Securing the Cloud: Q&A with Dean Hill
This article first appeared in HFMWeek Fintech Special Report
Eze Castle’s Executive Director, Dean Hill, recently sat down with HFMWeek Magazine to talk about how the firm guides clients in taking a Security-First approach to the cloud and security best practices. Following is an excerpt of the article.
What is meant by security-first when it comes to the cloud?
Historically, we have talked to clients about technology, and the move towards a cloud-based architecture and the benefits of deploying and managing such infrastructure from a cost and operational standpoint.
If we look at the demographics of our clients, the types of information financial firms hold and the capital that they raise as a business inevitably make them high-value targets for criminals. The discussions that we're having with clients now are more around security and how to best secure a firm with the different types of infrastructure and technology that are available in the marketplace.
When we talk about security-first, the conversation centres around the expectations of investors, regulators and partners within the business in terms of what their security aspirations are and the sensitivity of their data.
We've got some different definitions of security layers in the types of architecture we're providing: cloud infrastructure and application components can fall easily into place, but this has to be planned out. There are various layers and elements of security you can add in or bolt on, and so when we talk security first, we mean that we sit down with clients in the first instance and lay out all of the elements of security prior to suggesting the most suitable product for them.
As an organisation, we would always recommend that clients should lead with the highest levels of security. The problem is that higher levels of security come with higher levels of cost, and some clients haven't the appetite or budget to expand on the levels of security that we as a business recommend to them. What we do is conduct a cost/risk analysis for clients and highlight what is absolutely fundamental for them and what is 'nice to have'.
We then walk clients through the various scenarios and processes in terms of what the different risks could be, and what security products are available in the market to mitigate these.
From the beginning of this advisory process, what must firms be thinking about on the security side?
They should ultimately be thinking about the impact of security on their firm and reporting back to the regulator. They've got to think about their internal compliance policies, data retention policies, data deletion policies and encryption. And then we must look at the processes surrounding these areas.
There are three aspects of what we try to do with clients. We look at technology, the process, and the people. We then take a multi-faceted approach around these areas on the security side, ensuring that the technology is best-of-breed and that we are recommending industry-standard technology from a deployment, resilience and security standpoint.
Further, we make sure that clients are adhering to our recommendations on any policies we require, so compliance, data retention, data deletion and encryption, and making sure that we're making the right recommendations around the policies. Finally, we work with clients to make sure that it's not just their CTO, or COO who is aware of the risks. We ensure that the entire firm and all of the users with access to company-sensitive data and information are aware of the policies that surround these, and we provide training for this.
We'll introduce go-live support with our technical, security and management team to make sure the end user is supported in terms of multi-factor authentication or encryption and understands why things are being deployed.
A measure to avoid human error?
We do the best we can on the technology side with regards to the budget available to us from the client. In terms of the policies, procedures and processes, we work with clients and deploy our industry-standard recommendations for the financial services sector.
Humans are error-prone, and we aim to mitigate this by doing all that we can on the training and documentation side so that people are aware of the risks and kept up to date in terms of the relevant training that they need.
Is there such a thing as a one-stop shop solution for security?
The company’s view on this is that there is not one vendor that should be relied upon to provide everything. There are multiple vendors that do multiple things. They can do them up to good standards, but I would say there isn’t any one vendor in the market which excels on multiple levels and with multiple services.
We do a lot of things around technology for our clients and use multiple vendors such as Microsoft. What we don't do, however, is put all of our eggs in one basket. We use multiple vendors to provide multiple services, and we choose the best-in-breed providers for each service.
We are not a one-stop shop for one particular vendor; we're an aggregator of multiple industry leading vendors to provide an industry-leading solution to our clients.
It's worth mentioning too that when looking at our position in the market as a Managed Service Provider and aggregator of technologies, we take the burden on for clients, helping them to manage multiple best-in-breed vendors through one convenient source.
What are some of the rising threats in 2018?
We're likely going to see more of the same. The biggest rising threat for us is that people will become complacent. They've got a technology solution in place that is managed by a third party and are told that data is backed up, secure and encrypted. And these clients sit back in the belief that they don't need to do anything further. This is fundamentally untrue. These clients need to continue reviewing with their third parties and must stay up to date about evolving threats and emerging technologies.