Consultation Feedback Summary

The Malta Gaming Authority (MGA) is publishing a summary of the responses received for the public consultation on Cloud Solutions for the Remote Gaming Industry, as submitted by respondents.


Respondent 2   

  • Same initial risks for running public cloud internally or own servers (human errors).
  • Reputable public cloud will give expertise not found locally.
  • Going to public cloud should be very controlled especially what will be stored.
  • Public cloud gives a new level of redundancy.

Respondent 3

  • Challenge the level of detail and/or differences between the various models.

Respondent 5   

  • Small scale operators are eager to utilise cloud technologies. Understood that momentarily cloud is fraught with risk.
  • Agree with the authority’s proposal for certification of CSPs.

Respondent 6   

  • Data location & jurisdiction risks.

Respondent 8   

  • Wrong impression that private cloud environments should be the default option for gaming operators.
  • Public cloud safer than private.
  • More important to have a reliable CSP rather than favour one cloud model over another.
  • Private cloud over public cloud has Financial (level of Investment) & Technical difficulties such as location, policies, business models, certifications, 3rd party validations, security practices, level of experience, vulnerability due to scale and others.
  • Speed of development, access to resources and information, integrations with existing and future systems are all considerations for Hybrid Cloud.
  • CSP must be able to confirm where data is located.
  • Demonstrated ability of the SLAs provided to comply with applicable Maltese standards and laws.
  • Flexibility for Governance is not a relevant consideration. Large CSPs implement security mechanisms & procedures based on the most advanced, world class standards and practices. These should be applied in a consistent and standard manner, not subject to arbitrary modification.
  • Risk of data loss exists with all CSP models.
  • MGA needs to separate unjustified and unspecified fear of moving sensitive data to the cloud from fact.
  • Applicable law and jurisdiction determined contractually so the parties are clear on what is the governing legislation.
  • If the CSP gets sued, the owner of the data is and shall always remain the client.

Respondent 9   

  • Laudable & welcome.
  • Imposing controls on Cloud based operations needs MGA monitoring.
  • Asks how many operators already use Virtual Machine or Cloud service?
  • Consultation will get some scepticism from abroad and from local experts.
  • Some B2B platforms host both licensed and unlicensed operators already – What happens here?
  • Referring to MGA HR, licence iGaming in cyberspace is unwise unless matched by strong real world controls.

Respondent 10

  • Risks mitigated by security measures and separation of data to an individually identified section of the cloud.

Respondent 13

  • Clearer explanation of each risk; data location & jurisdiction risks need to be reconsidered.

Respondent 1   

  • Physical Location of data

Respondent 2   

  • Competence availability

Respondent 3   

  • Add “residual risk” – identified and retained
  • Indication on risk tolerance thresholds
  • Geographical location of the cloud service provider

Respondent 5   

  • Data Protection Risk due to servers residing in 3rd World Countries

Respondent 6   

  • Data tier residing in the jurisdictional scope of the Authority; control of the customer data, the log files and actions is all under scope of the Authority

Respondent 8   

  • The overview did not address the significant, and demonstrated, risks of private cloud infrastructure models

Respondent 9   

  • Physical location of data (e.g. Data Centres in USA)
  • Risk of Cyber Warfare
  • Transit over the Internet by “tokenisation” – Sensitive Data
  • Environmental Events – e.g. Earthquake; emergency backup routes are limited and slow
  • B2C “lock in” with B2B due to problems in migrating to a new service provider without loss of data
  • MGA should host an encrypted backup of all live licensees in a robust Private Cloud under its control
  • Consider licensing SaaS operators
  • Operators/licensees making use of the cloud should manage their data governance and operational risks

Respondent 10

  • Need to consider Reputation Risk that may be tarnished due to Licensee / Cloud failure

Respondent 11

  • Dependency risk of a SaaS Provider over other CSPs in the underlying layers (e.g. IaaS and/or PaaS) – Visibility Risk

Respondent 13

  • Need more detailed explanation

Respondent 14

  • Increased complexity and costs associated with that complexity for any organisation that makes the leap onto a Cloud

