In part two of our webinar series, Cloud Perspectives: How to Impress Investors, Security Pros & CXOs, Steve Schoener and Lisa Smith of Eze Castle Integration shared their expertise with regards to security infrastructure, policies and procedures in the cloud.
Threat Landscape for Hedge Funds
With security breaches and incidents reaching sophisticated levels, Schoener first addressed the evolution of the cybersecurity landscape for investment firms. In the past, hackers were often kids with too much time on their hands looking to create chaos for a period of time. Today, it has evolved into a business for educated hackers, conducting thorough research and drawing readily accessible information from the Internet to target individual firms as a way of making money.
We love showcasing our work with clients and one such client is Astellon Capital Partners who selected the award-winning Eze Private Cloud for all of its IT needs. Astellon moved to the Eze Private Cloud because of Eze Castle Integration's leadership role in bringing cloud services to the investment community, as well as its ability to deliver the high performance, applications and exceptional user experience the investment firm demands.
Established in 2011, Astellon Capital Partners is a twelve user alternative investment manager based in London focusing on European event-driven value-investing with a particular focus on German-speaking countries.
Davi Vieira, head of operations at Astellon Capital Partners, said, "Our move to the Eze Private Cloud was born out of the need to have a secure, reliable and institutional-grade IT platform that matches our focus on implementing strong financial, operational and infrastructure controls. Eze Castle Integration is the driving force behind the adoption of cloud services in the hedge fund industry and the optimal partner to help us run our business for many years to come."
It’s a question that many folks in the financial services industry have been asking for a few years now. Are potential investors comfortable with the idea of hedge funds leveraging cloud services? In Part 1 of our cloud webinar series, The Investor Perspective on Cloud and Security, we asked Ashley Gimbel, Senior Vice President at Dyal Capital Partners, to share her thoughts on evaluating the operational and infrastructure decisions of hedge funds and alternative investment firms and if investors are truly comfortable with the cloud. Click here or scroll down to watch the full replay of our conversation with Gimbel.
The simple answer is ‘yes.’ According to Gimbel, investors are and should be at ease with hedge fund clients using cloud infrastructures to support their daily operations. In fact, she says, hosted infrastructures often make more sense for firms with little to no IT resources in-house.
With a few caveats, of course. Firms should ensure outsourced cloud providers have proper Service Level Agreements (SLA) in place and are conducting appropriate oversight of their provider(s). A few other technology must-haves:
Well integrated data and systems
Established policies and procedures
Comprehensive disaster recovery
What happens when it’s not a drill? What will employees in the office do after hearing an announcement or alarm due to an incident? Quickly make their way to the stairs or ignore it and continue working?
In critical situations, time matters. If everyone delays evacuating to make sure it’s the “real thing” or just completely ignores the warning, they can potentially put themselves in serious jeopardy. At home or at work, fire alarms go off from time to time. Unfortunately, responses to such alarms can range from grabbing a fire extinguisher to fuse the situation to putting on ear plugs and continuing with your workday. Inadequate responses to a fire alarm, for example, can put yourself, coworkers, and even first responders at risk. Fines can also be assessed to a firm by agencies such as OSHA or the local fire municipality if employees fail to evacuate in a timely manner.
A recent report from the National Fire and Protection Agency (NFPA) estimated that in 2013 alone there were 487,500 structure fires, causing 2,855 civilian deaths and 14,075 injuries. Below are four areas of importance that firms should focus on during these types of scenarios to ensure their employees and businesses are not negatively impacted.
As the frequency of cyber-attacks increases, so too do the maturity of attacks and their methods of prevention and remediation. Think of cybersecurity as a two-way street. One side is trying to deceive and breach, and the other is trying to protect, prevent and detect. The commonality is both are progressing towards automaticity.
Cybercrime: The Evolving Chameleon
A common misconception about cyber-attacks is that they only take the form of fake virus alerts, spam, outlandish emails and the like. On the contrary, a threat can take many forms, and cyber criminals are getting smarter. Today, hacktivists target the automaticity of our behaviors, responses and daily routines. This applies to both the human and business side of things. Cyber criminals now study and familiarize themselves with the daily activities and internal processes of firms to identify gaps and find a way in. The idiosyncrasy is in the simplicity with which cyber schemes are pulled off.
