Cybersecurity is a hot topic -- and rightfully so -- as headlines tout new vulnerabilities or incidents with increasing frequency. In the fight to prevent attacks, technology safeguards are typically the focus. A firm must have layers of security that include, but are not limited to, anti-virus, firewalls, intrusion detection systems and Internet monitoring and reporting, as well as procedures that restrict and monitor access.
However beyond technology, the role employees play cannot be underestimated. The reality is that employees can be one of a firm’s best lines of defense or weakest link. The deciding factor in which way it swings often comes down to access control policies and cybersecurity training.
Getting the Access Right
Employees require access to the data necessary to complete their job functions. But beyond that, firms should be limiting what data employees have access to. It’s not about not trusting your employees, but more so about not trusting the technology behind those employees. The less data employees can get to, the less damage can be done via an internal breach or external hack.
The SEC Cybersecurity Risk Alert issued in April 2014 highlights the importance of access control by asking about the controls a firm maintains to “prevent unauthorized escalation of user privileges” and how firms “restrict users to those network resources necessary for their business functions.”
Part of a firm’s cybersecurity planning must be defining how company data is protected, where it is located and who has and needs access. Once access levels are defined, they must be reviewed at least annually to ensure adherence firm wide.
Security has been THE topic of 2014 thus far and was amped up last week when many A-list celebrities’ phones were hacked and racy photos released. The hack was allegedly the result of an iCloud infiltration, prompting many Apple users to question the company’s privacy settings. In response, Apple CEO Tim Cook released a letter to consumers, and the company’s website will now feature a privacy section:
Apple’s privacy site includes details on both the built-in security features within Apple devices as well as how users can manage their own privacy settings and tailor them to individual needs. Here is a brief snapshot of some security functions highlighted:
Built In Privacy
iMessages and FaceTime calls are protected with end-to-end encryption
iMessages and SMS messages are backed up to iCloud, but can be turned off by the user
All iCloud content is encrypted in transit and when stored (in most cases)
iCloud Keychain allows users to create strong passwords and stores them securely without giving Apple access
Safari blocks third-party cookies on all devices and offers private browsing
Last week our SVP of client technology, Steve Schoener, presented at a hedge fund due diligence event on the topic of protections in the cloud.
Since cloud security and ensuring a hedge fund’s data is protected is such a hot topic we thought we’d share his presentation. In a nutshell, the presentation looks at the layers of security that should be built into a cloud environment, which includes deep and detailed practices around:
Principle of Defense in Depth
Principle of Least Privilege
Audit & Logging
Secure User Authentication Protocols & Encryption
Check out the complete presentation for more details:
We all make mistakes, but when it comes to technology and hedge fund operations, mistakes aren’t an option. So let’s look at seven common cloud mistakes we see hedge fund firms making and talk about how to avoid them.
Mistake #1: Not Sizing Bandwidth to Business Needs
Determining the right amount of bandwidth comes down to the types of services being delivered and user expectations. Nothing ruins a cloud or really any computing experience like sluggish application and Internet performance.
Beyond bandwidth, firms must also consider latency. While latency issues don’t impact all applications (i.e. email is relatively insensitive) for others it is a killer. Latency has little place in trading applications or voice over IP services. When moving to the cloud, have a realistic conversation with the hedge fund cloud provider about the amount of bandwidth your firm really needs.
Mistake #2: Not Planning for Applications
Not all cloud platforms are equal especially when it comes to supporting hedge fund specific applications such as Order Management Systems or Portfolio Accounting Systems. While a hedge fund may not launch day one with one of these applications, there is a good chance they will require one in the future. To help mitigate future growing pains a hedge fund should plan for the future when evaluating cloud providers. Being shortsighted can result in future disruptions and integration pains.
Last month we covered the five myths about Voice over IP (VoIP) in preparation for the general availability of our next generation Eze Voice service. In case you don’t recall, the myths we debunked were:
MYTH 1: Poor Call Quality – Everyone Will Know I’m on VoIP
MYTH 2: VoIP is Unreliable – I’ll Experience Downtime
MYTH 3: I’ll Lose Critical Functionality Required by My Investment Firm
MYTH 4: I Can’t Keep My Phone Number
MYTH 5: Someone May Hack My Phone System
Now that Eze Voice is officially here and already being used by many clients, we wanted to give it a little shout-out, so here goes. Eze Voice is an innovative hosted voice solution that combines high levels of redundancy and quality of service with the communication features financial firms require.
The newest version of the Eze Voice service leverages Eze Castle Integration’s premier global cloud platform, Eze Private Cloud, and is ideal for firms that want to benefit from the flexibility, scalability and cost-effectiveness offered with a cloud-based voice service. Featured benefits of Eze Voice include:
If there’s one thing we’ve learned over the years when it comes to security, it’s that there’s a whole lot more to creating a secure hedge fund (or any business for that matter) than robust technology. Before identifying infrastructure components and implementing operational policies, a firm must first be clear on what its attitude is toward security. This attitude will filter through the company from the top down, and will therefore dictate how employees and the business as a whole operate on a daily basis.
To give you a clearer understanding of what we mean, we’ve created three security profiles that cover a wide spectrum in terms of security attitudes and practices.
