Banks, Beware of the Cloud!

Cloud Computing | 3 minute read | Oct 16th, 2012

Following a publication of the National Institute of Standards and Technology (NIST), Guidelines on Security and Privacy in Public Cloud Computing (NIST SP 800-144), the Federal Financial Institutions Examination Council (FFIEC) published an addendum for the financial sector, FFIEC Guidance: What Banks are Missing. Most banks today not only deal with the risks of handling customer data, but also understand that the financial sector is exposed to fraud and deliberate disruption, especially in operational systems such as Internet banking.

Given these risks, it is understandable that banks hesitate to embrace an 'outsourced cloud' strategy. Cost-wise, however, it remains a very attractive option to consider.

What are the recommendations of the FFIEC?

  1. Cloud Provider. Perform thorough due diligence on the cloud provider. Investigate whether the provider's company profile fits the goals of the bank, and look especially at how data is treated operationally: where is it stored, who can access it, and how is it secured? A gap analysis gives you the information to choose another provider if this one does not meet your requirements.
  2. Vendor Management. Inspect the provider as thoroughly as possible on all relevant aspects, including its knowledge of financial processes and its legal liability.
  3. Audit process controls. Examine how the chosen service provider has implemented its process controls. Do this regularly, and make sure your audit department is trained to audit cloud environments.
  4. Information Security. Keep tabs on information security: encrypt everything and keep an inventory of all data sources. Whenever data is deleted, make sure it is really deleted, including from backups, snapshots and replicas, and not left sleeping in a quiet corner of the cloud.
  5. Legal affairs. Ideally there should be a "dashboard" indicator showing how compliant an outsourced cloud is. There are tools on the market that cover this, but the FFIEC does not mention any.
  6. Continuity planning. Continuity is covered in most corporate security handbooks. Test the provider against the continuity plans it has in place, and do so for real: pull the plug, literally.
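Item 4 asks for two things a bank can only guarantee if it controls its own keys: an inventory of what data exists, and proof that deleted data is really gone. The following is an added example (not from the FFIEC guidance or the original post) of crypto-shredding, where each record is encrypted under its own data key kept on the bank's side, the key store doubles as the data inventory, and "delete" means destroying the key so that every copy the provider still holds becomes unreadable. The in-memory key store, the record identifiers and the sample record are constructed for the demo; the HMAC-SHA256 counter-mode cipher is only a stdlib stand-in for a vetted AEAD such as AES-GCM.

```python
"""Crypto-shredding: the bank keeps the data keys, so 'delete' means destroying
the key, and any copy of the ciphertext left at the provider becomes useless."""
import hashlib
import hmac
import os
from typing import Dict, List

# Constructed in-memory key store (record id -> 32-byte data key). In a real
# deployment this lives in a KMS or HSM under the bank's control, never in the
# provider's storage tier next to the ciphertext.
KeyStore = Dict[str, bytes]

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(data_key: bytes, purpose: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one data key."""
    return hmac.new(data_key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream. Illustrative only:
    production code should use a vetted AEAD such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(store: KeyStore, record_id: str, plaintext: bytes) -> bytes:
    """Encrypt one record under a fresh per-record data key and register the
    key (and therefore the record) in the bank-side inventory."""
    if record_id in store:
        raise ValueError(f"{record_id}: key already exists; rotate instead of overwriting")
    data_key = os.urandom(32)
    store[record_id] = data_key
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(data_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(data_key, b"mac"), nonce + ciphertext,
                   hashlib.sha256).digest()
    # This blob is what goes to the cloud provider. It carries no key material.
    return nonce + ciphertext + tag


def decrypt_record(store: KeyStore, record_id: str, blob: bytes) -> bytes:
    """Decrypt a blob fetched back from the provider. Raises KeyError once the
    record's key has been shredded, ValueError if the blob was tampered with."""
    data_key = store[record_id]
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(data_key, b"mac"), nonce + ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError(f"{record_id}: integrity check failed")
    stream = _keystream(_subkey(data_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def shred(store: KeyStore, record_id: str) -> None:
    """'Really delete' a record: destroy its key. Every copy of the blob the
    provider still holds (snapshots, replicas, backups) is now unrecoverable."""
    del store[record_id]


def inventory(store: KeyStore) -> List[str]:
    """The key store doubles as the bookkeeping of which records exist."""
    return sorted(store)


def is_recoverable(store: KeyStore, record_id: str, blob: bytes) -> bool:
    """Check that a deletion actually took: can this blob still be read?"""
    try:
        decrypt_record(store, record_id, blob)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    keys: KeyStore = {}
    # Constructed sample record; not real customer data.
    blob = encrypt_record(keys, "acct-0001", b"customer 0001, balance 1234.56")
    print(inventory(keys), decrypt_record(keys, "acct-0001", blob))
    shred(keys, "acct-0001")
    print(inventory(keys), is_recoverable(keys, "acct-0001", blob))
```

The point of the design is that the provider only ever sees the blob, never the key, so the bank does not have to trust the provider's deletion process or chase down every replica: once the key is gone, an auditor can verify deletion by attempting to decrypt rather than by taking the provider's word for it.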

Is this new?

Yes and no. Most of the underlying documents date from the early 2000s and look a bit outdated. But there are developments within specific banking domains that give hope. For the card payment domain, most of the topics above are covered by the Payment Card Industry Data Security Standard (PCI DSS) version 2.0, which also explicitly addresses outsourcing, for instance when security responsibilities are transferred to a third-party data centre.

So are these recommendations valid for the banking sector?

Absolutely. Current security policies will have to be reviewed against the cloud proposition; a good gap analysis shows what is missing and what needs to be done.