Changing The Cloud Security Conversation

What are the pertinent questions banks should ask about security in the cloud?
November 08, 2013

Heed Contract Details


Matthew Neely, Director of Strategic Initiatives SecureState

The reality is that many businesses are not paying close attention to the contracts they sign with cloud providers, and don’t fully understand what the provider is responsible for and what they are responsible for.

It’s not really about the questions bank executives should be asking about cloud security, but rather the steps organizations should take.

The first step to take when you are looking to move processes or data to the cloud is to understand which controls must be in place to protect that business process or data.

Next, see if a cloud provider can implement the controls you require in order to protect your data. Depending on the size and maturity of your security program you may be able to get better security at a cloud provider then you can in house. However, these situations are rare for most financial institutions. For example, Amazon Web Services (AWS) CloudHSM allows you to implement hardware security modules (HSMs) to encrypt your data and protect the encryptions key. The ability to use HSMs to protect your data might not be an option in your current data center.

Once you have found a cloud provider that can meet your security requirements on paper, the next step is to perform an assessment to verify the controls are implemented properly.

If you do find a provider you are comfortable using, it is critical that your legal staff reviews the contract. The contract must include verbiage to ensure that it includes and implements the minimum list of controls.

Additionally, financial services institutions need to ensure they have the right to audit the cloud environment whenever they like. Organizations should perform follow-up audits at least annually to verify the required controls are still in place.

Bank Systems & Technology encourages readers to engage in spirited, healthy debate, including taking us to task. However, Bank Systems & Technology moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Bank Systems & Technology further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
 
< Previous1 2 3 4 5 6 Next > 

< Previous1 2 3 4 5 6 Next >