Leveraging the Cloud to ‘Transform’ Cybersecurity at the Toronto Stock Exchange
By James Hayes
Bobby Singh, CISO and Global Head of Infrastructure Services at TMX Group, the technology provider at the heart of the Toronto Stock Exchange, is responsible for corporate IT systems and services, as well as all aspects of security, governance, risk and compliance. His role includes delivery of secure and highly available technology services across the organization, and as a member of its executive leadership team, he defines TMX Group’s cybersecurity vision and strategy. Singh brings a wide range of hands-on knowledge to his role, and holds CISSP, CISM, CISA and CPA designations.
Cloud Security Insights: There’s much buzz around enterprise “digital transformation” as both an IT vogue and a competitive enabler; arguably, we hear less discussion given over to how enterprise cybersecurity models should be reviewed/modified so that they are properly configured to protect newly digitalized business models.
Bobby Singh: It’s much easier to embed the right set of technology, processes and controls when you build something from scratch. That’s what the major cloud providers have done: built multilayer security controls into their offerings. By the time cloud was coming into existence, the major cybersecurity breaches — the likes of what Target and Sony experienced — were making headlines and cyber threats were gripping the media. This could have been a contributory factor in the development of secure cloud offerings.
However, it is important to note that all of this doesn’t excuse an organization from its cybersecurity responsibilities. Cloud providers may be giving us tools that are easy to use, but it is still up to us to properly design, test and maintain our security models. We are still ultimately responsible for the security of our systems and data.
In the drive to digitalize line-of-business platforms, do you see a risk of enterprises overlooking the need to embed security into the digital transformation process itself?
Singh: The risk of focusing on speed-to-market at the expense of security has always existed. However, organizations with the appropriate governance and right set of security processes and disciplines have managed this well. Organizations that lack key disciplines will not be able to become more secure just by moving to the cloud.
What is new with cloud solutions is the Shared Responsibility Model. Certainly, cloud providers have done well by providing a good set of security controls as part of their basic offering, plus additional optional controls that can be acquired at a cost. The availability of a broad menu of security controls makes it easier for organizations to consume the controls based on an organization’s risk appetite. But the success depends on the level of governance and management needed to ensure adequate oversight and assurance on the part of a cloud provider.
How does the TMX Group IT team build security into the DevOps process to allow for secure workloads for Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) models — and how are challenges around build and deployment solved?
Singh: Organizations with weak security principles and processes will struggle when they try to move to support security in DevOps. The expectation that projects be run using an Agile methodology, with a lack of segregation of duties, makes embedding security requirements much more difficult — but not impossible.
Some CISOs may look at this as an opportunity to develop and incorporate security that they were not able to in a traditional mode — so it represents a fresh start. TMX took a multi-pronged approach. Our cloud team consists of SMEs who are well-versed in security and have a security background. We morphed our existing security processes to accommodate the agility of the DevOps model by providing the DevOps team with tools and the means to be self-sufficient. They are trusted to choose appropriate controls from a preapproved tool kit, as projects require. However, the security team maintains governance and provides training, pattern solutions to new security threats, and a “second pair of eyes” review of the solution.
What guidance would you recommend to other IT change leaders engaged in transformative projects that involve developing a cloud-based security stack while transitioning from a traditional on-premises security stack?
Singh: Foundational principles, such as vetting of third parties, having the right governance, and asking for an appropriate level of assurance are not to be forgotten. Cloud can provide a great deal of agility, a deployment model that can be very fast, and it can hold and process a depth of data.
But cloud can also be very unforgiving. Misconfiguration or noncompliance to security industry best practices can cause havoc for cloud users. The main mistake could be to expect that basic cloud security covers all the needs of an application. Lack of project- or application-specific controls in the cloud security stack can lead to a major data breach.
As a CISO, you will need to decide what cloud security stack you want to build — all in the cloud or the hybrid model. This will be different for every organization based on risk appetite, the type of data and services the organization wants to consume, and how fast it wants to move to the cloud. Once the model is decided, a thorough RACI [Responsible, Accountable, Consulted and Informed] chart between the key stakeholders, including the cloud provider, will certainly help clarify security roles and responsibilities.
Threat intelligence-led penetration tests are becoming common to enterprises with data centers and other IT resources that are on-premises. What role and value do you believe such pen-testing programs may also have for cloud services providers?
Singh: For Software-as-a-Service (SaaS) applications, the contracts with the respective application owners should include language about vendor responsibilities to test and maintain the security of their SaaS applications. For IaaS and PaaS services, the pen-test activities should continue. As much as we want to rely on assurance by the cloud provider, an organization, from time to time, needs to do its own validation tests. The tests should validate the effectiveness of both the basic controls offered by the cloud provider and the supplemental controls that the organization is responsible for under the Shared Responsibility Model.
Organizations should have a risk assessment plan for the cloud similar to what you will have for an on-prem deployment. This goes beyond threat intelligence, but in the event of a mistake or a hack, having a well-tested incident management plan between the cloud provider and the users is, I believe, a must.
You also are a CIO Association of Canada (CIOCAN) Blockchain Advisory Board member. From your perspective, what are the primary security challenges that having more global wealth exchanged as digital currencies (and cryptocurrencies) — via cloud platforms — present to national finance sector institutions, such as the Toronto Stock Exchange?
Singh: Blockchain and cryptocurrencies are truly bleeding-edge technologies. The experience of recent years indicates that, despite the proven security algorithms used in these technologies, the overall business solutions are not immune to security attacks. The main challenges are in developing bug-free smart contracts, and securing the cryptocurrency exchanges and the end points. Security concerns, however, are not an inhibitor for new business models. TMX Group, like other financial institutions, explores and studies these technologies, runs pilot projects, and develops new initiatives to enhance its service offering and meet the evolving needs of our clients.
Complete business solutions of the kind often defined as “disruptive technologies” will depend not only on enhanced security, but also on more clarity regarding the regulatory environment, legal framework, taxation models and — last, but not least — public understanding and appetite for the risks involved.
As a solutions provider, TMX Group has evolved from an exchange operator to constituting an ecosystem of markets and tools designed to support global businesses’ and investors’ needs and goals. In this journey, how far ahead does your purview as the company’s CISO and Global Head of Infrastructure Services extend — and what do you see?
Singh: Our corporate vision is “To be a technology-driven solutions provider that puts clients first.” In practical terms, this means that we develop solutions based on a two-track approach: we maintain continuous awareness of technology developments that have the potential to enhance the quality and efficiency of our services, and we consult with our clients to make joint decisions on which technologies and initiatives to adopt in order to strengthen the Canadian financial sector.
Given the speed of technology evolution, we tend to focus on three-year planning cycles, which are adjusted periodically through industry consultations. Certainly, cloud technology, artificial intelligence, big data analytics and blockchain are some of the domains that are likely to cooperate to give birth to new business models and opportunities.
James Hayes is a freelance editor and journalist covering enterprise ICT and business technology.