What is the Malta Gaming Authority’s position with regard to Cloud Computing and Cloud Service Providers for iGaming?
The Malta Gaming Authority (MGA) recognises that cloud computing systems provide many commercial advantages to online gaming operators and licensees. Similarly, such systems provide benefits to the MGA as an online gaming regulator (in particular the “availability” attribute of security). However, cloud computing systems also bring commercial and regulatory risk (particularly to the “integrity” and “confidentiality” attributes of security, and to “jurisdictional” considerations). As with all online gaming operators that apply for an online gaming licence from Malta, online gaming in cloud computing systems also requires MGA approval.
Which type of cloud? Public vs. Private vs. Virtual Private (Hybrid)
The public cloud is based on shared physical hardware which is owned and operated by a third-party provider, the Cloud Service Provider (CSP). Such clouds are ideal for small to medium enterprises or those with fluctuating demands. Primary benefits of the public cloud include the speed with which you can deploy further resources such as RAM, CPU or bandwidth, and pay-per-use pricing.
A private cloud can be hosted either on-site or in a cloud service provider’s data centre. Such clouds are ideal for larger businesses or those with strict data regulation and governance obligations, for example a requirement that data reside in a particular location or that no other tenants share the same environment.
Virtual Private Cloud (Hybrid)
A Virtual Private Cloud is a more common type of private cloud computing solution, hosted in a multi-tenant environment where companies can still achieve network isolation while keeping costs to a minimum by buying hardware portions and creating private subnets. The hybrid cloud allows you to combine public with private cloud, leveraging what each type has to offer and getting the best of both. The public cloud can be used for non-sensitive operations while the private cloud can be used for business-critical operations.
The MGA requires that hosting locations in which licensees/applicants locate their technical infrastructure conform to a high level of information security and be subject to an Information Security Management System (ISMS) throughout the term of a gaming licence. When approving hosting in these locations, the MGA seeks high information security standards and levels, such as ISO/IEC 27001:2013 and ISO/IEC 27002:2013.
Various combinations of private, public and hybrid clouds are accepted by the MGA as long as the proposed architecture meets the principles contained in the MGA guidelines. It has been noted that virtual private cloud environments are the best option, since they can cater for a hybrid of private and public environments depending on the type of activity. Such environments will be allowed when the Authority is satisfied that the integrity and security of the critical components are not at risk.
Replication of data to a Maltese Data Centre
A licensed operator that opts to use a cloud environment to host the main critical components in a data centre located outside Malta should have real-time replication of the data generated under the Maltese licence to a Maltese data centre.
Any application proposal submitted to the MGA should include the following:
A. Details about the replicated database server including physical location, rack number and IP addresses;
B. Details about the connectivity to the live servers, including details of the security protocols in place for the transmission of data and a network schematic depicting the full picture;
C. Details on the type of data being replicated and its transmission frequency, including time lags, if any, between the Master Database and the Replicated Database in Malta. Such details should provide adequate assurances of real-time replication, security, confidentiality and integrity of data.
For the avoidance of any doubt, regulatory data that is to be replicated should comprise the player details, financial transactions and the game-play transactions.