Cloud concerns derive from its built-in risks as well as the development of cloud regulatory oversight.

The Israel-based Radware, for example, reported hackers could launch large-scale distributed-denial-of-service attacks using public cloud platforms such as those offered by Amazon, Google and Microsoft, which offer capabilities that hackers find attractive, such as the bandwidth and computing power to upload, store and test scripts in a camouflaged platform.

Federal agencies are also aware of the threats. According to the FFIEC, which the NCUA is a part of, examiners should help identify mitigation strategy gaps when a financial institution engages in cloud computing. This includes vetting intrinsic risks, identifying control instruments and assuring that remaining threats stay at adequate levels.

So what are the biggest cloud-based security threats against credit unions?

"The lack of transparency. More specifically, understanding where your data lives, knowing what your data is doing and awareness of who has access to your data," Xerex Bueno, chief technology officer at the Layton, Utah-based CUSO CUProdigy, said. He added credit unions also need to be aware of how cloud providers handle distributed denial of service attacks.

"That's an overlooked item," he noted.

In addition to DDoS attacks, hackers leverage cloud services to conduct phishing attacks along with other malicious activities such as application programming interface abuse.

"Cloud APIs are bad when they are weak. Most APIs are typically secure," Bueno said. Nevertheless, some providers will allow an unencrypted connection to drive APIs.

"With the cloud you have to become more aware that your data is outside your network," Dale said. Therefore, credit unions also need to ask vendors about data handling, he noted. Questions to ask include, "Is data segregated from other clients?" and "What controls is the vendor putting in place to mitigate risks following a compromise?"

Then there are some less obvious hazards.

"Ensuring your data stays where it needs to stay [is important]," Bueno pointed out.

Many cloud providers have the ability to push data from one location to another – without consent and without the user's knowledge.

"So an organization's data could end up being in an overseas data center," Bueno said.

Another item credit unions should consider when leveraging cloud technologies is encrypting their servers before they propel those workloads into the cloud. It adds another level of insurance and protection, Bueno explained.

"Don't expect the provider to do that for you. That is one [thing] a lot of credit unions miss," he said.

Some core providers not only offer cloud services but protect against cloud weaknesses.

CUProdigy offers robust cloud-based solutions, including its own core processing platform as well as core-agnostic, cloud-based IT infrastructure services including a virtual desktop framework to extend cloud benefits to the credit union's desktop.

CUProdigy's secure, private cloud offerings include infrastructure-as-a-service, firewall-as-a-service, desktop-as-a-service and disaster-recovery-as-a-service, which allow credit unions to protect all their services onsite by performing continuous, nearly real-time data replication into their own private cloud.

Using a private cloud rather than a public cloud improves data security and gives credit unions more control over cloud infrastructure access.

Bueno explained, "CU Prodigy invests heavily in security where some cloud providers provide you with a simple firewall that hopefully protects you. The problem is many threats can now hide inside legitimate network traffic."

CUProdigy partnered with Palo Alto Networks, which supplies next-generation firewalls to defeat the latest malware, even malware that is inside encrypted traffic.

The CUSO recently signed five cloud deals with credit unions of various sizes and said it is currently conducting trials with two others. One deal is with the $141 million Tucson (Ariz.) Old Pueblo Credit Union, which previously would lose $2,000 per hour during a natural disaster before migrating to CUProdigy's cloud-based DRaaS and IaaS.

Jack Henry & Associates' secure cloud computing environment, Gladiator Hosted Network Solutions, offers infrastructure management. This includes cataloging on premise networks and comparing their functionality to similar cloud platforms. Dale suggested by moving their infrastructure to Gladiator's private cloud, credit unions can free up internal resources.

Dale explained the malicious actors out there are advancing very rapidly, making yesterday's security defenses less effective.

"We are encouraging all of our clients to consider a very layered approach to security, even if they are in the cloud," he said.

The Brookfield, Wis.-based Fiserv offers Sentry Performance Solutions, managed technology infrastructure tools that provide cybersecurity protection from perimeter to endpoint. These include firewall services, intrusion detection and prevention, and the ability to monitor traffic across the network.

"Outsourcing security management might seem counterintuitive, but when we look at the security landscape that credit unions face today, there are compelling things that make it much more attractive," Fiserv Vice President of Sentry Performance Solutions Bill Johnson said. "It has become easier [for hackers] to launch an attack and significantly less expensive, while inversely the cost of defending the organization against those attacks is becoming increasingly more expensive."

Fiserv just added the CrowdStrike Falcon Platform, which provides endpoint protection against cyberattacks including malware and ransomware, to its Sentry portfolio.

"We have a multilayer approach of how we secure that cloud environment," Johnson stated. "One of the threat points is clearly the endpoint."

Con Mallon, senior director of products at Crowdstrike, explained, "We are about stopping the breach. Our focus is on catching the endpoint. That is where the valuable information and data resides. We leverage the power of the cloud and bring that to endpoint protection. That's a bit new and a bit novel."

It really comes down to the financial institutions understanding their current security environment and contrasting it with a possible cloud infrastructure. Dale explained institutions have to be mindful about their current vulnerabilities and find out if any of them would be remediated or reduced by moving to the cloud.

"Then once they move to the cloud, they need to be aware of what risks are there as well."