Moving Beyond the Basics
And while Barker acknowledges that the caution on the part of smaller banks has mostly been warranted over the past few years, he says, "It's time to start taking a serious look at options that are out there." According to Barker, the FFIEC's recent guidelines will be helpful for banks traversing into cloud services for the first time, but he wishes the organization would have gone a bit further. "The guidelines were a bit light, but they did capture the salient points, especially about due diligence when choosing a cloud provider," he says. "They are covering the basics, but there's a lot more they should be covering. Cloud providers have certainly matured, but you really have to do your research."
One of the most important questions a bank searching for a cloud provider needs to ask, says Barker, is if it can pull its data out of the cloud immediately if necessary. "Can I physically pull my data back and use it in the event of some breach or failure [on the part of the cloud provider]?"
Another critical issue for banks is a lack of standardization among cloud providers, Barker adds, noting that different providers have different data formats. But in general, banks should use the same diligence they use when choosing to outsource any services, he says, sounding a similar note to the FFIEC. "It's no different than any other outsourcing agreement with any company," Barker contends. "It's the same issues as with anyone else running the technology for your bank."
Like Barker, Chris Richter, VP of security services for St. Louis-based Savvis, a cloud infrastructure and hosted IT services provider, believes the FFIEC's guidelines only scratch the surface of what banks need to consider when choosing a cloud services provider. "A lot of it was common sense," he says. "They need to go deeper and provide more guidelines."
Richter notes, however, that there are services and organizations that are available to banks to help them research options and make the right decisions when choosing cloud providers. According to Richter, the National Institute of Standards and Technology, a non-regulatory federal agency, has issued its own cloud computing guidelines. He also points to the the Cloud Security Alliance, an industry association that provides education and promotes best practices for cloud computing, as another tool for banks seeking help choosing a cloud provider.
"No two clouds are created equal," asserts Richter, which is why it is so important for banks to do the proper research into cloud providers and know exactly what type of cloud services they are looking for. But, he adds, all banks can benefit from using the cloud in some capacity. "When you look at efficiency and staying competitive by reducing costs," Richter says, "banks really need to consider cloud computing."
Sidebar: Welcome to the Neighborhood
The difficulty of making sure data is secure in a multi-tenant environment such as a cloud is pushing some banks to rethink current cloud computing models. Rather than take their chances in a public cloud or build an expensive internal cloud, many financial institutions are moving toward a "community cloud" model, in which all of the tenants are fellow banks, according to Jon Ramsey, chief technology officer for SecureWorks, a Dell subsidiary based in Atlanta that provides managed security services.
"One of the inhibitors to adopting cloud-based services in banks is data security, specifically: How do you guarantee the authenticity of that data when it's not within your direct control?" he says. "Having fellow banks being the only tenants is one way to mitigate that."