Respondent 3   

  • Relevant to the scope of these guidelines
  • The possibility of a single certification of the integrated service is yet to be explored. The costs are likely to be more than cumulative and in essence duplicated when a service provider is already individually certified

Respondent 7

  • Relevant for some uses of cloud solutions and not at all for others; “Overreaching application of PCI standards”

Respondent 8   

  • Base its guidance on established, objective, independent and verifiable international standards – ISO 27018
  • Cloud service providers adopting the new standard must operate under a stronger, industry-wide framework of key principles: Consent, Transparency, Accountability, Communication, Compliance, and Control

Respondent 9   

  • Review the old SAS70 (later SSAE16) concept which has been internationally adopted in the Financial Services sector
  • Data Centre or CSP can be individually ISO-27001 or PCI DSS compliant and yet still fail to provide services that are secure

Respondent 11

  • Other standards or reporting mechanisms that are worth considering include: SOC Reporting: The SOC 1 Type 2 and Cloud Security Alliance

Respondent 13

  • Worth examining the Cloud Certification Scheme List issued by ENISA
  • Certifications that carry out deep in-depth analysis of data security (e.g. “Certified Cloud Service”) rather than certifications that focus on consistent approaches of managing quality, i.e. ISO/IEC 27001

Respondent 6, Respondent 10  

  • ISO 27001:2013 and PCI DSS are established standards that have been applied to make similar systems secure

Respondent 1   

  • All standards should already be in place

Respondent 3   

  • The possibility of a single certification of the integrated service is yet to be explored. The costs are likely to be more than cumulative and in essence duplicated when a service provider is already individually certified.

Respondent 5   

  • The cost of compliance with both standards mentioned can be quite high
  • Review other standards with the same or relatively the same level of assurance without such impact on cost

Respondent 6   

  • Aim for licensees above a certain level

Respondent 7   

  • Need to know the scope

Respondent 8   

  • To include ISO 27018
  • Documented compliance with the European Data Privacy Directive and other similar international regulatory standards

Respondent 9   

  • Most B2C and B2B licensees of LGA would struggle to reach ISO-27001:2013 now
  • ISO-27001 certification scope can be restricted to just a part of the whole ICT system
  • Easier to obtain than to maintain certification
  • Little certainty of end-to-end security due to outsourcing
  • Lack of certifying skills in Malta for the ISO-27001 standard
  • MGA needs to also commit to certification of all its internal information systems

Respondent 10

  • “Industry standard”: there should be little or no additional costs

Respondent 11

  • Standards already demanded by Financial Services

Respondent 13

  • Companies across industries strive to achieve such certification and reach a satisfactory level of compliance
  • Resources and time required to build processes and make alterations to the existing set-up
  • Audit checks and compliance reports are particularly lengthy and intrusive affecting every day operations
  • Extraordinary financial burden

Respondent 14

  • Manageable for existing licensee
  • Great test to uncertified organisation to verify if it is mature enough to be a Remote Gaming Operator

Respondent 1   

  • Fair and reasonable

Respondent 2   

  • Publicly available cloud for CDN (Content Delivery network), landing pages, informative websites etc
  • Websites – Closer to the players
  • Data for analytics – more capacity in a public cloud but used as anonymous data
  • Info Data, e.g. Odds and events available for Sports betting

Respondent 3

  • The MGA is seeking to allow operators and CSP providers to adhere to the MGA’s policies and processes in the most suitable, feasible and appropriate method
  • Reverse the migration of more systems from Malta and encourage new companies to use local and similar ICT facilities
  • Proposals for guidelines to “regulate” cloud solutions: BMIT believes that apart from the risk logic that rightly underscores the policies, a regulatory objective logic should equally underscore this policy without stifling functionality and the exploitation of benefits cloud solutions provide for

Respondent 5   

  • Considering benefits of Cloud & Listening to need of iGaming

Respondent 8   

  • MGA should take a broader view of the business and technical aspects of the CSPs to have a balanced and appropriate assessment

Respondent 9   

  • Significant gap in the “Critical Components” listed i.e. all the metadata relating to controls!

