Many lotteries already use Software as a Service applications in their operations, with a more limited but growing number using Infrastructure as a Service providers. This shift naturally prompts the question: What change in risk does migration to the cloud present?
The WLA Security Control Standard (SCS) gives requirements in this regard for lottery operators and lottery technology suppliers hosting in the cloud, to ensure the cloud environment (both provider and consumer aspects) is compliant with the ISO/IEC 27017 international security standard for cloud environments. Further guidance available in the WLA SCS Code of Practice details that compliance with the Cloud Security Alliance® Cloud Controls Matrix (CSA CCM) is an acceptable alternative to ISO/IEC 27017 and a great source of best practice on cloud security.
Things to consider
Why is this important? Doesn’t use of the cloud just mean you’re using someone else’s computer? Well, the paradigm of cloud computing is sufficiently different that it requires specific consideration from a security perspective.
Lottery operational teams will likely need different skills, with an increased requirement for those who can write code, and technology service delivery processes will probably need to be uplifted. Third-party security risk management may also need to evolve to provide supply chain assurance, while the link between the security and legal teams will likely need strengthening to ensure appropriate legal agreements are in place.
If lotteries choose to embrace modern ways of working, such as introducing DevOps or site reliability engineering roles into their teams, then the associated access required will break the separation of duties that might have traditionally been in place. This will lead to considerations about what compensating controls are required to maintain lottery game integrity.
Assessing risk according to cloud type
The extent to which the security risk needs to be managed depends on the type of cloud being leveraged and the data/service that is being run in the cloud. A private cloud being used to run data science models to identify potential responsible gaming issues has a very different risk profile from an instant ticket stock management system being run as Software as a Service. These are different again to a lottery digital channel and central gaming host being operated on Infrastructure as a Service.
As lotteries’ use of cloud computing evolves, so will the WLA Security Control Standard and associated best practice guidance, to provide all stakeholders with assurance of the integrity of lottery games whatever technology they are run on.