One day last week, I was performing SSAE16 reviews of critical vendors for a financial institution and I realized something: Their core service provider is essentially a cloud offering.
Some may scoff at this idea, but take a closer look:
- You are on a shared system – Shared disk, processor, memory (Unless you are a large bank)
- You rely on third-party audits (and possibly site visits) to validate controls
- You receive an SSAE16 SOC1 – Type II report from them
- There is no on premises equipment
- Telecom circuits are relied upon for availability
- You don't really know exactly what is going on behind the scenes
… and this is for the core processor, where all of the super-sensitive data resides. We are talking customers, addresses, balances and account numbers!
I started to ask myself: Are bankers living by a double standard?
If I looked at Office 365 objectively, performed a proper vendor risk assessment and evaluated the risks, I couldn't imagine that an email system would be ranked nearly as high in Confidentiality Risk as the Core.
Consider Availability Risk Reduction when it comes to Office 365: The number of systems Microsoft has dedicated to keeping the system available is ridiculous.
Service providers for banking? They typically have a warm site backup on the other side of the country.
My experience in working with Office 365 over the past year has been enlightening. I've received SSAE16 reports, data center tours and have access to the Microsoft trust center which allows me to understand the security controls better. After working through some of the details - using information from a processor that I used to utilize - Microsoft has more visibility and controls built around the protection of data than my processor did.
