
Mary Beth Hamilton, Eze Castle Integration

Securing the Cloud From the Outside-In

Conducting extensive due diligence of a cloud provider’s technology, processes and track record can help alleviate security concerns for companies looking to move into cloud computing.

Mary Beth Hamilton, director of marketing, Eze Castle Integration.

The cloud has gone mainstream, and as a result, it is tough for companies not to at least give it a look when undertaking a technology refresh or new application deployment. The benefits the cloud delivers around simplified management, rapid scalability and reduced capital expenditures are real. However, the thorn in cloud computing’s side is perceived security threats, especially in the investment management industry, where data leakage is lethal.

As the security risk landscape continues to evolve, companies must take a proactive security posture to protect their environments. In reality, the threats facing on-premise IT systems are just as dangerous as those facing systems in the cloud. However, the cloud brings some unique security considerations, since traffic is routed differently over virtual machines than it is with a traditional network. Another key (and fairly obvious) difference is that in the cloud a company must entrust its security to a third party, which can add an element of the unknown.

Conducting extensive due diligence of a cloud provider’s technology, processes and track record can help alleviate concerns. A key concept to confirm a cloud provider applies is defense in depth, which means placing security safeguards at multiple layers.

The Outside Layer

Physical Security: Inspecting the foundation

First up, the data center facility housing the cloud environment must be highly redundant, built to house mission-critical systems and be SAS 70 Type II certified – a designation that indicates its control objectives and activities have been thoroughly audited and meet the AICPA standard.

To minimize concerns around downtime, the data center should be a Tier III (or greater) facility, have multiple active power and cooling distribution paths and employ an N+1 configuration throughout. You will also want to ask the cloud provider if the data center is in a region that could experience seismic activity, natural disasters (e.g., flooding) or other environmental threats that could disrupt service.

With the resiliency of the data center established, a careful review of the physical security is necessary. The data center should have professional security staff on-site 24x7x365 and surveillance cameras that cover all common areas as well as the cloud computing environment. Security logs for all visitors must be vigilantly maintained and reviewed. Beyond logs, a comprehensive, multi-level, biometric security system – PIN-code access keypads, proximity card readers, and biometric iris scanners – should be in place to ensure only authorized personnel have access to critical systems.

Processes and Policies and Controls! Oh my!

Rock solid controls and clearly defined policies that are regularly audited are essential to securing a cloud environment. Security policies a cloud provider should have in place include:

Access Control Policy: Who has access to the cloud infrastructure and client systems? Is there a separation of duties between individuals with access? Can a client request more restricted access? How is access logged and monitored? How often are controls reviewed?

Information Security Management Policy: What safeguards does the provider have in place to protect against physical and virtual threats? How are security violations and incidents reported and managed? What information does the provider collect about clients and how is it handled? Has the provider ever had a security breach and what was the outcome?

Employee, Visitor and Contractor Physical Security Policy: What background screening, verification and employee agreements does the provider have established? How are employees and visitors monitored while on premise (office or data center)?

Beyond reviewing written documentation, you should inquire about how employees are trained on the policies and held accountable. Also, be sure to ask the provider how often its policies are reviewed and how changes are incorporated.
