Auditing the cloud

Cloud computing this, distributed computing that. People hate buzzwords. Cloud computing, however, is one you will have to put in your dictionary eventually, if you haven’t already. We’re big fans of cloud computing. It can dramatically change the way that financial institutions leverage infrastructure and their capital. But cloud computing is still in its infancy. One of the first things most people ask about the cloud is, “Is it secure?” Most of the time, the answer is yes. But for financial institutions, that isn’t good enough. We have to prove it, and that’s where it gets a little tricky.

Most financial institutions have robust policies in place allowing their supervisory committee, external auditors, or other vendors access to reports and analysis on the security measures in place. Not just alarms and panic buttons, but also teller and cash drawer controls, dual-custody policies, password policies, remote access policies, and board bylaws. As cloud computing becomes more of the norm, IT will need to demonstrate the security measures in place surrounding their cloud infrastructure.

The Windows Azure Platform is one of the newer entries into the cloud computing market. Created and run by Microsoft, Azure will become a very popular selection for cloud computing needs simply because it is owned and operated by Microsoft. They claim to have completed a SAS 70 Type I and Type II audit on their “cloud platform”, which is one of the key factors for financial institutions, but they don’t specify that it is for their Azure platform, nor is it available for download. Either of those factors could be a stumbling block for credit unions or banks.

SQL Azure, Microsoft’s database cloud offering, provides some excellent alternatives for database hosting. Rather than paying expensive licensing fees or hosting fees, a company can use Microsoft’s very robust and redundant infrastructure to host their databases. Even Microsoft’s cloud is still an infant though. Currently, their SQL Azure offering has no server-level auditing in place. While this is logical, since many people are sharing a virtualized database and access restrictions are needed, it also prevents users from verifying that no one else is logging in to or otherwise gaining access to their resources. Very few auditing choices exist today for SQL Azure, as demonstrated in this article.

Rackspace, on the other hand, has a very descriptive page detailing their expertise and certifications, including their SAS 70 Type II and their PCI compliance. Their SAS 70 can be downloaded, and their PCI compliance also presents a unique security offering to financial institutions, helping them be more confident in their choice of a cloud provider.

Cloud computing is going to become the norm in the financial industry. It may take the form of private clouds or stay public, but technology infrastructure is going to become a utility. Just like we pay for electricity now, we’ll pay for computing resources as well. If your FI is looking to make the move into cloud computing, start with baby steps. Don’t put member information up there quite yet. Start with your public-facing website, then move your intranet. Start experimenting, but keep in mind the many security and auditing concerns that exist today.

Don’t be so serious

In my recent quest to clean up the website and try to squeak out some performance gains, I have been looking at different CDN (Content Delivery Network) providers to host all of my static files, like images.  Rackspace has a service they call Cloud Files that enables you to save files to the proverbial “cloud” for $.15 per GB, exactly like Amazon’s S3 offering.  Rackspace, however, has a CDN built in to their online file storage.  Long story short, I went to their site to sign up and try it out.

What in the world does this have to do with credit unions?  Well, I never finished the sign-up process and the next day I received this email:

How cool is that!  Not only can they tell that I didn’t finish the setup process, but they are providing me an incentive to come back and finish.  Credit unions are just beginning to get into opening accounts online, but they can take a page out of the Rackspace playbook.  First off, they have the technology to make this happen, so make sure your online account vendor can do this.  Secondly, they don’t take any kind of holier-than-thou attitude about why the potential member didn’t finish.  Finally, they provide an incentive to come back.  “Outbound calling”, aka hounding indirect auto loan customers, would do well with something like this.

Here’s my version:

Hey Joe,

We noticed that you didn’t complete your online (insert product name here) application yesterday.  If you have any questions about the process or just need someone to talk to, feel free to give me a call directly at 888-888-8888 or call into our Member Service Center at 888-8888-7777.  Oh, and by the way, we really value the business of all of our members, so if you’d like to finish the application online or come into a branch, enter in your discount code of ALMOSTGOTAWAY and we’ll give you another .5% on your (insert product name here).

Robbie Wright

ABC Credit Union