Yaniv Avidan December 12, 2017
Hybrid cloud models are designed to allow institutions to simultaneously store and process certain data in the cloud, while a portion of the processing or storage is done locally on premises. For example, the application may reside in the cloud, but the customer data is stored locally. This may make the decision easier, but it only makes classification of data more important, as the decision to utilize a “hybrid” cloud must be justified by your assessment of the privacy and criticality of the data.
Could financial institutions still justify using a cloud vendor even if they don’t seem to meet all of the regulatory requirements? Yes…if you’ve first classified your data. The most relevant reference for financial institutions looking for guidance about moving data to the Cloud is a single mention in the FFIEC Outsourcing Technology Services Handbook, Tier 1 Examination Procedures section: “If the institution engages in cloud processing, determine that inherent risks have been comprehensively evaluated, control mechanisms have been clearly identified, and that residual risks are at acceptable levels. Ensure that…(t)he types of data in the cloud have been identified (social security numbers, account numbers, IP addresses, etc.) and have established appropriate data classifications based on the financial institution’s policies.”
So although data classification is a best practice even before you move to the cloud, the truth is that most institutions aren’t doing it (more on that in a moment). However, examiners are expected to ensure (i.e. to verify) that you’ve properly classified your data afterwards…and that regardless of where data is located, you’ve protected it consistent with your existing policies.
Once that data leaves your protected infrastructure everything changes…and nothing changes. Your policies still require (and regulators still expect) complete data security, privacy, availability, etc., but since your level of control drops considerably, so should your level of confidence. And you are likely to have sensitive data combined with non-sensitive, critical combined with non-critical. This would suggest that unless the cloud vendor meets the highest standard for your most critical data, they can’t be approved for any data. That is, unless:
1. You’ve clearly defined data sensitivity and criticality categories, and…
2. You’re able to segregate one data group from another, and…
3. You’ve established and applied appropriate protection profiles to each one.
So back to square one… can a company justify utilizing the cloud even if the vendor is less than fully compliant? Yes, if data is properly classified and segregated, and if cloud vendors are selected based on their ability to adhere to your policies (or protection profiles) for each category of data.