Risk Management

Mary Beth Hamilton, Eze Castle Integration
Commentary

Securing the Cloud From the Outside-In

Conducting extensive due diligence of a cloud provider’s technology, processes and track-record can help alleviate security concerns for companies looking to move into cloud computing.

Mary Beth Hamilton, director of marketing, Eze Castle Integration.

The cloud has gone mainstream, and as a result it is tough for companies not to at least give it a look when undertaking a technology refresh or a new application deployment. The benefits the cloud delivers around simplified management, rapid scalability and reduced capital expenditures are real. However, the thorn in cloud computing’s side is perceived security threats, especially in the investment management industry, where data leakage is lethal.

As the security risk landscape continues to evolve, companies must take a proactive security posture to protect their environments. In reality, the threats facing on-premises IT systems are just as dangerous as those facing systems in the cloud. However, the cloud brings some unique security considerations, since traffic is routed differently over virtual machines than it is on a traditional network. Another key (and fairly obvious) difference is that in the cloud a company must entrust its security to a third party, which can add an element of the unknown.

Conducting extensive due diligence of a cloud provider’s technology, processes and track record can help alleviate concerns. A key concept to confirm a cloud provider is applying is defense in depth: placing security safeguards at multiple layers, so that no single control is the only thing standing between an attacker and client data.

The Outside Layer

Physical Security: Inspecting the foundation

First up, the data center facility housing the cloud environment must be highly redundant, built to house mission-critical systems and be SAS 70 Type II certified – a designation that indicates its control objectives and activities have been thoroughly audited and meet the AICPA standard.

To minimize concerns around downtime, the data center should be a Tier III (or greater) facility, have multiple active power and cooling distribution paths and employ an N+1 configuration throughout. You will also want to ask the cloud provider whether the data center is in a region that could experience seismic activity, natural disasters (e.g., flooding) or other environmental threats that could disrupt service.

With the resiliency of the data center established, a careful review of the physical security is necessary. The data center should have professional security staff on-site 24x7x365 and surveillance cameras that cover all common areas as well as the cloud computing environment. Security logs for all visitors must be vigilantly maintained and reviewed. Beyond logs, a comprehensive, multi-level, biometric security system – pin-code access keypads, proximity card readers, and biometric iris scanners – should be in place to ensure only authorized personnel have access to critical systems.

Processes, and Policies and Controls! Oh my!

Rock solid controls and clearly defined policies that are regularly audited are essential to securing a cloud environment. Security policies a cloud provider should have in place include:

Access Control Policy: Who has access to the cloud infrastructure and client systems? Is there a separation of duties between individuals with access? Can a client request more restricted access? How is access logged and monitored? How often are controls reviewed?

Information Security Management Policy: What safeguards does the provider have in place to protect against physical and virtual threats? How are security violations and incidents reported and managed? What information does the provider collect about clients and how is it handled? Has the provider ever had a security breach and what was the outcome?

Employee, Visitor and Contractor Physical Security Policy: What background screening, verification and employee agreements does the provider have established? How are employees and visitors monitored while on premises (office or data center)?

Beyond reviewing written documentation, you should inquire about how employees are trained on the policies and held accountable. Also, be sure to ask the provider how often its policies are reviewed and how changes are incorporated.
