Singapore’s MAS and the Role of Confidential Computing in a Regulated Financial Industry

Published on Mar 23, 2023

As the regulatory body overseeing financial institutions in Singapore, the Monetary Authority of Singapore (MAS) has set an ambitious goal of transforming Singapore into a "Fintech Nation." To achieve this goal, the MAS has implemented measures such as developing a large talent pool, creating an open architecture economy, strengthening cybersecurity measures, and fostering innovation. As a result, Singapore's financial services industry has experienced rapid growth, with public cloud technologies being a key contributing factor according to industry experts. However, this growth has also increased the need for stronger security measures to protect sensitive data.

Part of the MAS’s regulatory work is its Technology Risk Management (TRM) Guidelines, which recommend principles and best practices for financial institutions to establish a robust technology risk management framework. This includes ensuring the security, reliability, resiliency, and recoverability of the financial institutions' systems and deploying strong authentication processes to protect customer data, transactions, and systems.

In June 2021, the MAS issued new guidelines on Data Security and Cryptographic Key Management recommending specific security measures when using the public cloud to protect data in all three states (at rest, in motion, and in use), including the implementation of Confidential Computing solutions for protecting data in use.

Screenshot from page seven of the MAS guidelines

While protecting data at rest and data in motion with encryption technologies is nothing new, MAS’s recommendation of protecting data in use with Confidential Computing solutions is a novel approach and one that the MAS should be commended for. However, it is also a reminder that in a cloud environment, security is a shared responsibility between the provider and the customer, which introduces new risks. While more traditional security methods are essential, they are insufficient if people external to your organization have root access to the compute layer, making it possible for them to extract code, data, and secrets and launch secondary attacks on encrypted data.

Other government agencies across the globe have also advised the implementation of Confidential Computing technologies to protect sensitive data. The European Union Agency for Cybersecurity (ENISA) states in its Data Protection Engineering report that "Trusted execution environment (TEE) can play a key role in protecting personal data by preventing unauthorized access, data breaches, and use of malware." Similarly, the US Cybersecurity & Infrastructure Security Agency advises organizations to "consider running (5G) containers in TEEs to reduce the attack surface for containers, and to keep service providers and malicious insiders outside the Trusted Computing Base." As guidelines like these become more widespread, they are likely to be included in regulations, such as those of MAS.

Confidential Computing is an emerging approach to data security that protects data while it is being processed. This is made possible by new CPU hardware available with all cloud providers that allows computation inside isolated and attested Trusted Execution Environments. These “secure enclaves” prevent unauthorized access or modification of applications and data while in use regardless of infrastructure access privileges, increasing security assurances for financial institutions storing sensitive and regulated data in the cloud.

While advancements in hardware have made Confidential Computing possible, Anjuna Confidential Computing Platform offers a solution that makes the implementation of Confidential Computing easy across applications, clouds, and chipsets. With Anjuna, applications, legacy or cloud-native, can be protected on any cloud without the need for code changes. As a result, Anjuna can help financial institutions achieve a range of business goals, including:

  • Migrating sensitive core banking functions to the cloud to improve agility and scalability
  • Modernizing mainframes with cloud-hosted ODS layers to increase elasticity and dramatically reduce costs on MIPS
  • Analyzing customer data in the cloud to uncover valuable insights and drive growth
  • Building new, inherently secure cloud services that delight customers
  • Simplifying and ensuring compliance with data privacy regulations, such as that of MAS

The MAS plays a vital role in safeguarding the financial services sector in Singapore through its guidelines, notices, and regulations. MAS's recent guidelines on Confidential Computing and its role in protecting data in use serve as an admirable step towards promoting stronger security measures. With Anjuna Confidential Computing Platform, financial institutions have an “easy button” solution to embrace this model, enhance security and ensure compliance.

If you want to learn more and see Anjuna in action, watch our live demo.
