FFIEC guidance requires CUs to ensure providers meet requirements for cost, quality of service, compliance and risk management.
Today’s technology marketplace is charging at breakneck speed down the path of end-user computing—supporting individual technology users taking their laptops on the road or working from home. The continued proliferation of new devices, such as tablets and smartphones—with the accompanying need to secure and update them—also is putting a strain on information technology executives and top managers.
Such vendors as VMware and Citrix are developing mature products designed to support a shift to a centralizedcomputer model—or so-called “cloud computing”—that may help relieve this burden. The software allows end users to work on their local computers or devices using software and processing power that is being dished up from the server room down the hall—or across the world.
What exactly is cloud computing? According to a U.S. Federal Financial Institutions Examination Council resource document released in July, cloud computing is “a relativelynew term used to describe a variety of established business strategies, technologies and processing methodologies. Although the term cloud computing is gaining in usage, there is no widely accepted definition, and numerous business strategies, technologies and architectures are represented as cloud computing. In general, it is a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet “cloud.”
As part of its ongoing campaign to provide guidance on adopting new technologies, the FFIEC issued the resource document Outsourced Cloud Computing to help financial institutions better understand and address the unique risks posed by outsourcing cloud-based services.
The FFIEC’s document discusses key risk considerations associated with outsourced cloud computing and identifies applicable risk mitigation considerations. According to the report, “When evaluating the feasibility of outsourcing to a cloud-computing service provider, it is important to look beyond potential benefits and to perform a thorough due diligence and risk assessment of elements specific to that service. … Financial institutions should focus on due diligence, vendor management and audits.”
Public or Private Cloud?
Cloud computing is a very good thing for credit unions. It not only can cut costs and streamline operations, but also opens the door to new technologies and services, such as desktop virtualization.
A credit union could choose to implement a public, private or hybrid cloud. According to TechTarget, “A public cloud is one based on the standard cloud computing model, in which a service provider makes resources, such as applications and storage, available to the general public over the Internet. Public cloud services may be free or offered on a pay-per-usage model.”
“The term ‘public cloud’ arose to differentiate between this standard model and the ‘private cloud,’ which is a proprietary network or data center that uses cloud-computing technologies, such as virtualization. A private cloud is managed by the organization it serves. A third model, the hybrid cloud, is maintained by both internal and external providers.”
While a public cloud is often less expensive to implement and maintain, the myriad outages and privacy breaches dominating the headlines almost every day underscore the idea that a private cloud is most often going to be the best option for credit unions and other financial institutions