Changing The Cloud Security Conversation
Heed Contract Details
Matthew Neely, Director of Strategic Initiatives, SecureState
The reality is that many businesses are not paying close attention to the contracts they sign with cloud providers, and don’t fully understand what the provider is responsible for and what they are responsible for.
It’s not really about the questions bank executives should be asking about cloud security, but rather the steps organizations should take.
The first step to take when you are looking to move processes or data to the cloud is to understand which controls must be in place to protect that business process or data.
Next, see if a cloud provider can implement the controls you require in order to protect your data. Depending on the size and maturity of your security program, you may be able to get better security at a cloud provider than you can in house. However, these situations are rare for most financial institutions. For example, Amazon Web Services (AWS) CloudHSM allows you to use hardware security modules (HSMs) to encrypt your data and protect the encryption keys. The ability to use HSMs to protect your data might not be an option in your current data center.
Once you have found a cloud provider that can meet your security requirements on paper, the next step is to perform an assessment to verify the controls are implemented properly.
If you do find a provider you are comfortable using, it is critical that your legal staff reviews the contract. The contract must include language that commits the provider to implementing the minimum set of controls you identified.
Additionally, financial services institutions need to ensure they have the right to audit the cloud environment whenever they like. Organizations should perform follow-up audits at least annually to verify the required controls are still in place.