6/2/2010
12:06 PM

Matt Gunn
News

Connect Directly

50%

50%

Tweet

Recently Bank Systems & Technology spoke with cloud expert Tim Brown, senior vice president, distinguished engineer, chief architect Security Management at CA about what banks should be considering and doing as they experiment with cloud computing implementations. Here are ten recommendations compiled through a presentation Brown gave at the recent Cloud Computing Expo in New York, and through further discussion with BS&T. Read more about Cloud Computing and security in the June digital issue of Bank Systems & Technology, available now for download:1) Identify solutions that make sense for your business: evaluate people, process and technology both internally and at the vendor level.

2) Evaluate vendors on depth of solution, security, references and viability of their business model.

3) Understand the risks, create complete compliance plans and include the cloud vendor and its solutions. Map out what is required internally to meet compliance needs, and determine what services the vendor provides to ensure compliance.

4) Closely scrutinize vendor contracts, SLAs, and high availability/disaster recovery plans. "A cloud provider isn't going to eliminate your liability," Brown says. "You need to know when your liability starts and when it ends."

5) Become an auditor. What Brown means by this encompasses four steps: implement an inspection program, to asses both internal processes and those agreed upon by the vendor; test the data; trust the contracts, but continually verify; and independently audit critical systems and security, going as far as to test just how difficult is to compromise the security promised by providers.

6) Manage identities, roles and relationships. Brown recommends that banks extend existing identity systems rather than invent new ones. "Cloud computing brings together complex systems and allows for more collaboration," he notes. "More collaboration requires more control." But simple role systems are not sufficient for cloud environments, dynamic roles are necessary. He also advises banks to utilize claims-based "If we can raise the bar on identity and access, that's going to play a big part in raising the bar for all of cybersecurity."

7) Move security closer to the data.

8) Do not recreate the issues of the past; use the move to cloud to increase security. Bankers should make security a fundamental component, not an afterthought, he says.

9) Collaboration among staff and vendors on threats and issues in the cloud is critical for security and trust. "Look for more security. Look for more tools," he says. "As the cloud develops, we're going to need more services to protect and secure it."

10) Watch for technology advancement. "Security systems will morph to address security in the cloud," Brown says.