MADISON, Wis. (10/21/13)--There's no way to eliminate all risks involved with cloud computing, but those risks certainly can be mitigated, Rick Roy, senior vice president/chief information officer for CUNA Mutual Group, told Credit Union Magazine.
(This article, which originally appeared in the September issue of Credit Union Magazine, is adapted from the October issue of the Credit Union National Association's Director newsletter.)
For starters, know the cloud provider: Is it a startup business or does it have a proven track record? Has it invested sufficiently in the security measures needed to protect sensitive data?
"Many companies have aspirations to be cloud providers of something--they might be software or hardware companies that feel the need to transform their own businesses because of this trend," Roy said. "Don't get into an arrangement with someone who aspires to do this but doesn't have a clue how."
Also, don't delegate responsibility for the relationship. Sometimes credit unions have a tendency to "hand the keys over to someone else so they don't have to worry about it," Roy said. "But you still need to worry and pay attention. There aren't too many autopilot solutions out there; they tend to need care and feeding."
This is where ongoing due diligence comes in. Roy compared vendor selection to dating, when "everyone has their best foot forward. But once you're in the relationship, make sure, through ongoing dialogue and audit discussions, that the security standards continue and the vendor continues to protect your information."
Equally important is making sure the vendor continues to invest in its infrastructure so it provides a high level of service and availability, he added.
CUNA Mutual conducts a "formal business check point" each quarter with its cloud providers to examine the relationships, investments in infrastructure, new product releases, and other elements, Roy said. "It's definitely a business conversation, and security is part of that conversation." The company also administers a security-specific review and questionnaire annually to ensure all parties "are doing what they signed up for," he added.
Even a contract doesn't absolve credit unions from ongoing due diligence. "When it comes to data privacy, you're getting at the core of a trust issue between yourself and the member," Roy said. "It's the difference between a financial risk and a reputational risk. Don't underestimate the reputational risk of something bad happening--because your business is built on a foundation of trust. There's not enough contractual language on the planet to overcome that."