Outsourcing services to the public cloud
can be risky due to the potential for loss of control over an array of elements,
including risk exposure, security governance and privacy laws. “Many providers
offer services geared toward the consumer market and not individual business
verticals,” said Travis Sales, new CIO of Breakthrough Technology Group
(BTG) and former staff engineer for VMware. This makes risk-assessment especially
important when companies are evaluating the feasibility of outsourcing to a
cloud service provider.
For financial institutions, risk-assessment associated
with moving to the public cloud is even more critical because not all cloud
providers are familiar with the regulatory requirements that apply to financial
institutions. The FFIEC (U.S. Federal Financial Institutions Examination
Council) recently released a resource document titled Outsourced Cloud Computing to help financial institutions better understand and address unique
risks posed by outsourced cloud-based services. The recommendations outlined in
the report are also relevant to Canadian institutions since Canadian customers
share a common need to define regulatory requirements when considering a cloud
provider or solution.
“When evaluating the feasibility of
outsourcing to a cloud-computing service provider, it is important to look
beyond potential benefits and to perform a thorough due diligence and
risk-assessment of elements specific to that service,” the report states.
According to the FFIEC document, financial institutions should focus on due
diligence, vendor management and audits.