White Paper

APRA CPS 230 compliance with The Infrastructure Cloud from HashiCorp

In today's complex regulatory landscape, understanding and adhering to APRA CPS 230 regulation is crucial for Australian financial institutions. This comprehensive white paper provides guidance on addressing many of the compliance requirements leveraging The Infrastructure Cloud from HashiCorp.

»Legal Disclaimer

The technical advice and guidance provided herein by HashiCorp in relation to complying with the regulations of the Australian Prudential Regulation Authority (APRA) is intended for informational purposes only. HashiCorp does not warrant or guarantee the accuracy, completeness, or suitability of this information for compliance purposes. It is the sole responsibility of the user to ensure that their use of HashiCorp products and services meets all applicable legal and regulatory requirements, including those set forth by APRA. Users are strongly advised to seek independent legal and professional advice to ensure compliance with all relevant laws and regulations. HashiCorp disclaims all liability for any damages or losses arising from the use or reliance on this information.

»Executive Summary

HashiCorp offers a comprehensive suite of solutions to address challenges in APRA CPS 230 compliance and its related regulation, APRA CPS 234. From HashiCorp Terraform for infrastructure provisioning, to HashiCorp Vault for secrets management, and HashiCorp Packer for vulnerability, patching and image lifecycle management, these tools streamline operations and cybersecurity, fortifying cloud infrastructure and enabling visibility and auditability to meet regulatory requirements end to end.

CPS 230 makes mention of CPS 234 Information Security. In practice, information security risks are operational risks. In alignment with the key principles of the standard, management of information security risks should be integrated into operational risk profiles. This guide provides an overview of how HashiCorp can contribute to financial institutions achieving CPS 230 and CPS 234 compliance.

This guide also details how HashiCorp supports subsets of CPS 234 (aligned with APRA PPG CPG 234). The HashiCorp products discussed in this guide are the commercially available versions which are a significantly stronger fit to APRA regulations than community editions. 

Source documents:

APRA CPS 230 https://www.apra.gov.au/sites/default/files/2023-07/Prudential%20Standard%20CPS%20230%20Operational%20Risk%20Management%20-%20clean.pdf

APRA CPS 234 (PPG 234) https://www.apra.gov.au/sites/default/files/cpg_234_information_security_june_2019_0.pdf

»APRA CPS 230 overview

Prudential Standard CPS 230 Operational Risk Management is intended to ensure that an APRA-regulated entity (authorised deposit-taking institutions (ADIs), general insurers, private health insurers, life companies, and registrable superannuation entities) is resilient to operational risks and disruptions. An APRA-regulated entity must effectively manage its operational risks, maintain its critical operations through disruptions, and manage the risks arising from service providers.

Key themes include being prepared for risk events, being resilient, and protecting the entity and the community. CPS 230 commences on 1 July 2025.

»Operational Risk Management

Critical operations are processes undertaken by an APRA-regulated entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system.

»Strategic areas of focus

  • Operational Risk Management: regulated entities need to conduct operational risk assessments, and design, implement and embed internal controls, along with processes to periodically test and remediate any identified weaknesses, and report risk incidents and near misses;

  • Business Continuity Management: evolve BCP to focus on maintaining all critical operations for an entity's customers, being able to respond to disruptions and maintain critical operations such as payments, deposit-taking and management, and customer enquiries;

  • Service Provider Management: include service providers that APRA-regulated entities rely upon for critical operations or that expose them to material operational risk including downstream providers (i.e. fourth parties), and;

  • Enhanced reporting requirements.

»Areas for Action

  • Additional Board Reporting*

  • Additional APRA Reporting Requirements*

  • Amended Contractual Agreements with Service Providers

  • Enhance Operational Risk Management*

  • Enhance Business Continuity Planning*

  • Enhance Management of Service Providers*

HashiCorp can support the actions noted with an asterisk.

»HashiCorp guidance: APRA CPS 230 Operational risk management

The opening sections of CPS 230 cover authority, application and commencement, interpretation, adjustments and exclusions, key principles, risk management framework, and roles and responsibilities. This guidance therefore commences from paragraph 25, Operational risk management. The section numbers correspond to the paragraphs in the regulation.

»Monitoring, notifications and review

CPS 230 imposes substantial new reporting requirements (CPS 230 paragraphs 16(d), 22(c), 27(a), 30, 41, 58 and 60), although CPS 234 reporting requirements are not duplicated in CPS 230 and are covered separately in this document.

In alignment with the reporting requirements of CPS 234, and the substantial new reporting requirements of CPS 230, HashiCorp products facilitate consistent reporting across multi-cloud environments, including workflow compliance, visibility into how and when changes are made, redundant audit trails, and security controls across infrastructure and application environments:

  • HashiCorp Terraform Enterprise & HCP Terraform offerings provide audit logging capabilities that record all actions taken within the Terraform environment, including who made the change, what change was made, and when it occurred. These audit logs can be exported and analysed to generate compliance reports for internal or regulatory purposes. Terraform code is typically stored in version control systems such as Git, allowing organisations to track changes to their infrastructure configurations over time. By reviewing commit history and pull requests, auditors can gain insight into how infrastructure changes are made and ensure that they adhere to compliance requirements. Terraform integrates with various compliance tools and frameworks, allowing organisations to incorporate compliance checks directly into their Terraform workflows. For example, organisations can use Terraform's integration with the Sentinel policy as code framework or other policy enforcement tools to enforce compliance policies and automatically prevent non-compliant changes from being applied.

  • Sentinel (part of HashiCorp Terraform licensed editions) is a policy as code framework that enables organisations to define custom policies that specify compliance requirements, such as access controls, data encryption, cost controls, security policies and audit logging. These policies are written as code and can be tailored to meet the specific compliance standards, such as CPS 230, that the organisation needs to adhere to. Sentinel can generate custom compliance reports, providing detailed insights into compliance status, including violations, remediation actions taken, and overall compliance posture to meet the specific reporting requirements of CPS 230.

  • HashiCorp Vault Enterprise and HCP Vault offerings integrate with security information and event management (SIEM) systems and logging solutions, allowing organisations to aggregate and analyse Vault's audit logs alongside logs from other security-relevant systems. This centralised logging approach simplifies compliance reporting by providing a single source of truth for security-related events. Vault enforces strict access controls, allowing organisations to define policies that govern who can access which secrets and under what conditions. Vault also provides comprehensive audit logging, recording all interactions with secrets, including access attempts, modifications, and deletions. These audit logs can be used to demonstrate compliance with CPS 230/234 requirements by providing a detailed record of who accessed what information and when.

  • HashiCorp Boundary provides comprehensive audit logging and session recording capabilities that capture all user actions and interactions with resources. Organisations can review audit logs and session recordings to monitor user activity, detect security incidents, and demonstrate compliance with CPS 230/234 requirements for audit logging and monitoring.

  • HashiCorp Nomad provides comprehensive audit logging and monitoring capabilities that capture all user actions and system events. Banks can review audit logs and monitor performance metrics to track containerised workload activity, detect security incidents, and demonstrate compliance with CPS 230/234 requirements for audit logging and monitoring.

  • HashiCorp Packer provides audit logs and version control capabilities that enable organisations to track changes to their machine image configurations over time. Auditors can review Packer configuration files and audit logs to verify compliance with CPS 230/234 requirements related to secure configuration management and change control.

  • HashiCorp Consul integrates with commonly used monitoring and reporting tools to track and report on infrastructure performance and compliance. Organisations can integrate Consul with their existing monitoring and reporting workflows to streamline the collection, analysis, and presentation of data for CPS 230 reporting purposes. Consul can be used to define health check monitors that periodically assess the health of services and report any anomalies or failures. Consul's health checking capabilities monitor the operational status of critical systems and applications, enabling issues to be reported on, but also to address issues proactively.
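The Terraform and Sentinel bullets above describe policy as code: a check that runs against the planned change and stops non-compliant infrastructure before it is applied. The example below is an added illustration written for this page, not HashiCorp's Sentinel or any code from the white paper; it expresses two such rules in Python over a plan in the shape of `terraform show -json` output. The plan data, the resource names, the allowed-zone prefix `ap-southeast-2` and the rule that `aws_db_instance` must set `storage_encrypted` are assumptions made for the example.

```python
import json
from typing import Iterator

# Constructed, trimmed-down plan in the shape of `terraform show -json <planfile>`
# output: only the fields this check reads are present. It is sample data, not a
# real plan, and the resource names are made up.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_db_instance.payments", "type": "aws_db_instance",
         "change": {"actions": ["create"],
                    "after": {"storage_encrypted": False,
                              "availability_zone": "ap-southeast-2a"}}},
        {"address": "aws_instance.batch", "type": "aws_instance",
         "change": {"actions": ["update"],
                    "after": {"availability_zone": "us-east-1a"}}},
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["no-op"],
                    "after": {"availability_zone": "us-west-2a"}}},
        {"address": "aws_db_instance.ledger", "type": "aws_db_instance",
         "change": {"actions": ["create"],
                    "after": {"storage_encrypted": True,
                              "availability_zone": "ap-southeast-2b"}}},
    ],
}

# Policy parameters (assumed for illustration): an Australian-region zone prefix
# and, per resource type, the attribute that must be true for data at rest.
ALLOWED_ZONE_PREFIX = "ap-southeast-2"
ENCRYPTION_ATTRIBUTE = {"aws_db_instance": "storage_encrypted"}


def planned_changes(plan: dict) -> Iterator[dict]:
    """Yield only resource changes that would actually modify infrastructure.

    'no-op' entries and deletions (after == None) are skipped: the policy judges
    the state the apply would create, not resources it leaves untouched.
    """
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") == ["no-op"]:
            continue
        if change.get("after") is None:
            continue
        yield rc


def check_zone(rc: dict) -> list:
    """Resources that declare a zone must stay inside the approved region."""
    zone = rc["change"]["after"].get("availability_zone")
    if zone is not None and not zone.startswith(ALLOWED_ZONE_PREFIX):
        return [f"{rc['address']}: availability_zone {zone!r} is outside {ALLOWED_ZONE_PREFIX}"]
    return []


def check_encryption(rc: dict) -> list:
    """Resource types in ENCRYPTION_ATTRIBUTE must have that attribute set to true."""
    attr = ENCRYPTION_ATTRIBUTE.get(rc["type"])
    if attr is None:
        return []
    if rc["change"]["after"].get(attr) is not True:
        return [f"{rc['address']}: {attr} must be true"]
    return []


def evaluate(plan: dict) -> list:
    """Return every violation; an empty list means the plan may proceed."""
    violations = []
    for rc in planned_changes(plan):
        violations += check_zone(rc)
        violations += check_encryption(rc)
    return violations


def load_plan(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    import sys
    plan = load_plan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = evaluate(plan)
    for p in problems:
        print("DENY", p)
    # A non-zero exit blocks the pipeline stage, the same effect as a
    # hard-mandatory policy in an enforced workflow.
    sys.exit(1 if problems else 0)
```

Run with a plan file (`python check_plan.py plan.json`) or with no argument to evaluate the embedded sample, which yields two denials: the unencrypted `payments` database and the `batch` instance placed outside the approved region. The unchanged `web` instance is deliberately ignored, which is the behaviour an auditor expects from a change-gating control rather than a full-estate scan.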

Observability Tools (OT) establish an enterprise-wide monitoring standard, delivering end-to-end visibility across each layer of cloud applications by unifying telemetry data, including from HashiCorp products. HashiCorp products provide an API to stream audit events to OTs such as:

  • Terraform policy checks can be reported to the OT, including checks that all infrastructure changes comply with CPS 230 requirements (for example, enforcing approved cloud zones and adherence to security policies), together with a record of every configuration change, when it was made and by whom.

  • Vault logs can be streamed to the OT, including monitoring user and machine access to sensitive resources, whether data is encrypted in transit or at rest for PII / PCI data. Policy checks can enforce zero trust principles by verifying access controls are based on user identity, device posture, and other contextual factors.

  • Consul can be monitored by an OT, including network visualisation, to verify that network traffic is properly segmented, firewalls are configured correctly, and communication between services follows established security protocols.

  • Nomad can be monitored from the OT to check container security-related configurations such as network isolation, container runtime security settings, and access controls.

  • Boundary streams audit events to the OT, allowing administrators to track user activity and security teams to demonstrate compliance with regulatory requirements.

Security vulnerability examples that can be reported from HashiCorp tools to OTs include:

  • Access Control Issues: Audit logs can reveal instances of unauthorised access attempts or successful accesses to sensitive resources. This could include attempts to bypass authentication mechanisms or unauthorised changes to access policies.

  • Configuration Changes: Any unauthorised or unexpected changes to the configuration of Vault, Boundary, or Consul could indicate a security vulnerability. This includes changes to encryption settings, access control policies, or network configurations.

  • Authentication Failures: Logs can highlight repeated authentication failures, which may indicate brute-force attacks or misconfigured authentication settings. Observing patterns of failed authentication attempts can help in detecting and mitigating potential security threats.

  • Anomalous Behaviour: Deviations from normal usage patterns, such as unusual API calls or access requests, could indicate suspicious activity. By analysing logs for abnormal behaviour, security teams can identify potential security breaches or insider threats.

  • Certificate and Key Management: Vault is often used for managing certificates and cryptographic keys. Logs related to certificate issuance, renewal, and revocation can help ensure the integrity and security of TLS communications and other cryptographic operations.

  • Network Security: Consul provides service discovery and network automation capabilities. Logs from Consul can reveal anomalies in network traffic, unauthorised service registrations, or misconfigurations that could lead to security vulnerabilities or service disruptions.

  • Boundary Access Logs: Boundary provides secure access to infrastructure and applications. Access logs from Boundary can help identify unauthorised access attempts, unusual session activity, or potential privilege escalation attempts.
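The list above names signals (repeated authentication failures, unauthorised policy changes, denied access to sensitive resources) that an observability tool should raise from HashiCorp audit logs. The following is an added example, not code from the white paper or from HashiCorp, showing the detection logic for three of those signals over Vault-style audit events in Python. The events are constructed for the example and modelled on the shape of Vault's JSON audit log (`type`, `auth.display_name`, `request.operation`, `request.path`, `request.remote_address`, `error`); the principals, addresses, the approved-administrator set and the `secret/data/payments/` sensitivity classification are assumptions.

```python
import json
from collections import Counter

# Constructed sample events modelled on the shape of Vault's JSON audit log.
# They are made-up lines for this example, not real log output; Vault writes
# one JSON object per line, and failures carry a non-empty "error" field.
SAMPLE_AUDIT_LOG = """
{"time":"2024-06-03T01:11:50Z","type":"response","auth":{"display_name":"userpass-jdoe"},"request":{"operation":"update","path":"auth/userpass/login/jdoe","remote_address":"10.1.7.5"}}
{"time":"2024-06-03T01:12:01Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/svc-batch","remote_address":"10.1.4.22"},"error":"invalid credentials"}
{"time":"2024-06-03T01:12:04Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/svc-batch","remote_address":"10.1.4.22"},"error":"invalid credentials"}
{"time":"2024-06-03T01:12:07Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/svc-batch","remote_address":"10.1.4.22"},"error":"invalid credentials"}
{"time":"2024-06-03T01:12:09Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/svc-batch","remote_address":"10.1.4.22"},"error":"invalid credentials"}
{"time":"2024-06-03T02:30:00Z","type":"response","auth":{"display_name":"userpass-jdoe"},"request":{"operation":"update","path":"sys/policies/acl/app-reader","remote_address":"10.1.7.5"}}
{"time":"2024-06-03T09:05:11Z","type":"response","auth":{"display_name":"oidc-platform-admin"},"request":{"operation":"update","path":"sys/policies/acl/payments","remote_address":"10.1.7.9"}}
{"time":"2024-06-03T09:06:40Z","type":"response","auth":{"display_name":"userpass-jdoe"},"request":{"operation":"read","path":"secret/data/payments/db","remote_address":"10.1.7.5"},"error":"permission denied"}
{"time":"2024-06-03T09:07:02Z","type":"response","auth":{"display_name":"oidc-platform-admin"},"request":{"operation":"read","path":"secret/data/payments/db","remote_address":"10.1.7.9"}}
"""

# Assumed data classification for the example: paths under these prefixes hold
# sensitive material, so a denied read against them is worth an alert.
SENSITIVE_PREFIXES = ("secret/data/payments/",)


def parse_audit_lines(text: str) -> list:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def repeated_auth_failures(events: list, threshold: int = 3) -> dict:
    """Source addresses with at least `threshold` failed login responses."""
    failures = Counter()
    for e in events:
        req = e.get("request", {})
        path = req.get("path", "")
        is_login = path.startswith("auth/") and "/login" in path
        if e.get("type") == "response" and is_login and e.get("error"):
            failures[req.get("remote_address", "?")] += 1
    return {addr: n for addr, n in failures.items() if n >= threshold}


def unapproved_policy_changes(events: list, approved: set) -> list:
    """Successful writes under sys/policies/ by principals not on the approved list."""
    findings = []
    for e in events:
        req = e.get("request", {})
        if not req.get("path", "").startswith("sys/policies/"):
            continue
        if req.get("operation") not in ("create", "update", "delete"):
            continue
        if e.get("type") != "response" or e.get("error"):
            continue  # only a successful response actually changed a policy
        who = e.get("auth", {}).get("display_name", "<unauthenticated>")
        if who not in approved:
            findings.append({"time": e["time"], "principal": who, "path": req["path"]})
    return findings


def denied_sensitive_reads(events: list) -> list:
    """Permission-denied responses against paths classified as sensitive."""
    out = []
    for e in events:
        req = e.get("request", {})
        path = req.get("path", "")
        denied = "permission denied" in (e.get("error") or "")
        if e.get("type") == "response" and denied and path.startswith(SENSITIVE_PREFIXES):
            out.append((e["time"], e.get("auth", {}).get("display_name", "?"), path))
    return out


def run_checks(text: str, approved: set) -> dict:
    """Run all three detections over raw audit-log text and return the findings."""
    events = parse_audit_lines(text)
    return {
        "auth_failure_sources": repeated_auth_failures(events),
        "policy_changes": unapproved_policy_changes(events, approved),
        "denied_sensitive_reads": denied_sensitive_reads(events),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(SAMPLE_AUDIT_LOG, {"oidc-platform-admin"}), indent=2))
```

On the sample, the checks surface one address with four consecutive login failures, one ACL policy rewritten by a principal outside the approved administrator set, and one denied read of a payments secret. Each detection keys on the `error` field and the `type == "response"` entry rather than the paired request entry, so a request that Vault rejected is never counted as a completed change; in production the same functions would consume the stream the OT receives from Vault's audit device rather than an embedded string.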

»HashiCorp guidance: APRA CPS 234 Information Security

This section provides an overview of how HashiCorp helps organisations achieve APRA’s guidance on information security, in the document “APRA Prudential Practice Guide, CPG 234 Information Security”. HashiCorp’s aim is to assist regulated entities in achieving information security and being able to report on compliance.

Source: https://www.apra.gov.au/sites/default/files/cpg_234_information_security_june_2019_1.pdf 
