Cloud Bank
Today most people know that much of the content they get from the internet is stored in the Cloud. The Cloud, this ubiquitous non-descript technical elixir, appears to do it all with no one company responsible for it. Well, that’s partially true, but ultimately the Cloud is simply made up of services running on servers housed in massive data centers distributed throughout the globe…sorry for the spoiler. Though most people trust the Cloud with their personal and business content: photos, email, documents and tax returns, there should be a degree of concern about how that information is protected; after all, the Cloud excels in convenience, not security. In response, encryption is touted as the solution, though to be honest that’s just part of what’s needed to safeguard data. Missing, or unknown, are the security policies and practices adhered to on the back end: those massive data centers and the teams managing the services. As it turns out, there have been quite a few advancements made in the past decade that can help assuage your concerns.
So you want to move to the Cloud. As with all data, it’s a risk-based decision. Non-sensitive data probably could benefit from a Cloud-based service. These services often provide feature-rich capabilities at a reasonable fee that would otherwise be cost prohibitive for any organization to create on their own. In this regard I’m sure these low-risk Cloud services are already commonplace for many organizations.
So you want to move your sensitive data to the Cloud. Now that’s a significant challenge and one that deserves appropriate due diligence on risk and benefit. Anymore, the Cloud with all its IT technical and logical components has been reduced to a standard vendor management assessment. And why is this? The likelihood is very low that a Cloud Service Provider (CSP) or Managed Service Provider (MSP) is going to open up the kimono to demonstrate their cybersecurity bona fides. With this lack of transparency, the remaining option is an assessment of the vendor’s finances, service history, derogatory history, and compliance attestations with known security frameworks. This arduous task is often made more difficult by missing information, weak information, and limited to no support from the vendor, especially from a patronizing one. Fortunately there are some security-based compliance standards that can help distinguish a secure service from technical geegaw.
First we start off with the stalwart compliance programs that have a proven record of delivering a secure infrastructure and management practices.
- ISO/IEC 27001 – (Published in 2005) Certification to the ISO/IEC 27001 standard is recognized worldwide as proof that an organization’s information security management is best practice.
  - A Cloud offering certified to ISO 27001 carries an independent attestation of compliance with the framework.
- PCI-DSS – (Published in 2004) The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally.
  - This is a must-have for any Cloud vendor processing payment information.
- GLBA – (Published in 1999) Protects the privacy, security, and confidentiality of non-public financial customer information.
  - GLBA is a much larger Act overseeing Financial Institutions that includes stipulations for information security.
  - GLBA precedes the Cloud in its creation and has only recently begun to address Cloud security requirements in the standard. However, there are other standards that provide better rigor and coverage in information security.
- SOC 2 – (Published in 2010) Service Organization Control 2 is a cybersecurity framework that helps organizations verify their data security and reduce the risk of a security breach. SOC 2 is a voluntary attestation that’s most commonly used by service organizations that have US-based customers, partners, and other stakeholders.
  - This is probably the most common framework used by vendors, especially CSPs. Note, this is not a pass/fail report, but rather an opinion from a 3rd party on the vendor’s controls. SOC 2 is non-specific about which information should be present in compliance reports; it leaves it mostly up to organizations to interpret the ways that the trust services criteria should be applied to their environments. Finally, a SOC 2 report is not a security certification.
Any CSP or MSP complying with one of these frameworks, or any cybersecurity framework, is preferable to one without. To be sure, this by no means makes the vendor assessment complete. There is still the issue of data storage and distribution by the vendor. For example, many Cloud services are Software as a Service (SaaS) solutions, such as Box.com. These services operate atop a Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) offered by hyperscalers like AWS and Azure. The question then becomes: what type of security controls do these hyperscalers meet? The more that’s understood about the vendor’s technology and management stack, the better the assessment will be. The next section on Cloud security can help answer that question.
The adoption and growth of the Cloud by the many, from individuals to large organizations, has served as the impetus for the creation of a better security mouse trap for the Cloud. This better mouse trap is named FedRAMP (Federal Risk and Authorization Management Program). This security program is required by law for all federal agencies using the Cloud to store, process or transmit sensitive citizen data. Cloud vendor services (IaaS, PaaS, SaaS) must satisfy 325 security controls and undergo a 3rd party assessment and positive attestation…annually. The success of this program is evident today as the major Cloud providers (AWS, Azure, Google Cloud) provide many FedRAMP authorized Cloud services for all to use, not just federal agencies. Here is an example of the list of authorized services from AWS.
FedRAMP’s success is now flowing down to the state level. A consortium of state organizations recently created StateRAMP, which mirrors FedRAMP. StateRAMP will provide Cloud security assurances to state level agencies in securing state sensitive data. As of this writing there are around 28 states participating in StateRAMP.
Perhaps the organization wants to outsource the majority of its IT infrastructure to a vendor. What security compliance standards should the vendor meet? Unfortunately there is no specific security standard for this type of service; however, there are some salient practices to look for to help you choose wisely.
- Security Certifications – Does the vendor hold certifications or assessments such as ISO 27001 or PCI-DSS for their services? A SOC 2 is the minimum requirement, but as stated it is not as rigorous a cybersecurity assessment compared to the others.
- Shared Responsibility – The vendor should provide the organization a customer responsibility matrix (CRM) showing how security responsibility will be distributed between the two. Make sure there aren’t gaps where neither group is responsible for security.
- GLBA Proficiency – Does the vendor support and align with the GLBA program? The vendor should not only solve for the technical requirements but should also know GLBA and the process for managing data under that program. This includes appropriate logging, identity management, network segmentation, report generation, auditor support and change management, just to name a few.
- Business Continuity and Disaster Recovery – Does the vendor provide an alternative site in a separate region to address outages and catastrophes? How often is it tested?
- Cybersecurity Specialist – Does the vendor employ cybersecurity specialists that interface with the customer? A credentialed cybersecurity expert will understand, and often anticipate and address, compliance issues before they become a problem for the organization.
- Data Disposition – What happens to the organization’s data once the contract is terminated? How is data destruction verified?
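The shared responsibility check above is easy to do by hand for a handful of controls but tedious for a full matrix, so here is a small gap checker as an added example. It is not code from this article or from any vendor, and the CRM it reads is a constructed sample using NIST SP 800-53 style control identifiers with made-up assignments; a real CRM would be exported from the vendor’s document into the same simple CSV layout (one row per control, a yes/no column for the provider and one for the customer).

```python
"""Gap check over a customer responsibility matrix (CRM).

Added example: flags controls that neither the provider nor the customer
has accepted, lists controls both parties share, and summarizes coverage
per control family so an assessor can see where the gaps cluster.
"""
import csv
import io

# Constructed sample matrix (not any vendor's real CRM). Each row states
# whether the provider and/or the customer owns a control ("yes"/"no").
SAMPLE_CRM = """control_id,control_name,provider,customer
AC-2,Account Management,yes,yes
AU-2,Audit Events,yes,no
AU-6,Audit Review and Analysis,no,no
CM-3,Configuration Change Control,no,yes
IR-4,Incident Handling,yes,yes
MP-6,Media Sanitization,,
SC-7,Boundary Protection,yes,no
"""


def _owns(value):
    """Treat only an explicit 'yes' as accepted responsibility; blank is a gap."""
    return (value or "").strip().lower() == "yes"


def parse_crm(text):
    """Parse the CSV matrix into rows with boolean ownership flags."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        rows.append({
            "control_id": raw["control_id"].strip(),
            "control_name": raw["control_name"].strip(),
            "provider": _owns(raw.get("provider")),
            "customer": _owns(raw.get("customer")),
        })
    return rows


def find_gaps(rows):
    """Controls that nobody has accepted: the gaps the article warns about."""
    return [r["control_id"] for r in rows if not (r["provider"] or r["customer"])]


def shared_controls(rows):
    """Controls both parties own; these need a written split of duties."""
    return [r["control_id"] for r in rows if r["provider"] and r["customer"]]


def coverage_by_family(rows):
    """Assigned vs. gap counts per control family (the prefix before '-')."""
    summary = {}
    for r in rows:
        family = r["control_id"].split("-")[0]
        entry = summary.setdefault(family, {"assigned": 0, "gaps": 0})
        if r["provider"] or r["customer"]:
            entry["assigned"] += 1
        else:
            entry["gaps"] += 1
    return summary


def report(text):
    """Return a dict summarizing the matrix; main() prints it for a reader."""
    rows = parse_crm(text)
    return {
        "total": len(rows),
        "gaps": find_gaps(rows),
        "shared": shared_controls(rows),
        "by_family": coverage_by_family(rows),
    }


def main():
    result = report(SAMPLE_CRM)
    print(f"{result['total']} controls reviewed")
    print("Unassigned (gaps):", ", ".join(result["gaps"]) or "none")
    print("Shared (need a duty split):", ", ".join(result["shared"]) or "none")
    for family, counts in sorted(result["by_family"].items()):
        print(f"  {family}: {counts['assigned']} assigned, {counts['gaps']} gaps")


if __name__ == "__main__":
    main()
```

Run it against the vendor’s exported matrix instead of the sample and every control id in the gaps list is a question for the vendor before signing; the shared list is the set of controls whose division of duties should be written into the contract rather than left to the matrix alone.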
Cautionary note: choosing a cloud vendor strictly on technical capability and budget could introduce a lot of unknowns into the infrastructure that can lead to the addition or expansion of security gaps, increased risk, and less than satisfactory GLBA audits.
There is much still to be said about this topic, but this is not meant to be a dissertation on everything Cloud. For now, establishing a vendor’s cybersecurity hygiene is paramount, and these security frameworks can help you do that.
Many organizations have successfully embraced the Cloud, including outsourcing the majority of IT, so it is a growing trend and one that makes sense…more about this in future articles. As with everything in banking, due diligence and risk-based assessments are key.
Please let me know if I left something out or if you would like to explore some of these suggestions in detail.
Abel Sanchez (abel@staidworks.com) – BankSafeTech Contributor and Moderator