PLAINSVILLE, Ohio - As more credit unions look to the clouds for information storage and access, issues surrounding security and best practices become more pronounced.
For Lake County Educational Federal Credit Union, the move to cloud computing required due diligence, meetings with attorneys and a measured process that would support the $18 million CU during and after the transition.
"We are a small credit union with one branch," said Lake County FCU CEO Miranda Puthoff. "We don't have an IT department or in-house resources, so we have to look to third-party vendors to assist in storage and security."
The call for increased cloud security was underscored by Microsoft's recent report, "Trends in Cloud Security." The report examined various organizations around the globe using its Cloud Security Readiness Tool (CSRT). To better understand IT security maturity levels, the survey analyzed 5,700 responses to 27 questions between October 2012 and March 2013. The report concluded that many IT departments are not handling cloud-related IT concerns to the best of their abilities.
"Sixty-five percent of organizations indicated that they have only run risk assessments after a major incident or that they use loosely managed processes," the report stated. "And 70% of organizations do not have a basic risk management framework in place to manage risk at acceptable levels."
A non-community credit union, Lake County Educational FCU serves approximately 3,000 teachers and students. Two years ago it began the cloud search process. "Like many new technologies, cloud was new and scary, but we had an existing relationship with Encompass Group and decided to work with them," said Puthoff.
Matt Wilhelm, a partner at the Cleveland-based Encompass Group LLC, works with roughly 25 credit unions on IT and cloud-related services. "Cloud services providers are not always held to the same security and disaster-recovery requirements as credit unions," said Wilhelm. "Institutions often onboard with cloud providers without fully understanding security concerns, having proper disaster relief expectations or meeting regulatory requirements."
Puthoff explained that Encompass essentially serves as the credit union's IT department, noting that the cloud services are overseen by Encompass but relegated to a third party. "We feel that working with them and their vendor would be an easier step - easier to comprehend." The credit union is more than halfway through its first two-year contract, and Puthoff said the annual fee is based on the number of gigabytes used.
Lake County Educational FCU information currently in the cloud includes disaster recovery data and the majority of internal documents such as Word and Excel. The credit union's teller platform, which includes sensitive member data, is not stored in the cloud. Instead, that information is securely backed up on network-attached storage (NAS) servers.
When seeking a cloud provider and migrating from an internal system, it is important to understand that a cloud-based service can change how and where employees connect from, according to Wilhelm. "This is often an overlooked consideration. When services are accessible outside the walls of the credit union, the credit union's IT environment expands, sometimes placing security responsibility in the hands of employees and often adding risk considerations."
If a cloud contract is nearing renewal, Wilhelm strongly suggests that CUs conduct an independent review of the vendor's "Statement on Standards for Attestation Engagements" (SSAE) No. 16. "A good sign that a cloud services provider is responsible is through a recent SSAE16 audit," he noted.
As part of its contract using Encompass' AutoPilot Managed IT Service, Lake County FCU receives remote 24/7 network monitoring, updated antivirus for all servers and workstations, threat monitoring and a complete test restore of backup data to ensure backups are usable in the event of a disaster.
"We receive a 12- to 15-page report each month and it's a nice tool to have because the executive summary informs us with everything from upcoming license renewals to compliance issues," said Puthoff. When asked if there have been any security breaches since using this system, she responded: "We had been fortunate that there have been no problems - knock wood."