Author
Listed:
- Andries M.
- Cassin G.
- Bahhaouy A.
- Philippe F.
- Foratier Y.
- Lopez Vernaza A.
- Rigodanzo F.
Abstract
Information systems are of strategic importance in both the banking and insurance sectors. The development of cloud computing is a recent advance that has become a subject of attention. Cloud computing is defined as a "method of processing a client's data, which are exploited via the Internet in the form of services provided by a service provider. Cloud computing is a special form of information technology (IT) outsourcing, in which end users are not informed of the location or internal structure of the cloud." This topic is particularly current for a number of regulatory bodies. In France, the Agence Nationale de Sécurité des Systèmes d’Information (ANSSI – French Network and Information Security Agency) is working on regulation via a certification mechanism. In 2012 the Commission Nationale de l’Informatique et des Libertés (CNIL – French Data Protection Authority) issued recommendations for companies considering subscribing to cloud computing services. Abroad, many supervisory authorities have issued statements (the United States of America, Singapore, the Netherlands), or imposed a system of prior authorisation (Spain) for the use of this technology. In this context, the Secrétariat général de l’Autorité de contrôle prudentiel (SGACP – General Secretariat of the Prudential Supervisory Authority) conducted a short survey to engage in a dialogue with companies in the banking and insurance sectors on the scope, use and risks of cloud computing. A total of 14 companies from the insurance sector and 12 from the banking sector responded to a questionnaire at the beginning of this year, providing a representative view on these topics. The first idea that emerged from this dialogue was a need to clarify the concept of cloud computing by offering a multi-criteria definition, inspired by that given by the American National Institute of Standards and Technology (NIST). The SGACP therefore proposes to describe these services as follows: cloud computing consists in using remote servers to store and process data traditionally located on local servers or on the user's terminal; it enables on-demand and self-service network access to virtualised and pooled computing resources typically charged for on a pay-per-use model; three types of services are offered (IaaS – Infrastructure as a Service, PaaS – Platform as a Service, SaaS – Software as a Service), deployed according to four models (internal private cloud, external private cloud or community cloud, public cloud, hybrid cloud). The credit institutions and insurance undertakings (companies) responding to the questionnaire confirmed that cloud computing poses greater risks compared to conventional IT outsourcing. The numerous risks identified include data privacy, unavailability of data and data processing, loss of integrity (especially the risk of non-reversibility or lock-in) and finally the area of evidence and control. They agree on the need for a stronger legal environment, the need for certain technical security measures, the need to audit the service provider, the need for the provider to commit to continuity of service and, finally, the need to obtain a guarantee from the service provider on the reversibility of the service. However, opinions differ on the importance of the economic aspects surrounding cloud computing, with many companies claiming that security considerations should prevail in analysing its value. Moreover, it is noted that an overwhelming majority of companies use cloud computing in management areas considered outside the "core business", even if use in more sensitive areas is also beginning to emerge. It also appears that there are differences in the procedures for the adoption of cloud computing between the insurance and banking sectors. As a result of this initial analysis, which shall be refined as changes in the use and the risks of cloud computing are observed, the Autorité de contrôle prudentiel (ACP – Prudential Supervisory Authority) is encouraging the companies it supervises to take suitable risk management measures in respect of the following aspects: - Legal: by enforcing a mandatory contractual framework for cloud computing services; - Technical: by encrypting data during transport and storage (in the absence of anonymisation); - Supervision of the service provider: by ensuring audit capability and the right for the ACP to conduct audits; - Continuity of the service: by ensuring that the expectations of the client company can be formalised in service contracts; - Reversibility of the service: by defining the conditions of reversibility when subscribing to the service; - Integration and architecture of information systems: by adapting the organisation and governance of information systems to the use of cloud computing. These good practices form part of the broader framework defined for the supervision of outsourced services, including conventional outsourcing. The expectations of the ACP in terms of governance of decisions, risk analysis, contractual elements, monitoring and the internal control of cloud computing services are therefore similar to those currently in force in prudential supervision.
Suggested Citation
Andries M. & Cassin G. & Bahhaouy A. & Philippe F. & Foratier Y. & Lopez Vernaza A. & Rigodanzo F., 2013.
"The risks associated with cloud computing,"
Analyse et synthèse
16, Banque de France.
Handle:
RePEc:bfr:analys:16
Download full text from publisher
Corrections
All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:bfr:analys:16. See general information about how to correct material in RePEc.
If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.
We have no bibliographic references for this item. You can help adding them by using this form .
If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.
For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Michael brassart (email available below). General contact details of provider: https://edirc.repec.org/data/bdfgvfr.html .
Please note that corrections may take a couple of weeks to filter through
the various RePEc services.