23 August 2019
Communiqué

Reseller access to a cloud computing infrastructure

The CSSF would like to warn professionals of the financial sector of a practice to avoid when outsourcing on a cloud computing infrastructure.

When a professional of the financial sector uses a reseller of a cloud computing solution for an outsourcing project, the reseller may have administrator access to the client interface at the beginning of the project. This access allows the reseller to perform the complete management of cloud computing resources. The professional of the financial sector can thus call on this reseller for the initial configuration of the solution and subsequently take over the complete management.

However, in this configuration, the reseller may retain access to the client interface after having transferred the management to the professional of the financial sector. The CSSF informs professionals of the financial sector that this practice should be avoided because it results in unauthorised access to their cloud computing resources. In addition, this practice creates an increased risk for the financial sector if a reseller retains access to the cloud computing resources of several professionals of the financial sector without this being authorised (particularly in the event of a cyber-attack on this reseller).

The CSSF therefore asks professionals of the financial sector to restrict access to the client interface to the resource operator only, and to ensure that resellers’ access is removed if they are not authorised to operate the resources (for example, by deleting the account that was initially used by the reseller or at least by recovering ownership of this account and changing its password).