The transition to cloud computing services is at a high in the hedge fund industry and will continue to increase throughout 2012 and beyond. Efficiencies, scalability and cost-savings are three of the most commonly listed benefits of moving to the cloud, while concerns around security remain one of the biggest perceived risks.
The reality is that cloud security is a real consideration across all industries – not just financial services – and must be a critical focus area when conducting due diligence on cloud infrastructures and cloud providers. The Cloud Security Alliance recently released the third version of its “Security Guidance for Critical Areas of Focus in Cloud Computing” report, which delivers actionable best practices around cloud security. The report is 177 pages, so consider this article a much abbreviated Cliffs Notes version to help frame your questions on cloud security for hedge fund environments.
Defense in depth is a security methodology long followed for on-premise infrastructures where layers of security (office building to desktop to server to firewall to router) help ward off threats and provide redundancy should one layer of protection fail or become compromised. This strategy is also applicable to cloud infrastructures, with a key difference being the cloud includes virtual assets along with physical assets.
Physical security includes the data center facilities that house the cloud infrastructure as well as the physical network components. The cloud should reside in a Tier III (or greater) class data center that is composed of multiple active power and cooling distribution paths as well as redundant components throughout. Be sure to ask the cloud provider if the data center is in a region that could experience seismic activity, natural disasters (i.e. flooding) or other environmental threats that could disrupt service.
Beyond location, the cloud data center should be secured with practices including:
- 24x7x365 manned lobby with visual verification of identity
- Two-phase (card and biometric) authentication of visitors
- Secured entry points (doors and elevator banks), including sensors and cameras
- Monitored security cameras
- Visitor logs for cages, which are periodically reviewed and cross-checked
- Key-locked cages and cabinets
Isolation & Security
Virtualization is a core element of a cloud infrastructure and brings unique security considerations as traffic travels differently over virtual machines than it does with a traditional network. A cloud provider should combine traditional network-based security controls alongside virtual machine security tools for an added layer of security. In addition to security protocols, all network interfaces within the virtualized environment should be configured in a redundant manner, and the infrastructure should be backed up and replicated to multiple data centers to ensure resiliency and uptime.
Another often-voiced cloud security concern is that of data co-mingling across different clients. A cloud must be architected in such a way that clients have secure, isolated environments for their data, resources and applications to reside. It is critical that data be securely separated to eliminate the risk for cross-contamination of data or access to other client environments. Consider asking a provider to explain their reporting mechanism for ensuring evidence of isolation and identifying a breach of isolation.
Finally, cloud providers should follow best practices for securing cloud inter-site transmissions and offer clients the option to encrypt sensitive messages in accordance with regulatory legislation including SOX, GLBA, PIPEDA and the European Union Data Directive.
Policies, Policies, Policies
As part of your due diligence, ask for specifics on your service provider’s security policies including:
- Access Control Policy: How is access to and control of the storage, virtualization and network infrastructures managed? What protocols are in place for monitoring, granting access and logging changes to client information systems?
- Information Security Management Policy: What physical and virtual security safeguards does the provider have in place to protect against breaches? How does the provider manage information security violations and incidents? What are the procedures for incident reporting, resolution and corrective action?
- Employee, Visitor and Contractor Physical Security Policy: What practices are in place for monitoring employees, visitors and contractors while on premise (office or data center)? What background verification, screening agreements and employment agreements are established?
Beyond reviewing the policies, inquire about how employees are trained on the policies and when the company last tested its internal policies. It is worthwhile to request a summary of results to ensure a passing score was achieved and any identified vulnerabilities were addressed.
Security threats exist in both traditional networks and cloud environments. The reality is that either deployment scenario is only as strong as its weakest link. The key is working with a provider that understands the unique security threats, looks at the infrastructure holistically and implements the appropriate safeguards to mitigate risks.
About the Author
Mary Beth Hamilton is director of marketing for Eze Castle Integration (www.eci.com), a leading provider of IT and cloud computing services, technology and consulting to hedge funds and alternative investment firms. She has over a decade of technology and marketing experience and holds an MBA from Boston College.