Commentary
Mary Beth Hamilton, Eze Castle Integration
Securing the Cloud From the Outside-In

Conducting extensive due diligence of a cloud provider's technology, processes and track record can help alleviate security concerns for companies looking to move into cloud computing.

Mary Beth Hamilton, director of marketing, Eze Castle Integration.

The cloud has gone mainstream, and as a result it is tough for companies not to at least give it a look when undertaking a technology refresh or a new application deployment. The benefits the cloud delivers around simplified management, rapid scalability and reduced capital expenditures are real. However, the thorn in cloud computing's side is perceived security threats, especially in the investment management industry, where data leakage is lethal.

As the security risk landscape continues to evolve, companies must take a proactive security posture to protect their environments. In reality, the threats facing on-premises IT systems are just as dangerous as those facing systems in the cloud. The cloud does, however, bring some unique security considerations, since traffic is routed differently over virtual machines than it is on a traditional network. Another key (and fairly obvious) difference is that in the cloud a company must entrust its security to a third party, which can add an element of the unknown.

Conducting extensive due diligence of a cloud provider's technology, processes and track record can help alleviate these concerns. A key concept to confirm the provider applies is defense in depth: placing security safeguards at multiple layers rather than relying on a single barrier.

The Outside Layer

Physical Security: Inspecting the foundation

First up, the data center facility housing the cloud environment must be highly redundant, built to house mission-critical systems and SAS 70 Type II certified, a designation indicating that its control objectives and activities have been thoroughly audited and meet the AICPA standard.

To minimize concerns around downtime, the data center should be a Tier III (or greater) facility, have multiple active power and cooling distribution paths, and employ an N+1 configuration throughout. You will also want to ask the cloud provider whether the data center is in a region that could experience seismic activity, natural disasters (e.g., flooding) or other environmental threats that could disrupt service.

With the resiliency of the data center established, a careful review of its physical security is necessary. The data center should have professional security staff on-site 24x7x365 and surveillance cameras that cover all common areas as well as the cloud computing environment. Security logs for all visitors must be vigilantly maintained and reviewed. Beyond logs, a comprehensive, multi-level security system (PIN-code access keypads, proximity card readers and biometric iris scanners) should be in place to ensure only authorized personnel have access to critical systems.

Processes, and Policies and Controls! Oh my!

Rock-solid controls and clearly defined policies that are regularly audited are essential to securing a cloud environment. Security policies a cloud provider should have in place include:

Access Control Policy: Who has access to the cloud infrastructure and client systems? Is there a separation of duties between individuals with access? Can a client request more restricted access? How is access logged and monitored? How often are controls reviewed?

Information Security Management Policy: What safeguards does the provider have in place to protect against physical and virtual threats? How are security violations and incidents reported and managed? What information does the provider collect about clients and how is it handled? Has the provider ever had a security breach and what was the outcome?

Employee, Visitor and Contractor Physical Security Policy: What background screening, verification and employee agreements does the provider have in place? How are employees and visitors monitored while on the premises (office or data center)?

Beyond reviewing written documentation, you should ask how employees are trained on the policies and held accountable to them. Also be sure to ask the provider how often its policies are reviewed and how changes are incorporated.
