Risk Management

Mary Beth Hamilton, Eze Castle Integration
Commentary

Securing the Cloud From the Outside-In

Conducting extensive due diligence on a cloud provider's technology, processes and track record can help alleviate security concerns for companies looking to move into cloud computing.

Mary Beth Hamilton, director of marketing, Eze Castle Integration.

The cloud has gone mainstream, and as a result it is hard for companies not to at least consider it when undertaking a technology refresh or a new application deployment. The benefits the cloud delivers, simplified management, rapid scalability and reduced capital expenditure, are real. The thorn in cloud computing's side, however, is security, both perceived and actual, especially in the investment management industry, where data leakage can be fatal to a firm.

As the risk landscape continues to evolve, companies must take a proactive security posture to protect their environments. In reality, the threats facing on-premises IT systems are just as dangerous as those facing systems in the cloud. The cloud does, however, bring some unique considerations. Traffic between virtual machines on the same host passes through the hypervisor's virtual switch rather than the physical network, so firewalls, intrusion detection sensors and other controls that sit on the physical wire will not see it unless the provider extends those controls into the virtual layer. Another key (and fairly obvious) difference is that in the cloud a company must entrust its security to a third party, which adds an element of the unknown.

Conducting extensive due diligence on a cloud provider's technology, processes and track record can help alleviate those concerns. One principle to confirm the provider actually practices is defense in depth: independent security safeguards at multiple layers, so that a failure at any one layer does not compromise the whole environment.

The Outside Layer

Physical Security: Inspecting the foundation

First, the data center facility housing the cloud environment must be highly redundant, built to house mission-critical systems and covered by a SAS 70 Type II audit report. Be clear about what that report does and does not say: it is not a certification. A SAS 70 Type II engagement is performed under an AICPA auditing standard, but the control objectives are defined by the service organization itself, and the auditor tests whether those controls operated effectively over a review period (typically six to twelve months). Ask for the report, check that the controls and locations in scope cover the environment you will actually use, and read the exceptions section. (SAS 70 has since been superseded by SSAE 16 and the SOC 1 and SOC 2 reports; a SOC 2 report covering security, availability and confidentiality is the closer fit for a cloud provider.)

To minimize downtime, the data center should be a Tier III (or higher) facility, meaning it is concurrently maintainable: multiple power and cooling distribution paths and N+1 redundancy throughout, so any single component can be taken out of service for maintenance without an outage. Also ask the cloud provider whether the data center sits in a region exposed to seismic activity, natural disasters (e.g., flooding) or other environmental threats that could disrupt service.

With the facility's resiliency established, review its physical security carefully. The data center should have professional security staff on site 24x7x365 and surveillance cameras covering all common areas as well as the cloud computing environment itself. Visitor logs must be maintained and regularly reviewed. Beyond logs, multi-factor physical access controls should gate entry to critical systems: something you know (a PIN-code keypad), something you have (a proximity card reader) and something you are (an iris scanner). Since a data hall is often shared among many tenants, also ask whether the provider's racks or cages are locked separately from the shared floor.

Processes, and Policies and Controls! Oh my!

Rock-solid controls and clearly defined policies that are regularly audited are essential to securing a cloud environment. Security policies a cloud provider should have in place, and the questions to ask about each, include:

Access Control Policy: Who has access to the cloud infrastructure and to client systems? Is there separation of duties among those with access, and is privileged access (to the hypervisor and management plane) held by a smaller group than general access? Can a client request more restrictive access to its own systems? How is access logged and monitored, and who reviews the logs? How often are the controls themselves reviewed?

Information Security Management Policy: What safeguards does the provider have in place against physical and virtual threats? How are security violations and incidents detected, reported and managed, and how quickly will a client be notified of an incident affecting its data? What information does the provider collect about clients, and how is it handled? Has the provider ever had a security breach, and what was the outcome?

Employee, Visitor and Contractor Physical Security Policy: What background screening, verification and employee agreements has the provider established? How are employees, contractors and visitors monitored while on the premises (office or data center), and how promptly is their access revoked when they leave?

Beyond reviewing the written documentation, ask how employees are trained on the policies and held accountable to them. Also ask the provider how often its policies are reviewed and how changes are incorporated. A policy that exists only on paper, with no evidence of training, enforcement or revision, is not a control.

1 of 2