Respondent 10

  • Support position – ensure the online gambling industry is able to take advantage of technological developments and continue to innovate; operators must be able to develop their use of cloud computing

Respondent 13

  • Risk specific-oriented approach
  • Exact position on cloud computing
  • Properly regulated framework for all technological options including Cloud, would credit the Authority as having a much more flexible framework

Respondent 14

  • Position is well-balanced and reasonable
  • The division of components is pragmatic and progressive

Respondent 1   

  • Agree add systems/applications processing financial transactions

Respondent 2   

  • Agree only player data in the public cloud must be anonymous

Respondent 3   

  • The ‘logic’ that will govern the new perimeter/s and subject to assessment is not defined
  • MGA must also issue minimum standards for co-location

Respondent 9   

  • Agree that Personal Player “Core Data” needs to be protected
  • “Game engine” software & associated pay-out tables – Should be Cloud Computing
  • Problem for future RNG aimed at mobile devices
  • Regulators must ensure that Licence conditions do not render legal services less attractive than the illegal competition

Respondent 10

  • Mostly Agree, Disaster Recovery Databases should not be included here

Respondent 13

  • Terms described are fairly generic

Respondent 14

  • Component D redundant – falls under B & C
  • Debating whether to include general operational log data or not

Respondent 1   

  • Disagree – Public cloud carries more risk, but it should not be ruled out entirely

Respondent 2   

  • No immediate need to run Cloud Computing from a public cloud today

Respondent 3   

  • Geographical location of any CSP is extremely critical
  • Develop a regulatory and fiscal environment which actually promotes the applicability of specific incentives

Respondent 5   

  • Critical data should be stored on Private Cloud due to Location, Legislation

Respondent 6   

  • All clouds must either be a Private cloud or a Hybrid of Cloud and locally DC centred elements within the Authority’s control

Respondent 8   

  • “Hosted on Private Cloud”: not appropriate and not in the interest of the Authority or its clients

Respondent 9

  • Avoid discriminating against those operators with an existing investment in traditional infrastructure who are not yet willing to move to a Private Cloud environment
  • Position needs clarification in terms of the definition of “Private Cloud” to be applied
  • Defined the difference between Control System and Gaming System in the existing RGR
  • Consider the costs of excessive segregation

Respondent 10

  • Tenant separation is an essential component of security and must be pursued

Respondent 13

  • Disagree – As long as they have certification, other models should be allowed

Respondent 14

  • No Objection

Respondent 1   

  • Non-critical components can be hosted on other cloud types, without a separately defined security standard

Respondent 2   

  • Website, Registrations, Payment (deposits and withdrawals) will still exclusively be run from private servers in Malta

Respondent 3   

  • The location of infrastructure and systems in Malta will assist in attracting much more investment to Malta

Respondent 4   

  • The operators’ web front end servers can now be in a shared cloud whilst back end in a dedicated one

Respondent 5

  • No Objection to use the cloud for other components

Respondent 7   

  • Needs further consideration

Respondent 8   

  • Public CSP that have the resources, ability and business interest in ensuring the highest levels of security and compliance required

Respondent 9   

  • Commercial issue which the Regulator should avoid having any opinion on

Respondent 10

  • Critical components should be secure and regulated operators should be able to assess the risks of using other cloud computing technologies and employ them accordingly

Respondent 13

  • The individual demands of the business should be allowed to be used for non-critical components

Respondent 14

  • “Web servers, displaying informative web pages, landing pages and application servers” also be hosted in private, non-Cloud infrastructures? Restricted to External Public cloud?

