
The risks associated with cloud computing

Author

Listed:
  • Andries M.
  • Cassin G.
  • Bahhaouy A.
  • Philippe F.
  • Foratier Y.
  • Lopez Vernaza A.
  • Rigodanzo F.

Abstract

Information systems are of strategic importance in both the banking and insurance sectors. The development of cloud computing is a recent advance that has become a subject of attention. Cloud computing is defined as a "method of processing a client's data, which are exploited via the Internet in the form of services provided by a service provider. Cloud computing is a special form of information technology (IT) outsourcing, in which end users are not informed of the location or internal structure of the cloud." This topic is particularly current for a number of regulatory bodies. In France, the Agence Nationale de Sécurité des Systèmes d’Information (ANSSI – French Network and Information Security Agency) is working on regulation via a certification mechanism. In 2012 the Commission Nationale de l’Informatique et des Libertés (CNIL – French Data Protection Authority) issued recommendations for companies considering subscribing to cloud computing services. Abroad, many supervisory authorities have issued statements (the United States of America, Singapore, the Netherlands), or imposed a system of prior authorisation (Spain) for the use of this technology. In this context, the Secrétariat général de l’Autorité de contrôle prudentiel (SGACP – General Secretariat of the Prudential Supervisory Authority) conducted a short survey to engage in a dialogue with companies in the banking and insurance sectors on the scope, use and risks of cloud computing. A total of 14 companies from the insurance sector and 12 from the banking sector responded to a questionnaire at the beginning of this year, providing a representative view on these topics. The first idea that emerged from this dialogue was a need to clarify the concept of cloud computing by offering a multi-criteria definition, inspired by that given by the American National Institute of Standards and Technology (NIST). 
The SGACP therefore proposes to describe these services as follows: cloud computing consists in using remote servers to store and process data traditionally located on local servers or on the user's terminal; it enables on-demand and self-service network access to virtualised and pooled computing resources typically charged for on a pay-per-use model; three types of services are offered (IaaS – Infrastructure as a Service, PaaS – Platform as a Service, SaaS – Software as a Service), deployed according to four models (internal private cloud, external private cloud or community cloud, public cloud, hybrid cloud). The credit institutions and insurance undertakings (companies) responding to the questionnaire confirmed that cloud computing poses greater risks compared to conventional IT outsourcing. The numerous risks identified include data privacy, unavailability of data and data processing, loss of integrity (especially the risk of non-reversibility or lock-in) and finally the area of evidence and control. They agree on the need for a stronger legal environment, the need for certain technical security measures, the need to audit the service provider, the need for the provider to commit to continuity of service and, finally, the need to obtain a guarantee from the service provider on the reversibility of the service. However, opinions differ on the importance of the economic aspects surrounding cloud computing, with many companies claiming that security considerations should prevail in analysing its value. Moreover, it is noted that an overwhelming majority of companies use cloud computing in management areas considered outside the "core business", even if use in more sensitive areas is also beginning to emerge. It also appears that there are differences in the procedures for the adoption of cloud computing between the insurance and banking sectors. 
As a result of this initial analysis, which shall be refined as changes in the use and the risks of cloud computing are observed, the Autorité de contrôle prudentiel (ACP – Prudential Supervisory Authority) is encouraging the companies it supervises to take suitable risk management measures in respect of the following aspects:

  • Legal: by enforcing a mandatory contractual framework for cloud computing services;
  • Technical: by encrypting data during transport and storage (in the absence of anonymisation);
  • Supervision of the service provider: by ensuring audit capability and the right for the ACP to conduct audits;
  • Continuity of the service: by ensuring that the expectations of the client company can be formalised in service contracts;
  • Reversibility of the service: by defining the conditions of reversibility when subscribing to the service;
  • Integration and architecture of information systems: by adapting the organisation and governance of information systems to the use of cloud computing.

These good practices form part of the broader framework defined for the supervision of outsourced services, including conventional outsourcing. The expectations of the ACP in terms of governance of decisions, risk analysis, contractual elements, monitoring and the internal control of cloud computing services are therefore similar to those currently in force in prudential supervision.

Suggested Citation

  • Andries M. & Cassin G. & Bahhaouy A. & Philippe F. & Foratier Y. & Lopez Vernaza A. & Rigodanzo F., 2013. "The risks associated with cloud computing," Analyse et synthèse 16, Banque de France.
  • Handle: RePEc:bfr:analys:16

    Download full text from publisher

    File URL: https://acpr.banque-france.fr/fileadmin/user_upload/acp/publications/analyses-syntheses/201307-The-risks-associated-with-cloud-computing.pdf
    Download Restriction: no