Whether you are a new hedge fund startup evaluating technology solutions or an established investment firm looking for an application upgrade or technology refresh, you’re likely to consider the cloud as one of your infrastructure options. If a cloud platform is ultimately your preference, however, your decision-making is far from over.
Deciding between a low-budget public cloud environment (think: Amazon Web Services, Microsoft Azure) and a vertical-specific private cloud (hint, hint: The Eze Private Cloud) is not always an easy choice for financial services firms. Despite the clear advantages of the private cloud, many investment management firms are drawn to the low-cost and high flexibility of a public cloud. While this type of infrastructure may suit a variety of other verticals, financial services firms have high standards and require a level of service and infrastructure beyond what public cloud platforms can offer. Trading via the public cloud can pose a host of challenges and concerns - let's look at a few.
Preparing for Cyber-Attacks and Breaches
At the top of everyone’s priority list these days is cybersecurity preparedness. And rightfully so. Security breaches and attacks are seemingly occurring on a daily basis, and hackers have become savvier than ever. As a result, large public cloud enterprises – the Googles and Amazons of the world – are inherently more susceptible to attacks and, as a result, downtime. While these public cloud services are surely beefing up security and have billions of dollars’ worth of resources to dedicate to security planning, it remains to be seen if they can sustain a targeted attack or significant downtime.
At Eze Castle Integration we see thousands of due diligence questions about hedge fund technology and operations each year. The questions around security are getting more specific with investors wanting details about each layer of a firm’s security stack.
A new question we’ve seen pop up one or twice centers around whether a firm’s online systems have undergone an ethical hack. So what is ethical hacking and how is it different from penetration testing?
What is Ethical Hacking?
Going back to our trusty security dictionary, SearchSecurity defines ethical hacker (aka white hat hacker) as a “computer and networking expert who systematically attempts to penetrate a computer system or network on behalf of its owners for the purpose of finding security vulnerabilities that a malicious hacker [aka black hat hacker] could potentially exploit.”
The increased focus on all things cybersecurity related – cyber-attacks, cyber warfare and cyber terror – has even led to the creation of a Certified Ethical Hacker (CEH) designation, which hacking pros can earn by completing online courses offered by the EC-Council.
In an interconnected world, there is a trade-off between enjoying limitless information at our fingertips and threats that are just one click away. Most of us have become so accustomed to being plugged in, that we forget the world is simultaneously plugging in to us as well.
The global evolution of cybercrime continues to push boundaries and raise the bar for technology innovation and advanced security solutions. Indicating the evolving regulatory landscape, the US Securities and Exchange Commission (SEC)'s Office of Compliance Inspections and Examinations (OCIE) announced back in 2014 that it planned to inspect the cybersecurity preparedness of over 50 registered broker-dealers and investment advisers. In 2015, their examinations will continue across the financial services industry, and firms are locking down security practices in advance of these inquiries. Additionally, in Asia, the Singapore Personal Data Protection Act governs the collection, use, and disclosure of personal data.
The amount of data and information that passes through the Internet every day is – for lack of a better term - enormous. And truth be told, sometimes we are sharing information that we don’t want to get into the wrong hands, whether it be via email, instant message or other communications. Think: credit card information, personal information (name, address, social security number, etc.), bank account information or sensitive company or financial data.
A secure way to transmit this information is through encryption. According to TechTarget, encryption is “the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties.”
The history of encryption, believe it or not, began a long time before the Internet existed and we started sending electronic data. The ancient Greeks and Romans, in fact, sent secret messages by substituting letters that only a secret key code could decipher. In the time of Julius Caesar, he created a cipher by which he shifted letters to the left or right to hide his messages.
The official definition given in TechTarget’s IT Dictionary reads: “Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication is a process in which the credentials provided are compared to those on file in a database of authorized users’ information on a local operating system or within an authentication server. If the credentials match, the process is completed and the user is granted authorization for access.”
At the heart of authentication is controlling access to ensure individuals only access the information they need. With stories of password compromises becoming more common it is important to understand the types of authentication factors available and good computing practices.
As part of Information Security Planning, firms should also identify applications, services or websites that require at least one level of authentication (e.g. password protection, PC certificate, or security tokens) as well as any that may require multi-factor authentication.