

FFIEC Releases New Cloud Computing Security Guidance

Things That Make You Go Hmmm…

Do you ever find yourself thinking about cloud computing on a weekday afternoon, wondering if you have considered the appropriate risks? Do you worry that the contracts or vendor due diligence with the cloud vendors might not be enough? If only you had more comprehensive guidance that could point you in the right direction. Well, you are in luck! The Federal Financial Institutions Examination Council (FFIEC) issued a Joint Statement on April 30, 2020, titled “Security in a Cloud Computing Environment.” 

The FFIEC’s Security in a Cloud Computing Environment Joint Statement addresses the use of cloud computing services and the security risk management principles for using them in a safe and sound manner. Security breaches involving cloud computing services highlight the importance of sound security controls and management’s understanding of the shared responsibilities between cloud service providers and their financial institution clients.


Then and Now

The previous FFIEC Statement on cloud computing, Outsourced Cloud Computing, was issued on July 10, 2012. The 2012 Statement discusses key risk considerations associated with outsourced cloud computing activities and identifies applicable (and still important today) risk mitigation considerations. At that time, “cloud” was a relatively new term, not completely understood, and, quite frankly, somewhat overused.

The 2012 Outsourced Cloud Computing Statement covered the following in a four-page document:

  • Due Diligence, including data classification, data segregation, and recoverability
  • Vendor Management
  • Audit
  • Information Security
  • Legal, Regulatory, and Reputation Considerations
  • Business Continuity Planning

The 2020 Security in a Cloud Computing Environment Statement expands upon these basic key elements to provide a better understanding of due diligence and sound management practices over cloud service provider relationships. The Statement categorizes risk management practices into the following sections:

  • Governance
  • Cloud Security Management
  • Change Management
  • Resilience and Recovery
  • Audit and Controls Assessment


Financial Institution Responsibilities

Due diligence and sound risk management practices over cloud service provider relationships help management verify that effective security, operations, and resiliency controls are in place and consistent with the financial institution’s internal standards.

Management should ensure that effective security and resilience controls exist. The contractual agreement between the financial institution and the cloud service provider should define the service level expectations and control responsibilities for both the financial institution and provider. Additionally, management may determine that controls, other than those provided contractually, are needed to maintain security consistent with the financial institution’s standards.

The financial institution’s ongoing oversight and monitoring of cloud service providers are of utmost importance in gaining assurance that cloud computing services are being managed in a safe and sound manner and consistent with contractual requirements. Oversight and monitoring include:

  • Evaluating independent assurance reviews, including:
    • Audits
    • Penetration Tests
    • Vulnerability Assessments
  • Assessing corrective actions to determine if adverse findings are appropriately addressed

Financial institutions may outsource the management of different controls over information assets and operations to the cloud service provider. However, management’s failure to understand the division of responsibilities for assessing and implementing appropriate controls over operations may result in an increased risk of operational failures or security breaches. Careful review of the contract between the financial institution and the cloud service provider, along with an understanding of the potential risks, is important to management’s understanding of the financial institution’s responsibilities for implementing appropriate controls.

Failure to implement an effective risk management process for cloud computing may be considered an unsafe or unsound practice and could result in potential consumer harm by placing customer-sensitive information at risk. Processes should be in place to identify, measure, monitor, and control the risks associated with cloud computing.


Risk Management

The FFIEC provides examples via the National Institute of Standards and Technology (NIST) regarding typical cloud service models. For each service model, there are differing shared responsibilities between the financial institution and the cloud service provider for implementing and managing controls.

These models and responsibilities include:

  • Software as a Service (SaaS) – Traditional outsourcing in which a software application (or applications) operates on the provider’s cloud infrastructure.
    • Examples of SaaS include software applications such as Salesforce, Google Apps, Office 365, Slack, and Dropbox.
  • Platform as a Service (PaaS) – This model deploys internally developed or acquired applications using programming languages, libraries, services, and tools supported by the cloud service provider. These applications reside on the provider’s platforms and cloud infrastructure. PaaS models necessitate similar risk management as the SaaS model.
    • Examples of PaaS include Microsoft Azure, Google App Engine, Salesforce Lightning Platform, and Amazon’s AWS Elastic Beanstalk.
  • Infrastructure as a Service (IaaS) – This model deploys and operates system software, including operating systems and applications, on the provider’s cloud infrastructure. Like PaaS, the financial institution is responsible for the appropriate provisioning and configuration of cloud platform resources and implementing and managing controls over operations, applications, operating systems, data, and data storage.
    • Examples of IaaS include Amazon AWS, Microsoft Azure, Rackspace, Google Compute Engine, and Digital Ocean.

Figure 1: Differences between cloud models.


The following sections are examples of relevant risk management practices for assessing risks related to and implementing controls for cloud computing services:

Governance

Include strategies for using cloud services as part of the financial institution’s IT strategic plan and architecture.
The financial institution’s plans for the use of cloud computing services should align with its overall IT strategy, architecture, and risk appetite. This includes determining the appropriate level of governance, the types of systems and information assets considered for cloud computing environments, the impact on the financial institution’s architecture and operations model, and management’s comfort with its dependence on and its ability to monitor the cloud service provider.


Cloud Security Management

Perform appropriate due diligence, ongoing oversight, and monitoring of cloud service providers’ security.
As with all third-party relationships, security-related risks should be identified during planning, due diligence, and the selection of the cloud service provider.

Review contractual responsibilities, capabilities, and restrictions for the financial institution and cloud service provider.
Contracts between the financial institution and cloud service provider should be drafted that clearly define which party has the responsibilities for:

  • Configuration and management of system access rights,
  • Configuration capabilities, and
  • Deployment of services and information assets to a cloud computing environment, among other things.

Inventory systems and information assets residing in the cloud computing environment.
An effective inventory process for the use of cloud computing environments is an essential component for secure configuration management, vulnerability management, and monitoring of controls. Processes to select and approve systems and information assets that are placed in a cloud computing environment should be established to ensure that risks are appropriately considered.

Review security configuration, provisioning, logging, and monitoring.
Misconfiguration of cloud resources is a prevalent cloud vulnerability and can be exploited to access cloud data and services. System vulnerabilities can arise due to the failure to properly configure security tools within cloud computing systems. Financial institutions can use their own tools, leverage those provided by cloud service providers, or use tools from industry organizations to securely configure systems, provision access, and log and monitor the financial institution’s systems and information assets residing in the cloud computing environment.

Understand identity and access management and network controls.
Common practices for identity and access management for resources using cloud computing infrastructures include:

  • Limiting account privileges
  • Implementing multifactor authentication
  • Frequently updating and reviewing account access
  • Monitoring activity
  • Requiring privileged users to have separate usernames and passwords for each segment of the cloud service provider’s and financial institution’s networks

Default access credentials should be changed, and management should be aware of the risk of overprovisioning access credentials.
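As an added illustration (not part of the FFIEC statement or of this post), the check below reviews a constructed cloud account inventory against the practices just listed: multifactor authentication, limited privileges, periodic access review, activity monitoring, changed default credentials, and separate credentials for privileged users across network segments. The record fields, the 90-day review cadence, and the 60-day dormancy threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class CloudAccount:
    """One row of a constructed account inventory; field names are assumptions."""
    name: str
    privileged: bool = False
    mfa_enabled: bool = False
    permissions: frozenset = frozenset()
    last_access_review: date = date(2020, 1, 1)
    last_activity: date = date(2020, 1, 1)
    default_credential_changed: bool = True
    credential_shared_across_segments: bool = False


REVIEW_MAX_AGE = timedelta(days=90)  # review cadence assumed for this example
DORMANT_AFTER = timedelta(days=60)   # inactivity threshold assumed for this example


def review_account(acct: CloudAccount, today: date) -> list:
    """Return the listed practices this account fails (empty list means none)."""
    findings = []
    if not acct.mfa_enabled:                                # implement multifactor authentication
        findings.append("multifactor authentication not enabled")
    if "*" in acct.permissions:                             # limit account privileges
        findings.append("wildcard grant: overprovisioned privileges")
    if today - acct.last_access_review > REVIEW_MAX_AGE:    # update and review account access
        findings.append("access not reviewed within %d days" % REVIEW_MAX_AGE.days)
    if today - acct.last_activity > DORMANT_AFTER:          # monitor activity
        findings.append("dormant account: no activity within %d days" % DORMANT_AFTER.days)
    if not acct.default_credential_changed:                 # change default credentials
        findings.append("default credential still in use")
    if acct.privileged and acct.credential_shared_across_segments:  # separate creds per segment
        findings.append("privileged user reuses credentials across network segments")
    return findings


def review_inventory(accounts, today: date) -> dict:
    """Map account name to its findings, keeping only accounts that have findings."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.name] = findings
    return report


# Constructed sample inventory (not real accounts); TODAY is this post's publication date.
TODAY = date(2020, 5, 4)
SAMPLE_INVENTORY = [
    CloudAccount("svc-backup", privileged=True, mfa_enabled=True,
                 permissions=frozenset({"storage:read", "storage:write"}),
                 last_access_review=date(2020, 3, 1), last_activity=date(2020, 5, 1)),
    CloudAccount("admin-legacy", privileged=True, mfa_enabled=False,
                 permissions=frozenset({"*"}), last_access_review=date(2019, 6, 1),
                 last_activity=date(2020, 5, 3), default_credential_changed=False,
                 credential_shared_across_segments=True),
    CloudAccount("intern-2019", mfa_enabled=True, permissions=frozenset({"tickets:read"}),
                 last_access_review=date(2020, 4, 1), last_activity=date(2019, 12, 15)),
]

if __name__ == "__main__":
    for name, found in review_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(name + ": " + "; ".join(found))
```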

Evaluate security controls for sensitive data.
Controls (e.g., encryption, data tokenization, and other data loss prevention tools) to safeguard sensitive data limit a malicious actor’s ability to exploit data during a breach. When using data encryption controls in a cloud computing environment, management should consider defining processes for encryption key management between the financial institution and the cloud service provider.

Implement information security awareness and training programs.
Training promotes the ability of staff to effectively implement and monitor necessary controls in the cloud computing environment. Management may also consider using product-specific training provided by cloud service providers to educate staff on product-specific security tools.


Change Management

Understand change management and software development life cycle processes.
Change management controls are important for effectively transitioning systems and information assets to a cloud computing environment. Management may augment existing change management processes and the software development life cycle (SDLC), as applicable, for cloud computing environments.

Review microservice architecture.
Cloud implementation often uses microservices to develop applications with smaller, lighter-weight code bases that facilitate faster, more agile application development. However, microservices have security, reliability, and latency issues, and having multiple microservices can increase the financial institution’s attack surface. Management should evaluate implementation options that meet the institution’s security requirements.


Resilience and Recovery

Evaluate Business Resilience and Recovery capabilities.
Management should review and assess the resilience capabilities and service options available from the cloud service provider. There may be several configurations available, and management should determine which options best meet the institution’s resilience and recovery requirements. Based on the cloud service model used, management should evaluate and determine how cloud-based operations affect both the business continuity plan and recovery testing plans.

Review Incident Response capabilities.
The financial institution’s Incident Response Plan should take into account cloud-specific challenges due to ownership and governance of technology assets owned or managed by the cloud service provider. The contract should define responsibilities for incident reporting, communication, and forensics. Cloud usage presents unique forensic issues related to jurisdiction, multi-tenancy, and reliance on the cloud service provider for a variety of forensic activities. Additionally, the service level agreement should identify specific activities for incident response and identify the cloud service provider’s responsibilities in the event of an incident.


Audit and Controls Assessment

Perform regular testing of financial institution controls for critical systems.
Processes should be in place for regular audit and testing of security controls and configurations commensurate with the risk of the operations supported by the cloud service. These processes can include the audit and testing of the financial institution’s security configurations and settings, access management controls, and security monitoring programs.

Perform oversight and monitoring of cloud service provider-managed controls.

Management should evaluate and monitor the cloud service provider’s technical, administrative, and physical security controls that support the financial institution’s systems and information assets that reside in the cloud environment. Oversight and monitoring activities include requesting, receiving, and reviewing:

  • Security and activity reports from the cloud service provider
  • Reports of compliance with service level agreements
  • Product validation reports
  • Reports of independent assurance reviews (e.g., audits, penetration tests, and vulnerability assessments) performed on the cloud computing services

Evaluate controls unique to cloud computing services.
While many of the controls outlined in this statement also apply to more traditional network architectures, there are controls unique to the architectures of cloud computing services. Examples of such controls include:

  • Management of the virtual infrastructure. The ability to create secure virtual infrastructures is managed through cloud security tools, such as the hypervisor or virtual host, and should be closely controlled by the cloud service provider. The cloud service provider should be able to provide assurance that it has appropriate controls over the hypervisor or virtual host, or other virtual infrastructure controls, to manage the cloud services provided to the financial institution.
  • Use of containers in cloud computing environments. The advantages of using containers in a cloud-computing environment include portability and less memory utilization compared to using separate virtual machines (VMs). When using containers, management should consider:
    • Storing data outside of the container, so the data does not have to be re-created when updating and replacing containers
    • Verifying that configurations prevent containers from unintentionally interacting
    • Securing containers from applications within them
    • Securing the host from containers and vice versa
    • Monitoring containers for vulnerabilities and updating or replacing containers when appropriate

Traditional security controls, such as firewalls and intrusion detection systems, may not be effective because containers may obscure activities; therefore, container-specific security solutions should be implemented.

  • Use of managed security services for cloud computing environments. Financial institutions may choose to leverage available security tools and services to assist with managing and monitoring security for cloud computing services.
  • Consideration of interoperability and portability of data and services. When selecting or designing and building cloud computing services, management may consider interoperability and portability (the ability to work with or move to another provider) in the design of those services or application providers. A financial institution's interoperability and portability strategy will depend on the institution’s risk appetite and the contracted service model (i.e., SaaS, PaaS, or IaaS) employed.
  • Data destruction or sanitization. Institutions should be aware of the processes that the cloud service provider uses for data destruction. The Service Level Agreement (SLA) should outline that adequate measures are taken to ensure data destruction is performed in a manner that would prevent unauthorized disclosure of information.
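As an added example (not code from the statement or from this post), the function below evaluates a container specification written in a Kubernetes-like shape against the container considerations listed above, with a weak specification beside a hardened one. The field names, image names, and digest are constructed assumptions for illustration.

```python
# Constructed container specs in a Kubernetes-like shape (an assumption for
# illustration only). Image names and the digest are placeholders.
WEAK_SPEC = {
    "name": "ledger-api",
    "image": "registry.example/ledger-api:latest",
    "privileged": True,
    "hostNetwork": True,
    "hostPID": False,
    "runAsNonRoot": False,
    "readOnlyRootFilesystem": False,
    "capabilitiesAdd": ["SYS_ADMIN"],
    "volumes": [],
}

HARDENED_SPEC = {
    "name": "ledger-api",
    "image": "registry.example/ledger-api@sha256:" + "0" * 64,  # placeholder digest
    "privileged": False,
    "hostNetwork": False,
    "hostPID": False,
    "runAsNonRoot": True,
    "readOnlyRootFilesystem": True,
    "capabilitiesAdd": [],
    "volumes": [{"name": "data", "mountPath": "/var/lib/ledger", "external": True}],
}


def check_container(spec: dict) -> list:
    """Return the container considerations from the statement that this spec fails."""
    findings = []
    # Securing the host from containers: privileged mode, added capabilities and
    # running as root give the container far more reach into the host than it needs.
    if spec.get("privileged"):
        findings.append("privileged mode: container can control the host")
    if spec.get("capabilitiesAdd"):
        findings.append("added capabilities: %s" % ", ".join(spec["capabilitiesAdd"]))
    if not spec.get("runAsNonRoot"):
        findings.append("runs as root inside the container")
    # Preventing containers from unintentionally interacting: shared host namespaces
    # expose the host's (and every other container's) network or process table.
    if spec.get("hostNetwork") or spec.get("hostPID"):
        findings.append("shares host network/PID namespace with other containers")
    # Securing containers from the applications within them: a read-only root
    # filesystem keeps a compromised application from altering the image at runtime.
    if not spec.get("readOnlyRootFilesystem"):
        findings.append("writable root filesystem")
    # Storing data outside the container so it survives updates and replacement.
    if not any(v.get("external") for v in spec.get("volumes", [])):
        findings.append("no external volume: data is lost when the container is replaced")
    # Updating or replacing containers when appropriate requires knowing exactly
    # which build is running; a mutable tag such as :latest does not say.
    if "@sha256:" not in spec.get("image", ""):
        findings.append("image referenced by mutable tag, not an immutable digest")
    return findings


def compare(weak: dict, hardened: dict) -> dict:
    """Findings for the weak and hardened specs, side by side."""
    return {"weak": check_container(weak), "hardened": check_container(hardened)}
```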

Now Let’s Get Started

Risk management considerations in this statement provide a summation of key controls management should consider as part of assessing and implementing cloud computing services. Specific risk management controls depend upon the nature of the outsourced services and the specifics of the cloud services implementation. Management should identify the institution’s current cloud service providers and compare this statement to the institution’s current practices, policies, and due diligence procedures.


Big Picture Takeaways

Not only is Cloud Computing certainly here to stay, but your institution can gain many benefits from utilizing cloud-based software, platforms, or infrastructure. Leveraging cloud providers can reduce your costs, increase uptime, allow access to critical applications or data from anywhere, and let you adopt newer technologies much faster than building them yourself.

As with all new things, utilizing a cloud provider comes with additional risk; however, it’s risk that can be mitigated by understanding and leveraging the controls described in this FFIEC Security in a Cloud Computing Environment Joint Statement. If you’re leveraging cloud applications, platforms, or infrastructure, use this FFIEC guidance to ensure you’re properly reviewing those cloud services and measuring the risk accordingly.


Written by: 
Laura Zannucci, CISA, CBSM
Information Security Consultant/ISO - SBS CyberSecurity, LLC


Posted: Monday, May 4, 2020
Categories: Blog