Understanding Monetary Authority of Singapore’s (MAS) Guidance: Safeguarding Your Financial Institution’s Cloud Environment

TL; DR:

As a major financial hub in Asia and globally, Singapore is very aware of the challenges facing the financial industry, especially the accelerated digital transformation that stemmed from the COVID-19 pandemic. 

In response to the sector’s increased exposure to cloud technology, the Monetary Authority of Singapore (MAS) has released a guideline to address cybersecurity risks associated with the adoption of public clouds. The MAS/TCRS/2021/03 advisory breaks down how Singaporean financial institutions (FIs) should manage cyber risks and strengthen cyber resilience as they onboard software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) solutions.

To help FIs securely take advantage of the cloud, I’ll break down for you how cybersecurity challenges have evolved, major considerations called out by the guidelines and what solutions to consider.

The threat surfaced has expanded exponentially

FIs have long topped the list of high-value targets for cyber adversaries due to the assets and sensitive data they hold. But these organizations have become more exposed than ever. While digital transformation has been going on for many years, FIs had the luxury of taking it slowly. But just like other industries, the financial industry had to rapidly adopt SaaS and IaaS to continue operating and service their customers due to the pandemic.

Unfortunately, while remote work and virtual services were relatively easy to set up, legacy security tools remained in place. Compared to when everything was neatly housed inside a network perimeter, FIs no longer have visibility nor control over their data. Employees now work from anywhere, accessing sensitive information with unmanaged networks and endpoints, including bring-your-own devices (BYOD) like tablets and smartphones.

What did the MAS advisory recommend?

Cognizant of work-from-anywhere becoming the norm for most organizations, the MAS advisory provides detailed recommendations on what FIs should do before adopting public cloud services.

At a high level, here are some key takeaways:

  1. Developing a public cloud risk management strategy that takes into consideration the unique characteristics of these apps and services.
  2. Implementing strong controls in areas such as Identity and Access Management (IAM), cybersecurity, data protection and cryptographic key management.
  3. Incorporating public cloud into security operations, ensuring IT and security teams are able to handle risks and workloads from SaaS apps. 
  4. Develop strategies for managing concentrated risks from outsourcing and vendor lock-in as it relates to SaaS and IaaS.
  5. Train or onboard SaaS experts to ensure the proper management of public cloud-related workloads and risks.

How do I start aligning to these recommendations?

There are countless security vendors out there that solve unique challenges of cloud environments, but they often don’t work well with each other. This is why I encourage FIs to look for an integrated solution that is able to meet all the MAS recommendations. Not only will this streamline operations and costs, it also enable your organizations to have integrated insights and controls over your cloud-related activities.

Here are key capabilities to look for when onboarding a solution to safeguard your organization:

Full visibility, control and assessments

To safeguard SaaS apps, you need a cloud access security broker (CASB) that has integrated capabilities to assess security postures and resolve security gaps. Lookout CASB has native Cloud Security Posture Management (CSPM), which performs automated assessments of your cloud environments to prevent misconfigurations. The solution includes auto-remediate issues and reduces operational complexity. It also integrates seamlessly with security information and event management (SIEM) solutions to work with existing threat monitoring workflows. 

Identity and context awareness

To support MAS’s recommendation of strong controls, FIs should have the ability to continuously assess risks from its users — including information from IAMs — the endpoints they use, as well as the sensitivity level of the apps and data they seek to access. Lookout Secure Access Service Edge (SASE) platform has telemetry from all of these entities. As a result, we enable organizations to make smart and granular access decisions that safeguard sensitive data without hindering productivity.

Encryption and key management 

Ensuring that sensitive data isn’t intentionally or unintentionally leaked, you need encryption options on all levels. Lookout SASE solutions, including its CASB, have advanced data protection capabilities that include data loss prevention (DLP) and enterprise digital rights management (E-DRM) as well as exact data match (EDM) and optical character recognition (OCR). 

Lookout also provides encryption key management capabilities, enabling organizations to have full control over who has access to its encrypted data.

Incident and analysis response

To fully safeguard your data and cloud adoption, organizations also need to have a deep understanding of how its users behave, and to spot high risk activity. Lookout SASE has native user behavior and entity analytics (UEBA), enabling security operations teams to swiftly detect insider threats and compromised-account activities.

Embracing the cloud requires an integrated approach

Regulations and compliance standards can be overwhelming for any organization. As FIs increase their reliance on SaaS and IaaS, I encourage them to use the MAS advisory as a guidance and look for security solutions that are able to support all of its recommendations.


Here at Lookout, we have built an integrated platform that includes CASB, Zero Trust Network Access (ZTNA) for private cloud and on-premises apps and endpoint security. With everything converged, we enable organizations to deploy a Zero Trust architecture and regain the visibility and controls they once had.


You’re not alone on this journey to secure your cloud-first organization. Download our MAS Compliance Brief to learn more about how Lookout can help.

Lookout delivers endpoint-to-cloud Security