"The email crash took us down a couple of days. Email is very important to the function of the bank, so we couldn't take that risk of a crash again," says Robert Porter, vice president and IT director at the bank, a $275 million-asset community bank based in Hazard, Ky. The bank moved its entire email system to a hosted Safe Systems solution called SafeSysMail. It's also using an email archiving and encryption service from Safe Systems. For a bank that only has two IT workers, the move to a hosted environment is expected to save about $80,000 over the next three years.
But in so doing, the bank is also putting itself under the purview of a new statement from the FFIEC that's designed in part to address the growing use of cloud computing services by banks. While the bank says it's confident that it's in compliance, the guidance has come under fire in the bank tech industry for an alleged lack of precision in defining cloud computing and specific risks that could create security gaps.
"The FFIEC guidance does not spell out what you need to do; it's a document that talks about things to be concerned about," says Rod Nelsestuen, a senior research director at CEB TowerGroup.
The FFIEC defines cloud computing as a migration from owned resources to shared resources in which a client receives information technology services on demand from third party service providers via the "internet cloud."
While definitions of cloud computing vary, the FFIEC's definition is on the broader end of the spectrum. Since Peoples' email outsourcing deal is being hosted, managed and delivered electronically to the bank's staff by an external provider, the bank is making sure the program adheres to the FFIEC's new cloud guidance. Safe Systems' email hosting carries the new certifications often used to vet cloud providers.
The FFIEC statement, issued earlier this summer, says banks need to perform a risk assessment of the providers of cloud services as per its definition of the cloud. That includes vetting how the provider classifies data sensitivity, and what controls are in place to protect data. Other issues such as data segregation and disaster recovery are also included in the guidance, as well as whether the service provider is sharing facilities with other firms. The FFIEC is stressing the importance of ensuring data can be protected and securely removed from all locations where it is stored outside of the bank.
There have also been other attempts to define cloud computing and its risks. Last year, the Open Data Center Alliance - which includes large banks such as JPMorgan Chase, UBS and BBVA - adopted security and transparency guidance that the institutions use to vet cloud vendors. The European Commission, a regulatory body tied to the European Union, also recently issued guidance that includes a list of more than a dozen issues that should be covered in contracts between banks and cloud vendors - including data erasure protocols, security practices, and guarantees that the cloud provider and all subcontractors only act on instructions from the cloud client.
Shirley Inscoe, a senior analyst at Aite Group, says the criticisms of the FFIEC suggest the U.S. guidance is "high level" and treats cloud computing like another kind of outsourcing. "There's not even a general consensus of what the term cloud means. There are a lot of [cloud] vendors that say they can do everything under the sun for a low cost."
Inscoe says the guidance touches on most issues, "but you have to anticipate that bankers will read between the lines and they really have to be knowledgeable about the issues connected to cloud computing that aren't spelled out in the guidance. That's fine when you are talking about large financial institutions, but for smaller institutions and credit unions where they can't afford the in-house expertise, it's a disappointing document," Inscoe says.
She says that for smaller banks that may not be particularly knowledgeable about cloud computing, it would be wise to consult with an internal or external consultant who has expertise in outsourcing.
Inscoe says data segregation - or keeping data from one bank distinct from another firm - is a particular risk, and banks should ensure that service providers aren't using third parties in countries where it's legal to commingle non-public data, or sell data (both of those practices are illegal in the U.S.). "As you start using the cloud, it becomes tougher to make sure data is segregated. That's another huge issue that you aren't hearing as much about right now...banks don't want another party using their client data for things the bank wouldn't approve of."
An OCC spokesperson (the OCC is one of the agencies included as part of the FFIEC) said the statement is on outsourced cloud services, and references existing FFIEC guidance on outsourcing and use of third parties to deliver services. The new statement pertains to data and systems that are being stored or hosted independently from the bank's internal network. The OCC spokesperson said that as new providers of data and tech hosting enter the market, that increases the need for U.S. banks to ensure that data is in a known location, with verifiable protections. That includes ensuring that the potential for data to be accessed by unauthorized parties in other countries - including foreign governments - has been addressed.
AUDITS AND RFPS
Tower's Nelsestuen says the standard approach to ensure cloud security has been to require assurances for data protection in the request for proposal. There are also firms such as GSX and LogicMonitor that monitor private cloud messaging environments, tracking information and data flow within a cloud environment. But there isn't a universal standard to ensure data integrity within a cloud environment. "Unless someone has a model for evaluating cloud computing, there's not going to be a standard way to approach this," Nelsestuen says.