Lately, the terms "cloud computing" and "cloud-based" are being used to describe a wide array of technology products with varying service models. Because of this, it might seem the meaning of cloud computing is actually up in the air. On July 10th, 2012 the FFIEC Information Technology Subcommittee published some of the first regulatory guidance specifically addressing outsourced cloud computing. This new guidance defines cloud computing generally as "the migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet 'cloud.'" This is a broad definition, and it's likely that most banks are utilizing at least a few technology solutions that would fall into the "outsourced cloud computing" category.
Inside a security-centric paper entitled Outsourced Cloud Computing, an IT professional might expect technical details concerning virtualization, encryption algorithms, multi-tenant architectures, scalability, elasticity, and security mechanisms. You're not going to find discussion of specific technologies or controls in this document. What you are going to find is a non-technical viewpoint focused on the risk management of outsourced cloud computing arrangements in relation to the existing FFIEC Information Technology Examination Handbook. The FFIEC considers cloud computing to have the same basic risk characteristics and risk management requirements as traditional forms of outsourced technology addressed in the FFIEC's Outsourcing Technology Services Booklet. Essentially, the FFIEC expects the same fundamental risk management requirements that should be implemented for other technology outsourcing arrangements. However, the document does identify key elements specific to cloud computing.
The new guidance discusses the following six key implementation and risk management topics related to outsourced cloud computing:
- Due Diligence
- Vendor Management
- Information Security
- Legal, Regulatory, Reputational Considerations
- Business Continuity Planning
Each topic contains several items a financial institution should consider when selecting and managing cloud computing solutions. These considerations are not specified as requirements for every cloud computing outsourcing arrangement. In fact, the document describes itself as being published for informational purposes only. There are definitely some important considerations identified in the document, but their applicability and importance will vary between individual technology solutions. The cloud computing definition provided in the guidance encompasses such a wide variety of service and deployment models (e.g. infrastructure as a service, software as a service, etc.) that financial institutions will have to make their own judgments. For example, some of the more stringent controls mentioned might not be feasible in some situations, depending on the sensitivity and importance of the data being processed. Of course, systems processing non-public personal information (NPPI) will always require a higher level of risk management.
In conclusion, the fundamentals of managing the risk of cloud computing remain the same as for other technology outsourcing arrangements. Outsourced cloud computing can provide many strategic advantages for a financial institution, including cost savings, flexibility, scalability, and performance. However, the complexity of some cloud computing environments can create unique challenges. The new FFIEC guidance identifies good examples of challenges that must be considered when selecting cloud computing service providers and managing these relationships. I encourage you to read the entire document and analyze it yourself. I also suggest reviewing the Guidelines on Security and Privacy in Public Cloud Computing published by the National Institute of Standards and Technology (NIST) and the FFIEC's Outsourcing Technology Services booklet for more in-depth guidance related to cloud computing risk management.