By Ongoing Operations
The Federal Financial Institutions Examination Council’s recent statement regarding cloud computing made headlines last week, but many of the due diligence and vendor management processes outlined are those that the NCUA already requires credit unions to perform with any vendor they choose for outsourcing. The benefits credit unions may experience from utilizing cloud solutions (including reduced cost, flexibility, scalability, and speed) are reviewed in the new statement, and potential issues related specifically to cloud computing are identified.
While the current NCUA/FFIEC guidance on outsourcing also applies to cloud computing providers, the term cloud continues to be overused and can be downright confusing. While definitions still vary, here are two definitions that are helpful:
Gartner, the world’s leading information technology research and advisory company, defines the cloud as: A style of computing where massively scalable IT resources are offered as a service delivered across the internet and paid for on an as used basis.
Ongoing Operations, the leading business continuity and technology CUSO that serves hundreds of credit unions nationwide, defines cloud computing as: Off-site, scalable management of critical IT infrastructure, not owned or managed by the customer, with built-in disaster recovery, accessed securely via the internet.
Regardless of how credit unions define cloud computing, board and management teams must still do their part to ensure the vendors they choose are operating in compliance with applicable laws and regulations. The FFIEC statement specifically focuses on several aspects of due diligence and vendor management including: data classification, data segregation, and recoverability.
It is important that credit unions thoroughly evaluate and assess potential risks before choosing a third party provider. Toward that end, here are a few questions credit unions should address in the cloud vendor selection process specifically:
Additional questions are provided in OGO’s sample Credit Union Information Security Questionnaire.
The right cloud provider will help keep your data safe and improve on existing, internal data center security. Below are some of the potential benefits of utilizing an outsourced data center along with some tips on evaluating data center security through formal audit reports and test results.
Reputable cloud providers run their services from professionally designed and managed data centers to provide reliable computing 24/7, 365 days a year (or as the IT industry describes it, with 99.99% uptime). Data centers are measured by how well they provide power, bandwidth, cooling, and security. In fact, the industry has adopted a standard, ranging from Tier 1 through Tier 4, to classify the type of data center based on how well prepared they are to provide these services. For more details on data center tiers, visit http://uptimeinstitute.org.
Higher-tier data centers will deploy physical security measures such as two-factor authentication, biometric scanners, video surveillance, and in some cases onsite security personnel. This type of physical security, as well as some of the environmental protection (power and cooling redundancy), is something a customer could easily evaluate. Credit unions should also be able to request an escorted tour of the data center. If a cloud provider isn’t willing to do this, it might just be logistically difficult, or it might be a red flag.
Another aspect of security that many customers overlook is environmental controls. Keeping data safe also means preventing it from being damaged or lost. Environmental controls such as reliable power and ample cooling are an important aspect of data protection. This is another benefit of a good data center. High-quality power includes redundant power feeds with redundant uninterruptible power supplies (UPS) and often separate backup generators. Cooling is handled in a similar way. Each zone will have two separate coolers, each capable of cooling the area at peak loads.
Many experts feel that if a customer’s office network is connected to the outside world via an Internet connection, they share most of the same risks as a cloud provider. If the customer is better at network security than the cloud provider, then the customer should keep their data onsite. However, most small and mid-market businesses don’t have network security professionals on staff.
With an executed non-disclosure agreement, most cloud providers should be willing to provide details about how they secure their infrastructure. Another more objective source is an SSAE 16 report (SSAE 16 is the new audit standard that replaced SAS 70 in June 2011). An SSAE 16 audit is similar to a financial audit in that it involves a third-party auditor reviewing the internal processes and procedures of a firm and rendering an opinion. Cloud providers undergo these annual audits voluntarily. The result is an opinion rendered by a neutral third party that a customer and their auditors can review and evaluate.
Another document to request is the most recent set of results from a penetration test (pentest), which evaluates computer and network security by simulating a malicious attack. The test searches for potential vulnerabilities that could result from incomplete or incorrect system configuration, hardware or software flaws, or operational weaknesses. The test results are like a network security report card that helps a cloud provider measure their own security controls and helps a customer to validate them.
Among the benefits of cloud computing is the ability to augment the production computing environment with disaster recovery capabilities at significantly lower costs than doing it on your own.
One of the fundamental tenets of disaster recovery is to evaluate geographic risks. If a credit union does business in a location that is susceptible to natural disasters (e.g., earthquakes, tornadoes, hurricanes) it is prudent to keep the data or a copy of the data in a location that is not likely to be affected by the same event. Cloud-based backup is one way to address this requirement as it can place a copy of the data at a distant offsite location. Replication services provide additional protection by replicating data and applications in near real-time to an appliance at the credit union’s location and then, optionally, to a cloud-based data center as well. This protects the institution from minor problems such as a server failure as well as major events that disable the entire infrastructure.
The key question about cloud security is not whether it eliminates all risk, but whether the cloud provider helps the client manage risks better than what they are doing on their own.
By using targeted questions and verifying the responses through third-party audits and reports, credit unions can better evaluate cloud providers and the security they offer. For more information on Ongoing Operations’ cloud solutions, please visit www.ongoingoperations.com or contact us at firstname.lastname@example.org or 877-552-7892.
About Ongoing Operations
Ongoing Operations was formed in 2005 as a business continuity CUSO by a group of credit unions looking for better disaster recovery solutions. We have grown from serving a handful of local organizations to over 300 clients nationwide and are a recent winner of NACUSO’s Collaboration & Innovation Award. As credit union disaster recovery & business continuity have evolved, so have our solutions. Beyond traditional solutions such as business continuity planning, data backup and workspace, we have added cloud solutions to become both a business continuity and cloud CUSO.
This sponsored content article is provided to the credit union community for shared insights and knowledge from a recognized solutions provider in the industry. Please note that the views and opinions offered here do not reflect those of Callahan & Associates, and Callahan does not endorse vendors or the solutions they offer.
July 16, 2012
7/17/2012 04:58 AM
Great information in helping to make the decision to move to cloud computing.
Don Stewart, MBCP, MBCI, CCP
7/16/2012 09:51 AM
Wow! This is well put... great job Mike Eaton!!!
7/16/2012 08:54 AM