The benefits of cloud storage — scalability, cost, reliability — are fairly clear. However, making the leap to these services can still represent a challenge for some institutions. Why? Data classification.
Data classification is a tricky subject for financial institutions looking to utilize the cloud.
As the Compliance Guru recently pointed out, the concept of data classification gets several mentions in the FFIEC Information Security Handbook. The idea is that if an institution identifies specific applications and data by their degree of sensitivity, it can then determine to what extent that information needs to be secured. At that point, one could theoretically separate out the bits and pieces that are safe enough to store within a vendor’s cloud offering, even if there are questions as to how well that vendor’s product stands up to regulation.
In a perfect world, perhaps some of the consumer and enterprise solutions, be they Dropbox, Skydrive, Box or any of the others, might be OK to use. That is, if you’ve first done all the work on your end to go through a multitude of files, applications and information and determine what is or is not OK to store in those places. As the Compliance Guru states:
… once that data leaves your protected infrastructure everything changes… and nothing changes. Your policies still require (and regulators still expect) complete data security, privacy, availability, etc., but since your level of control drops considerably, so should your level of confidence. And you likely have sensitive data combined with non-sensitive, critical combined with non-critical. This would suggest that unless the cloud vendor meets the highest standard for your most critical data, they can’t be approved for any data.
So here’s the thing: it’s basically impossible for a financial institution to classify its data that cleanly. Not to mention that doing so would take a tremendous amount of time.
Within one particular system, say email, you can’t simply go in and determine which messages contain customer information and which ones don’t, and then separate out the safe stuff for archival or backup in the cloud. If you can’t separate your data — sensitive from non-sensitive — then all of it must be treated as sensitive. Thus, you have to limit your choice of service provider to those which are the most secure. If a vendor can’t meet the criteria for storing your most sensitive data, then you can’t use it for any of your data.
That being the case, the only option left for a financial institution moving to the cloud is to select secure vendors for storage.