
Managing Risk and Protecting the Private Cloud (Webinar Recap)
In part two of our webinar series, Cloud Perspectives: How to Impress Investors, Security Pros & CXOs, Steve Schoener and Lisa Smith of Eze Castle Integration shared their expertise on security infrastructure, policies and procedures in the cloud.
Threat Landscape for Hedge Funds
With security breaches and incidents growing more sophisticated, Schoener first addressed how the cybersecurity landscape for investment firms has evolved. In the past, attackers were often kids with too much time on their hands, looking to create chaos for a while. Today, hacking has become a business: educated attackers research individual firms thoroughly, drawing on readily available information from the Internet, and target them as a way of making money.
Examining Perspectives
The concept of the cloud is one that many hedge funds and investment firms have leveraged for years: storing their information in data centers to gain greater uptime, fewer power-downs and less facility maintenance. The real security risk revolves around the cloud provider chosen and whether the firm trusts that provider to protect its data. When choosing a cloud service provider, there are two perspectives to consider:
- Security Perspective: Is the provider employing strict policies and testing procedures to ensure that infrastructure is protected at all times?
- Business Perspective: How is that provider doing financially? Are they a sustainable business?
Much of the potential risk associated with a service provider can be discovered during the due diligence process, which was highlighted last week, in Part One of the webinar series.
Security Policies and Procedures
While most cloud infrastructures will have intrusion detection/prevention in place, Smith discussed the other side of protecting confidential information. With policies such as a Written Information Security Plan (WISP) and incident response procedures, firms take additional steps to protect their data, particularly as regulatory bodies such as the SEC begin to expect documentation around security. The first step is to define and identify the information, which means asking questions such as:
- What is confidential information?
- Where is that information located?
- How is it stored?
- How is it protected?
- Who can access it?
Once the above questions are answered, firms can create cybersecurity teams to respond to incidents if and when they occur, with representatives from both the operational and technical sides of the business involved.
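The inventory questions above (what is confidential, where it lives, how it is protected, who can access it) and the least-privilege access control listed under the technical safeguards below can be turned into a small, checkable artifact. The following is an added example written for this recap; it is not code from the webinar or from Eze Castle Integration. The asset names, system names, roles and grants are constructed for illustration. Access is denied by default, every decision is written to an audit trail, and a confidential asset whose inventory record shows no encryption at rest is refused outright, so a gap in the "how is it protected?" answer surfaces as a denied request rather than a quiet exposure.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Tuple


class Classification(Enum):
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3


@dataclass(frozen=True)
class Asset:
    # One inventory record: what it is, where it is, how it is stored and
    # protected, and who owns the decision about access.
    name: str
    classification: Classification
    location: str
    encrypted_at_rest: bool
    owner: str


# A grant is (asset name, action). Roles hold only the grants their job
# needs; anything not listed is denied (least privilege, deny by default).
Grant = Tuple[str, str]


@dataclass
class AccessPolicy:
    role_grants: Dict[str, FrozenSet[Grant]]
    inventory: Dict[str, Asset]
    audit: List[str] = field(default_factory=list)

    def check(self, user: str, roles: Iterable[str], asset_name: str, action: str) -> bool:
        asset = self.inventory.get(asset_name)
        if asset is None:
            # Data that was never inventoried cannot be authorised.
            self._deny(user, asset_name, action, "asset not in inventory")
            return False
        # Control gap: confidential data without encryption at rest is not
        # served until the inventory shows the safeguard is in place.
        if asset.classification is Classification.CONFIDENTIAL and not asset.encrypted_at_rest:
            self._deny(user, asset_name, action, "confidential asset lacks encryption at rest")
            return False
        for role in roles:
            if (asset_name, action) in self.role_grants.get(role, frozenset()):
                self.audit.append(f"ALLOW user={user} role={role} asset={asset_name} action={action}")
                return True
        self._deny(user, asset_name, action, "no role grants this action")
        return False

    def _deny(self, user: str, asset_name: str, action: str, reason: str) -> None:
        self.audit.append(f"DENY user={user} asset={asset_name} action={action} reason={reason}")


def unprotected_confidential(inventory: Dict[str, Asset]) -> List[str]:
    """Names of confidential assets whose record shows no encryption at rest."""
    return sorted(a.name for a in inventory.values()
                  if a.classification is Classification.CONFIDENTIAL and not a.encrypted_at_rest)


# Constructed sample inventory (hypothetical asset and system names).
INVENTORY = {a.name: a for a in [
    Asset("investor-ledger", Classification.CONFIDENTIAL, "cloud-file-share/finance", True, "cfo"),
    Asset("trade-blotter", Classification.CONFIDENTIAL, "oms-db", False, "head-trader"),
    Asset("marketing-deck", Classification.PUBLIC, "website", False, "ir"),
]}

# Constructed role grants: each role gets only what its job requires.
ROLE_GRANTS = {
    "finance": frozenset({("investor-ledger", "read"), ("investor-ledger", "write")}),
    "analyst": frozenset({("investor-ledger", "read"), ("marketing-deck", "read")}),
    "ir": frozenset({("marketing-deck", "read"), ("marketing-deck", "write")}),
}


if __name__ == "__main__":
    policy = AccessPolicy(ROLE_GRANTS, INVENTORY)
    policy.check("alice", ["analyst"], "investor-ledger", "read")   # allowed
    policy.check("alice", ["analyst"], "investor-ledger", "write")  # denied: not granted
    policy.check("bob", ["finance"], "trade-blotter", "read")       # denied: control gap
    print("Confidential assets without encryption at rest:", unprotected_confidential(INVENTORY))
    print("\n".join(policy.audit))
```

Running the block prints one allow and two deny entries with their reasons, plus the list of confidential assets that still need a safeguard. The audit list is the piece an incident response team would want when reconstructing who touched what.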
Implementing Technical Safeguards
Employing written policies to define confidential data and explain procedures for dealing with security incidents is critical, but technical safeguards should also be in place as part of a firm's comprehensive cybersecurity protection plan:
- Intrusion detection and prevention systems
- Encryption – Protecting email and/or laptop/mobile devices
- Technical Policies:
  - Access Control – Utilizing the Principle of Least Privilege
  - Advanced Password Policies
Security Incident Response Management
Here are a few tips for managing the aftermath of a security incident or breach:
- As mentioned above, establish a cyber-incident response team to ensure immediate action is taken in the aftermath of a security event.
- Identify the type and extent of the incident.
- Escalate incidents as necessary.
- Notify affected parties and outside organizations.
- Gather evidence.
- Mitigate risk and exposure going forward.
Questions to Ask Cloud Providers
Doing your due diligence on cloud providers is a critical step toward ensuring your firm enters into a successful partnership with its service provider. There are dozens of questions to ask during the evaluation/DDQ process, but here are a few to keep in mind:
- (If touring a data center) What equipment are you leveraging? How is the facility maintained/monitored?
- How many clients do you have? How many users does your cloud support?
- Is your company financially stable?
- Do you have other clients similar to my firm's type/strategy/requirements?
- What are your employee training procedures?