Respondent 1

  • Fair and reasonable

Respondent 3   

  • Rigorous risk assessments, coupled with a low risk tolerance threshold, are in themselves the best approach to mitigate jurisdictional/reputational risks at this stage of policy formulation

Respondent 5   

  • This would delay the operator’s approval and make Malta uncompetitive as a jurisdiction

Respondent 6   

  • Focus on ISO
  • Preferred List should be created

Respondent 7   

  • Reasonable

Respondent 8   

  • MGA should define its policies based on already established internationally recognized standards and regulations

Respondent 9   

  • This seems a reasonable and inexpensive requirement
  • MGA’s own senior staff are comfortable with Risk Management and apply these concepts internally in order to gain experience
  • Risk assessment must not become just another “compliance task”

Respondent 10

  • There should be no concerns about sharing that assessment with the regulator as long as it is confidential

Respondent 12

  • MGA should provide a checklist

Respondent 13

  • Welcome the initiative of MGA to consult before any large financial or resource investments are made by the interested party
  • Proposal would depend on the timeframes and expediency expected for this process
  • Adopt a more flexible outlook of cloud computing solutions

Respondent 14

  • Safeguard before jumping onto a Cloud

Respondent 1   

  • KM will speed up the overall approval process

Respondent 3   

  • Agree, must be also upgraded & reviewed in time

Respondent 7   

  • Concerned that ISO 27001 and PCI DSS compliance will become a requirement for everything

Respondent 8   

  • Advantageous for CSPs to be designated by the Authority as complying with its requirement
  • “Pre-approved” entities which will assist operators in obtaining the MGA’s approval

Respondent 9   

  • Re-Inventing the wheel
  • Find existing standards: SSAE16, ISACA (COBIT)

Respondent 10

  • Awarding a kite-mark should be transparent and accessible
  • Should be awarded by MCA as a non-gaming regulator

Respondent 11

  • Kite mark might be too generic or may not be in the MGA’s interest to have a blanket application

Respondent 12

  • Keep kite-mark process as transparent as possible

Respondent 13

  • Other international respected standard certificates should be regarded equally to the LGA kite mark
  • Avoid multiple redundant certifications

Respondent 14

  • Great initiative through which you would show that you take responsibility of the whole industry

Respondent 1   

  • Follows the standard recertification process of ISO/PCI

Respondent 5

  • This security audit should be incumbent upon CSPs

Respondent 7   

  • Difficult to answer without knowing who is a CSP
  • Same administrative burden in terms of monitoring and review of the kite mark

Respondent 8   

  • Unnecessary for the Authority to define separate policies relative to Monitoring and Review of CSPs

Respondent 9   

  • Risky! There is not enough maturity in the operators or the CSPs yet

Respondent 10

  • Welcome & Essential

Respondent 11

  • Already in place with reputable CSPs through the SOC 1/2 reporting mechanisms
  • Assurance should be provided by service providers to operators and regulators

Respondent 13

  • Important elements for the sustainability and respect of the standard
  • A situation of overly burdensome certification and audit should be avoided

Respondent 14

  • Operators favour the CSPs awarded Kite-marks over unmarked competitors

Respondent 3   

  • Yes, however this should not compromise the safety, security and integrity of whole system

Respondent 5

  • Prefer to see that all operators are on a level playing field

Respondent 7   

  • Fast track seems reasonable

Respondent 8   

  • Advantageous for applicants to benefit from

Respondent 9   

  • Kite-mark is less important than a data sharing agreement and secure interface between the parties

Respondent 11

  • Applicable if the operator completes the risk assessment effectively

Respondent 13

  • The licensing process of an operator should not be affected by the processes, standards, security settings etc of the cloud service provider

Respondent 14

  • Listening to your Licensees and what CSPs might show an interest in, and consider those for risk assessment

Respondent 1   

  • Agreed, but with the addition of data storage location

Respondent 3   

  • Not all identified risks pose the same extent of threat to the gaming operation
  • Such weighting system and definition of risk thresholds and/or indeed the criteria on which these are established should be published in advance

Respondent 7   

  • Mostly be addressing risks with public cloud computing

Respondent 9

  • The Risk Register proposed is well articulated and comprehensive
  • Inability to prosecute any licensee
  • Data loss due to delayed payment of the CSP
  • Synchronisation errors
  • Human errors
  • Accidental Hosting – e.g. USA
  • Disruption of MGA licensees operations by hostile governments

Respondent 11

  • Need of more detailed exercise
  • Through Cloud Security Alliance or ISO 27017

Respondent 13

  • Good first step
  • Should be elaborated

Respondent 14

  • Good start
  • Would presence in the Cloud really increase the dependency on internet connectivity for operators making their living on the Internet?

