When it comes to cloud computing and risk management, there is no one-size-fits-all approach.
From the model used to risk appetite and the complexity of a financial institution’s operations, FIs need to understand how their specific cloud-computing circumstances impact risk management.
That’s the reminder coming from The Federal Financial Institutions Examination Council (FFIEC) in a joint statement on Security in a Cloud Computer Environment. The statement offers no new guidance—it emphasizes existing risk management principles and guidance for reducing cloud risk and data security breaches.
One major point: Management should understand the “shared responsibilities” of FIs and cloud providers.
This varies from model to model:
- Software as a Service (SaaS). The third-party vendor develops the application and controls the cloud. The FI is responsible for user settings, access, and identity management, and the vendor relationship. The vendor is responsible for application maintenance and infrastructure.
- Platform as a Service Provider (PaaS). The FI develops its applications (either developed or purchased) which reside on the vendor’s cloud. In addition to SaaS requirements, management also oversees applications. The vendor is responsible for supporting cloud infrastructure.
- Infrastructure as a Service (IaaS). The FI operates its system software on a vendor’s cloud. Responsibilities are similar to the PaaS model except the FI may need to design the software to align with the cloud vendor’s resilience and recovery process.
Regardless of the model, the FI is ultimately responsible for ensuring cloud systems are safe, sound, and protect sensitive customer data. That includes vendor risk management, including awareness of security controls.
“Failure to implement an effective risk management process for cloud computing commensurate with the level of risk and complexity of the financial institution’s operations residing in a cloud computing environment may be an unsafe or unsound practice and result in potential consumer harm by placing customer-sensitive information at risk.”
Risk Management of the Cloud
Understanding FI and cloud provider responsibilities makes it possible for FI’s to mitigate risk by reviewing the vendor contract, developing processes to identify, measure, and monitor the risks, and assessing and implementing appropriate controls.
Risk management should cover:
- IT Security. Is there appropriate vendor due diligence, oversight, and monitoring? Is the responsibility for security measures, system configuration, and operational resilience addressed by the contract? Is there an inventory process to decide and track what resides on the cloud? Are security configuration, provisioning, logging, and monitoring tested? Are there controls in place for identity and access management? How is data encrypted? What kind of training is there?
- Change management. Are there change management controls throughout the software development life cycle processes? Does the architecture (including microservices) meet security requirements?
- Resilience and recovery. Does the contract ensure that business resilience and recovery capabilities meet the FI’s requirements? Does it define responsibility for incident reporting, communication, and forensics?
- Audit and controls assessment. Are the FI’s critical systems controls regularly reviewed and tested? Is there oversight and monitoring of the cloud vendor’s controls? What about controls unique to cloud computing?
Why the Reminder on Cloud Computing & Risk Management?
As FI employees work from home during the COVID-19 pandemic, FIs may be relying more heavily on the cloud. Employees are remotely logging in and accessing work products and the information necessary to serve customers and keep operations running smoothly.
Weak controls can leave gaps in security measures, making it easier for increasingly determined cybercriminals to successfully launch a cyberattack or steal data. The FFIEC wants to remind FIs that proactive risk management reduces the risk of a cloud-related data breach.