Guidelines on Technical Infrastructure hosting Gaming and Control System – Factsheet
Purpose and Background
Online gaming network infrastructures vary among operators: some operators may choose to locate their servers in jurisdictions other than the one in which the remote gaming operator is licensed, and the infrastructure may be owned or outsourced. Each arrangement gives the operator a different degree of control and therefore carries different requirements with respect to the proper governance of an online gaming operation.
One of the core functions of the Malta Gaming Authority (MGA) is to ensure adequate supervision over an operator's gaming and control system, with the main objective of safeguarding player and regulatory interests. The MGA must be able to carry out its supervisory functions at both the pre-licensing and post-licensing stages, and to do so it needs timely access to all regulatory data.
Technical infrastructure located in Malta allows for timely audits and investigations, which in turn support operators' own checks and improve compliance performance.
The guidelines are intended to update the MGA’s approach when implementing its regulatory requirements and procedures with respect to technical infrastructure. Operators and other providers will be guided as to what the Authority’s compliance objectives are, along with what the MGA takes into account when evaluating an applicant’s, or a licensee’s technical set-up.
A more principle-based approach, which takes a risk evaluation into account, will be used. A proposal will be accepted and approved by the MGA only after an assessment has been made of the risks that the proposal poses.
Principles and Regulatory objectives
The physical technical infrastructure and its location are an important means of ensuring that regulatory data, and the infrastructure on which it is hosted, are safe, secure and accessible at all times for compliance, consumer protection and business continuity purposes.
The integrity and security of regulatory data must be ensured at all times. Moreover, financial transaction logs must be accessible at all times. Personal, gaming and financial data must be handled in line with data protection rules.
Implementation and conformity with objectives
Integrity and security
Licensees/applicants are to provide details of the technical infrastructure, including a network schematic showing all the hardware and virtual machines in operation together with their respective internal IP addresses. Moreover, all the geographic locations and addresses of the premises where the technical infrastructure hosting gaming systems, control systems and regulatory data will be located must be provided.
Where a licensee/applicant intends to maintain systems in a cloud environment, the applicant must provide the MGA with a complete list of all geographic locations and addresses of the premises where the infrastructure may or will be used.
When assessing a proposal or application, the MGA will take into account the geographic location of the critical components. A component of an operator's system is considered 'critical' when it presents an increased regulatory and/or business risk in terms of integrity, safety, privacy or compliance. The following are considered to be critical components:
- Random Number Generators (RNGs);
- Jackpot servers;
- Player database servers;
- Financial database servers; and
- Any other component deemed by the MGA to be critical within the system organisation of the operator.
Furthermore, the MGA requires that the infrastructure be located in Malta, and/or in any EEA member state, and/or in any other third-country jurisdiction where the MGA is satisfied that the same principles can be upheld.
If operators wish to use a cloud environment for hosting all or part of their critical components, they need to conduct a risk assessment within the risk management framework and process described in ISO 31000:2009, and the core elements of the risk management process set out in that standard should be included.
The MGA's review will be based primarily on the operator's submitted risk assessment, with particular attention to the following risks:
- Loss of governance. This risk also takes into consideration the changes to the Cloud Service Provider’s (CSP) terms and conditions and service levels whilst an operator is making use of its services. Such changes may also be a result of the CSP being acquired by a third party.
- Inadequate maintenance of the systems and underlying infrastructure managed by the CSP.
- Leakage of data during transfer within the cloud, between the operator and the cloud, or between the player and the cloud.
- Insecure data storage.
- Information not being erased thoroughly or in a timely manner by the CSP’s systems following a command issued by the operator.
- Unauthorised access to data through the management interface or any other system within the cloud or interfacing with the cloud.
- Loss of privacy.
- Unreliable service engine or APIs (Application Programming Interfaces), as well as isolation failure between tenants.
- Loss incurred due to activities carried out by other tenant(s) on the cloud.
- Malicious activities by other tenant(s) of the cloud or employees of the CSP.
- Failure by the CSP (or its providers) to provide an adequate level of service. This includes the risk of heightened dependency on the CSP as well as the complete cessation of a CSP service.
- Increased dependency on internet connectivity for the operator to manage its operation.
- Loss of intellectual property.
- Lack of IT resource capacity.
- Heightened exposure to denial of service due to use of the CSP's services.
The above-mentioned list is not an exhaustive one, therefore, operators should carry out the assessment based on their operational set-up.
When the critical components are hosted in a private cloud environment that is not shared with other tenants, the MGA will be satisfied that the proposed infrastructure meets the principles contained in these guidelines.
A virtual private cloud environment will also be allowed where the MGA is satisfied that the integrity and security of the critical components are not at risk.
Data Security at hosting locations, including cloud environments
Hosting locations in which licensees/applicants locate their technical infrastructure should conform to a high level of information security and should be subject to an Information Security Management System (ISMS) throughout the gaming license term.
The MGA expects information security in line with ISO/IEC 27001:2013, and Cloud Service Providers are to be guided by ISO/IEC 27002:2013 (Information technology – Security techniques – Code of practice for information security controls) when implementing the ISMS.
Besides the ISO standards mentioned above, the MGA will also seek PCI DSS Level 1 certification.
Availability, traceability and accessibility
The MGA requires access to real-time information in order to carry out its regulatory function. In this respect, an application proposal should include the following:
- Details about the replication server, including its physical location, rack number and IP addresses;
- Details about the connectivity to the live servers, including the security protocols in place for the transmission of data;
- Details on the type of data being replicated and its transmission frequency, including any time lag between the processes taking place on the live servers and on the replication servers. This should provide adequate assurance of real-time replication and of the security, confidentiality and integrity of the data;
- A fully documented procedure allowing MGA officials immediate and unhindered access, both physical and electronic, to conduct routine or ad hoc inspections of the replication server as may be required.
Given that each set-up is unique, the MGA reserves the right to request any further information it deems necessary, and to require specific adaptations in order to comply with the legislation in force at the time the proposal is reviewed.