Out of sight, out of mind feels pretty good, doesn’t it? Especially when it is not only out of sight but off the ground entirely. Your organization’s data is so far out of reach that not only does it feel like you can’t get to it, there’s an illusion that no one else can either. But it is just that, an illusion. Even if you are partnering with a reputable vendor with large market share, there is still risk that needs to be considered and mitigated. Recently, the Federal Financial Institutions Examination Council (FFIEC) published a press release discussing security recommendations for how to mitigate this risk. Let’s take a few minutes to walk through it.
From a high level, the FFIEC talked about the following three areas first:
- Establish a good contract.
It’s easy to go along with a strong vendor and assume you’re getting the security you deserve with a basic contract, but you need to read the fine print and establish very specific service level expectations and control responsibilities for both your organization and the provider.
- Perform ongoing oversight and monitoring of the cloud provider.
Depending on the complexity of your relationship, this oversight can range from evaluating the provider’s independent audits (SOC reviews) and following up on any exceptions they may have, to reviewing the service levels they agreed to and holding them to those expectations yourself.
- Implement appropriate risk management.
This step is where the rubber meets the road. This is where you actually have to apply the knowledge you have about your provider and begin to truly understand what’s at risk and what you need to do about it. The FFIEC suggests several types of controls that are critical to help secure your information in the cloud and mitigate the risk of that information being accessed, even though you don’t have direct control over it.
The FFIEC continues by describing processes and controls that are critical to ensuring security with cloud service providers.
As mentioned above, governance is key when it comes to strategies around cloud computing. An organization’s plan for monitoring all controls related to vendors will determine the impact of a breach and serve as the foundation for the effectiveness of all other controls. Naturally, the next area the FFIEC mentions is cloud security management. This process includes risk identification and implementing appropriate controls to mitigate those risks. These controls should include requirements for contracts defining the responsibilities of the service provider and financial institution as well as the processes for monitoring these responsibilities. Several areas to consider monitoring for resilience include:
- Incident response
- Use of subcontractors
- Data ownership
- Data disposal procedures
- Data location restrictions
One of the key areas gaining visibility with examiners is activity logging and monitoring for internal and external users. This can mean using your own tools or even the service provider’s tools to log sensitive transactions and monitor this activity, even in the cloud environment. This process can differ from the one used in your own network architecture, which makes the auditing and testing of these controls even more critical to ensure they are effective. These processes go hand-in-hand with identity and access management and with reviewing roles and responsibilities to confirm all individuals have only the access they need.
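As an added illustration of the two controls just described (logging and monitoring of sensitive activity, and an access review against least privilege), the following Python example is not from the original post or from the FFIEC statement. The audit-log line format, field names, sample identities, the privileged-action list and the job-function policy table are all constructed assumptions for this example, not any provider’s real schema; the same review logic applies whether the records come from your own tools or the provider’s.

```python
"""Review constructed cloud audit-log lines and role assignments.

Everything below (log schema, identities, policy table) is hypothetical
sample data built for this example, not a real provider's format.
"""
import json

# Constructed sample of provider audit-log records in JSON Lines form.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-01-08T09:14:02Z", "actor": "alice@bank.example", "actor_type": "internal", "action": "object.read", "resource": "customer-pii/statements", "sensitivity": "confidential"}
{"ts": "2024-01-08T09:20:45Z", "actor": "svc-backup", "actor_type": "internal", "action": "object.read", "resource": "backups/nightly", "sensitivity": "internal"}
{"ts": "2024-01-08T10:02:11Z", "actor": "contractor@vendor.example", "actor_type": "external", "action": "object.read", "resource": "customer-pii/statements", "sensitivity": "confidential"}
{"ts": "2024-01-08T10:05:30Z", "actor": "bob@bank.example", "actor_type": "internal", "action": "iam.policy.update", "resource": "roles/storage-admin", "sensitivity": "internal"}
{"ts": "2024-01-08T11:41:09Z", "actor": "alice@bank.example", "actor_type": "internal", "action": "object.delete", "resource": "customer-pii/archive", "sensitivity": "confidential"}
"""

# Actions the institution treats as sensitive transactions regardless of
# who performs them (assumed list for this example).
PRIVILEGED_ACTIONS = {"iam.policy.update", "object.delete", "key.rotate"}


def parse_audit_log(text):
    """Parse JSON Lines audit records, skipping blank or malformed lines so
    one bad record does not abort the whole review."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def flag_sensitive_activity(events):
    """Return (event, reason) pairs worth a reviewer's attention: external
    actors touching confidential data, and privileged actions by anyone."""
    flagged = []
    for ev in events:
        reasons = []
        if ev.get("actor_type") == "external" and ev.get("sensitivity") == "confidential":
            reasons.append("external actor accessed confidential resource")
        if ev.get("action") in PRIVILEGED_ACTIONS:
            reasons.append(f"privileged action {ev['action']}")
        for reason in reasons:
            flagged.append((ev, reason))
    return flagged


# Constructed role assignments and a least-privilege policy keyed by job
# function (both hypothetical sample data).
ROLE_ASSIGNMENTS = {
    "alice@bank.example": {"job": "analyst", "permissions": {"object.read", "object.delete"}},
    "bob@bank.example": {"job": "platform-admin", "permissions": {"object.read", "iam.policy.update"}},
    "contractor@vendor.example": {"job": "vendor-support", "permissions": {"object.read"}},
}

LEAST_PRIVILEGE_POLICY = {
    "analyst": {"object.read"},
    "platform-admin": {"object.read", "iam.policy.update", "key.rotate"},
    "vendor-support": set(),  # vendor staff get no standing data access
}


def review_access(assignments, policy):
    """Compare each identity's granted permissions with what its job function
    allows; return {identity: excess permissions} for over-privileged users."""
    excess = {}
    for identity, info in assignments.items():
        allowed = policy.get(info["job"], set())
        extra = info["permissions"] - allowed
        if extra:
            excess[identity] = extra
    return excess


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    for ev, reason in flag_sensitive_activity(events):
        print(f"{ev['ts']} {ev['actor']:<28} {ev['action']:<18} -> {reason}")
    for identity, extra in review_access(ROLE_ASSIGNMENTS, LEAST_PRIVILEGE_POLICY).items():
        print(f"{identity}: holds unneeded {sorted(extra)}")
```

Run as a script, it lists the three events a reviewer should look at (the external read of confidential data, the IAM policy change, and the delete) and the two identities holding permissions their job function does not call for. In practice the flagged events feed your monitoring workflow and the access-review output becomes the evidence that the roles-and-responsibilities review was actually performed and acted on.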
Depending on the complexity of your environment and the information you have in the cloud, change management controls are essential to your structure. From the transition to your cloud environment, to the development of internal processes, to everyday configuration changes, a solidified procedure that includes documentation and required approvals is a key aspect of making changes more securely.
Resilience and Recovery
Resiliency in the recovery process is one of the most critical areas to consider when establishing a procedure to restore your data in the case of a disaster. The FFIEC warns that these services cannot be assumed to be included in cloud service provider contracts and need to be explicitly added by the institution. This includes responsibilities and detailed plans that align with both parties’ processes. It is then important to update the institution’s business continuity plans to ensure they cover all necessary responsibilities and include key contacts at the vendor.
This also brings up a discussion regarding business impact analysis procedures and performing a data classification. Many clients we work with haven’t seen the immediate need to perform these functions or have only an informal classification. Having a formally documented data classification is critical to determine what requirements are needed from the service provider for the data they hold and what information the organization is responsible for restoring within a required timeframe. This classification exercise leads naturally to the business impact analysis as part of the business continuity plan, but it is often overlooked. Incorporating these two processes could help expedite the data recovery process in the event of a disaster and ensure the most critical data is prioritized as necessary.
Unique Cloud Environments
The last piece of the statement has the FFIEC distinguishing specific controls that are unique to cloud environments. Many organizations are familiar with virtual infrastructures, containers, managed security services, interoperability and portability of data and services, and the different processes for data destruction and sanitization. However, these can become complex with cloud providers or be used differently within a contract, and they should always be reviewed in detail when agreements are established.
Overall, the most important things to remember when transitioning to a cloud service provider for the first time (or a reminder if you’ve been doing this for years) are to practice consistent, detailed monitoring of your provider and to ensure the established agreements are being met. Always establish security on your end by implementing sound internal controls such as access management, change controls, and recovery and resilience processes and procedures.
Hopefully this was helpful, and as always, let someone on our team know if you have any questions about these processes.