Pub. 11 2020 Issue 4

www.wvbankers.org 32 West Virginia Banker Ongoing management and monitoring of the cloud service provider’s overall service is critical for the financial institu- tion’s overall risk management process. Cloud computing environments utilize virtualization in the delivery of cloud services. Different cloud computing envi- ronments are used by financial institutions, including private cloud computing environments, public cloud computing environments or a hybrid of the public and private computing environments. There are three cloud service models: • Software as a Service (SaaS) — The software applica- tion used by the financial institution (i.e., the applications) operates on the cloud service providers cloud infrastruc- ture. The financial institution’s primary responsibility is for the user-specific application configuration settings, user access, risk management of the overall relationship, etc. The application updates and cloud infrastructure mainte- nance is the responsibility of the cloud service provider. • Platform as a Service (PaaS) — The PaaS model adds additional responsibilities to the financial institution. The PaaS model is used when the financial institution “de- ploys internally developed or acquired applications using programming languages, libraries, services, and tools supported by the cloud service provider,” as indicated in the FFIEC joint statement. In addition to the risk man- agement that exists with SaaS, the financial institution is responsible for providing and configuring the cloud plat- form resources. The financial institution’s responsibilities include controls over the development, deployment and administration of the applications. The cloud service pro- vider’s primary responsibilities include network, servers, operating systems, storage, etc. • Infrastructure as a Service (IaaS) — The cloud service provider supplies the IaaS model’s infrastructure. The financial institution implements the system software, including the operating system. The financial institution is responsible for most of the items related to the solution, including the cloud platform resources configuration. The financial institution is also responsible for implementing and managing controls over operations, applications, operating systems, data and data storage. The cloud service provider is primarily responsible for the overall infrastructure, including the physical data center. When entering into a cloud service provider relationship, the financial institution and the cloud service provider share the responsibilities. However, the protection of customer information resides with and is the responsibility of the financial institution. Risks Management. When a financial institution executes outsourcing arrangements, it is critical that the financial institution clearly understand the roles and responsibilities of both the outsourced vendor (i.e., cloud service provider) and the financial institution. The understanding of the duties will assist the financial institution with its overall risk management program. As indicated previously, the overall responsibility of protecting customer information is with the financial institution. Several areas should be included in the risk management process when utilizing a cloud service provider. Many controls need to be considered, some of which are common in other areas, including: • Governance — The overall cloud computing services strategic plan should support and work in conjunction with the overall strategic plan. • Cloud Security Management — As indicated previously, ongoing oversight and monitoring of the cloud comput- ing service provider is part of the financial institution’s vendor management program. The monitoring should be based upon the terms of the contract with the cloud service provider that was negotiated and reviewed in de- tail before executing the contract. Other areas of Cloud Security Management include:  Inventory process for systems and information assets residing in the cloud computing environment  Security configuration, provisioning, logging and monitoring  Identity and access management and network controls  Security controls for sensitive data  Information security awareness and training programs • Change Management  Change management and software development life cycle processes.  Microservice architecture — Utilizes smaller, light- er-weight code to facilitate faster software develop- ment and ultimate deployment. The financial institu- tion needs to ensure that they understand the overall security requirements and concerns with microservices. Continued from page 30 When entering into a cloud service provider relationship, the financial institution and the cloud service provider share the responsibilities. However, the protection of customer information resides with and is the responsibility of the financial institution.

RkJQdWJsaXNoZXIy OTM0Njg2