Although not specific to the financial industry, the new guidelines provide a comprehensive overview of the privacy and security challenges of this increasingly popular computing model. It’s worth a look by both financial institutions considering cloud-based services, as well as service providers, because NIST guidelines often wind up as the basis for new or updated regulatory guidance.
They start by defining the concept of cloud computing as characterized by the “…displacement of data and services from inside to outside the organization” and by correctly observing that “…many of the features that make cloud computing attractive, however, can also be at odds with traditional security models and controls.” This pretty accurately summarizes the challenges faced by financial institutions as they consider, and try to manage, the risks of cloud computing: data and services are out of their direct control, but the risks to privacy, security, confidentiality, data integrity and availability must still be controlled.
NIST offers the following guidelines for overseeing cloud services and service providers:
- Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
- Understand the public cloud computing environment offered by the cloud provider.
- Ensure that a cloud computing solution satisfies organizational security and privacy requirements.
- Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
- Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.
For financial institutions, all of these guidelines should already be addressed in your existing policies. The privacy and security elements are mandated by GLBA, and should already be present in your information security program. One of the required, but often overlooked, elements of your vendor management program is the requirement to strategically justify your decision to engage a cloud services provider, and to periodically review and reaffirm that decision. Understanding the cloud provider environment is indeed a challenge for financial institutions, and I have already addressed this, and some possible solutions, here. I’ve also discussed why increased adoption of cloud-based services will likely make vendor management a topic of increased regulatory scrutiny in 2012 here. Additionally, I think that the new SOC 2 report will directly address many of the concerns facing institutions employing cloud-based services.
As for the FFIEC, I was surprised to see that a search for the word “cloud” on the IT Examination InfoBase turned up not one single mention. The Handbooks are getting a bit dated. Perhaps, given the importance of managing outsourced relationships, plus the increased challenges of cloud computing, they should address this next? Or do you think the existing guidance on managing outsourced technology and vendors is sufficiently broad?