FFIEC: Managing Cloud Vendors
Ensuring Data Security Is Bank's Responsibility
Cloud vendors must constantly be vetted, banking regulators warn. According to guidelines for vendor management issued by the Federal Financial Institutions Examination Council in 2012, cloud vendors pose special risks, says Troy Wunderlich of Washington Trust Bank, a $4 billion institution based in Spokane.
In July 2012, the FFIEC issued a resource for banking institutions to follow when choosing a cloud vendor.
Wunderlich's bank recently moved a portion of its data to the cloud, which allowed the institution to leverage business continuity and disaster recovery in the event of a crisis.
"It [allows] us to recover data at different locations with reasonable recovery timeframes that we were looking for, as well as a cost-savings over trying to back up data within our environment and restore that out to multiple locations if necessary," says Wunderlich, Washington Trust's operational risk manager, during an interview with Information Security Media Group [transcript below].
Now Washington Trust tests its recovery capabilities on a quarterly basis, Wunderlich says.
"We're always doing a restore of data, restore of the server and restore of the system, to ensure that functionality is working," he says. "Then, we also measure our recovery times for that which feeds into our business continuity plan."
Washington Trust has a robust risk management program, Wunderlich says, which ensures the institution looks very closely at all of its vendors. Plus, it conducted extra due diligence for the cloud vendor. "We wanted to understand where our data was being housed and how it was going to be encrypted."
During this interview, Wunderlich discusses:
- Benefits the cloud offers for disaster recovery and business continuity;
- How working with a third-party vendor can improve efficiencies; and
- Why ongoing and regular testing of cloud recovery capabilities must be part of an institution's due diligence.
At Washington Trust, Wunderlich oversees IT and physical security and manages the bank's anti-money-laundering practices and fraud-prevention compliance programs. He also is responsible for risk management and internal controls as well as vendor management, business continuity planning and policy-review oversight. Wunderlich is a certified information security manager.
The Cloud for Recovery
TRACY KITTEN: What spurred the bank to move some of its data to the cloud?
TROY WUNDERLICH: Moving some of our data to the cloud allowed us to take advantage and leverage the recovery capabilities that the cloud offers, allowing us to recover data at different locations with reasonable recovery timeframes that we were looking for as well as a cost-savings over trying to back up data within our environment and restore that out to multiple locations if necessary.
KITTEN: What were your overall goals for turning to the cloud?
WUNDERLICH: A lot of it was just trying to have that recovery time objective that we were looking for to move some of the technology out of our environment to a location that's further away from our operations center. Then, the cost savings really spurred a lot of what we were trying to do.
KITTEN: Before you made this decision to move to the cloud, how were you managing data and business continuity?
WUNDERLICH: We were doing back-ups internally. As we had grown, the amount of data that we were trying to manage really became unmanageable.
KITTEN: Can you tell our audience a little bit about the cloud services you use?
WUNDERLICH: IT-Lifeline is a vendor in the Liberty Lake area. We have used them for a couple of years now. They manage our data back-ups. That's one of the services they provide. They recently came out with a new service, which was their BlackCloud offering, which we were one of the early adopters of. It really helped us to better manage the large volume of data that we have here. We also utilized their disaster recovery capabilities. With our data out there, we have the ability to recover that either at their facility and recover operations there, or choose a different location if we wanted to and be able to back up data to one of our other facilities. We have a lot of redundancy out to them. They also have a co-location ability, so we've got some of our equipment actually out there as well. That aids us in that disaster and data recovery capability.
Hybrid Cloud Model
KITTEN: Are you relying on a hybrid cloud model?
WUNDERLICH: We're utilizing a community cloud model, and then we're also leveraging a private cloud that we have. Between the two of those, we do have a hybrid type of a model. That's what allows us to really take advantage of how we manage our data and are able to recover data from different facilities.
Prepping for DDoS Attacks
KITTEN: Over the last year, we've seen a number of distributed-denial-of-service attacks waged against banking institutions. How is the cloud assisting your institution there?
WUNDERLICH: We actually host some of our main websites in the cloud, so we kind of split the traffic between our operations center and IT-Lifeline. ... If there's a denial-of-service, it doesn't impact our operations center as much. We also have another vendor that we utilize that helps to monitor the activity, looking for what potentially could be a DDoS attack, and dropping that data so that it doesn't take down our website, for example, or impact any of our operations. We've been able to set up an infrastructure that allows us to do that.
Managing Cloud Providers
KITTEN: Can you explain some of the considerations that your institution reviewed when looking for a cloud provider that could ensure conformance with the FFIEC's cloud guidelines?
WUNDERLICH: The FFIEC guidelines did talk a little bit about cloud technology, but I think they also referred heavily to their outsourcing guidance that they had issued before, and a lot of that had to do with your vendor due diligence, understanding the security risks in general and how to mitigate those. We have a pretty robust risk management program, through which we look very closely at all of our vendors. When it comes to IT-Lifeline, we did extra due diligence. We wanted to understand where our data was being housed and how it was going to be encrypted.
Security Reservations, Concerns
KITTEN: Were there any particular security reservations or concerns that you had to overcome before you made this move to the cloud?
WUNDERLICH: I don't feel like there were really any reservations. We knew IT-Lifeline very well. We've had a relationship with them. We did do some extra due diligence with regard to BlackCloud, understanding the technology, how the infrastructure was set up, where our data would sit, what location, and the encryption of the data. Because it's a community and partially private cloud, we were able to overcome some of the potential security concerns or risks that the cloud does introduce.
Protecting Data in the Cloud
KITTEN: What about the encryption and protection of data? How do you ensure that the vendor you're working with in the cloud space is actually protecting and securing this data?
WUNDERLICH: Partly [it's] talking with the vendor, understanding that architecture, looking at the audit and control testing that has been done as part of SSAE 16, for example, and just really understanding the type of encryption, where our data sits and how it's protected.
KITTEN: How is reliance on cloud assisting with your business continuity and disaster recovery planning?
WUNDERLICH: As I mentioned earlier, it really allows us to recover our data at multiple location points if we need to. Having that ability really shortens our recovery timeframe and allows us to recover operations very quickly.
KITTEN: Is relying on the cloud helping you with testing some of your data recovery and systems?
WUNDERLICH: Yes. We do actually test our recovery capabilities on a quarterly basis, so we're always doing a restore of data, restore of the server and restore of the system on a quarterly basis, to ensure that functionality is working. Then, we also measure our recovery times for that which feeds into our business continuity plan.
KITTEN: How have you been able to cut your expenses?
WUNDERLICH: I think a lot of the savings comes from just not trying to manage the data internally and utilizing the cloud technology. I don't have exact numbers in front of me, but we've been able to save thousands of dollars a year by utilizing the cloud with IT-Lifeline.
Advice to Banking Institutions
KITTEN: What security concerns should other banking institutions take into consideration?
WUNDERLICH: I think [it's] really understanding the vendor that they're going to be working with and going through that due diligence process. I think the guidance from the FFIEC is really on your data classification, segregation of your data and how recoverable it is. If you're looking at those things, understanding how the vendor has addressed those, looking for a vendor who really understands what financial institutions, from a regulatory perspective, are expected to do, would be very beneficial. Looking for ones that have the SSAE 16 compliance I think goes a long way as well. I think a vendor like IT-Lifeline that's really focused on the FI space and knows what regulations and compliance we have to follow is very beneficial.
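The quarterly exercise Wunderlich describes (restore the data, restore the server and system, then record the recovery time for the business continuity plan) and the "how it's protected" question from the data-protection section can be turned into a repeatable, measurable test. The following is an added example written for this page, not code from Washington Trust Bank, IT-Lifeline or the FFIEC: it hashes the live data set before the backup is taken, times a restore, re-hashes the restored copy, and reports both integrity mismatches and whether the elapsed time met a recovery time objective. The `restore_fn` callback, the 900-second RTO, the sample files and the "corrupted backup" case are constructed assumptions standing in for a vendor's restore procedure.

```python
"""Restore-test harness, added as an illustration for this page (not code from
Washington Trust Bank, IT-Lifeline or the FFIEC).

Models the quarterly exercise described in the interview: take a manifest of the
live data, run a restore, verify every restored file against the manifest and
compare the elapsed time with the recovery time objective (RTO)."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable, Dict, List


@dataclass
class RestoreResult:
    """Outcome of one restore test; this is what feeds the continuity plan."""
    files_checked: int
    mismatched: List[str] = field(default_factory=list)  # missing or altered files
    elapsed_seconds: float = 0.0
    rto_seconds: float = 0.0

    def within_rto(self) -> bool:
        return self.elapsed_seconds <= self.rto_seconds

    def passed(self) -> bool:
        # Both conditions matter: a fast restore of wrong data is still a failure.
        return not self.mismatched and self.within_rto()


def manifest(root: Path) -> Dict[str, str]:
    """SHA-256 of every file under root, keyed by POSIX-style relative path."""
    digests: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def run_restore_test(expected: Dict[str, str],
                     restore_fn: Callable[[Path], None],
                     restore_dir: Path,
                     rto_seconds: float) -> RestoreResult:
    """Time restore_fn, then check every expected file came back unchanged."""
    start = time.monotonic()
    restore_fn(restore_dir)          # hypothetical vendor restore step
    elapsed = time.monotonic() - start
    restored = manifest(restore_dir)
    mismatched = [rel for rel, digest in expected.items()
                  if restored.get(rel) != digest]
    return RestoreResult(len(expected), mismatched, elapsed, rto_seconds)


# --- constructed sample data and a stand-in for the vendor's restore ---------
SAMPLE_FILES = {
    "accounts/ledger.csv": "id,balance\n1,100\n2,250\n",
    "config/app.ini": "[db]\nhost=primary\n",
}


def write_sample(root: Path) -> None:
    for rel, text in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)


def demo(corrupt_backup: bool = False, rto_seconds: float = 900.0) -> RestoreResult:
    """Run one restore test on constructed data; corrupt_backup simulates an
    off-site copy that silently lost part of a file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        primary, backup, restore_dir = base / "primary", base / "backup", base / "restored"
        write_sample(primary)
        expected = manifest(primary)            # taken before the backup
        shutil.copytree(primary, backup)        # the off-site copy
        if corrupt_backup:
            (backup / "accounts" / "ledger.csv").write_text("id,balance\n1,100\n")

        def restore_fn(target: Path) -> None:   # stands in for the vendor restore
            shutil.copytree(backup, target)

        return run_restore_test(expected, restore_fn, restore_dir, rto_seconds)


if __name__ == "__main__":
    for label, result in (("clean", demo()), ("corrupt", demo(corrupt_backup=True))):
        print(f"{label}: {result.files_checked} files, "
              f"{len(result.mismatched)} mismatched, "
              f"{result.elapsed_seconds:.3f}s (RTO {result.rto_seconds}s) -> "
              f"{'PASS' if result.passed() else 'FAIL'}")
```

The manifest is taken from the live system before the backup runs and stored separately from the backup itself, so a restore that returns the vendor's copy unchanged but incomplete is caught rather than trusted. Keeping each quarter's `RestoreResult` gives the trend of measured recovery time against the RTO that the business continuity plan needs.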