Security in a Cloud Computing Environment

The FFIEC recently released guidance regarding cloud computing. Our team at Finosec has spent a number of hours reviewing and digesting the expectations. The summary here is that there’s really no new guidance. However, there are a couple of key takeaways we wanted to highlight as you’re going through this process. This was released in May of 2020 and it clearly set some expectations of security in a cloud computing environment. If you think of May 2020, we’re right in the middle of trying to work and dealing with pandemic remote workers, remote usage, and cloud computing. At the same time, vendor management and vendors are continuing to leverage cloud computing. At its core, this document talks about effective risk management.

One of the things that was interesting is this concept of a shared responsibility and you’ll see this theme come through as we talk through this discussion between the cloud service provider and their financial institution clients, and they’re putting some clear expectations on the cloud service provider, but they have some hooks and expectations they want you to have in place as a financial institution as you’re going through that. Again, this statement does not contain any new regulatory expectations, but it highlights some of their expectations. Ultimately, the key takeaway is that management at your institution should not assume that they have the right things in place. You really need to manage and make sure that there’s effectiveness related to support security operations and associated resiliency controls.

The statement spends a considerable amount of time on the contractual agreement, such as SLAs and ways for you to hold the vendor accountable. They talk about some different types of services: Software as a service and platform as a service. One of the things that I took away here is: “the financial institution is responsible for user specific application configuration settings.” One of the things to note in a Software as a Service environment is that the institution is responsible for user access and identity management, and this component is specifically being highlighted.

Furthermore, in the future, they’re going to talk a little bit about the need for frequent user review. Ultimately, they say again that the financial institution retains overall responsibility of the safety and soundness of the cloud services. And really the lens is all around the crown jewels and protecting sensitive information. How do we make sure we’re protecting social security numbers, account numbers, usernames, passwords, and more?

Now you’ll talk about the risks. Again, we must complete a careful review of the contract. What’s your responsibilities to the institution? What’s the cloud service provider’s responsibilities? One of the things we see a lot with our customers when we’re having initial kickoffs and conversations is the lack of clarity on user access and permissions. So that’s one thing I would absolutely highlight. You need to make sure you get your arms around the idea of least privilege, making sure we have a validation of those access points, and so on.

Responsibilities

Now the contractor responsibilities are really interesting. They talk about the need for service level agreements, specifically detailing who is responsible for what. The typical cloud computing contracts that we have seen don’t always define the responsibilities of these activities in the contract, so that’s something I would take away as an important action item in your vendor management process. They also want to make sure that you have an inventory process, which I would equate to a system map of understanding where the information assets are and if they’re cloud or hosted and not an on premise. There’s some cool ways and unique things that we put in place that I’ve seen institutions leverage, and we would be happy to share those with you if you’re trying to figure out, “Hey, how do I track that? What does that process look like?”

They go on to talk about configuration, provisioning, logging, and monitoring. This gets into user access, permissions and, again, this identity access management and network controls. If you’ve seen my videos in the past, the FDIC and OCC put out a joint statement in January of 2020 (which is about four months before this new update came out) and their expectations were really clear around identity, access management, user authentication and validation. So again, they’re coming back to that same concept.

Now let’s review this one, frequently updating and reviewing account access. In all guidance we’ve had in the past, it was listed as periodic. However, in the January release and the FTC and OCC joint statement, we saw a change from periodic to regular and now they’re talking about frequent access, specifically focusing on a privileged user access and making sure that we have tools designed to detect security misconfigurations and network controls.

They also talk about your need for security controls of sensitive data, which is things like encryption validation, DLP, data loss tools, making sure those systems are finished. And another thing to put on your employee training list is information security and awareness training programs specifically for cloud services. This will cover things like “what do we allow, what do we not allow? What is the process if they’re a vendor management, how do we make sure that they understand the needs and the obligations that we need for them to make sure that they’re managing?” Another thing that we really haven’t seen specific components around is this concept of change management, which is difficult, especially in a cloud environment or a shared model.

In situations where the vendor or your partner has the ability to change things and expectations and you need to be able to make sure, if you’re in a managed service or a cloud services solution, how do you know when the vendor is making changes? How do you document those things? We don’t want to just have them have access and assume that they’re doing their things correctly. We want to be able to have a process and a mechanism to be able to validate changes on the system. That could be security updates, that can be configuration changes, that could be enhancements, that could even be support tickets and working with your team and provisioning and deprovisioning systems in a cloud environment.

Now, let’s discuss business resiliency and recovery. Candidly, from my perspective, I think this is where cloud services shine, but you need to have a process in place to make sure that your vendors and partners have correctly configured and outlined the process. Just because it’s in the cloud doesn’t mean business resiliency and recovery have been addressed, so we want to make sure we have a process for that. What’s the testing? What’s the validation process? As a senior manager, how do you facilitate that? Essentially, they also go on to incident response capabilities and they talk about the need as an organization for you to know what’s your responsibility and the cloud service provider’s responsibility.

For Example

In April of 2020 we actually had an attack that happened right in the middle of a workforce that was largely working from home during the COVID-19 pandemic. Finastra was hit with a broad scale ransomware attack. Now they were able to recover and protect the information, but I’m sure it created a lot of stress and anxiety on their teams, let alone the financial institutions that were managing those systems. But this example causes us to ask the question: what if your cloud service provider gets compromised, and what do you risk as a result? What are you supposed to do as an institution? What are they supposed to do? I would also say you must conduct regular testing and validation of that process.

Now let’s discuss the controls assessment and cloud service provider managed controls. There are two things that they highlight here: One is they want to make sure that the financial institution has controls and that they are checked. That is going to be your audit and your validation process. Next, they want you to have a service level agreement with the cloud service provider and then not just stop there, but also have a report from the vendor validating their adherence to that SLA. I haven’t seen really good reporting from an SLA perspective from the vendor community. I think this is one of the things to highlight as a FinTech banking technology association group; we need to start thinking about how we manage these things and this expectation from a regulatory guidance.

Additionally, they talk about background checks. Most vendors I see perform background checks, but are they doing security awareness training? What does the documentation on that look like? So again, there are a few things in here that are new and unique that we pulled out today. But the other component that they talk about is really what happens if you leave the vendor. This looks at elements like portability of the data and services. How do you unwind that partnership, and if they have your data, how can you make sure that they actually destroy in the event of a contract cancellation?

My hope is that this gives you a little bit of a summary. There’s some really good detail in here. Of course, this is written in a very broad nature. The FFIC is for the small community institutions all the way up to the larger companies, and there are challenges with that. But if you have any questions, please don’t hesitate to reach out to us here at Finosec for more information and details regarding this information.