Under the Radar: Low Security
If you’re attitude toward security is low, odds are you’re barely scraping the surface in terms of what practices and policies you should be employing to maintain proper security firm-wide. You likely rely on quick fixes to solve problems instead of looking at the bigger picture and thinking strategically about how security can both benefit and protect your business. You’ve employed minimal preparedness efforts and could be in for a difficult task if faced with a serious security incident. You probably take a “it won’t happen to me” attitude and don’t take security seriously enough – a stance that could endanger your firm in the long term.
Categorized under: Security Launching A Hedge Fund Cloud Computing Disaster Recovery Hedge Fund Due Diligence Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Business Continuity Planning Trends We're Seeing Videos And Infographics
Voice over IP has come a long way especially in the business world, but many investment firms still have hesitations about making the switch. In honor of our recently enhanced Eze Voice service, which runs over the Eze Private Cloud Network, we decided to tackle five common myths about Voice over IP.
MYTH 1: Poor Call Quality – Everyone will know I’m on VoIP
Call quality is a key concern and can be impacted by a number of items including the network, available bandwidth and even the type of phones being used. However, a well-designed business-caliber VoIP system can deliver quality of service comparable to an in-house phone system. In business settings, where calls are made over private IP connections, Quality of Service (QoS) can be monitored and guaranteed because the entire IP connection is controlled by the party making the call.
When evaluating VoIP services, it is important to inquire about the underlying network and how voice traffic is prioritized and routed. You want a provider that has full control over network traffic and can ensure high quality of service. For added confidence, ask to speak with existing VoIP customers (over the phone!) to hear about their experiences first-hand.
MYTH 2: VoIP is Unreliable – I’ll Experience Downtime
A natural extension of the call quality concern is the reliability concern. While consumer-grade VoIP services work over the Internet to deliver low cost services, Business-grade VoIP services often use the Internet as a backup and have private IP point-to-point lines for primary connections. If Internet is the primary transit, be sure you are working with a VoIP provider who manages the entire network and has control over traffic prioritization. In most cases you want to ensure voice traffic takes precedent over data or travels on a different network.
The competition amongst firms in the financial services industry is ever burgeoning, and in order to achieve differentiation, it is imperative for firms to create and maintain robust, manageable, scalable and reliable technology infrastructures. Increasingly, we’re seeing more than just emerging managers opting for a cloud solution and established hedge funds and alternative investment firms shifting gears from traditional on-premise IT infrastructures to cloud services.
If you missed our webinar yesterday on Why the Billion Dollar Club is Going Cloud, read our recap below or scroll down to watch the full webinar replay, featuring Eze Castle’s Managing Directors Bob Guilbert and Vinod Paul.
The Business Case for the Cloud: Why Established Firms are Making the Move
Across the industry, established firms that have been in business for several years are moving away from physical infrastructures and adopting the cloud. Traditionally, investment firms would allocate substantial capital budgets to build on-premise Communication (Comm.) Rooms. These cost-intensive infrastructures can take months to build out, and specific expenses can vary depending on a firm’s unique needs. For example, at minimum, investment firms require file services, email capabilities, mobility services and remote connectivity, as well as disaster recovery and compliance. Beyond those, many firms also require systems and applications such as order management systems (OMS), customer relationship management tools (CRM), and portfolio management or accounting packages.
Categorized under: Cloud Computing Disaster Recovery Security Hedge Fund Due Diligence Hedge Fund Operations Hedge Fund Regulation Infrastructure Communications Outsourcing Trends We're Seeing Videos And Infographics
Your hedge fund's information security plan likely includes details on where information is stored, how it is accessed and who it is accessible to. But a critical component of this plan often overlooked is how and why data is destroyed when it is no longer needed. Including data destruction procedures in your WISP or as a separate document is vital to ensuring your firm’s sensitive data and intellectual property does not fall into the hands of the wrong people. Unfortunately, in today’s technology-driven, cyber-aware environment, simply hitting the delete key is not enough.
There are a few different scenarios that warrant secure data destruction maneuvers:
Changing service providers
Retiring a service/product
Your methods and policies for secure destruction may vary according to the above scenarios, or they may be standard across the firm. Your hedge fund should also consider if there are any regulatory implications. Do you need to maintain/archive data for a prescribed period of time in order to comply with state, federal or other compliance or auditing standards?
In any case, you’ll want to consider a variety of methods in the beginning to ensure your firm’s confidential data (e.g. investment portfolio, investor contact information, etc.) is thoroughly destroyed, preventing unwanted breaches or thefts.
We are excited to debut our newest video that explains why the network powering a cloud service matters and should be evaluated closely.
As background for why we created this video, in today’s interconnected financial world, investment firms have global interests and a global presence, making fully on-premise IT infrastructure a way of the past. Cloud service providers have a variety of capabilities, each designed to serve a specific set of needs, which makes it crucial for businesses to critically evaluate the network behind a cloud and what it can deliver. Not all clouds are created equal.
Our ECI Link Financial Network is a global private cloud network built for the financial industry. With data centers in the US, UK and Asia, it enables organizations to efficiently leverage a single provider for all their global infrastructure needs.
Now on to the video -- let us show you why ECI Link is THE single converged network built to power today’s buy-side firms' trading operations.