Respondent 3   

  • MGA needs to raise the bar and set the standard for other jurisdictions to follow suit

Respondent 5   

  • Positive – good compromise can be reached

Respondent 7   

  • Overuse of standards would mean administrative burden in that cloud services would become impractical

Respondent 8   

  • Preference for private cloud is inappropriate and not in the interest of the Authority or its client
  • No need for re-vetting of previously approved services of entities

Respondent 9   

  • Licensees must compete with unlicensed operators

Respondent 12

  • What happens if a previously known-good cloud provider is acquired by an aggressive competitor with known-bad reputation or inadequate processes?

Respondent 13

  • Other international respected affiliated standard certificates require similar or stronger measures
  • The cost of obtaining the kite mark would be further exacerbated if internal investments are needed to achieve compliance

Respondent 14

  • Too early

Respondent 1

  • Appropriate security standards are met for connectivity between CSP and operator
  • All client requests outside of a secure connection should be encrypted

Respondent 3

  • Does not think that at this stage one could add standards certification
  • Security: in due time follow EU level, as they are not yet finalised

Respondent 8

  • ISO 27018, documented compliance with the EU Data Protection legislative requirements

Respondent 9

  • Centralise all logs in a single 24×7 operations centre where events can be reviewed by analysts and experts

Respondent 12

  • Requirements for migrating gaming operations between cloud providers

Respondent 13

  • Any additional measures might undermine the flexibility of cloud computing environment set-ups

Respondent 14, Respondent 10

  • Update the Guidelines regularly

Respondent 3   

  • Regulatory objective logic
  • Residual Risk

Respondent 9   

  • Capacity Planning by CSP
  • Lack of digital forensic skills in Malta
  • Over-reliance on storage / transmission Encryption
  • Lack of CSIRT support / awareness in Malta

Respondent 11

  • The exit process should the operator decide to switch CSP or terminate the services of CSPs completely

Respondent 13

  • Need further explanations on some of the individual risks and how comprehensive it will be as part of the risk assessment process

Respondent 14

  • Risk of an operator overestimating the profits
  • Underestimating the cost of increased complexity by extending one’s business to the cloud

Respondent 5   

  • Data protection issues are to be considered, unless they are local clouds

Respondent 7   

  • Different regulations, conflicting requirements from different regulatory authorities

Respondent 8   

  • The implementation is subjective

Respondent 9   

  • iGaming operators might not be welcome by all CSPs!

Respondent 10

  • If the kite-mark provider is the gambling regulator then the value might be diminished

Respondent 13

  • Consider the licensing and compliance requirements in other jurisdictions

Respondent 3   

  • The risk assessment to be required addresses also the migration process, separately, and under the same safety, security and integrity objectives defined by the authority

Respondent 8   

  • Should be more neutral and not show preference for private CSPs
  • Best Practice – leveraging and building upon the evolving and advancing body of international standards and regulations

Respondent 9   

  • No, “Best practice” and “Next Practice” are not the same
  • Technical limitations that still apply: Encryption
  • Virtualisation tends to inflate the gross system storage required by tenfold
  • Orchestration slows processing

Respondent 13

  • Great step

Respondent 6, Respondent 10, Respondent 14 

  • Must be actively updated

Respondent 1   

  • Guidelines in the consultation are high-level
  • Best Practice: standard ISO/PCI guidelines

Respondent 3   

  • Well defined – refining later

Respondent 4   

  • Good definition of difference between Shared Cloud and Dedicated Private Cloud

Respondent 5   

  • Measures to be taken by operators who wish to reside on the cloud should be more clearly defined

