The emergence of cloud computing has opened the door for financial institutions to take advantage of the many benefits offered by emerging technology. Perhaps the driving force is the cost savings that can be realized from streamlined processes, enhanced data sharing, compliance checks, mobility features, the ability to work remotely, and even platform scalability. While these are certainly compelling benefits that drive stakeholders to transition to the cloud environment, it is also important to consider the inherent risks. The implications become clear when one considers the damage caused by the Capital One cloud breach, which compromised over 80,000 bank account numbers, 1 million government identification numbers, and tens of millions of credit card applications. According to the New York Times, this incident was expected to cost Capital One up to $150 million for impacted customers and was the result of an improper cloud migration. This example, and many more like it, reflects the importance of risk management in protecting against such occurrences. Against this backdrop, the Federal Financial Institutions Examination Council (FFIEC)[1] recently issued a joint[2] statement on cloud computing services and security risk management principles in the financial services sector.
Statement Overview
The purpose of the FFIEC’s recently issued statement is to highlight the importance of implementing security controls for cloud-based services such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Special attention is given to understanding the shared responsibilities between cloud providers and financial institutions. Included within are examples of best practices for a financial institution’s use of cloud computing services and important security practices to ensure sensitive customer data is protected. It reiterates that management should not assume effective security controls exist simply because the system operates in a cloud environment. The statement reinforces that no regulatory changes have been made, but highlights important issues to consider regarding: (1) governance, (2) cloud security management, (3) change management, (4) resilience and recovery, as well as (5) audit and controls assessments.
Focusing Efforts
Since the joint statement does not reflect any new regulatory changes, it may be difficult to know how this information applies to your institution. To help focus efforts, our team has summarized below three important concerns for management to consider and develop a plan of action for.
- Ensure that service level expectations and control responsibilities are clearly defined from the outset of a new cloud vendor relationship. This is not only important for standard security maintenance, but also for other situations such as incident response management. The more clearly expectations can be set in the beginning the less likely confusion and gaps will occur in the future.
- Make ongoing oversight of all cloud providers a part of the standard process. Pay special attention to understanding the key controls operated by the service provider and the controls that need to be implemented by the institution itself.
- Finally, consider what strategy your institution has if a relationship needs to be terminated with a cloud vendor. Consider issues like moving infrastructure and ensuring proper data sanitization or destruction.
Governance
Implementing relevant risk management practices includes special consideration over governance strategies, with the following suggested recommendations for financial institutions to consider:
- Align overall IT strategic plan and architecture with plans for use of cloud computing services.
- Identify management’s risk appetite or comfort with its dependence on and its ability to monitor the cloud service provider.
- Determine the appropriate level of governance over the cloud service provider.
Cloud Security Management
There are several steps identified in the document to help financial institutions determine the scope of cloud security necessary.
- Conduct due diligence and ongoing oversight and monitoring of cloud service providers’ security methods.
- Identify the contractual responsibilities, capabilities and restrictions for the financial institution and the cloud service provider.
- Create an inventory process for systems and information assets residing in the cloud.
- Review the security configuration, provisioning, logging and monitoring policies.
- Review the security controls in place designed to specifically protect sensitive client data.
- Conduct employee training on security awareness and data protection.
Change Management
In addition to security, it is important for financial institutions to implement specific policies when migrating to a cloud environment. It is suggested this should include careful consideration around the following:
- Policies and procedures governing change management and the software development life cycle (SDLC).
- Outline of the components and functions of various applications within your technology environment to enable decision making on the best options for recovery and resiliency.
- Review the security controls in place designed to restrict and monitor administrator access, as well as the ability to apply changes to the production environment.
Resilience and Recovery
Although a financial institution may move to a cloud-based environment, it is still responsible for its data. Therefore, careful consideration must be given not only to business resilience and recovery capabilities, but also to incident response capabilities, as outlined below:
- Review the resilience capabilities and service options available from the cloud service provider.
- Resilience and recovery capabilities are not necessarily included in cloud service offerings; therefore, management should perform due diligence up-front and proactively review the contract to ensure it:
- (A) Outlines the resilience and recovery capabilities required by the financial institution,
- (B) Identifies the cloud provider’s responsibilities and capabilities in the event of an incident, and
- (C) Defines responsibilities for incident reporting, communication, and forensics. (Pro tip: Cloud usage presents unique forensic issues related to jurisdiction, multi-tenancy, and reliance on the cloud service provider.)
- Assess periodically how cloud-based operations affect both the business continuity plan and recovery testing plans.
- Review and update business continuity plans as needed to reflect changes to cloud computing configurations and operations, as well as regularly test and validate resilience and recovery capabilities.
- Outline cloud-specific challenges within the incident response plan, and take advantage of the monitoring and alerting tools offered by the cloud service provider.
Audit & Controls Assessment
Institutions also need to ensure they can audit and assess the security controls of each cloud service provider they do business with. Examples of this include gaining an understanding of the following critical components:
- Policies and procedures governing the management of the virtual infrastructure.
- Leveraging the use of containers in cloud computing environments. (Pro Tip: Simply put, a container consists of an entire runtime environment: an application plus all the dependencies, libraries, configuration files, etc. needed to run it, bundled into one package. By containerizing the application platform and its dependencies, differences in operating system distributions, security policies, network topology, or other underlying infrastructure, which could cause problems if the supporting software environment were not identical, are removed from the equation.)
- Implementation of managed security services for cloud computing environments.
- Outline of data destruction and sanitization practices.
- Consideration of interoperability and portability of data services and devices.
The recently issued statement serves as a reminder about the roles and responsibilities of both the provider and the financial institution in maintaining a secure cloud environment.
Financial institutions that want to assess their cloud security management controls or have questions on the recently issued FFIEC statement should contact PBMares anytime.
[1] The FFIEC comprises the principals of: The Board of Governors of the Federal Reserve System, Bureau of Consumer Financial Protection, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Liaison Committee.
[2] This joint statement also contains references to other resources, including the National Institute of Standards and Technology (NIST), National Security Agency (NSA), Department of Homeland Security (DHS), International Organization for Standardization (ISO), Center for Internet Security (CIS), and other industry organizations (e.g., Cloud Security Alliance).