"We have to cut IT costs!"
The problem is multi-faceted. Whether you need to add another IT professional, re-model and expand the server room, upgrade your servers or buy new software technology – IT has grown like a monster in the closet.
That's when someone brings up "the cloud."
The FFIEC defines cloud computing as "a migration from owned resources to shared resources". For the first time since you bought your first server, the cloud has presented a real solution to stop the ever-expanding nature of bank IT and bank IT costs.
So how do you go about leveraging the power and savings of the cloud?
The answer lies in who you choose to host your cloud. A simple web search for "cloud hosting" will reveal pages of companies soliciting cloud hosting business. They each offer unlimited services from application hosting to disaster recovery. Their pricing menus are as varied as their flashy logos and websites. Do you choose based on pricing structure, location, company history, network options…? The jargon involved is complex and many times contradictory.
The most important question for your bank in finding a cloud hosting provider is this –
Who can I trust with our data?
Hosting any data function of your bank will require you to trust and know that organization like an employee. A company hosting your data should be considered a business partner, not simply a third-party vendor. After all, they will have your data and your customers' data. They will have your very livelihood as a banking institution. The FFIEC report on Cloud Hosting explained it this way –
A financial institution's use of third parties to achieve its strategic plan does not diminish the responsibility of the board of directors to ensure that the third party activity is conducted in a safe and sound manner and in compliance with all applicable laws and regulations.
That means you are still responsible for the security and protection of your data even though you have hired another business to manage it. You are still accountable as the primary recipient and manager of the data.
A cloud hosting provider needs to be chosen like you were hiring a bank president: they need to be interviewed multiple times, they must have a proven track record in your industry, their references must be verified and you must feel you can trust them. If you can, choose someone you know.
Your third-party vendor must also hold credentials, and their controls should be validated by an independent party. The standard for this type of review is an SSAE 16. An SSAE 16 (formerly SAS 70) engagement is an internationally recognized third-party assurance examination designed for service organizations to report on controls relevant to user entities' internal control over financial reporting.
This exam ensures that your provider has controls in place to address physical security, unauthorized access and service disruptions. Make sure your provider has been audited and has a complete SSAE 16 under their belt.
Moving banking resources to the cloud can improve your bottom line. Rising IT costs can be frozen and scaled back. However, you must choose the right partner to maximize the benefits and keep your bank secure. Having a relationship with your cloud provider is the most important factor for long-term IT management success.