Respondent 6   

  • Exception Jurisdictional Control

Respondent 8   

  • No, CSP models are subjective and arbitrary in favour of private cloud models
  • Redundant with established international standards

Respondent 9   

  • Good but Definition of “Player Data” and “Private Cloud” require amplification

Respondent 13

  • Aspects of the proposal will have to be developed further

Respondent 7   

  • Based on how they use cloud services, rather than based on who they are

Respondent 8   

  • More detail needed

Respondent 9   

  • Keeping Live Casinos under more traditional controls may prove wise

Respondent 11

  • Should be flexible enough to allow the Regulator to apply such terms consistently

Respondent 13

  • Certain jurisdictions are infamous regarding their licensing and operational standards and procedures

Respondent 1   

  • Embrace the benefits of Cloud Computing, while maintaining the standards

Respondent 3   

  • Regulatory objective logic could and should be further underscored

Respondent 4   

  • Flexible Approach to the operators yet it maintains a level of control on the back-end
  • This policy plays an important role in Data Sovereignty

Respondent 5   

  • More flexible and accepting of cloud set-ups but not at the cost of player protection

Respondent 8   

  • ‘Potential risks involved’ in cloud computing should not unnecessarily delay or even preclude the obtaining of a gaming license
  • Doc focused more on potential risks rather than benefits of Cloud Computing
  • Cloud Service Providers themselves should be considered as an important stakeholder in the process

Respondent 9   

  • Moving technical operations into the Cloud may well clarify duties and improve professionalism
  • MGA must also tackle Non-Cloud issues

Respondent 13

  • Although further info is needed, the aim of striking concessions is achieved

Respondent 14

  • MGA trying to keep abreast with the evolving times

Respondent 1   

  • Those documented are high-level. It’s the addition of ISO/PCI requirements that offers detailed guidelines

Respondent 3   

  • Rightly focus on the process to be followed in assessing risk associated with cloud solutions but a case by case approach needs to be adopted
  • More information on: MGA Objectives re Cloud Computing; a uniform level of protection, safety and security is attained irrespective of the environment the operator employs for its operations

Respondent 4   

  • Perfect balance; the idea of assessing the Data centres with the Kite Certificates is very positive

Respondent 5   

  • Operators should be handed better defined guidelines

Respondent 8   

  • Guidelines do not contain sufficient information on the benefits and advantages of cloud computing and in particular, Public Cloud services

Respondent 9   

  • Good start, awaiting feedback

Respondent 10

  • Questions will arise, like separation and protection of customer data

Respondent 13

  • Further discussion needed

Respondent 3   

  • Identification of ‘critical components’ should be tied to the regulatory objectives and outcomes
  • Risk assessment and its appraisal by the MGA on a case by case basis

Respondent 8   

  • Any risks inherent in cloud computing will depend very much on the CSP in question – Doc should focus on CSPs; crucial distinction

Respondent 9   

  • No, MGA needs to be more pro-active and have access to live data

Respondent 11

  • Additional critical components are identified depending on the type of cloud deployment of a CSP

Respondent 13

  • Once clearer definitions are provided for critical components we would assess

Respondent 14

  • One has to do a deep analysis of what data would flow to and from services in the Cloud

Respondent 6   

  • Yes apart from security and jurisdictional control of Data

Respondent 7   

  • The scope needs to be properly defined

Respondent 8   

  • Consultation needs further refining

Respondent 13

  • Will need more info on the use of the risk register as incorporated in the process

Respondent 14

  • Register needs to be actively added to

Respondent 7   

  • Is anybody with a hypervisor or running a Virtual Server a CSP?
  • Will everything virtual be subject to ISO 27001 and PCI DSS?

Respondent 8   

  • Can help discuss in person

Respondent 13

  • Any guideline should be designed in accordance with the international standard description

Respondent 14

  • Clarify that it is perfectly OK to keep the critical components completely outside the Cloud

Respondent 15

  • Agree with the security recommendations

Respondent 6, Respondent 10  

  • A number of regulators have issued guidelines on the use of cloud technologies