Examiners Get Onto Your Cloud
Matt Gerber said he’s gotten a lot of calls lately from credit unions with an immediate need they haven’t had before. The examiners are coming and his clients need to prove they have their heads in the clouds.
Gerber is CEO of IT-Lifeline in Spokane, Wash., a cloud-based disaster recovery and business continuity planning provider to about 110 customers, including nearly 40 credit unions.
He said his company is suddenly doing an unusually brisk business in DR and BCP testing for credit unions, and the NCUA confirmed it is now looking specifically at cloud computing, following up on guidance issued by the FFIEC this summer.
“Cloud computing infrastructures are vulnerable to threats and risks, the same as data centers operated by financial institutions,” said Catherine Yao, information systems officer for the agency’s Office of Examination and Insurance.
“When a financial institution relocates their resources, such as data, applications and services, to cloud computing facilities, the financial institution must ensure data integrity and recoverability of data, applications and services,” Yao said.
Cloud computing has come to mean many things. Here’s Gerber’s definition. “I liken it to an apartment building. You have multiple people sharing one building, but each and every apartment is separate. You’ve got your own door and lock but the building has its own infrastructure. You don’t have to own that to use it. You just rent the space you need.”
Proving that space is secure is now mandatory, according to the guidance issued in July by the Federal Financial Institutions Examination Council, which followed up on its much-publicized multi-factor authentication guidance of last year with a new set of rules aimed at cloud computing.
Credit unions are responsible for their third-party relationships, of course, and the NCUA said security testing, including penetration testing and vulnerability scanning, must be performed at least annually.
IT-Lifeline provides credit unions with what Gerber calls a private cloud, using its own equipment to back up noncore processing data that is nonetheless vital to a credit union’s operation, including Web applications, file management, SharePoint and more. The company also uses Amazon servers to store some client data, another iteration of cloud computing.
The company also has recently partnered with Jack Henry & Associates to offer its services to credit unions that use JHA’s Symitar core platform and that company’s transactional data backup and recovery centers.
Cloud computing, in all its forms, presents new challenges for data security as confidential information moves around the Internet and through private pipelines. That’s what the FFIEC guidance was intended to address, and the NCUA apparently is following through.
“The NCUA examiners have said they want to look at disaster recovery plans, which they always have, but now there’s more of a dramatic difference,” Gerber said. “Last year, we did maybe 20 tests for that reason. This year we’ll probably double that.”
Yao said examiners are specifically focusing on eight areas:
- Quantity of risk present from outsourced cloud computing, including such specifics as available bandwidth and storage space;
- Service model and type of deployment used;
- Credit union’s due diligence process;
- Inherent risks evaluated and control mechanisms identified;
- Material subcontractor relationships;
- Vendor’s internal controls;
- Compliance with regulatory requirements; and
- Data recoverability.
“Information security implications are key considerations in the cloud computing service,” Yao said. “Recoverability is essential for a financial institution in terms of recovery, resumption and maintenance of the entire business, including outsourced cloud computing.”
Cognizant of that, Gerber at IT-Lifeline likes to point out that his business is located “in one of the most boring places you could ask for when it comes to natural disasters. No hurricanes, no floods.”
He said that helps assure nervous compliance officers from banks and credit unions who have to satisfy examiners that all is well on the backup front.
Although he advised regulators not to try to be so specific and prescriptive, because technology keeps changing the terms and tools, “basically, I think they hit the nail on the head,” he said of the new cloud guidance.
“You should be looking for the same level of standards from cloud providers as you would from any other outsourced provider,” he said.