August 17, 2023

Cloud Solutions – Vendor Management to Security Management

Proper due diligence of your vendors is an important part of your information security program. When one of your vendors is also a cloud solutions provider, managing that vendor comes with additional expectations. When you “enter the cloud,” these solutions become a critical part of your information technology environment and often process and store sensitive customer data. As such, your policies for data and systems management and your business continuity plan need to account for these vendors and their solutions when you determine how to manage them.

To begin, you need to understand what cloud service model you are using (or planning to use) and where your responsibilities lie. There are three types of service models:

  • Infrastructure-as-a-Service – The cloud provider is responsible for the underlying physical and virtualization infrastructure, and the institution deploys and runs its own software, which includes the operating systems (OS) and applications. The institution therefore still owns patching, hardening, and access control for everything it installs. (e.g., AWS EC2, Azure Virtual Machines)
  • Platform-as-a-Service – The underlying platform (servers, OS, runtime, and middleware) is provided as a managed service and controlled by the cloud provider. The institution creates or acquires and manages applications using the programming languages, libraries, services, and tools supported by the cloud service provider, and remains responsible for its application code, data, and user access. (e.g., AWS RDS, AWS Elastic Beanstalk, Azure SQL Database)
  • Software-as-a-Service – Applications are provided by the cloud vendor, which also manages the application and its environment, including the network, servers, OS, storage, and individual application capabilities. The institution may have limited ability to customize the cloud service beyond some user-specific application configuration settings, but it still owns its data, user provisioning, and the security settings the vendor exposes. (e.g., hosted Core vendor solutions, Microsoft 365, Dropbox, Zoom)

Next consider the type of deployment model: private (managed service provider data centers), community (hosted Core providers), public (AWS, Azure), and hybrid (any option combined with your own data center). FFIEC AIO Cloud Computing guidelines state: “Regardless of the environment or service model used, the entity retains overall responsibility for the safety and soundness of cloud services and the protection of sensitive customer and entity information.”

Consider what processes, procedures, and controls you need to establish to properly manage each cloud environment. Specify, within your policies, your role in server management, vulnerability management, configuration, software upgrades, user management, data management, and data protection. Consider business continuity testing and the overall resiliency of your cloud solutions. Assess threats, vulnerabilities, and risks as part of your risk management program. Ensure proper due diligence in your third-party assurance reviews (e.g., SOC reviews, penetration tests, and vulnerability assessments), as these provide an understanding of the cloud service provider’s control environment and its ability to meet your control expectations. Understand the provider’s architecture well enough to know which of its vendors are critical to the management of information security. You may even need to review which third-party vendors your cloud vendors rely on and how those cloud vendors perform their own due diligence.

Do not forget that you remain responsible for implementing, maintaining, and reporting on the controls, including breaches or incidents related to those controls or to the cloud computing infrastructure. All cloud service-related components should be addressed as part of your IT Committee meetings and reported to the board of directors via the annual Information Security Policy report. Cloud solutions offer many benefits, but remember that security management of your cloud solutions is a shared responsibility, and the institution’s share does not go away.

Authored by: Renee Keffer, CBISO
