Where is your data? “It’s in the cloud.” This is an increasingly common answer to an important question.
Cloud storage has gone mainstream and is in high demand across most industries, including the financial sector. Data is stored on remote servers reached over the internet (the “cloud”) and is maintained and managed by a cloud storage service provider. Yet, however easy and cost-effective the cloud can be, it carries familiar security risks: loss of sensitive data, violation of regulatory controls, malware infections, intrusions, data being unavailable because of technical outages or Distributed Denial-of-Service (DDoS) attacks, and hijacked accounts. This underscores the need for organizations to vet the cloud storage service providers they entrust with their sensitive information.
Eighty-six percent of organizations use multiple cloud storage systems. The surge in data breaches has drawn increased scrutiny to the cloud’s security and reliability. Before entrusting sensitive data to third-party storage, bankers will want assurance that their information will be stored safely and reliably. When it comes to data security, organizations should approach the cloud with caution.
“CIOs must change their line of questioning from ‘Is the cloud secure?’ to ‘Am I using the cloud securely?’” according to Jay Heiser, research vice president at Gartner. Gartner predicts that 95 percent of cloud security failures will be the customer’s fault: misconfiguration, weak access control, and unclear ownership on the customer’s side, not a breach of the provider’s infrastructure. This reinforces the importance of developing a cloud strategy. Gartner recommends implementing and enforcing policies on cloud ownership, responsibility, and risk acceptance. Organizations should also follow a life cycle approach to cloud governance and put in place central management and monitoring planes to cover the inherent complexity of multi-cloud use.
Recommendations to keep your cloud data safe
When it comes to the cloud, there is a lot at stake in the financial services industry: protecting sensitive information, adhering to regulations, and maintaining a good reputation among customers and shareholders. Here are recommendations to keep your cloud data safe:
Understand the regulators you must satisfy and ensure your cloud service provider will also meet those regulatory obligations. Whether the requirements come from the National Credit Union Administration (NCUA), the Federal Financial Institutions Examination Council (FFIEC), Homeland Security and USA PATRIOT Act requirements, the PCI Security Standards Council (PCI DSS), or the Gramm-Leach-Bliley Act (GLBA), financial services are subject to regulatory requirements and to state and national privacy laws. Organizations must know their regulatory obligations and determine whether the vendor will provide sufficient assurance that it will meet the obligations imposed on you. Keep in mind that a provider’s certifications and audit reports cover the provider’s own controls; how you configure and use the service remains your responsibility, and your regulators will treat it that way.
Get buy-in from internal audit and risk departments on the regulatory liability, exposure, and risk the organization faces. Make sure the executive team understands the underlying technologies and who will manage them. Every member of the executive team should be able to state clearly who is responsible for what on cloud resources, what problems the solution will solve, and what data will go to the cloud and what will stay in house. If they cannot communicate this, the vendor and the IT team will not secure long-term management support and strategic oversight. If they can, expectations of the vendor will be communicated consistently over the long term, the executive team will know exactly what it is purchasing, and vendors and IT staff will be forced to prepare sufficiently to avoid surprises.
Do your due diligence. Go beyond the standard reports and assurances. Ask about the cloud storage provider’s latest penetration test and external audit, and when you receive them, check the date, the scope (which systems and which tenant-isolation controls were tested), and whether the findings were remediated and retested. Review their references, test their demos, and ask who their main competitors are. Be a difficult customer! Ask the tough questions, check assumptions, fact-check bold sales statements, and get concrete proof before you proceed. Get into the details with your technical team. If the vendor can’t handle questions from your technical crew, it may not be able to handle your business.
Use cloud services that encrypt data. Look for cloud storage service providers that support local encryption of your data when it is “at rest,” and encryption in transit between you and the provider. What does this mean? Encryption scrambles data so that it is unreadable to anyone who does not hold the key to decode it. This adds a layer of protection to your sensitive information, because the data must be decrypted before it can be read. Pay attention to who holds the keys: if the provider holds them, the provider (and anyone who compromises or compels the provider) can decrypt your data, whereas encrypting locally with keys you control means the provider stores only ciphertext it cannot read.
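The following is an added illustration, not code from the article or from any provider, of what “local encryption with keys you control” looks like in practice. A record is sealed with AES-256-GCM on the customer’s side before it is handed to the provider, so the stored object is opaque to the provider, decrypts only with the customer-held key, and fails loudly if it is altered in storage. The names (NewKey, Encrypt, Decrypt, ProviderStore, ProviderCanRead) and the sample record are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added illustration (not from the article): client-side encryption of a
// record before it is handed to a storage provider. The customer generates and
// keeps the key; the provider only ever receives the output of Encrypt.
// Names (NewKey, Encrypt, Decrypt, ProviderStore, ProviderCanRead) are hypothetical.

// NewKey returns a fresh 256-bit AES key. In practice it would live in an HSM
// or key-management service under the customer's control, not next to the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag,
// so a single stored object carries everything needed to decrypt and authenticate it.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per object
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. A wrong key or any modification of the stored
// object fails the GCM tag check and returns an error instead of garbage.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored object too short to be valid")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ProviderStore stands in for the provider's bucket: it holds opaque bytes only.
type ProviderStore map[string][]byte

// ProviderCanRead reports whether a marker string is visible in what the
// provider holds, which is the question the "at rest" point turns on.
func ProviderCanRead(store ProviderStore, object string, marker []byte) bool {
	return bytes.Contains(store[object], marker)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the values are made up.
	record := []byte("acct=000123456 ssn=XXX-XX-1234 balance=1520.00")
	blob, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	store := ProviderStore{"customers/000123456.bin": blob}

	// Provider side: the object is opaque.
	fmt.Println("provider sees ssn field:", ProviderCanRead(store, "customers/000123456.bin", []byte("ssn=")))

	// Customer side: the locally held key decrypts it.
	pt, err := Decrypt(key, store["customers/000123456.bin"])
	fmt.Printf("customer reads: %q (err=%v)\n", pt, err)

	// A single flipped bit in storage is detected, not silently decrypted.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Decrypt(key, tampered)
	fmt.Println("tampered object:", err)
}
```

The point to take from the example is the division of trust: the provider can lose, leak, or be compelled to hand over the stored object without exposing the record, because the key never left the customer. That protection is only as good as the customer’s own key management, which is why the questions about who holds the keys belong in the vendor evaluation.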
Take precautionary measures, such as stronger passwords. You hear it regularly, but password management is important. Complex, hard-to-guess passwords that are not reused across services can help prevent unauthorized access and minimize exposure of your sensitive information. Where the provider supports it, require multi-factor authentication on every account that can reach the data; a password alone is the weakest point against the account hijacking described above.
Understand breach responsibilities. Who is responsible for a breach of your protected data if it lives in the cloud? If the cloud storage vendor is failing to keep up with security best practices, patches, sound encryption, and regulatory standards, it is time to reevaluate. Questions for you to ask:
How much will it cost to move the protected data securely to a different vendor and get copies for on-site retention?
What are the technical credentials of the IT department and those in charge of digital security at the organization?
What responsibilities does the vendor shift away from itself through indemnification and liability clauses in the contract?
What if the vendor goes out of business?
How can the organization securely and confidently end the relationship while protecting its confidential data?
It’s important for banks to know how their data will be secured and how it will comply with stringent security regulations and requirements. Cloud service providers must be able to reassure you, with concrete and measurable metrics and documentation, that their infrastructure is secure and that your data will be protected.
This article was originally published in the Oregon Bankers Association’s publication, Banking Matters. The complete issue is available to OBA members.