Regulators urge banks to monitor security of cloud service providers
WASHINGTON — Regulators issued a joint statement on the risks of cloud computing, summarizing years of guidance and rules as banks' reliance on cloud providers has become more and more ubiquitous over the last decade.
The statement, issued by the Federal Financial Institutions Examination Council, covers a broad collection of matters regarding that relationship, including the basics of legal contracts, governance, security and auditing.
“Ongoing oversight and monitoring of a financial institution’s cloud service providers are important to gain assurance that cloud computing services are being managed consistent with contractual requirements, and in a safe and sound manner,” the statement said Thursday.
The statement emphasizes the responsibility of banks' management to carefully monitor cloud security, whether they use a public cloud — like one offered by Microsoft, Amazon, or Google — or an in-house private service.
“Management’s failure to understand the division of responsibilities for assessing and implementing appropriate controls over operations may result in increased risk of operational failures or security breaches,” the FFIEC wrote.
For third-party providers, in particular, the FFIEC said it was critical for banks not to play a passive role in ensuring cloud security.
Bank management should “evaluate and monitor the cloud service provider’s technical, administrative, and physical security controls that support the financial institution’s systems and information assets that reside in the cloud environment,” the FFIEC said.
The guidance pulls from recommendations developed across the government, including the National Institute of Standards and Technology, the National Security Agency, the Department of Homeland Security and the General Services Administration.
The statement also offers industry resources developed outside of government, including from the Cloud Security Alliance, Institute of Electrical and Electronics Engineers, and the Open Web Application Security Project.