
Application Security in the Cloud: Questioning Internal and External Procedures

By Mary Beth Hamilton | Tuesday, March 22nd, 2011

The security of cloud services is receiving growing attention, particularly as investment management firms are drawn to the benefits these services offer (efficiency, scalability and cost savings). At the heart of cloud security is an architectural approach called multi-tenancy, in which one or more infrastructures, databases or applications are shared across many customers.

For Infrastructure as a Service (IaaS) offerings, multi-tenancy means customers control processing power, networking components, the operating system, storage and deployed applications, but do not control the underlying physical infrastructure. In the Software as a Service (SaaS) model, customers share all or part of an application but do not control the underlying platform or infrastructure. These two approaches can deliver security on par with in-house services, but they also introduce new challenges for IT around data management and security, particularly from an end-user perspective.

When an application is licensed and resides in-house, IT can have complete control over user access and data security. However, as companies gravitate towards SaaS products such as Salesforce.com, IT no longer controls the application, which makes it difficult to control user access and protect the data. In many cases these applications are controlled at the business unit level rather than centrally by IT, which adds a new level of complexity for security and policy management.

When evaluating a SaaS offering, it is critical that firms ask potential service providers tough questions, but it is also important to have strict internal policies around application use and access. Here are some external and internal questions to ask:

Questions on the Service Provider’s Practices

  • What are your backup and retention procedures? How long is data retained?

  • What is your disaster recovery strategy and how frequently is it tested?

  • What security standards are used to ensure data and application integrity?

  • Is data encrypted in transit?

  • How are support requests handled, and what is the expected response time?

  • Have you ever experienced a security breach? If so, how was it resolved and what safeguards were implemented to prevent a repeat experience?

  • Is your service SAS 70 compliant?

Questions on Internal Practices

  • When an employee leaves, what is the process for blocking access to applications to prevent data downloads?

  • How do we prevent employees from sharing login credentials with unauthorized employees?

  • How do we define and enforce user roles to control access levels?

  • Who has the authority to add new users?

  • How often will employees be required to reset passwords? Are there requirements around complexity standards for passwords?
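The internal questions above (leaver access removal, role enforcement and password rotation) are the kind of checks a firm can run itself against any SaaS application that exports a user list. The script below is an added example, not code from the original post or from Eze Castle Integration; it reconciles a constructed SaaS user export against a constructed HR roster, flags accounts that belong to departed or unknown people, flags roles that are not approved for a user's department, and flags passwords older than a rotation limit. All usernames, departments, roles, dates and the 90-day limit are constructed assumptions for illustration.

```python
"""Periodic SaaS access review (added example, constructed data).

Answers three of the internal-practice questions in the post:
  - Which active application accounts belong to people who have left (or are
    unknown to HR)?  These should be disabled to prevent post-departure downloads.
  - Which users hold a role that is not approved for their department?
  - Whose password is older than the rotation policy allows?
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AppUser:
    username: str
    role: str
    department: str
    password_set: date  # date of the last password reset
    active: bool        # account enabled in the SaaS application


@dataclass(frozen=True)
class Employee:
    username: str
    department: str
    employed: bool      # False once HR records the person as departed


# Constructed HR roster (assumption: usernames match the SaaS usernames).
HR_ROSTER = {
    "alice": Employee("alice", "trading", True),
    "bob": Employee("bob", "trading", False),   # left the firm
    "carol": Employee("carol", "ops", True),
    "dave": Employee("dave", "ops", True),
}

# Constructed user export from the SaaS application.
APP_USERS = [
    AppUser("alice", "trader", "trading", date(2011, 1, 15), True),
    AppUser("bob", "trader", "trading", date(2010, 11, 1), True),   # departed but still active
    AppUser("carol", "admin", "ops", date(2011, 3, 1), True),
    AppUser("dave", "trader", "ops", date(2010, 12, 1), True),      # role not approved for ops
    AppUser("erin", "viewer", "trading", date(2011, 2, 1), True),   # not in the HR roster at all
    AppUser("frank", "viewer", "ops", date(2010, 6, 1), False),     # already disabled; ignored
]

# Constructed role policy: which roles each department may hold.
APPROVED_ROLES = {
    "trading": {"trader", "viewer"},
    "ops": {"admin", "viewer"},
}

PASSWORD_MAX_AGE_DAYS = 90          # constructed rotation policy
REVIEW_DATE = date(2011, 3, 22)     # constructed review date


def orphaned_accounts(app_users, roster):
    """Active accounts whose owner is not a current employee (departed or unknown)."""
    return sorted(
        u.username for u in app_users
        if u.active and not (u.username in roster and roster[u.username].employed)
    )


def role_violations(app_users, approved):
    """Active accounts holding a role outside their department's approved set."""
    return sorted(
        u.username for u in app_users
        if u.active and u.role not in approved.get(u.department, set())
    )


def stale_passwords(app_users, today, max_age_days):
    """Active accounts whose last password reset is older than the policy allows."""
    return sorted(
        u.username for u in app_users
        if u.active and (today - u.password_set).days > max_age_days
    )


def access_review(app_users, roster, approved, today, max_age_days):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "orphaned": orphaned_accounts(app_users, roster),
        "role_violations": role_violations(app_users, approved),
        "stale_passwords": stale_passwords(app_users, today, max_age_days),
    }


if __name__ == "__main__":
    findings = access_review(APP_USERS, HR_ROSTER, APPROVED_ROLES,
                             REVIEW_DATE, PASSWORD_MAX_AGE_DAYS)
    for check, users in findings.items():
        print(f"{check}: {', '.join(users) if users else 'none'}")
```

In practice the roster comes from the HR system and the user list from the SaaS provider's admin export or API; the value of running the reconciliation on a schedule is that it catches the gap between "HR processed the departure" and "someone disabled the account", which is exactly the window the first internal question is about.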
