The FDIC, in FIL-52-2020 on April 30, 2020, discussed the use of cloud computing services and security risk management principles in the financial services sector.
The FIL identifies responsibilities financial institutions would have when contracting with cloud computing providers.
The document provides examples of risk management practices for a financial institution’s safe and sound use of cloud computing services and safeguards to protect its customers’ sensitive information from risks that pose potential consumer harm.
Also included is a list of public and private sector resources and references that can assist financial institutions with managing cloud computing services.
The objective of this article is merely to outline key points. A detailed review of the FIL is a must read.
Background
The contractual agreement between the financial institution and the cloud service provider should define the service level expectations and control responsibilities for both the financial institution and provider. Management may determine that there is a need for controls in addition to those a cloud service provider contractually offers to maintain security consistent with the financial institution’s standards.
Ongoing oversight and monitoring of a financial institution’s cloud service providers are important to gain assurance that cloud computing services are being managed consistent with contractual requirements, and in a safe and sound manner. This oversight and monitoring can include evaluating independent assurance reviews (e.g., audits, penetration tests, and vulnerability assessments), and evaluating corrective actions to confirm that any adverse findings are appropriately addressed.
Cloud computing environments are enabled by virtualization technologies, which allow cloud service providers to segregate and isolate multiple clients on a common set of physical or virtual hardware. Financial institutions use private cloud computing environments, public cloud computing environments, or a hybrid of the two. For each service model, there are typically differing shared responsibilities between the financial institution and the cloud service provider for implementing and managing controls.
Regardless of the environment or service model used, the financial institution retains overall responsibility for the safety and soundness of cloud services and the protection of sensitive customer information.
Careful review of the contract between the financial institution and the cloud service provider along with an understanding of the potential risks is important in management’s understanding of the financial institution’s responsibilities for implementing appropriate controls. Processes should be in place to identify, measure, monitor, and control the risks associated with cloud computing.
Examples of relevant risk management practices for assessing risks related to and implementing controls for cloud computing services include:
Governance
· Strategies for using cloud computing services as part of the financial institution’s IT strategic plan and architecture. This includes determining the appropriate level of governance, the types of systems and information assets considered for cloud computing environments, the impact on the financial institution’s architecture and operations model, and management’s comfort with its dependence on and its ability to monitor the cloud service provider.
Cloud Security Management
· Appropriate due diligence and ongoing oversight and monitoring of cloud service providers’ security.
· Contractual responsibilities, capabilities, and restrictions for the financial institution and cloud service provider.
· Inventory process for systems and information assets residing in the cloud computing environment.
· Security configuration, provisioning, logging, and monitoring.
· Identity and access management and network controls.
· Security controls for sensitive data.
· Information security awareness and training programs.
Change Management
· Change management and software development life cycle processes. Change management controls are important for effectively transitioning systems and information assets to a cloud computing environment. Management may augment existing change management processes and the software development life cycle (SDLC), as applicable, for cloud computing environments.
· Microservice architecture. Management should evaluate implementation options that meet the institution’s security requirements.
Resilience and Recovery
· Business resilience and recovery capabilities. Management should review and assess the resilience capabilities and service options available from the cloud service provider.
· Incident response capabilities. The financial institution’s incident response plan should take into account cloud-specific challenges due to ownership and governance of technology assets owned or managed by the cloud service provider.
Audit and Controls Assessment
· Regular testing of financial institution controls for critical systems.
· Oversight and monitoring of cloud service provider-managed controls.
· Controls unique to cloud computing services.
o Management of the virtual infrastructure.
o Use of containers in cloud computing environments.
o Use of managed security services for cloud computing environments.
o Consideration of interoperability and portability of data and services.
o Data destruction or sanitization.
Again, a detailed review of FIL-52-2020 is a must read of an excellent reference source.