The Federal Financial Institutions Examination Council’s (FFIEC) recent statement on cloud computing made headlines last week, but many of the due diligence and vendor management processes it outlines are ones the NCUA already requires credit unions to perform with any vendor they choose for outsourcing. The statement reviews the benefits credit unions may gain from cloud solutions (including reduced cost, flexibility, scalability, and speed) and identifies potential issues specific to cloud computing.
Defining Cloud Computing For Credit Unions
While the current NCUA/FFIEC guidance on outsourcing also applies to cloud computing providers, the term cloud continues to be overused and can be downright confusing. Definitions still vary, but here are two that are helpful:
Gartner, the world’s leading information technology research and advisory company, defines the cloud as: A style of computing where massively scalable IT resources are offered as a service delivered across the internet and paid for on an as used basis.
Ongoing Operations, the leading business continuity and technology CUSO that serves hundreds of credit unions nationwide, defines cloud computing as: Off-site, scalable management of critical IT infrastructure, not owned or managed by the customer, with built-in disaster recovery, accessed securely via the internet.
Regardless of how credit unions define cloud computing, board and management teams must still do their part to ensure the vendors they choose are operating in compliance with applicable laws and regulations. The FFIEC statement specifically focuses on several aspects of due diligence and vendor management including: data classification, data segregation, and recoverability.
Evaluating Potential Vendors
It is important that credit unions thoroughly evaluate and assess potential risks before choosing a third party provider. Toward that end, here are a few questions credit unions should address in the cloud vendor selection process specifically:
How does the vendor’s security model compare with that of the credit union?
What type of service level agreement (SLA) would be acceptable for the credit union and members for this application?
How does the SLA proposed by the vendor compare with internal downtime the credit union currently experiences?
Is the vendor familiar with credit unions and the multiple third-party connections they require (e.g., the Federal Reserve, core processor, online banking vendors, debit and credit card processors)?
Is the vendor familiar with the security requirements the NCUA imposes on credit unions, as spelled out in the FFIEC IT Examination Handbook?
Do the vendor’s financial records and history suggest long-term viability? This is a critical consideration if the credit union plans to shift from an internal infrastructure to cloud-based solutions.
How would staff levels be affected internally? What other initiatives could the credit union move forward if the data center functions were outsourced?
What impact, if any, might this solution and vendor relationship have on member service?
Will the credit union’s data be segregated from other customers?
What controls are in place to ensure that data is properly protected?
Does the vendor have adequate disaster recovery/business continuity plans in place?
Additional questions are provided in OGO’s sample Credit Union Information Security Questionnaire.
The right cloud provider will help keep your data safe and improve on existing, internal data center security. Below are some of the potential benefits of utilizing an outsourced data center along with some tips on evaluating data center security through formal audit reports and test results.
The Centralized Data Center
Reputable cloud providers run their services from professionally designed and managed data centers built for around-the-clock operation; the IT industry describes this in terms of availability targets such as 99.99% uptime, which still allows roughly 53 minutes of downtime per year, so compare the provider’s figure with what the credit union actually needs. Data centers are judged on how well they provide power, cooling, bandwidth, and security. For power and cooling, the industry has adopted the Uptime Institute’s Tier I through Tier IV classification, which rates a facility’s redundancy and fault tolerance; the tier rating says nothing about network bandwidth or security, which have to be evaluated separately. For more details on data center tiers, visit http://uptimeinstitute.org.
Well-run data centers deploy physical security measures such as two-factor authentication for physical access, biometric scanners, video surveillance, and in some cases onsite security personnel. This type of physical security, as well as some of the environmental protection (power and cooling redundancy), is something a customer can evaluate directly. Credit unions should also be able to request an escorted tour of the data center. If a cloud provider isn’t willing to do this, it might just be logistically difficult, or it might be a red flag.
Another aspect of security that many customers overlook is environmental controls. Keeping data safe also means preventing it from being damaged or lost, so reliable power and ample cooling are an important aspect of data protection and another benefit of a good data center. High-quality power means redundant utility feeds, redundant uninterruptible power supplies (UPS), and usually separate backup generators. Cooling is handled the same way: each zone has at least two independent cooling units, each capable of cooling the area on its own at peak load, so the loss of one does not take the zone down.
Evaluating Network Security
Many experts feel that if a customer’s office network is connected to the outside world via an Internet connection, they share most of the same risks as a cloud provider. If the customer is better at network security than the cloud provider, then the customer should keep their data onsite. However, most small and mid-market businesses don’t have network security professionals on staff.
With an executed non-disclosure agreement, most cloud providers should be willing to provide details about how they secure their infrastructure. A more objective source is an SSAE 16 report (SSAE 16 is the audit standard that replaced SAS 70 in June 2011). An SSAE 16 audit is similar to a financial audit in that a third-party auditor reviews the firm’s internal processes and procedures and renders an opinion. Cloud providers undergo these annual audits voluntarily, and the result is an opinion from a neutral third party that a customer and their auditors can review. When reading the report, check which type it is (a Type 1 report covers the design of controls at a point in time; a Type 2 report tests whether they operated effectively over a period, typically six to twelve months), note any exceptions the auditor found, and review the complementary user entity controls, which are the controls the customer is expected to implement on its own side for the provider’s controls to be effective. Bear in mind that SSAE 16 produces a SOC 1 report, scoped to controls relevant to the customer’s financial reporting; a SOC 2 report, if the provider has one, addresses security, availability, and confidentiality controls more directly.
Another document to request is the most recent set of results from a penetration test (pentest), which evaluates computer and network security by simulating a malicious attack. The test searches for vulnerabilities arising from incomplete or incorrect system configuration, hardware or software flaws, or operational weaknesses. The results are like a network security report card: they help a cloud provider measure its own security controls and help a customer validate them. Check the date and scope of the test (which systems were in scope and whether it was performed from the Internet only or also from inside the provider’s network), who performed it, and whether findings were remediated and retested; an old or narrowly scoped report says little about the environment that will host the credit union’s data.
Among the benefits of cloud computing is the ability to augment the production computing environment with disaster recovery capabilities at significantly lower costs than doing it on your own.
One of the fundamental tenets of disaster recovery is to evaluate geographic risks. If a credit union does business in a location that is susceptible to natural disasters (e.g., earthquakes, tornadoes, hurricanes) it is prudent to keep the data or a copy of the data in a location that is not likely to be affected by the same event. Cloud-based backup is one way to address this requirement as it can place a copy of the data at a distant offsite location. Replication services provide additional protection by replicating data and applications in near real-time to an appliance at the credit union’s location and then, optionally, to a cloud-based data center as well. This protects the institution from minor problems such as a server failure as well as major events that disable the entire infrastructure.
Safety Of The Cloud
The key question about cloud security is not whether it eliminates all risk, but whether the cloud provider helps the client manage risks better than what they are doing on their own.
By using targeted questions and verifying the responses through third-party audits and reports, credit unions can better evaluate cloud providers and the security they offer. For more information on Ongoing Operations’ cloud solutions, please visit www.ongoingoperations.com or contact us at firstname.lastname@example.org or 877-552-7892.
About Ongoing Operations
Ongoing Operations was formed in 2005 as a business continuity CUSO by a group of credit unions looking for better disaster recovery solutions. We have grown from serving a handful of local organizations to over 300 clients nationwide and are a recent winner of NACUSO’s Collaboration & Innovation Award. As credit union disaster recovery & business continuity have evolved, so have our solutions. Beyond traditional solutions such as business continuity planning, data backup and workspace, we have added cloud solutions to become both a business continuity and cloud CUSO.