Cloud Security Best Practices
Guidance on security practices to help ensure secure cloud computing at hedge funds
Proper security in a cloud environment requires specialized practices and processes at both the physical and virtualization levels. Following are some key features to look for when evaluating a cloud services provider:
Physical Security at Data Centers
- 24x7x365 manned lobby with visual verification of identity
- Two-factor authentication of visitors (access card plus biometric)
- Secured access doors and elevator banks
- Monitored security cameras
- Additional door, motion and camera sensors
- Visitor logs for cages
- Key-locked cages and cabinets
In a multi-tenant environment, cloud subscribers share the same underlying infrastructure, databases or applications. In public cloud environments, multi-tenancy poses a security risk if proper isolation measures are not in place to separate each tenant's data and resources at the network, hypervisor and storage layers. If you are looking for more security through a private cloud, look for these requirements:
- Availability: Redundancy should be built into every layer of the technology infrastructure to minimize the risk of unplanned downtime.
- Secure Separation: Ensure that your cloud provider uses secure separation to isolate your silo and resources from other cloud customers, and ask how that separation is enforced and tested at each layer (network segmentation, hypervisor isolation, dedicated or encrypted storage).
- Service Assurance: Computing, networking and storage resources should be readily available to you as needed to deliver top performance and accommodate fluctuations in user demands.
- Management and Monitoring: Work closely with your cloud services provider to confirm they maintain comprehensive control and visibility over your cloud infrastructure at all times, and that you receive that visibility too: audit logs, alerts and reports for your environment, not only for theirs. You need assurance that the environment is secured, that it is separated from other tenants, and that you receive the contracted level of service.
Policies, Policies, Policies
Additionally, plan to vet your service provider around the policies and procedures they have in place for access control to your cloud environment. Following are some must-haves:
- Access Control Policy: How is access to and control of the storage, virtualization and network infrastructures managed? What protocols are in place for monitoring, granting access and logging changes to client information systems?
- Information Security Management Policy: What safeguards does the provider have in place to protect against physical and virtual threats? How are security violations and incidents reported and managed? What information does the provider collect about clients and how is it handled? Has the provider ever had a security breach, and if so, what was the outcome?
- Employee, Visitor and Contractor Physical Security Policy: What practices are in place for monitoring employees, visitors and contractors while on premise (office or data center)? What background verification, screening agreements and employment agreements are established?
Don't Forget the Basics
Finally, since we can all use a refresher from time to time, here are six fundamental security practices that firms should follow whether using on-premises infrastructure or a cloud service.
- Passwords are essential, but simply having one isn't enough. Remind users not to write passwords on sticky notes or leave them under their keyboards, and pair the password with a second factor wherever the service offers one. One way to remember a new password is to use it immediately and often. Also, don't change a password just before leaving for vacation or on a Friday, as you're more likely to forget it.
- Create strong passwords. A good password is easy for a user to remember but hard for anyone, or any cracking tool, to guess. Length matters far more than complexity: a long passphrase of several unrelated words beats a short word with letters swapped for numbers, because substitutions such as "a" to "@" or "o" to "0" are the first rules every password-cracking wordlist applies. Use a different password for each service, ideally generated and stored by a password manager. Forced rotation every 30-90 days is no longer considered best practice (current NIST guidance, SP 800-63B, advises against it because it pushes users toward predictable variations); instead, change a password promptly whenever there is any sign it has been exposed.
- Remember to lock the doors. Propping open a door to expedite FedEx deliveries or get fresh air may be tempting, but keep an eye on who uses it, and make sure it is locked before leaving for the day and whenever the front desk is not staffed.
- Laptops are easy prey. About 97 percent of stolen computers are never recovered, according to the FBI. A conspicuous designer laptop bag is the first tip-off to a would-be thief; a plain bag draws less attention. Also, never leave a laptop unattended in an airport, hotel or conference venue.
- Add local security measures. Laptops can be further protected with cable locks, centrally managed settings (for example, screen-lock and password policies enforced through Active Directory), biometrics and encryption. Full-disk encryption such as BitLocker or FileVault encrypts data transparently as it is written, so the contents stay protected even if the laptop is lost or stolen, provided the recovery key is stored somewhere other than the device itself.
- PDAs and smartphones need protection too. Just as laptops require passwords, so do handheld devices: enable a passcode or biometric lock, and make sure the device can be wiped remotely if it is lost.
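The password bullets above concern what makes a password hard to guess. The following Python script, an added example and not part of the original article, shows why predictable letter-for-number substitutions add little: it normalizes a candidate password the way an attacker's cracking rules would (case-folded, common "leet" substitutions undone, trailing digits and punctuation stripped) and checks the result against a list of common passwords, then estimates the remaining guessing effort from length. The tiny inline word list, the 7776-word Diceware-style passphrase assumption and the 60-bit acceptance threshold are constructed for this example; a real deployment would check against a large breached-password list instead.

```python
"""Password policy check that credits length, not predictable substitutions.

Added example, not from the original article. The common-password list below is
a constructed stand-in for a real breach list (assumption: offline use only).
"""
import math
import re

# Constructed sample; in practice use a breached-password corpus of millions of entries.
COMMON_PASSWORDS = {
    "password", "welcome", "letmein", "qwerty", "summer",
    "monkey", "dragon", "football", "hedgefund",
}

# Substitutions that every cracking rule set tries first; undoing them shows the
# password an attacker effectively has to guess.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Trailing digits/punctuation ("Summer2024!") are another cheap rule; strip them
# before undoing leet so that "1!" is removed rather than turned into letters.
_TRAILING_JUNK = re.compile(r"[\d!@#$%^&*.?]+$")

DICEWARE_WORDS = 7776          # assumption: attacker knows the passphrase word list
MIN_LENGTH = 12                # assumption: policy minimum for this example
MIN_BITS = 60.0                # assumption: acceptance threshold for this example


def normalize(password: str) -> str:
    """Reduce a password to the base word an attacker's rules would derive it from."""
    base = _TRAILING_JUNK.sub("", password.lower())
    return base.translate(LEET_MAP)


def is_common(password: str) -> bool:
    """True if the password is a common word dressed up with cheap substitutions."""
    return normalize(password) in COMMON_PASSWORDS


def estimate_bits(password: str) -> float:
    """Rough upper bound on guessing entropy.

    A multi-word passphrase is scored per word against a known word list
    (the honest estimate); anything else is scored as character-set ^ length.
    """
    words = password.split()
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return len(words) * math.log2(DICEWARE_WORDS)
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"\d", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def evaluate(password: str) -> tuple[str, float]:
    """Return (verdict, estimated_bits); verdict is 'ok' or starts with 'reject'."""
    if is_common(password):
        return ("reject: common word with predictable substitutions", 0.0)
    bits = estimate_bits(password)
    if len(password) < MIN_LENGTH:
        return (f"reject: shorter than {MIN_LENGTH} characters", bits)
    if bits < MIN_BITS:
        return (f"reject: estimated {bits:.1f} bits, below {MIN_BITS:.0f}", bits)
    return ("ok", bits)


if __name__ == "__main__":
    # Constructed candidates: two "complex" passwords that fall to simple rules,
    # one short random string, and one five-word passphrase.
    for candidate in ["P@ssw0rd1!", "Summer2024!", "Xk9#mQ2v",
                      "gravel lantern orbit tulip canvas"]:
        verdict, bits = evaluate(candidate)
        print(f"{candidate!r:40} -> {verdict} ({bits:.1f} bits)")
```

The point the output makes is that "P@ssw0rd1!" satisfies every classic complexity rule (upper, lower, digit, symbol, ten characters) and is still rejected, because it normalizes to "password", while a plain five-word passphrase with no symbols at all passes comfortably.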