FFIEC's New Cloud Info 'Disappointing'Data Security Expert Says Cloud Services Pose Special Risks
An attorney who specializes in data security issues says a cloud computing resource document that the Federal Financial Institutions Examination Council issued July 10 falls short of providing useful insights about how banks and credit unions must address privacy and security risks.
In the four-page document, the FFIEC explains how banking institutions should apply existing guidance to deals they sign for outsourced FFIEC Addresses Cloud Risks).
But Francoise Gilbert, an attorney at the IT Law Group, says the resource is far too shallow to offer banks and credit unions any real insights about precautions they should take when considering cloud computing.
The FFIEC's insistence that institutions should apply the same standards to cloud providers that they apply to other service providers reveals a lack of knowledge on the part of banking regulators about the unique risks posed by cloud computing, Gilbert says.
"I find this document a bit disappointing," she says. "They view cloud computing as just another form of outsourcing, and that's a far too simplistic view."
The FFIEC suggests that when considering cloud computing, banks and credit unions continue to follow the same fundamental guidelines and risk strategies outlined in the FFIEC Information Technology Examination Handbook, especially the Outsourcing Technology Services Booklet.
"This document codifies what we should look to and for in the Outsourcing Technology Services Booklet," says William Henley, director of technology for the Federal Deposit Insurance Corp., one of the four regulatory bodies that make up the FFIEC. "The expectation of the principles, we feel, should be applied to any vendor or outsourcing relationship."
The National Credit Union Administration says the new resource was issued to address risks and expectations related to the cloud. "Our primary goal here is to ensure credit unions are aware of the potential risks and develop adequate risk management approaches as they integrate this technology," the NCUA says. "Clearly, this type of relationship is like many other outsourced relationships. As such, appropriate due diligence, and understanding both the technical aspects of a cloud relationship and the effectiveness of security and privacy around member data is paramount."
But Gilbert points to separate cloud security guidelines that other agencies have issued to illustrate the shortcomings of the FFIEC's new resource. For example, guidelines issued in December by the National Institute for Standards and Technology and on July 1 by the European Commission delve more deeply into the nuances of cloud computing and offer specific risk mitigation considerations organizations should consider, she notes.
"Compare what the FFIEC has issued with the guidance just issued by the European Commission," Gilbert says. "That document is nearly 30 pages long and is much more detailed about the cloud's unique risks."
In its resource, the FFIEC makes reference to NIST's "Guidelines on Security and Privacy in Public Cloud Computing," and suggests banking institutions refer to it for further clarification.
FFIEC issued the resource to meet a need, Henley says. "There may be vendors that are providing cloud services that are not familiar with financial institutions, so those vendors may not be aware of all of the requirements in the regulatory environment that apply to financial institutions, and this is why we issued the resource document," he says.
Gilbert points out three areas where the FFEIC resource should have been expanded:
- Unique Guidelines: Regulators should not encourage banking institutions to follow the same guidelines for cloud providers that they follow for other outsourced relationships. "When you start a paper with a statement that says cloud computing is like outsourcing, it tells me that you have not done your homework," she says. "I think doing so misses a number of important elements."
- Data Location: The FFIEC notes that banking institutions should consider varying international privacy mandates and compliance standards, based on where their cloud providers store data. But Gilbert says concerns surrounding the location of data are huge in cloud computing, and those concerns are touched upon far too lightly in the FFIEC resource. "Data location is the essence of cloud computing, and they barely address the issue."
- Risk: While the FFIEC's resource does highlight security risks unique to the cloud, such as the fact that data could be backed up and stored by multiple service providers and facilities, Gilbert again says it's not enough. "There should have been specific information included about risks related to data location and technologies institutions could invest in to address those risks," she says.
Gilbert also says the FFIEC should have included more details about how contracts with cloud providers should be handled. Most cloud providers rely on a number of subcontractors, so banking institutions must ensure all parties involved conform to the security and privacy mandates outlined in the contract.
"It's very important to understand who is managing all those different layers, especially the subcontractors," she says. "They should have stressed that more seriously."