Quick Summary: FFIEC statement on Cloud Computing

 

I'm just getting caught up on some reading, and one of the things that I finally got a chance to read is the July 10th FFIEC "statement" on outsourced cloud computing.  I'm going to provide a full analysis later this coming week, but something that struck me as I read this necessitated my writing it down before it passes out of my brain.

 

First and foremost - what we've all been talking about: the FFIEC considers cloud computing just another form of outsourced IT.

 

Sure, this may be a big "no kidding!" thought to you, but maybe it'll lend some calm to the discussions currently going on about what wondrous new things 'the cloud' brings us.  The FFIEC acknowledges increased flexibility, recoverability and other critical benefits, but in the end concludes that this cloud thing isn't really a full-scale invention of something new.

 

I think the most powerful statement in the entire 4-page document, which I encourage you to read for yourself, is this one:

 

"A financial institution's use of third parties to achieve its strategic plan does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws and regulations."

 

If your organization is going to go through with outsourcing (which is in effect what cloud computing is), then your organization isn't magically absolved from the due diligence that is necessary and proper when doing any other type of day-to-day outsourcing.  The FFIEC is basically chipping away at the "but they got hacked, it's not our fault" excuse that I suspect they anticipate organizations will start to use when their poorly designed, poorly secured applications are hacked in the cloud.  I'm actually pretty excited about this.

 

Look for a break-down of the entire document later this week ... until then, ponder what this means to the financial services sector, which essentially was just told: you own the risk, whether you push the execution of the IT onto someone else or not. You're still on the hook for making sure they're doing the right things according to your risk-management practices.

 

Fascinating.

 

More soon...

Comments
tony_delagrange(anon) | ‎07-16-2012 11:06 AM

Coming from the financial services industry (for about 15 years), this is the same discussion we had about 10+ years ago regarding Application Service Providers, Hosting Facilities, etc.  I recall one discussion with a sourcing manager regarding a company that was going to manage the network; her comment (filled with frustration) was "but you don't understand, THEY own the network", to which I replied "yes, however, WE still own the data on the network and it is OUR responsibility to ensure THEY have an adequate information security program to protect OUR data!"  The phone went silent as that finally sunk in.  My concern with cloud computing is (at least a few years ago) the large cloud providers had (maybe still have) ToS that do not provide any conditions for the client company to obtain information about the provider's information security program (other than a 1-page high-level doc that says "we're good, nothing to see here") and absolve them from any liability if they fail to adequately protect the environment, which many financial institutions considered to be unacceptable.  I haven't looked into this recently, so that may have changed, but I would recommend that any company (regulated or not) closely look at the ToS of prospective cloud providers for 1) the ability to adequately assess the provider's info sec program; and 2) what liability the provider will be responsible for in the event a security breach occurs due to lack of adequate controls that the provider is responsible for.
