We talked the other day about the cloud and compliance issues, and after writing that, we came across an item that drives that point home.
According to this article at the Bank Info Security website, the Federal Financial Information Examination Council is casting a wary eye at the cloud model, in light of past and potential data breaches. It has produced a four-page resource document designed to help financial institutions "better understand and address (the) unique risks posed by outsourced cloud-based services."
Suggesting the need for more robust controls due to the nature of the cloud, the council recommends that organizations "look beyond potential benefits and perform a thorough due diligence and risk assessment." We'd be surprised if any decent organization in what is one of the most heavily regulated industries in the country didn't perform that sort of due diligence, but we suppose it never hurts to be reminded.
The document focuses on this necessary due diligence, as well as ongoing vendor management, information security, audits, legal and regulatory compliance, and business continuity planning. It also raises some cloud-specific concerns: data classification (how sensitive is the data, and what controls, such as encryption, need to be in place to protect it properly); data segregation (whether the financial institution's data will share any resources with other clients of the cloud provider); and recoverability, in case of disaster or any other service interruption.
While the council focuses in this document on the cloud provider, regular readers here know that the network that connects the enterprise with its provider is equally important. Some of the key recommendations in areas such as business continuity could not be achieved without the capability and scaling capacity of strong network providers such as Sprint.
"Just using the Internet" is hardly a valid option when the data really matters, and particularly when it is highly confidential as in the case of financial institutions. Network security and reliability are absolutely critical anytime an organization's data is at stake.
By the way, if you missed our earlier post on compliance, you can read it here.