IT staff at a bank traditionally have physical control over much of what compliance requires, from verifying that the server room is locked to reviewing the camera footage from it. Once consumers' data moves to the cloud, the institution may not even know in which data center, or in which jurisdiction, that data actually resides. Cloud compliance is still new to the industry, and many banks are focused on the cost of the move, but a compliance-focused IT department makes all the difference when the data is no longer physically in the institution's hands.
Banks must adhere to a large body of rules and regulations, from the Federal Financial Institutions Examination Council's (FFIEC) examination guidelines to the security requirements of the Gramm-Leach-Bliley Act (GLBA), so maintaining compliance is not an easy task. According to CIO Dive, 62 percent of the records exposed in breaches during 2019 came from the financial services industry.
In fact, maintaining compliance is so difficult, companies like Microsoft and Deloitte even provide guides and outlooks to help financial institutions navigate compliance management, break down federal regulations and provide tips on how to continue innovation while also adhering to regulatory changes.
Before moving to the cloud, compliance programs had procedures in place, but employees, processes and technology will all be affected by the relocation of data to the cloud. These challenges can range in size and scope. For example, with the migration to the cloud, employees may need new or more training, guidelines on which rules and regulations apply to each job function, and the structure of the compliance program may need to be modified.
Moving to the cloud also changes who is responsible for what: security and compliance duties are divided between the financial institution and the provider under the provider's shared responsibility model, although accountability to regulators and customers stays with the institution. At the same time, a cloud environment demands a stronger compliance program, because change happens faster: there are more access points, usage patterns shift quickly, and resources can be created or exposed in minutes. To meet these challenges and achieve compliance in the cloud, programs need to focus on six areas.
1. Governance and Policy: Cloud providers implement compliance and security standards within their own infrastructure, and usually document this with third-party attestations such as SOC 2 reports. The institution must translate its own security requirements into contractual and technical requirements for the provider and verify that the provider meets them; it is entrusting the provider with its consumers' data, but it cannot transfer its regulatory accountability along with it.
Deloitte offers a cloud compliance risk map to help institutions understand each aspect of working with cloud providers. The provider's service level agreement and shared responsibility documentation also spell out which security and compliance controls the provider operates and which remain the institution's job, and the institution should review both before any data moves.
2. Asset Management: Managing assets is also split between the institution and the cloud provider. In an infrastructure-as-a-service model the provider manages the physical infrastructure and the institution manages the operating systems and applications it runs on top; with platform or software services the provider takes on more of the stack, but the institution always remains responsible for its data, its identities and its configuration choices. Institutions should keep an inventory of every cloud asset, assign an owner to each, log all changes through a change control process, and monitor all accounts and resources through the cloud provider's management console or APIs so that nothing is created or exposed outside the inventory.
3. Access Control: Role-based security is paramount regardless of where the data lives, on-premises or in the cloud. Institutions need processes to audit, review and control access using role-based access controls (RBAC), which grant each account only the permissions its holder's job function within the institution requires and nothing more. Those processes should include periodic review of who holds which role, removal of roles that are no longer used, and separation of duties between administrative and business roles.
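The following script, added here as an illustration and not taken from the article or from any vendor's tooling, shows what the three processes named above (audit, review, control) look like in code. The role definitions, user assignments and access-log entries are constructed sample data with hypothetical names; a real run would pull them from the cloud provider's IAM service and access logs.

```python
"""Role-based access audit (added example, not from the original article).

Constructed sample data: a role -> permission map, user -> role assignments,
and a few access-log entries. All names and permissions are hypothetical.
"""
from collections import defaultdict

# Hypothetical role definitions: each role lists the permissions it grants.
ROLES = {
    "teller": {"accounts:read", "transactions:create"},
    "auditor": {"accounts:read", "transactions:read", "audit-log:read"},
    "cloud-admin": {"iam:write", "storage:write", "compute:write"},
}

# Hypothetical assignments: user -> set of roles held.
ASSIGNMENTS = {
    "alice": {"teller"},
    "bob": {"auditor"},
    "carol": {"cloud-admin", "teller"},
}

# Constructed access-log entries: (date, user, permission exercised, outcome).
ACCESS_LOG = [
    ("2024-03-01", "alice", "accounts:read", "allow"),
    ("2024-03-01", "alice", "iam:write", "allow"),   # not covered by alice's roles
    ("2024-03-02", "bob", "audit-log:read", "allow"),
    ("2024-03-03", "carol", "storage:write", "allow"),
]


def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in assignments.get(user, set()):
        perms |= roles.get(role, set())
    return perms


def find_out_of_role_access(log=ACCESS_LOG):
    """Audit: successful accesses that the user's assigned roles do not explain.

    Each hit means either the IAM policy grants more than the role model says
    (policy drift) or the account was used in a way it should not have been.
    """
    findings = []
    for day, user, perm, outcome in log:
        if outcome == "allow" and perm not in effective_permissions(user):
            findings.append((day, user, perm))
    return findings


def find_unused_roles(log=ACCESS_LOG):
    """Review: assigned roles none of whose permissions appear in the log.

    Candidates for removal under least privilege.
    """
    used = defaultdict(set)
    for _, user, perm, outcome in log:
        if outcome == "allow":
            used[user].add(perm)
    unused = []
    for user, roles in ASSIGNMENTS.items():
        for role in roles:
            if not (ROLES[role] & used[user]):
                unused.append((user, role))
    return sorted(unused)


def find_separation_conflicts(conflicting=(("cloud-admin", "teller"),)):
    """Control: users holding role pairs that policy says must be separated.

    The pair list is a constructed separation-of-duties rule.
    """
    conflicts = []
    for user, roles in ASSIGNMENTS.items():
        for a, b in conflicting:
            if a in roles and b in roles:
                conflicts.append((user, a, b))
    return conflicts


if __name__ == "__main__":
    print("out-of-role access:", find_out_of_role_access())
    print("unused role assignments:", find_unused_roles())
    print("separation-of-duties conflicts:", find_separation_conflicts())
```

The three functions correspond to the three questions an examiner will ask: did anyone do something their role does not permit, is anyone holding a role they do not use, and does anyone hold a combination of roles that should never sit with one person. Running the review against actual log data rather than against the policy document alone is what catches drift between the two.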
4. System Development and Maintenance: According to the Center for Internet Security, “CIS Benchmarks help you safeguard systems, software and networks against today’s evolving cyber threats.” These are a great place to start when applying configuration standards to a cloud-based environment.
The center also describes CIS Hardened Images as a "flexible, on-demand computing solution that can be quickly deployed to cost-effectively perform routine computing operations." These are virtual machine images for a range of platforms that ship pre-configured to the corresponding CIS Benchmark, so an institution can deploy systems that already meet the configuration standard instead of hardening each one by hand. Note that an image is only compliant at the moment it is deployed; configuration drift afterwards still has to be detected and corrected. This is especially useful for banks that are required to follow a plethora of rules and regulations.
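A benchmark is only useful if the institution checks running systems against it. The script below is an added illustration of that kind of check, written for this page and not part of CIS's own tooling (CIS-CAT) or of the article. It parses a configuration file in the key/value style of sshd_config and compares it to a baseline. The sample configuration and the baseline entries are constructed for the example; they are not quoted from any CIS Benchmark, and the real expected values should be taken from the benchmark the institution adopts.

```python
"""Configuration-baseline check (added example; not CIS's own tooling).

Parses a key/value config in the style of sshd_config and compares it to a
constructed baseline. Baseline entries are illustrative, not benchmark text.
"""

# Constructed sample config, as a server might hand it back.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 10
# LogLevel is not set at all, so the daemon default applies
"""

# Constructed baseline: key -> (operator, expected). Operators: eq, le, in.
BASELINE = {
    "PermitRootLogin": ("eq", "no"),
    "PasswordAuthentication": ("eq", "no"),
    "MaxAuthTries": ("le", 4),
    "LogLevel": ("in", {"INFO", "VERBOSE"}),
}


def parse_config(text):
    """Return {key: value}; comments and blank lines are skipped, keys are
    matched case-insensitively, and the last occurrence of a key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings[key.lower()] = value.strip()
    return settings


def _check(op, expected, actual):
    """Evaluate one baseline rule against the observed value."""
    if op == "eq":
        return actual.lower() == str(expected).lower()
    if op == "le":
        try:
            return int(actual) <= expected
        except ValueError:
            return False
    if op == "in":
        return actual.upper() in expected
    raise ValueError(f"unknown operator {op}")


def evaluate(config_text, baseline=BASELINE):
    """Return {key: (status, actual)} with status PASS, FAIL or MISSING.

    A MISSING setting is reported separately because the daemon default
    then applies, and that default may or may not satisfy the benchmark.
    """
    settings = parse_config(config_text)
    results = {}
    for key, (op, expected) in baseline.items():
        actual = settings.get(key.lower())
        if actual is None:
            results[key] = ("MISSING", None)
        elif _check(op, expected, actual):
            results[key] = ("PASS", actual)
        else:
            results[key] = ("FAIL", actual)
    return results


def failures(config_text, baseline=BASELINE):
    """Sorted list of baseline keys that are not PASS."""
    return sorted(k for k, (status, _) in evaluate(config_text, baseline).items()
                  if status != "PASS")


if __name__ == "__main__":
    for key, (status, actual) in evaluate(SAMPLE_CONFIG).items():
        print(f"{status:8} {key} = {actual}")
```

Treating an absent setting as its own status rather than as a pass is the practitioner's caveat here: a setting that is simply missing falls back to a default the benchmark may not accept, and a checker that only looks at explicit lines will silently pass it.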
5. Incident Response: Understanding the institution's role and the provider's role matters throughout the compliance program, and it is no different when dealing with an incident in the cloud. Whether the question is logging capabilities, access to the affected systems, or regulatory and customer reporting, both parties must know their responsibilities before an incident occurs; which logs the provider retains, for how long, and how the institution obtains them should be settled in the contract rather than discovered during a breach. That preparation lets the IT department reconstruct every step of an incident and know how to respond.
6. Business Continuity: A business continuity plan is just as important in a cloud-based environment. On premises, a system failure can mean losing a large amount of consumer data; a benefit of cloud infrastructure is that data and workloads can be replicated and shifted between regions as needs change. The provider's own resilience and recovery commitments should therefore be written into the institution's business continuity strategy when a provider is selected, and the institution should still maintain and periodically test its own backups and failover procedures, since recovery of its data remains its responsibility.
As banks move to the cloud, their compliance programs have had to change as well. Institutions are subject to hundreds of rules and regulations, and the switch to cloud-based environments can be either painful or painless for the IT department depending on how the compliance program is prepared for it.
However, processes, training and technology have all been affected by the change. Banks can still uphold compliance through a strong compliance program focused on six main areas – governance and policy, asset management, access control, system development, incident response and business continuity – in order to be successful in a cloud environment and ultimately, protect their customers.
Ben Fishbune is Sales Engineer at Xamin, a leading provider of managed IT services for highly regulated and reputation-sensitive companies. For more information, please visit www.xamin.com.