Cloud Computing for Financial Institutions: With the Benefits Come Security Concerns
Friday, November 04, 2011 - Trevor Foo, CISA, CISM, CRISC
Many financial institutions are finding that they can obtain significant cost savings and operating efficiencies by using cloud computing, in which they share servers and various processes with other businesses that are part of a pool of configurable computing resources.
However, security concerns continue to be an important factor for banks and other financial institutions that are considering cloud computing. While there are many benefits, such as reduced infrastructure costs and pay-for-service savings, there are important security issues, such as increased dependency on a third-party service provider and uncertainty as to who owns the information that is stored and processed.
Because of the cost savings and efficiencies that can be obtained, financial institutions will very likely still find it worthwhile to consider using cloud technology outsourcing, at least on a partial basis, within their strategic plans for Information Technology. The planning can start with a decision about which IT processes should be kept in-house and which should be outsourced. Financial institutions and their IT advisors should then determine if the benefits associated with cloud technology outweigh the potential risks.
Cloud computing can be defined as any subscription-based or pay-per-use service that is available in real time over the Internet. It is more precisely defined by the National Institute of Standards and Technology (NIST) and the Cloud Security Alliance as:
"A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
The word "cloud" is used to refer to the space outside the firewall - in other words, the Internet.
The NIST is an agency of the U.S. Department of Commerce. The diagram below is based on information from the NIST. It highlights cloud computing from a service model perspective and provides some specific examples.

Possible Advantages
The advantages of cloud computing include on-demand network access to information by way of PCs, tablets, smartphones and other computing devices. The idea is not entirely new. Web-based email systems such as Hotmail can be thought of as a "use of the cloud."
A primary advantage is that a financial institution or other user has its outsourced data in one location - thus making it easier to retrieve information. The overall costs can be lower because payments for retrieval are on an on-demand basis.
Savings are also realized from the shared cost of ownership for the entire infrastructure, thus providing benefits from an economy of scale perspective. This benefit comes not only from the reduced cost of infrastructure, but also from the use of technical resources to develop and maintain these services.
Some financial institutions keep certain IT processes on-site, while moving others, such as a "black box" back-up, to a provider of cloud computing. In each process area, management should determine if the organization has the internal expertise to ensure efficiency and success, or if outsourcing might be more effective.
Possible Risks
There is also the issue of who is responsible for the security of the data in its various states (in transit, in processing, or in storage).
The specific risks in cloud computing include:
- The cloud provider often takes responsibility for information handling, which is a critical part of the business. Therefore, it is the financial institution's responsibility to ensure that it understands the controls that are in place to safeguard the integrity of the bank's information, including customer data, at the cloud service provider.
- The dynamic nature of cloud computing may result in confusion as to where information actually resides, since multiple data centers can be involved in the process.
- Third-party access to sensitive information creates a risk of compromising confidential information.
- There is potential for co-mingling of information assets with other cloud customers, including competitors.
- Information may not immediately be located in the event of a disaster.
Financial institutions should consider the following additional issues, because cloud computing providers rely on the Internet as the primary conduit to a client's data:
- Security issues within a public environment
- Availability issues of Internet connectivity
- The location of the processing facility, which may change according to load balancing
- The processing facility location, which may be across international boundaries
- Operating facilities that may be shared with competitors
- Legal issues (liability, ownership, etc.) relating to differing laws in hosting countries, which may put data at risk
Other Issues
To provide protections and liability coverage, it is important for a financial institution to have a service level agreement with its cloud computing provider.
This agreement should ensure adequate protection of information and have details on joint control frameworks. It should also define expectations regarding handling, usage, storage and availability of information, and it should specify each party's requirements for business continuity and disaster recovery.
On several fronts, research is being done that could result in the introduction of standards that would reduce users' risks in cloud computing. The NIST is working with other government agencies and computer industry organizations on a Cloud Computing Program with a goal that it calls developing "systems and practices that support interoperability, portability, and security requirements that are appropriate and achievable for important usage scenarios." The Information Systems Audit and Control Association (ISACA) is coordinating research with other IT organizations with a goal of developing guidelines and standards for operations of cloud technology platforms.
Without adequate planning, there is an increased risk that users might utilize cloud computing products and services on the institution's networks, unnoticed, without undergoing an adequate security or operational risk assessment. Therefore, financial institutions should work with legal, security, product and assurance professionals to ensure that the appropriate levels of security are achieved while delivering quality service to customers.
Our Technology Consulting specialists can advise you in carrying out the risk assessment that is essential before any entry into, or expansion of, cloud computing.
To contact Trevor Foo, e-mail tfoo@mbafcpa.com or call 1-800-239-1474.
The purpose of this newsletter is to provide general information on tax, audit and other issues related to the financial services industry. The information contained herein may not apply to all institutions or organizations and their specific circumstances. Financial services organizations are encouraged to consult directly with an accounting expert before making tax and accounting decisions.

