July/August 2010
Regulatory Changes & Restructuring
The Future of Cloud Computing Regulation
By Dan Holt & Paul Reymann
Financial institutions are at the forefront of using cloud services. They have used cloud computing, in some form, for over a decade. Some of the existing uses include:
- Off-site hosting of operational support (e.g., payroll and human resources processing)
- Off-site hosting of core services (e.g., item and check processing)
- Off-site hosting for sensitive computers and data as part of the institution's disaster recovery and business continuity plan
- Managed services for hosting and maintaining email, web, and application servers
- Managed services for firewall, router, and security monitoring and reporting
Today, cloud service providers are expanding the offerings available to financial institutions. Banks are finding that cloud service providers offer additional opportunities to reduce the cost of operations, keep pace with complex technology and security challenges, deploy new services in a cost-effective manner, and create new efficiencies in day-to-day operations. Examples of such expanded services from cloud service providers include:
- Managed security
- Managed compliance
- Managed performance of the network
- Backup-as-a-Service
- Disaster recovery
- Mission-critical application hosting
With the increasing number of services moving to a cloud-computing model, vendor management and due diligence have become a heightened focus for bank examinations. The right strategy, partner, and solutions will establish the foundation for successfully managing risk and enabling security and compliance in the cloud. As institutions expand their use of these and other managed or hosted services, they must look for service providers whose financial industry domain expertise, network infrastructure, security, compliance, and risk management practices are comparable to those of a well-run financial institution.
A New Audit and Examination Focus in the Cloud
The existing FFIEC regulatory guidance emphasizes the need for each institution to take full responsibility for managing its risk, especially when outsourcing to a third party. The institution cannot outsource its risk management responsibilities; it will be held ultimately accountable in the event of a security incident. Therefore, cloud computing will take vendor management due diligence to new heights.
While current examinations and audits focus on the adequacy of risk-based controls to protect sensitive information and assets, the cloud vendor's security controls will increasingly become a primary focus. Both the institution and the cloud vendor are responsible for ensuring that the confidentiality, integrity, and availability of sensitive information and assets are protected and maintained.
It is reasonable to expect that adoption of cloud computing may also result in new examination and audit practices. For example, tomorrow's examiners:
- Will need to know where the data is located within the cloud
- Will want to know where the controls are located within the cloud
- Will make vendor management the primary focus within the cloud. They will concentrate on the location of assets and core processes (e.g., item and check processing, and management of network security and performance in the cloud).
The banking regulators recognize the need for guidance on how to address many of the cloud computing security risks. In November 2009, they coordinated a symposium to explore the need for cloud computing guidance or potential regulations. Numerous issues were discussed at this symposium, such as:
- Trust and transparency of the service provider's controls
- Identity and access management
- Data loss prevention for exposure of the institution's sensitive data in a multi-tenant environment where the data is separated logically, not physically
- Encryption of sensitive data in storage, in transit, at rest, and in use
- Compliance with various federal and state laws that will vary among clients in a single cloud environment
- E-discovery of email and other data stored in the cloud
- Cross-border data transfer and use
- Collection and retention of log data, segregated for each institution customer in the cloud
- Incident response handling in the event of a security event
Until new regulatory guidelines are published by the FFIEC agencies, institutions and cloud vendors must apply the existing regulatory mandates to the cloud computing environment. We offer the following recommended practices to help the institution and the cloud vendor apply existing regulatory mandates and other recognized security best practices to secure the cloud.
Recommended Cloud Computing Practices
Cloud service providers should:
- Communicate their information security program and IT risk management practices to the cloud customer.
- Conduct thorough IT audits, such as a SAS 70 Type II or ISO-type audit of controls, and share security audit reports with customers. Cloud service providers may need multiple audit reports from various sources to validate and accredit the provider's whole cloud ecosystem. The audits should include:
  - All components and practices that were evaluated.
  - All deficiencies found with each component and practice, and the compensating controls in place that will reduce the risks identified from the deficiencies.
  - Detailed methodology and work papers for how each component and practice was evaluated (more detailed methodologies will decrease the risk of errors and oversights).
  - Holistic evaluation of every component and practice in the cloud environment. This includes:
    - Confidentiality, integrity, and availability controls for each technology component, administrative practice, and physical security control in the cloud ecosystem.
    - Preventive, detective, and corrective controls for each technology component, administrative practice, and physical security control in the cloud ecosystem.
- Allow on-site inspection (security-savvy cloud customers may want to use their own auditing team to evaluate the cloud service provider's security controls).
- Encrypt sensitive data in storage, in transit, in use, and at rest.
- Ensure:
  - Application security controls: applications should be validated by qualified application security assessors using some form of application security best practices, such as the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS), located at http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project.
  - Application layer logging.
  - Application level firewalls, proxies, and other logging tools.
  - Automation of security controls: all controls should be automated where feasible.
  - Data loss prevention: controls should be in place to prevent, detect, and correct unauthorized access to or distribution of data.
  - Notification and remediation controls.
  - Virtualization security controls: conduct virtualization security audits following best practices, such as the Center for Internet Security Benchmarks for Virtualization (http://www.cisecurity.org/benchmarks.html).
  - Identity management controls.
  - IT governance controls: all practices and controls should be defined in writing and performed and enforced according to the governance policy. A popular framework for IT governance controls is the Information Technology Infrastructure Library (ITIL), located at www.best-management-practice.com/IT-Service-Management-ITIL.
  - Network access controls: security zones and perimeters should be defined, with controls in place to authenticate people and components within the cloud ecosystem.
  - Network and host-based intrusion prevention systems: the network and hosts should detect and stop malicious activities.
  - Secure configuration management: implement and manage secure configurations based on industry-recognized best practices, such as those published in the Center for Internet Security (CIS) secure configuration guidelines (http://www.cissecurity.org).
  - Security information and event management: system and application logs should be audited and correlated to prevent, detect, and correct potential and actual security events.
  - Storage controls (e.g., archiving/retention, retirement/destruction, encryption).
  - Enhanced third-party due diligence and oversight: share with the customer all outside parties that will support the cloud environment.
Financial institutions should:
- Define an acceptable risk-based cloud computing strategy and framework. It should document the business case for the cloud delivery and deployment model the institution has chosen. This should include management's awareness of the cost savings, data security risk, cloud vendor financial and domain expertise due diligence, geographic risk (e.g., e-discovery, encryption laws, legal jurisdiction), etc.
- Conduct a cloud risk assessment: perform a gap analysis to determine the institution's and the cloud vendor's security posture and their respective responsibilities for protecting sensitive information.
- Negotiate clear contracts and service level agreements with measurable and enforceable metrics for success. Refer to the Cloud Security Alliance's "Security Guidance for Critical Areas of Focus in Cloud Computing" for additional guidance on cloud service level agreements.
- Audit the cloud vendor's information security and IT risk management practices. A qualified cloud vendor should be willing and able to comply with the specific requirements defined in the FFIEC IT Examination Handbook and other recognized best practice guidelines and standards. Any pushback against these requirements is a clear signal that the vendor does not possess the appropriate level of domain expertise and security capabilities. Compliance should be viewed as the cost of doing business with a federally regulated financial institution.
Dan Holt is CEO and Paul Reymann is strategic adviser for HEIT. In addition, Reymann was a co-author of the GLBA data protection rule. They can be reached at dan.holt@goheit.com and paul.reymann@goheit.com, respectively.
