterprises to create a mixture of public, community and
private clouds, depending on the level of ‘trust’ required for their information assets.
2.3 Cloud Service Providers
The flexibility, lower costs and scalability that cloud services can provide for remote gaming
companies are more than promising. This is even more so for global cloud service providers,
which have high resources and capabilities, providing services at considerably low cost, also
through economies of scale. Whether a CSP is a start-up with a small set-up or one of the global
cloud service providers, the security and privacy concerns are still considerable and the risks
relevant to the Authority must be addressed, independently of the size and the popularity of
the CSP. Strong privacy and security guarantees are what the industry and the Authority
demand.
The following are further risks that large and international CSPs may introduce within the
gaming industry.
2.3.1 Physical Security
A major stumbling block to adopt cloud computing within the remote gaming industry seems
to be the difficulty in establishing the geographical location of the physical servers. Use of an
in-house computing centre allows an organisation to structure its computing environment and
to know precisely where data is stored and what safeguards are used to protect the data. In
contrast, a characteristic of many cloud computing services is that data is stored redundantly
in multiple physical locations and detailed information about the location of an organisation’s
data is unavailable or not disclosed to the service consumer. This situation makes it difficult
to ascertain whether sufficient safeguards are in place and whether legal and regulatory
compliance requirements are being met.
2.3.2 Security Features
Cloud service operators provide a number of features that are commonly used in any server
environment to ensure adequate security. Nevertheless, many of them provide additional
configurable options and for this reason it is the operator’s responsibility to implement them in
the most appropriate manner.
2.3.3 Governance
CSPs may allow operators to make use of a private and isolated portion of the cloud without
disclosing the physical location of the data and how it is processed. The Authority recognises
that a cloud customer may find it difficult to exercise any meaningful control over the way
a large (and perhaps global) cloud provider operates. The ‘take it or leave it’ SLAs do not
provide any opportunity for negotiations. However, it is the Authority’s view that simply because
an operator chooses to contract for cloud computing services on the basis of the provider’s
standard terms and conditions, this does not exonerate the operator from its responsibilities in
this regard. The operator’s deployment logical architecture - whether it is on physical or virtual
servers - will still need to be approved by the Authority as is the current practice.
2.3.4 Legal Issues
Such CSPs often operate across borders, and different jurisdictions have different legal
requirements, especially concerning personal private information. The CSP will need to host its
service in a manner that is fully compliant with EU data protection and other applicable laws.
2.4 The Current Situation
The Authority must ensure that it has the right policy framework to mitigate any risks and to
seize the full benefits of cloud computing. The Authority’s current practice requires that requests
for the use of public or private cloud are dealt with on a case-by-case basis during the licensing
process of a remote gaming operator.
Operators argue that the current practices which require the tagging of servers run counter
to the agility and benefits of a cloud environment. Tagging of servers is considered to be a
redundant and obsolete requirement by operators. The Authority is at present considering the
feasibility of alternative mechanisms or systems with a view to address this concern.
There are a number of challenges that need to be addressed to ensure that the Authority’s
licensees maximise the benefits to be derived from adoption of a cloud computing environment
whilst ensuring that the risks are mitigated.
The six main areas set out in section 3, sub-sections 3.1 to 3.6, are some of the critical areas
to be addressed if the Maltese jurisdiction is to become cloud-friendly and cloud-active. An
additional and non-exhaustive list of risks introduced or amplified by the adoption of cloud can
also be found in section 6.6.
3. An overview of risks related to operating on a Cloud environment
Cloud computing promises to have far-reaching effects on the systems and work practices of
the licensees and the Authority.
Emphasis on the cost and performance of cloud computing should be balanced with the
fundamental security and privacy concerns the Authority and licensees have with these
computing environments. Many of the features that make cloud computing attractive can also be
at odds with traditional security models and controls.
The first question to ask when evaluating a cloud environment is: “Which information assets will
a remote gaming operator migrate to the cloud environment?” Information assets in the remote
gaming industry can be broadly categorised as data, applications and processes. These assets
are commonly subjected to the threats set out in this section. In view of the generic nature of
these risks, the Authority recognises that most of them can be mitigated with the adoption of
adequate controls.
3.1 Security
Information security is possibly the biggest concern for cloud users. Whilst security frameworks
already exist, these are not sufficiently adopted across all the cloud deployment models. Illegal
activities affecting cloud computing environments such as (identity and/or data) theft, fraud and
malicious systems and data interference are threats to cloud users and service providers and
can undermine their trust. Threats to data security include the ability of hackers to infiltrate
cloud computing platforms and use cloud infrastructure to attack other machines which could
lead to sensitive data leakage and data loss.
If a multi-tenant cloud service database is not designed properly, a single flaw in one client’s
application could allow an attacker to get at not only that client’s data, but all other clients’ data
as well.
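The isolation failure described in sections 2.2.3.1 and 3.1, shown as an added example that is not from the paper: a search in one licensee's application that is keyed on a player attribute but never on the tenant, beside the tenant-bound form and a result-set check that refuses cross-tenant rows. The table layout, tenant names and player rows are constructed for illustration.

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample data (not from the paper): two licensees sharing one
# multi-tenant database. Each row is player data in the paper's sense, i.e.
# data that may identify a player. All names and addresses are invented.
PLAYERS = [
    ("op-alpha", 1, "alice", "alice@example.invalid"),
    ("op-alpha", 2, "bea", "bea@example.invalid"),
    ("op-beta", 1, "bob", "bob@example.invalid"),
]


def build_db() -> sqlite3.Connection:
    """Create the shared players table; the tenant id is part of the key."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE players ("
        " tenant_id TEXT NOT NULL, player_id INTEGER NOT NULL,"
        " username TEXT NOT NULL, email TEXT NOT NULL,"
        " PRIMARY KEY (tenant_id, player_id))"
    )
    conn.executemany("INSERT INTO players VALUES (?, ?, ?, ?)", PLAYERS)
    return conn


@dataclass(frozen=True)
class Session:
    """Tenant identity fixed at authentication; never read from request data."""
    tenant_id: str


class IsolationViolation(Exception):
    """Raised when a result set contains rows of another tenant."""


def search_players_flawed(conn, prefix: str) -> List[Tuple[str, str]]:
    """The flaw the paper describes: the query filters on a player attribute
    but never on the tenant, so one licensee's search returns player data
    belonging to every licensee in the shared database."""
    cur = conn.execute(
        "SELECT tenant_id, username FROM players"
        " WHERE username LIKE ? || '%' ORDER BY tenant_id, username",
        (prefix,),
    )
    return cur.fetchall()


def search_players(conn, session: Session, prefix: str) -> List[Tuple[str, str]]:
    """Hardened form: every query carries a tenant predicate bound from the
    authenticated session, so rows of other tenants are never selected."""
    cur = conn.execute(
        "SELECT tenant_id, username FROM players"
        " WHERE tenant_id = ? AND username LIKE ? || '%'"
        " ORDER BY tenant_id, username",
        (session.tenant_id, prefix),
    )
    rows = cur.fetchall()
    verify_isolation(rows, session)  # defence in depth: re-check before returning
    return rows


def verify_isolation(rows, session: Session) -> bool:
    """Detection control: refuse to hand back a result set containing any
    row outside the caller's tenant. Returns True when the set is clean."""
    foreign = sorted({tenant for tenant, _ in rows if tenant != session.tenant_id})
    if foreign:
        raise IsolationViolation(
            f"tenant {session.tenant_id} received rows of {foreign}"
        )
    return True


def main():
    conn = build_db()
    alpha = Session("op-alpha")
    print("flawed search leaks:", search_players_flawed(conn, "b"))
    print("tenant-scoped search:", search_players(conn, alpha, "b"))
    try:
        verify_isolation(search_players_flawed(conn, "b"), alpha)
    except IsolationViolation as exc:
        print("blocked:", exc)


if __name__ == "__main__":
    main()
```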
Another key risk in a cloud computing environment is data loss: the prospect of having valuable
data disappear without a trace.
Loss of governance is also an issue when using cloud infrastructure. The operator necessarily
cedes control to the cloud provider on a number of issues which may affect security. At the same
time, the SLAs or controls implemented by CSPs may not provide the security levels required by
the operator, thus leaving a gap in security defences.
3.2 Confidentiality
There is a fear of moving sensitive data to the cloud. The confidentiality of specific data –
personal, gaming and financial - may be at greater risk where remote gaming functions are
placed under the control of cloud systems, when compared to a traditional system. Cloud
computing may increase the risk of account or data traffic hijacking depending on the CSPs
inherent security design and confidentiality processes.
3.3 Integrity
The integrity of transaction logs and gaming functionality may be at a heightened risk when
remote gaming functions are under control of cloud systems. Technology vulnerabilities are
a threat that needs to be addressed appropriately in any cloud based remote gaming service.
Cloud service providers share infrastructure, platforms and applications to deliver their services
in a scalable way. If an integral part is compromised, it exposes the entire environment to the
potential of compromise and breach.
3.4 Availability
The Authority considers the availability of gaming and financial transaction logs and customer
accounts to be at heightened risk where remote gaming functions are hosted on cloud systems.
Data are commonly the most valuable assets and the most probable targets of attacks. However,
it is important not to overlook the risk relating to applications and processes.
3.5 Compliance
Investment in achieving certifications (such as ISO 27001 and PCI DSS) as well as the licence
granted to an operator by the Authority may be put at risk by migrating to the cloud if the CSP:
a) cannot provide evidence of compliance with the relevant requirements, or
b) does not permit audits by the operators.
3.6 Jurisdictional / Legal
Cloud computing by its very nature, operates across national boundaries and across territories
with different legal jurisdictions, within and beyond Europe. Legal and Jurisdictional issues
associated with cloud computing could pose additional challenges including:
a) Jurisdictional issues which may impair the Authority’s ability to exercise its functions and
powers as permitted by relevant laws and regulations;
b) Inconsistencies/incompatibilities in laws and regulations across different jurisdictions in
respect of Data Protection and Privacy rights of players and obligations on remote gaming
operators arising therefrom;
c) Ambiguity in determining who has the burden of preserving data when a client of a cloud
computing provider gets sued;
d) Compliance with garnishee orders, search warrants and possible seizures;
e) Disaster recovery implications.
Operators that are planning to adopt or that have adopted cloud computing must have a clear
understanding of which rules apply, where and how. Among the EU directives and regulations
that may impact Cloud services, the Privacy or Data Protection Directive is one of the most
relevant and important. While there is no question that these requirements are designed to
improve privacy in general, they may create barriers to the provision of cloud services.
Consultation Questions
Q1.
Do you agree with the Authority’s overview of risks in relation to cloud computing
environments?
Q2.
Do you believe that there are other risks that need to be addressed?
4. Relevant standards
In compiling its proposals for the purposes of this consultation, the Authority has identified
relevant standards that have been taken into consideration. These include:
a) ISO 27001:2013: “ISO/IEC 27001 is the best-known standard in the family providing
requirements for an information security management system (ISMS).” (International Standards
Organisation: http://www.iso.org/iso/home/standards/management-standards/iso27001.htm);
b) PCI DSS: “The PCI Security Standards Council offers robust and comprehensive standards
and supporting materials to enhance payment card data security” (Payment Card Industry
Security Council: https://www.pcisecuritystandards.org/security_standards).
Consultation Questions
Q3.
Do you agree with the standards which the Authority has identified as relevant and
within the scope of these guidelines?
Q4.
What are your views, in terms of costs and feasibility, for compliance obligations
arising from the need to obtain and maintain ISO 27001 certifications and PCI DSS
Level 1 standards?
5. The Authority’s proposal
5.1 The Authority’s position
“An external publicly available cloud, provided from outside the Authority’s approval
process may be used for simple web servers, displaying informative web pages, landing
pages and application servers. However, any part of regulated game play, financial
or registration process where personal, financial or game transaction information is
processed and/or stored, may only be handled within a cloud environment, if these
systems are considered by the Authority to be safe and secure under these guidelines”.
5.2 Scope
All personnel, products and processes which may affect the safety, security, fairness or legal
status of any remote gaming operations if these are placed within a cloud infrastructure, shall
be included in the Authority’s standards and guidelines for operators making use of cloud
computing.
5.3 Establishing the context
The regulatory and jurisdictional risk appetite is low compared to commercial entities, so these
standards and guidelines should be consistent with regulatory and jurisdictional risk threshold
and objectives.
Under the cloud computing paradigm, an operator relinquishes direct control over many aspects
of security and privacy and in doing so, confers a high level of trust onto the cloud provider.
At the same time, the Authority has the responsibility to protect information and information
systems commensurate with the risk and magnitude of the harm resulting from unauthorised
access, use, disclosure, disruption, modification or destruction.
5.4 Remote Gaming Components
Challenges exist in understanding and determining the suitability of those cloud systems,
and understanding the context in which the licensees operate and the consequences from
the plausible threats it faces. This section categorises those remote gaming components that
demand a secure and reliable platform.
Critical components are:
a) Random Number Generators (RNGs);
b) Players’ Data – see Definitions;
c) Financial Data – see Definitions;
d) All instances of databases containing player and financial data intended for disaster recovery
purposes.
These components should be hosted on a Private Cloud environment model and shall be subject
to the proposed approval process set out in section 6.
Other components can be hosted on any other type of Cloud environment model and shall also be
subject to the proposed approval process set out in section 6.
Consultation Questions
Q5.
What are your views on the LGA’s position on cloud computing?
Q6.
What are your views on the scope and definition of the “critical components” as
proposed?
Q7.
What are your views on the Authority’s position on the hosting location of the critical
components, i.e. “…be hosted on a Private Cloud environment…” as opposed to any
other of the cloud computing models presented in this paper?
Q8.
What are your views on the hosting location of other (non-critical) components?
6. Proposed Approval Process
6.1 The Authority’s conformance kite mark
Making use of a cloud computing environment requires a change in mindset. To realise the
benefits of a cloud environment, it is necessary to accept that perimeters become logical rather
than physical, dynamic rather than fixed.
Whereas within a traditional computing model, rights/monitoring were tied to a physical
machine and its location, the policies and privileges assigned to a virtual machine must change.
This requires a rethink: new policies, new tools and new or updated operating practices.
Certification is a proven technique for establishing trust. CSPs may either obtain a kite mark
issued by the Authority or have their systems and controls assessed and/or inspected by the
Authority on a case-by-case basis to verify that their setup meets the criteria established in
the Authority’s guidelines; in the latter case, all expenses will be incurred by the operator. The
ISO 27001 and PCI DSS Level 1 standards will be used as a guideline standard for cloud service
providers.
Operators choosing a CSP which has the Authority’s kite mark, may have their application for a
licence placed on a fast-track.
6.2 Geographic locations
Any operator on a cloud infrastructure must include a list of the premises and the geographic
location of all sites where infrastructure used in a cloud system affects its remote gaming
functionality and data, unless using a CSP that has been pre-approved by the Authority.
6.3 Monitoring and review of the kite mark
CSPs shall conduct, at least annually, a detailed security audit of their cloud service performed by
an independent third party and will be required to provide a copy of the assessment to the cloud
customers and the Authority. The assessment can also be presented to new clients as it will
be sufficiently detailed to allow the cloud customers to make an informed choice as to whether
the provider’s security is appropriate and will, in turn, help the operator to comply with these
guidelines.
The assessment shall include the physical, technical and organisational security measures that
are in place. This audit is a pre-requisite to obtain the kite mark.
6.4 Control of operational documents & records
Transition to a cloud service entails transferring part of the implementation of security to the
cloud provider. To fulfil the obligations of continuous monitoring, the Authority requires the full
cooperation of the cloud provider.
6.5 A Risk-based approach
The transition to an outsourced, public cloud computing environment is in many ways an
exercise in risk management. Risk management entails identifying and assessing risk, and
taking steps to reduce it to an acceptable level.
Assessing and managing risk in cloud computing systems requires continuous monitoring of
the security state of the system, and can prove challenging, since significant portions of
the computing environment are under the control of the cloud provider and likely beyond the
organisation’s purview.
By virtue of the Remote Gaming Regulations, the licensing requirements of the Authority, and the
licence conditions, a remote gaming operator licensed by the Authority may be obliged to carry
out a system audit as well as a compliance audit. The existing comprehensive process to obtain
and maintain a remote gaming licence remains unchanged.
However, where the use of a cloud computing infrastructure is being proposed, a risk
assessment should be undertaken to assess whether the cloud platform will meet the licensee’s
needs and the Authority’s policies. Licensees using pre-approved cloud platforms may be able to
fast-track parts of the risk assessment of their application.
A risk assessment should be a requirement, as it is a cornerstone of these guidelines. As a
minimum, the risk assessment submitted by the operator must address the risks listed in
section 6.6. During the licensing process, as well as during a licensee’s operation, the
Authority may require further information on how certain risks relating to the cloud are being
treated. As part of its licence application the operator shall also include the risk assessment
methodology applied, the acceptable risk level from its point of view, a clear description of what
information is being stored and processed on the cloud, and what control measures are in
place to protect such information.
These areas have been identified as important to assess:
a) Logical isolation techniques employed in the multi-tenant software architecture of the cloud;
b) Facilities for backup and recovery of data, and for sanitisation of data;
c) Capabilities and processes for electronic discovery;
d) Mechanisms used to control access to data, to protect data while at rest, in transit, and in use,
and to expunge data when no longer needed;
e) Mechanisms for secure authentication, authorisation, and other identity and access
management functions;
f) Facilities for incident response and disaster recovery.
6.6 Risks relating to the adoption of Cloud Computing
The following is a non-exhaustive list of risks that an operator may face when making use of
cloud computing. These risks shall form part of a risk assessment that needs to be submitted
together with the policies and procedures made available as part of the licensing process.
During the licensing process, as well as during a licensee’s operation, the Authority may require
further information on how certain risks relating to the cloud are being treated.
The risk assessment shall take into consideration, as a minimum, all the risks mentioned in
Table 1, as this shall assist the Authority in gauging how well prepared the operator is to use
cloud computing services.
If an operator is making use of a CSP that has obtained the Authority’s kite mark, then the
operator need not provide an explanation of how some of these risks have been treated.
Table 1
Risk #  Risk Description
1.  Loss of governance. This risk also takes into consideration changes to the CSP’s terms and conditions and service levels while an operator is making use of its services. Such changes may also result from the CSP being acquired by a third party.
2.  Inadequate maintenance of the systems and underlying infrastructure managed by the CSP.
3.  Leakage of data during transfer within the cloud, between the operator and the cloud, or between the player and the cloud.
4.  Insecure data storage.
5.  Information not being erased thoroughly or in a timely manner by the CSP’s systems following a command issued by the operator.
6.  Unauthorised access to data through the management interface or any other system within the cloud or interfacing with the cloud.
7.  Loss of privacy.
8.  Unreliable service engine / APIs, as well as isolation failure.
9.  Loss incurred due to activities carried out by tenant(s) on the cloud.
10. Malicious activities by tenant(s) of the cloud or employees of the CSP.
11. Failure of the CSP (or its providers) to provide an adequate level of service. This includes the risk of heightened dependency on the CSP as well as the complete cessation of a CSP’s services.
12. Increased dependency on internet connectivity for the operator to manage its operation.
13. Inability of the Authority to confiscate hardware and carry out an investigation.
14. Loss of intellectual property.
15. Lack of IT resource capacity.
16. Denial of Service risk heightened due to use of the CSP’s services.
17. Inability to achieve compliance with the Authority’s requirements and other standards that an operator adheres to.
18. Non-compliance with legal requirements that both the CSP and the operator have to follow.
19. Risk of the CSP moving to another jurisdiction that is deemed less safe than the one previously used.
6.7 Final Considerations
Cloud computing is not a one-size-fits-all product and in many cases it needs to be tailored to fit
the specific needs of an operator or market sector. The compliance issues that arise will depend
on the type of cloud service in question.
Any remote gaming operator considering a move to the cloud must have a clear understanding
of its needs and compliance obligations in order to ensure that the services of cloud providers
are engaged in a manner which adequately mitigates the identified risks.
Consultation Questions
Q9. What are your views on the proposal that operators should submit a risk assessment to assess whether the cloud platform will meet the LGA’s policies?
Q10. What are your views on the Authority’s proposal of introducing a kite mark which will be awarded by the Authority to those Cloud Service Providers that satisfy the Authority’s requirements on risk assessment?
Q11. What are your views on the Monitoring and Review of Kite-mark requirements on CSPs?
Q12. Do you agree that a licence application submitted to the Authority by a remote gaming operator should be fast-tracked if the cloud service provider has been approved by the Authority and granted the Kite-mark?
Q13. Do you believe that the risk register adequately identifies the new or heightened risks that cloud computing adoption brings with it?
Q14. Do you consider any of the measures proposed too onerous on the operators or on the CSPs?
Q15. Are there any other measures that the LGA should introduce in these Guidelines that can enhance the level of protection of operators’ and player data?
Q16. Are you aware of any other potential risk(s) that have not been covered in the risk register?
Q17. Are you aware of other constraints that could limit the wider adoption of these guidelines?
Q18. Do you believe that these recommended guidelines can be considered to be best practice to help operators protect data when migrating on to cloud environments?
Q19. Do you think that the scope and applicability of the guidelines are clearly defined?
Q20. Should the LGA consider any operators to be excluded from or outside the scope of these Guidelines?
Q21. Do you think that the Authority’s proposals adequately address the need to strike a balance between safeguarding the jurisdiction’s reputation, player protection, and the needs of remote gaming operators?
Q22. Do you think that the guidelines provide enough guidance to Remote Gaming Operators to adequately assess their obligations arising from these Guidelines?
Q23. Do you think that the critical components, as defined in this Paper, are sufficient to mitigate the new risks/heightened risks of cloud environments?
Q24. Do you think that the risk register compiled in this paper adequately addresses the new risks/heightened risk levels in relation to Cloud Computing adoption in the sector?
Q25. Do you have any other comments or suggestions which could help make these Guidelines as comprehensive and clear as possible?
7. Consultation procedure
In this section of the consultation paper, the Authority sets out the relevant information about
the consultation process.
7.1 Consultation period
This period of consultation will be for 6 weeks from launch, as follows:
Opening date of consultation: Friday, 31st October 2014
Closing date of consultation: Friday, 12th December 2014 at noon
7.2 Queries and contributions
The Authority has set up a dedicated electronic mailbox for the purposes of this consultation.
The Authority will receive queries/requests for clarification that contributors may have in
respect of the contents of the paper and proposals, and contributions/feedback from interested
parties, at the following email address: [email protected]. All queries and contributions will
be acknowledged within 2 working days of receipt.
The Authority will consider only those contributions which clearly identify the originator of the
contribution, contact information, and a clear statement of which interest they represent.
7.3 Questions to be addressed by stakeholders
The Authority is keen to seek the views of stakeholders and has set out a series of questions
throughout this Paper which should be addressed by contributors. Appendix A contains a
consolidated list of the consultation questions. Other comments on the Authority’s position and
proposals will be welcome.
7.4 Direct interaction
Depending on the scope, extent and quality of contributions, the Authority may decide to provide
additional opportunities for contributors to interact directly with the Authority via one-to-one
meetings and/or events.
All one-to-one meetings will be recorded on the transparency register and documented. Any
events which the Authority may decide to organise for the purposes of direct interaction with
relevant stakeholders will be announced on the consultation website and, where applicable,
invitations may also be sent by the Authority to stakeholder groups.
7.5 Transparency register
The Authority will maintain a register containing details of all contributions received. This
register will be published on the Authority’s website following the closing date of the
consultation and not later than Friday, 9th January 2015. The following information will be
published in the register: names of respondents and all related documents, meeting minutes and
individual contributions.
The Authority will consider contributions which include a request for anonymity on a case-by-
case basis. However, for such requests to be considered, they must include a clear indication
of the interest group which the contributor represents or belongs to. Where such requests are
granted, the contributor’s information will be anonymised and will clearly indicate the
stakeholder/interest group.
7.6 Post-consultation
The Authority will consider all responses carefully when finalising its proposals, but will
only alter its position if it believes there is a sound basis to do so. Following the end of the
consultation the Authority will prepare a summary of responses, which it will publish alongside
the finalised documents.
8. Data Protection Statement - Data Protection Act (Chapter 440)
As part of this consultation, individuals are invited to forward their recommendations, views and
opinions which will enhance the process. We intend to collect the following information: name of
the organisation or individual responding to the consultation, the contact details of the individual
(e-mail and telephone number). The contact details provided will enable us to contact the
person to clarify their contributions – if the moderator of this consultation needs to seek such
clarifications.
The recommendations will be analysed and placed, in full or in part, on the LGA website after
the consultation has been concluded. The comment of the organisation or the individual will
be accompanied by the ‘Display Name’ as listed at the time when the comment was entered
by the individual. If an individual chooses to have his name removed from the comments, the
moderator will categorise these comments according to the following stakeholders’ list:
• Remote Gaming operators;
• Industry experts;
• Sector associates;
• Citizens;
• Others.
The personal data collected will be processed by the people involved in the consultation process
according to the provisions of the Data Protection Act (Cap 440) and will not be accessed or
disseminated to third parties.
Contributors may request modification or deletion of their submitted contribution to this
consultation process by sending their request via e-mail to: [email protected].
In addition, please be aware of:
• Disclosure under the Freedom of Information Act (Chapter 496)
As we are a public authority, all documents we hold, including documents related to this
public consultation process, may be released following a request to us under the Freedom of
Information Act (Chap. 496), unless the request is subject to an exemption arising from
the same Act.
Appendix A – Summary of consultation questions
Consultation Questions
Q1. Do you agree with the Authority’s overview of risks in relation to cloud computing environments?
Q2. Do you believe that there are other risks that need to be addressed?
Q3. Do you agree with the standards which the Authority has identified as relevant and within the scope of these guidelines?
Q4. What are your views, in terms of costs and feasibility, for compliance obligations arising from the need to obtain and maintain ISO 27001 certifications and PCI DSS Level 1 standards?
Q5. What are your views on the LGA’s position on cloud computing?
Q6. What are your views on the scope and definition of the “critical components” as proposed?
Q7. What are your views on the Authority’s position on the hosting location of the critical components, i.e. “…be hosted on a Private Cloud environment…” as opposed to any other of the cloud computing models presented in this paper?
Q8. What are your views on the hosting location of other (non-critical) components?
Q9. What are your views on the proposal that operators should submit a risk assessment to assess whether the cloud platform will meet the LGA’s policies?
Q10. What are your views on the Authority’s proposal of introducing a kite mark which will be awarded by the Authority to those Cloud Service Providers that satisfy the Authority’s requirements on risk assessment?
Q11. What are your views on the Monitoring and Review of Kite-mark requirements on CSPs?
Q12. Do you agree that a licence application submitted to the Authority by a remote gaming operator should be fast-tracked if the cloud service provider has been approved by the Authority and granted the Kite-mark?
Q13. Do you believe that the risk register adequately identifies the new or heightened risks that cloud computing adoption brings with it?
Q14. Do you consider any of the measures proposed too onerous on the operators or on the CSPs?
Q15. Are there any other measures that the LGA should introduce in these Guidelines that can enhance the level of protection of operators’ and player data?
Q16. Are you aware of any other potential risk(s) that have not been covered in the risk register?
Q17. Are you aware of other constraints that could limit the wider adoption of these guidelines?
Q18. Do you believe that these recommended guidelines can be considered to be best practice to help operators protect data when migrating on to cloud environments?
Q19. Do you think that the scope and applicability of the guidelines are clearly defined?
Q20. Should the LGA consider any operators to be excluded from or outside the scope of these Guidelines?
Q21. Do you think that the Authority’s proposals adequately address the need to strike a balance between safeguarding the jurisdiction’s reputation, player protection, and the needs of remote gaming operators?
Q22. Do you think that the guidelines provide enough guidance to Remote Gaming Operators to adequately assess their obligations arising from these Guidelines?
Q23. Do you think that the critical components, as defined in this Paper, are sufficient to mitigate the new risks/heightened risks of cloud environments?
Q24. Do you think that the risk register compiled in this paper adequately addresses the new risks/heightened risk levels in relation to Cloud Computing adoption in the sector?
Q25. Do you have any other comments or suggestions which could help make these Guidelines as comprehensive and clear as possible?