OFFICIAL PUBLICATION OF THE WEST VIRGINIA BANKERS ASSOCIATION


Cloud Computing: Security Considerations

Introduction. Cloud computing services have been a part of financial institutions for several years. The reasons for utilizing cloud computing services have been discussed over those years, so we are not going to address the reasons in this article. We are going to focus on the security considerations, as the use of cloud computing services has increased significantly in the delivery of products and services in the financial services industry.

With the increased use comes risk. Recognizing the risks, the FFIEC recently issued a joint statement titled “Security in a Cloud Computing Environment.” The statement indicated, “Financial institution management should engage in effective risk management for the safe and sound use of cloud computing services. Security breaches involving cloud computing services highlight the importance of sound security controls and management’s understanding of the shared responsibilities between cloud service providers and their financial institution clients.” The statement does not contain new regulatory expectations but addresses risk management practices that should be considered.

Background. As with other vendor arrangements, when engaging a cloud service provider, the financial institution should conduct effective vendor management over the relationship. As indicated by the FFIEC, “Due diligence and sound risk management practices over cloud service provider relationships help management verify that effective security, operations, and resiliency controls are in place and consistent with the financial institution’s internal standards. Management should not assume that effective security and resilience controls exist simply because the technology systems are operating in a cloud computing environment.” The vendor management entails the contract review that documents the services, expectations, uptime requirements, controls, etc. Ongoing management and monitoring of the cloud service provider’s overall service is critical for the financial institution’s overall risk management process.


Cloud computing environments utilize virtualization in the delivery of cloud services. Different cloud computing environments are used by financial institutions, including private cloud computing environments, public cloud computing environments or a hybrid of the public and private computing environments. There are three cloud service models:

  • Software as a Service (SaaS) — The software application used by the financial institution (i.e., the applications) operates on the cloud service provider's cloud infrastructure. The financial institution's primary responsibility is for the user-specific application configuration settings, user access, risk management of the overall relationship, etc. Application updates and cloud infrastructure maintenance are the responsibility of the cloud service provider.
  • Platform as a Service (PaaS) — The PaaS model adds responsibilities for the financial institution. The PaaS model is used when the financial institution "deploys internally developed or acquired applications using programming languages, libraries, services, and tools supported by the cloud service provider," as indicated in the FFIEC joint statement. In addition to the risk management that exists with SaaS, the financial institution is responsible for providing and configuring the cloud platform resources. The financial institution's responsibilities include controls over the development, deployment and administration of the applications. The cloud service provider's primary responsibilities include the network, servers, operating systems, storage, etc.
  • Infrastructure as a Service (IaaS) — The cloud service provider supplies the IaaS model’s infrastructure. The financial institution implements the system software, including the operating system. The financial institution is responsible for most of the items related to the solution, including the cloud platform resources configuration. The financial institution is also responsible for implementing and managing controls over operations, applications, operating systems, data and data storage. The cloud service provider is primarily responsible for the overall infrastructure, including the physical data center.

When entering into a cloud service provider relationship, the financial institution and the cloud service provider share the responsibilities. However, the protection of customer information resides with and is the responsibility of the financial institution.


Risk Management. When a financial institution executes outsourcing arrangements, it is critical that the financial institution clearly understands the roles and responsibilities of both the outsourced vendor (i.e., the cloud service provider) and the financial institution. Understanding these duties will assist the financial institution with its overall risk management program. As indicated previously, the overall responsibility for protecting customer information rests with the financial institution.

Several areas should be included in the risk management process when utilizing a cloud service provider. Many controls need to be considered, some of which are common in other areas, including:

  • Governance — The overall cloud computing services strategic plan should support and work in conjunction with the overall strategic plan.
  • Cloud Security Management — As indicated previously, ongoing oversight and monitoring of the cloud computing service provider is part of the financial institution’s vendor management program. The monitoring should be based upon the terms of the contract with the cloud service provider that was negotiated and reviewed in detail before executing the contract. Other areas of Cloud Security Management include:
    • Inventory process for systems and information assets residing in the cloud computing environment
    • Security configuration, provisioning, logging and monitoring
    • Identity and access management and network controls
    • Security controls for sensitive data
    • Information security awareness and training programs
  • Change Management
    • Change management and software development life cycle processes.
    • Microservice architecture — Utilizes smaller, lighter-weight code to facilitate faster software development and ultimate deployment. The financial institution needs to ensure that it understands the overall security requirements and concerns associated with microservices.
  • Resiliency and Recovery
    • Business resilience and recovery capabilities — The business resilience and recovery should be appropriate for the cloud computing service’s risk.
    • Incident response capabilities, including the challenges introduced in a cloud computing services arrangement (how to address technology assets owned and managed by the cloud service provider).
  • Audit and Controls Assessment
    • Regular testing of financial institution controls for critical systems (should be included in the standard audit schedule).
    • Oversight and monitoring of cloud service provider-managed controls. The financial institution should evaluate and monitor the cloud service provider’s applicable controls. As in other vendor management arrangements, while the responsibility to perform controls can be outsourced, the accountability for protecting customer information is with the financial institution.

There are also some controls unique to cloud computing services, including:

  • Management of the Virtual Infrastructure — Secure virtual infrastructure is managed through cloud security tools. Control over those tools is the responsibility of the cloud service provider. The financial institution should gain an understanding of, and verify that, the cloud service provider's controls are working as intended.
  • Use of Containers in Cloud Computing Environments — Use of containers provides many advantages, including portability and less demand on resources. However, containers share the same host kernel, which presents potential security risks.
  • Use of Managed Security Services for Cloud Computing Environments — Consider leveraging other security tools and services.
  • Consideration of Interoperability and Portability of Data Services — Interoperability and portability capabilities should be considered in relation to the financial institution's overall strategic plan and risk appetite.
  • Data Destruction or Sanitization — Financial institutions should ensure that the cloud service provider's data destruction and sanitization procedures follow the institution's own policies and are documented in the service level agreement.

Conclusion. With the continued increase in cloud computing services, financial institutions should ensure that their overall risk management program considers the services outsourced and the various risks associated with each cloud computing service. The controls at both the financial institution and the cloud service provider should be understood, tested and monitored.


Chris Joseph is a partner of Arnett Carbis Toothman LLP, located in the Charleston, West Virginia office. A Certified Public Accountant, Certified Information Systems Auditor, Certified in Risk and Information Systems Control and certified as an Information Technology Professional, Mr. Joseph has over 35 years of experience in information technology audit and security services in the financial institutions industry. Mr. Joseph can be contacted at 800-642-3601 or through email: chris.joseph@actcpas.com.

This story appears in Issue 4 2020 of the West Virginia Banker Magazine.
