Auditing the cloud

Cloud computing this, distributed computing that. People hate buzzwords. Cloud computing, however, is one you will have to put in your dictionary eventually, if you haven’t already. We’re big fans of cloud computing. It can dramatically change the way that financial institutions leverage infrastructure and their capital. But cloud computing is still in its infancy. One of the first things most people ask about the cloud is, “Is it secure?” Most of the time, the answer is yes. But for financial institutions, that isn’t good enough. We have to prove it, and that’s where it gets a little tricky.

Most financial institutions have robust policies in place allowing their supervisory committee, external auditors, or other vendors access to reports and analysis on the security measures in place. Not just alarms and panic buttons, but also teller and cash drawer controls, dual-custody policies, password policies, remote access policies, and board bylaws. As cloud computing becomes more of the norm, IT will need to demonstrate the security measures in place surrounding their cloud infrastructure.

The Windows Azure Platform is one of the newer entries into the cloud computing market. Created and run by Microsoft, Azure will become a very popular selection for cloud computing needs simply because it is owned and operated by Microsoft. They claim to have completed a SAS 70 Type I and Type II audit on their “cloud platform”, which is one of the key factors for financial institutions, but they don’t specify that it is for their Azure platform, nor is it available for download. Either of those factors could be a stumbling block for credit unions or banks.

SQL Azure, Microsoft’s database cloud offering, provides some excellent alternatives for database hosting. Rather than paying expensive licensing fees or hosting fees, a company can use Microsoft’s very robust and redundant infrastructure to host their databases. Even Microsoft’s cloud is still an infant though. Currently, their SQL Azure offering has no server-level auditing in place. While logical, as many people are sharing a virtualized database and access restrictions are needed, it also prevents users from verifying that no one else is logging in to or otherwise gaining access to their resources. Very few auditing choices exist today for SQL Azure, as demonstrated in this article.

Rackspace, on the other hand, has a very descriptive page detailing their expertise and certifications, including their SAS 70 Type II and their PCI compliance. Their SAS 70 can be downloaded, and their PCI compliance also presents a unique security offering to financial institutions, helping them be more confident in their choice of a cloud provider.

Cloud computing is going to become the norm in the financial industry. It may take the form of private clouds or stay public, but technology infrastructure is going to become a utility. Just like we pay for electricity now, we’ll pay for computing resources as well. If your FI is looking to make the move into cloud computing, start with baby steps. Don’t put member information up there quite yet. Start with your public-facing website, then move your intranet. Start experimenting, but keep in mind the many security and auditing concerns that exist today.

Credit unions need their head in the clouds

Cloud computing is the wave of the future for all things data related. Amazon started it with EC2 and S3. Microsoft is in it. Salesforce is doing it too. Credit unions are just starting to realize the benefits of virtualization, and as more CUs struggle with income generation, expense control, and capital expenditures, virtualization is going to take off. But why use your members’ capital to acquire VMware or Citrix servers, additional bandwidth, etc. when you can “outsource” the hardware and infrastructure to providers that are much more efficient at it than the CU could ever be and do it cheaper?

Credit unions love to have control of their infrastructure and data, and many IT departments love new projects and new technologies. And they are pretty much required to. Just look at the NCUA’s guide for doing third-party due diligence. They don’t make it very easy to use new technology or unproven (read: new and innovative) vendors or products. Cloud computing is where we’re moving, but how can credit unions make that jump while satisfying the NCUA’s security and vendor requirements?