When Peoples Bank & Trust's email system crashed earlier this summer, it turned to a hosted solution to ensure future continuity, and thus triggered an emerging and muddled compliance challenge many banks face.
"The email crash took us down a couple of days. Email is very important to the function of the bank, so we couldn't take that risk of a crash again," says Robert Porter, vice president and IT director at the bank, a $275 million-asset community bank based in Hazard, Ky. The bank moved its entire email system to a hosted Safe Systems solution called SafeSysMail. It's also using an email archiving and encryption service from Safe Systems. For a bank that only has two IT workers, the move to a hosted environment is expected to save about $80,000 over the next three years.
But in so doing, the bank is also putting itself under the purview of a new statement from the FFIEC that's designed in part to address the growing use of cloud computing services by banks. While the bank says it's confident that it's in compliance, the guidance has come under fire in the bank tech industry for an alleged lack of precision in defining cloud computing and specific risks that could create security gaps.
"The FFIEC guidance does not spell out what you need to do, it's a document that talks about things to be concerned about," says Rod Nelsestuen, a senior research director at CEB TowerGroup.
The FFIEC defines cloud computing as a migration from owned resources to shared resources in which a client receives information technology services on demand from third party service providers via the "internet cloud."
While definitions of cloud computing vary, the FFIEC's definition is on the broader end of the spectrum. Since Peoples' email outsourcing deal is being hosted, managed and delivered electronically to the bank's staff by an external provider, the bank is making sure the program adheres to the FFIEC's new cloud guidance. Safe Systems' email hosting carries the new certifications often used to vet cloud providers.
The FFIEC statement, issued earlier this summer, says banks need to perform a risk assessment of the providers of cloud services as per its definition of the cloud. That includes vetting how the provider classifies data sensitivity, and what controls are in place to protect data. Other issues such as data segregation and disaster recovery are also included in the guidance, as well as whether the service provider is sharing facilities with other firms. The FFIEC is stressing the importance of ensuring data can be protected and securely removed from all locations where it is stored outside of the bank.
There have also been other attempts to define cloud computing and its risks. Last year, the Open Data Center Alliance - which includes large banks such as JPMorgan Chase, UBS and BBVA - adopted security and transparency guidance that the institutions use to vet cloud vendors. The European Commission, a regulatory body tied to the European Union, also recently issued guidance that includes a list of more than a dozen issues that should be covered in contracts between banks and cloud vendors - including data erasure protocols, security practices, and guarantees that the cloud provider and all subcontractors only act on instructions form the cloud client.
Shirley Inscoe, a senior analyst at Aite Group, says the criticisms of the FFIEC suggest the U.S. guidance is "high level" and treats cloud computing like another kind of outsourcing. "There's not even a general consensus of what the term cloud means. There are a lot of [cloud] vendors that say they can do everything under the sun for a low cost."
Inscoe says the guidance touches on most issues, "but you have to anticipate that bankers will read between the lines and they really have to be knowledgeable about the issues connected to cloud computing that aren't spelled out in the guidance. That's fine when you are talking about large financial institutions, but for smaller institutions and credit unions where they can't afford the in-house expertise, it's a disappointing document," Inscoe says.
She says that for smaller banks that may not be particularly knowledgeable about cloud computing, it would be wise to consult with an internal or external consultant who has expertise in outsourcing.
Inscoe says data segregation - or keeping data from one bank distinct from another firm - is a particular risk, and banks should ensure that service providers aren't using third parties in countries where it's legal to co-mingle non-public data, or sell data (both of those practices are illegal in the U.S.). "As you start using the cloud, it becomes tougher to make sure data is segregated. That's another huge issue that you aren't hearing as much about right now...banks don't want another party using their client data for things the bank wouldn't approve of." An OCC spokesperson (the OCC is one of the agencies included as part of the FFIEC) said the statement is on outsourced cloud services, and references existing FFIEC guidance on outsourcing and use of third parties to deliver services. The new statement pertains to data and systems that are being stored or hosted independently from the bank's internal network. The OCC spokesperson said that as new providers of data and tech hosting enter the market, that increases the need for U.S. banks to ensure that data is in a known location, with verifiable protections. That includes ensuring that the potential for data to be accessed by unauthorized parties in other countries - including foreign governments - has been addressed.
AUDITS AND RFPS
Tower's Nelsestuen says the standard approach to ensure cloud security has been to require assurances for data protection in the request for proposal. There are also firms such as GSX and LogicMonitor that monitor private cloud messaging environments, tracking information and data flow within a cloud environment. But there isn't a universal standard to ensure data integrity within a cloud environment. "Unless someone has a model for evaluating cloud computing, there's not going to be a standard way to approach this," Nelsestuen says.
Darren Bridges, president of Safe Systems (Peoples' provider), says the tech firm's servers are hosted in facilities in Utah and Georgia, and the firm has passed a SOC 2 audit. SOC 2 reports cover security, availability, processing integrity, confidentiality and privacy. SOC 2, produced by the American Association of CPAs, is an auditing standard designed to allow firms that outsource data collection, processing and operation to check the governance at those third parties - a large piece of the FFIEC cloud computing guidance pie, since it gives cloud provides a "stamp" of sorts that demonstrates adherence to data protection protocols.
To provide added security for data in flight, Bridges says Safe Systems uses an email encryption technique from ZixMail that's similar to format preserving encryption, in which the encrypted content is in a similar format - in terms of coding - as the protected content. The encryption is designed to make the security protection easier to integrate with the email system. "Under the FFIEC guidance you must know where data is and the path that it takes to get to and from your bank," says Bridges.
Porter says that regarding the FFIEC guidelines, he's happy to have the system hosted externally by a firm whose core business includes keeping abreast of changing outsourcing protocols and regulations. The geographic diversity of the data storage facilities also provides piece of mind regarding business continuity, he says. "If you do have resources on premises, there's always the chance that you can have a problem, no matter how redundant you are or how many backup systems you have. By hosting it outside, we can recover if we need to," Porter says. "It takes away a lot of worry."
For its new hosted check deposit system, Hosted POD (proof of deposit) Computer Services Inc. says it uses a mix of tracking and an internal FFIEC reporting tool to review each deposit for validity, with a rules-based flagging mechanism for transactions to be reviewed. Hosted POD is a new version of the tech firm's existing Summit.net check image platform that leverages virtualization to provide needs-based allocation of the processing service. Hosted POD uses an open platform that enables it to interface with the bank's existing core processing system to retrieve and process checks. The virtual servers are maintained within the CSI data centers in Kentucky, and the fee to the bank is based on item volume and length of storage requirements - a model designed to reduce the upfront cost of deployment, with recurring costs based on need rather than a fixed rate.
David Hanighen, chief information officer of the $944 million-asset Covina, Calif.-based Kaiser Federal Bank, one of the initial users of the product, says the bank reviewed CSI's FFIEC compliance measures, and is confident in the hosted image system. "They do a good job of staying up on regulatory requirements, it wasn't a difficult decision," he says.
For concrete guidance on cloud security, banks need to look beyond the FFIEC's advice.