Blog

Keeping lotteries secure in the cloud

Like all industries, lotteries have been starting to adopt cloud services to enable their operations. This represents a great opportunity for the sector to break free from the constraints of the normal technology investment cycles where ten years between significant upgrades is not uncommon. The cloud also presents other opportunities including to increase resilience, burst capacity for big draws or other events and to benefit from the expertise of companies who specialise in running lower layers of the technology stack.

Many lotteries already use Software as a Service applications in their operations with a more limited but growing number using Infrastructure as a Service providers. This shift naturally prompts the question: What change in risk does migration to the cloud present?

The WLA Security Control Standard (SCS) gives requirements in this regard for lottery operators and lottery technology suppliers hosting in the cloud, to ensure the cloud environment (both provider and consumer aspects) is compliant with the ISO/IEC 27017 international security standard for cloud environments. Further guidance available in the WLA SCS Code of Practice details that compliance with the Cloud Security Alliance® Cloud Controls Matrix (CSA CCM) is an acceptable alternative to ISO/IEC 27017 and a great source of best practice on cloud security.

Things to consider

Why is this important? Doesn’t use of the cloud just mean you’re using someone else’s computer? Well, the paradigm of cloud computing is sufficiently different that it requires specific consideration from a security perspective.

Lottery operational teams will likely need different skills, have an increased requirement for those that can write code, and technology service delivery processes will probably need to be uplifted. Third party security risk management may also need to evolve to provide supply chain assurance, while the link between the security and legal teams will likely need strengthening to ensure appropriate legal agreements are in place.

If Lotteries choose to embrace modern ways of working, such as introduce devops or site reliability engineering roles into their teams, then the associated access required will break the separation of duties that might have traditionally been in place. This will lead to considerations about what compensating controls are required to maintain lottery game integrity.

Assessing risk according to cloud type

The extent to which the security risk needs to be managed depends on the type of cloud being leveraged and the data/service that is being run in the cloud. A private cloud being used to run data science models to identify potential responsible gaming issues has a very different risk profile from an instant ticket stock management system being run as Software as a Service. These are different again to a lottery digital channel and central gaming host being operated on Infrastructure as a Service.

As the Lotteries’ use of cloud computing evolves, so will the WLA Security Control Standard and associated best practice guidance to provide all stakeholders with assurance of the integrity of Lottery games whatever technology they are run from.

About

By David Boda

Chief Information Security Officer for Camelot UK Lotteries Ltd., UK and member of the WLA Security and Risk Management Committee. David can be reached at david.boda@camelotgroup.co.uk

Legal notice

Media inquiries