Risk Management With Cloud Computing Services For Financial Institutions
Are you doing your due diligence in keeping sensitive cloud-stored data secure? Utilizing the cloud assumes a certain degree of risk – make sure you’re fulfilling your responsibility to mitigate it.
As convenient and beneficial as the cloud may be for financial institutions, it exposes these organizations to several risks if it’s not managed correctly. At the core of this issue is the fact that using the cloud necessitates cooperation with and trust in a third-party cloud vendor.
Especially when it comes to sensitive financial data that are subject to compliance regulations, and held to a high-security standard, these relationships can be challenging to navigate. Do you know what your responsibilities are when it comes to the security and management of your cloud-based data?
In a recent Financial Institution Letter (FIL-52-2020), The Federal Financial Institutions Examination Council (FFIEC) outlined your responsibilities and the key risks which need to be mitigated when using the cloud. While this document does not introduce any new regulatory expectations, it does provide useful guidance for managing ongoing cloud environments in the financial sector.
Financial Institutions’ Data Management Responsibilities By Cloud Service Model
- Software as a Service (SaaS): This is a software licensing and delivery model. The software is centrally hosted, licensed, and offered on a monthly or annual basis. SaaS is the standard delivery model for most applications. Your institution is likely not expected to manage, maintain, or control the underlying cloud infrastructure or individual application capabilities.You are, however, responsible for user-specific application configuration settings, user access, and identity management, and for managing the risk of the relationship with the cloud service provider.
- Platform as a Service (PaaS): PaaS provides a platform for users to develop, run, and manage applications. It eliminates the complexity of building and maintaining the infrastructure for the applications.While this model largely introduces the same responsibilities and risks as SaaS, the critical difference to note is that in managing the service, you’re also responsible for appropriate provisioning and configuration of cloud platform resources and implementing and managing controls over the development, deployment, and administration of applications residing on the provider’s cloud platforms. The provider is only responsible for the foundational infrastructure and platforms.
- Infrastructure as a Service (IaaS): This model allows you to access an IT infrastructure on an outsourced basis and provides hardware, storage, servers, data center space, and software if needed. It’s used on-demand, rather than requiring you to purchase your equipment. That means you don’t have to expend the capital to invest in new hardware.Similar to PaaS, you would be responsible for provisioning and maintaining the platform and applications, as well as any necessary controls. The provider manages all aspects, security and otherwise, related to the physical infrastructure they’re providing. However, you may also need to make sure your platform integrates with the provider’s recovery and resilience processes. As with the other models, you’re responsible for managing the risk of the relationship with the cloud service provider.
Risk Management Best Practices
- IT Alignment & Governance: Make sure your use of cloud services aligns with your overall IT strategies and processes. The way you govern and manage data internally should be applied to any cloud-based data.
- Oversight Of Cloud Provider Security: As mentioned above, it’s your responsibility to manage the inherent risk of the relationship with the cloud provider. That means dictating processes for oversight and monitoring their security regularly.
- Documented Responsibilities: Yours and the provider’s responsibilities need to be clearly laid out, documented, and contractually agreed upon. This can and should include anything from the management of system access rights to vulnerability scanning to notification of or approval requirements for the use of a subcontractor.
- Data Inventory: You should have a clear picture of correctly which data reside in the cloud, who has access rights to it, and how it is protected. This will provide a clearer understanding of how your organization is integrated into the cloud and will help with any future transitions between cloud providers.
- Security Configuration: You need to make sure cloud resources are appropriately configured to prevent unauthorized access to your cloud data. Whether you are managing this on your end, the cloud provider is on their end, or you’re using tools from industry organizations, you need to make sure it’s configured securely.
- Identity And Access Management: You need to make sure access management is being securely maintained, which includes limiting account privileges, implementing multifactor authentication, frequently updating and reviewing account access, monitoring activity, and requiring privileged users to have separate usernames and passwords for each segment of the cloud service provider’s and financial institution’s networks.
- Security Awareness Training: You must make sure your staff is fully aware of their role in cybersecurity as the user. How they use the cloud service in question can significantly impact the degree of risk posed to your institution.
- Change Management: Any change management and software development life cycle practices you have in place need to be adapted to suit the cloud environment.
- Recovery And Resilience: As storing data in the cloud both provides a contingency for recovery, as well as a range of new opportunities for data loss and compromise, you must make sure your data continuity processes are carried over to the cloud environment. Not all cloud providers offer the same capabilities for recovery and resilience, and so, it’s your responsibility to make sure they meet your needs.
- Incident Response: Your internal and local incident response strategies need to include considerations for the cloud, especially due to the fact that you have shared responsibility with the cloud provider. Your contract needs to dictate responsibilities for incident reporting, communication, and forensics.
- Regular Auditing: Given the risks associated with utilizing cloud services, you need to audit the way your data is secured and managed regularly. This can include the audit and testing of the financial institution’s security configurations and settings, access management controls, and security monitoring programs.
- Cloud-Specific Controls: Whether it’s a virtual infrastructure or containers, any cloud-specific services need to be managed with the same degree of security and care as conventional IT environments. Make sure your cloud provider is handling your data, integrated into whichever service, in line with your security requirements.
- Data Destruction: Don’t forget to dictate transparent processes for how data is to be destroyed to prevent any unauthorized disclosure of that information.
Need More Insight Or Assistance Win Managing Cloud Risk?
The Financial Institution Letter (FIL-52-2020) also lists an extensive range of resources to help financial institutions like yours to strategize their cloud security and management practices, with documents from FFIEC, NIST, NSA, the Department of Homeland Security and more. Be sure to check out this NSA information release on cloud vulnerabilities. Microsoft 365 users are encouraged to consult this recent CISA Analysis Report on the platform’s security particulars.
If you require expert assistance with assessing and mitigating your cloud-based risks, Kraft Technology Group is available to help. Kraft Technology Group has been proudly serving the financial services industry for many years, providing them with expert insight and extensive experience in the field.
Like this article? Check out the following blogs to learn more: