Following a publication of the National Institute of Standards and Technology (NIST), Guidelines on Security and Privacy in Public Cloud Computing, the Federal Financial Institutions Examination Council (FFIEC) published an addendum for the financial sector, FFIEC Guidance: What Banks are Missing. Most banks today not only deal with the risks of handling customer data, but also understand that the financial sector is vulnerable to fraudulent disruptions, especially in operational systems such as Internet banking.
Given these risks, it is understandable that banks may not embrace an ‘outsourced cloud strategy.’ Cost-wise, however, it remains a very interesting option to consider.
What are the recommendations of the FFIEC?
Is this new?
Yes and no. Most of the documents date from the early 2000s and look a bit outdated. But there are developments within specific banking domains that give hope. For the card payment domain, most of the topics above are addressed in the Payment Card Industry Data Security Standard (PCI DSS) 2.0 specifications. These include a specific outsourcing aspect, such as transferring security responsibilities to a third-party data center.
So are these recommendations valid for the banking sector?
Absolutely! Current security policies will have to be reviewed against the proposition of the cloud. A good gap analysis shows where the policies fall short and what needs to be done.