Auditing the cloud

Cloud computing this, distributed computing that. People hate buzzwords. Cloud computing, however, is one you will have to put in your dictionary eventually, if you haven’t already. We’re big fans of cloud computing. It can dramatically change the way that financial institutions leverage infrastructure and their capital. But cloud computing is still in its infancy. One of the first things most people ask about the cloud is, “Is it secure?” Most of the time, the answer is yes. But for financial institutions, that isn’t good enough. We have to prove it, and that’s where it gets a little tricky.

Most financial institutions have robust policies in place allowing their supervisory committee, external auditors, or other vendors access to reports and analysis on the security measures in place. Not just alarms and panic buttons, but also teller and cash drawer controls, dual-custody policies, password policies, remote access policies, and board bylaws. As cloud computing becomes more of the norm, IT will need to demonstrate the security measures in place surrounding their cloud infrastructure.

The Windows Azure Platform is one of the newer entries into the cloud computing market. Created and run by Microsoft, Azure will become a very popular selection for cloud computing needs simply because it is owned and operated by Microsoft. They claim to have completed a SAS 70 Type I and Type II audit on their “cloud platform”, which is one of the key factors for financial institutions, but they don’t specify that it is for their Azure platform, nor is it available for download. Either of those factors could be a stumbling block for credit unions or banks.

SQL Azure, Microsoft’s database cloud offering, provides some excellent alternatives for database hosting. Rather than paying expensive licensing fees or hosting fees, a company can use Microsoft’s very robust and redundant infrastructure to host their databases. Even Microsoft’s cloud is still an infant though. Currently, their SQL Azure offering has no server-level auditing in place. While that is logical, since many people are sharing a virtualized database and access restrictions are needed, it also prevents users from verifying that no one else is logging in to or otherwise gaining access to their resources. Very few auditing choices exist today for SQL Azure, as demonstrated in this article.

Rackspace, on the other hand, has a very descriptive page detailing their expertise and certifications, including their SAS 70 Type II and their PCI compliance. Their SAS 70 can be downloaded, and their PCI compliance also presents a unique security offering to financial institutions, helping them be more confident in their choice of a cloud provider.

Cloud computing is going to become the norm in the financial industry. It may take the form of private clouds or stay public, but technology infrastructure is going to become a utility. Just like we pay for electricity now, we’ll pay for computing resources as well. If your FI is looking to make the move into cloud computing, start with baby steps. Don’t put member information up there quite yet. Start with your public-facing website, then move your intranet. Start experimenting, but keep in mind the many security and auditing concerns that exist today.