Having the capabilities to distribute processes via the cloud can help credit unions become more efficient. However, misunderstanding the cloud’s risks, regulatory oversight, and proper control mechanisms create serious consequences.
A cloud-computing platform allows credit unions to move technology to potentially affordable solutions. It takes away the struggle surrounding purchasing, developing and maintaining an internal technology infrastructure.
The cloud, however, does not remove all hazards.
“When anybody, not just financial institutions or credit unions, considers moving to a cloud, that doesn’t necessarily negate or takeaway any of the current security threats or methodologies that need implementing,” Scott Dale, technical product management, manager at Monett, Mo.-based Jack Henry & Associates, said.
Cloud concerns derive from the built-in risks as well as the developing regulatory oversight.
Israeli-based Radware, for example, reported hackers could launch large-scale distributed denial-of-service (DDoS) attacks using public cloud platforms such as those offered by Amazon, Google and Microsoft, which provide capabilities that hackers find attractive such as bandwidth and computing power to upload, store and test scripts in a camouflaged platform.
Federal agencies know the threats as well. According to the Federal Financial Institution Examination Council, which the NCUA is a part of, examiner’s should help identify gaps in mitigation strategies if a financial institution engages in cloud computing. This includes vetting of intrinsic risks, identification of control instruments, and assurance that threats remain at adequate levels.
So what are the biggest cloud-based security threats to credit unions?
“The lack of transparency, understanding where your data is, what your data is doing, who has access to your data,” Xerex Bueno, chief technology officer at Layton, Utah-based CUSO CUProdigy, said. He added credit unions also need awareness of how cloud providers are set up to handle DDoS attacks. “That’s an overlooked item.”
In addition to DDoS attacks, hackers leverage cloud services to conduct phishing attacks along with other malicious activity such as application programming interface abuse. “Cloud APIs are bad when they are weak. Most APIs are typically secure,” Bueno said. Nevertheless, some providers will allow an unencrypted connection to drive APIs.
Read the full story about cloud risks for credit unions members in the Nov. 9, 2016 print issue of CU Times.
