Taking the Cloud Security Exam (aka Hedge Fund Checklist)
Last month our friends at eSentire published a Cloud Security Checklist to provide hedge funds and alternative investment firms a guide when evaluating a cloud provider such as Eze Castle Integration. The Checklist asked the question, “How can you know if your Cloud Service Provider has your best risk management interests in mind?”
Since here at Eze Castle Integration we are big proponents of secure cloud computing, we thought we’d be the first cloud service provider (that we know of!) to complete eSentire’s checklist.
1.0 Physical Security: Does the cloud provider have a rigorous physical access protocol?
Yes, yes and yes. Eze Castle has detailed Access Control and Premise Access policies that extend from physical to virtual environments. Following are some of the key physical access control protocols we have in place:
24x7x365 manned lobby with visual verification of identity
Two-phase authentication of visitors (card and biometric)
Secured access at all entry points, including doors and elevator banks
Monitored security cameras as well as door, motion and camera sensors
Visitor logs closely monitored and escorts required at all times
Key-locked cages and cabinets at all data center facilities
2.0 Background Checks: Does the cloud provider have a rigorous physical access protocol?
Absolutely. Eze Castle holds its employees to the highest standards. During the hiring process we conduct extensive background checks including social security trace, education verification, criminal court records and reference checks to verify all information on our detailed employment application.
3.0 Access and Change Control Audit: Does the cloud provider meet current SSAE 16 SOC2 Type 2 certification?
Before answering this question, and on the off chance these acronyms are all Greek to you, let me give a plug for our SAS 70, SSAE 16 & SOC: Understanding Audit Terminology article that defines each of these audit terms. Now back to the question at hand. All of the data centers housing our Eze Private Cloud in the United States hold either SAS 70 or SSAE 16 certifications. Our international data centers hold the appropriate ISO certifications. The Eze Private Cloud services also hold a SOC 2 certification.
4.0 Vulnerability Assessment: Does the cloud provider perform regular vulnerability assessments to determine security gaps?
Eze Castle employs a broad spectrum of security mechanisms to secure our Eze Private Cloud, which you can read more about here. Additionally, we have teamed with eSentire to offer hedge funds managed security services for cloud and on-premise environments that safeguard critical data by proactively intercepting threats and preventing data leakage.
5.0 Data Residence, Persistence, Back-ups and Replication: Does the cloud provider have the proper processes, systems and services in place to ensure data integrity and persistence?
We combine multiple layers of data protection processes and systems to safeguard data within our Eze Private Cloud and keep it highly available. These layers of protection include full disk backups of all client data – copies of the disks are stored off-site – plus SAN-to-SAN near real-time replication over an Eze Castle-owned MPLS connection to a hosted DR environment located in a geographically diverse location.
6.0 Business Continuity: Does the cloud provider have a Business Continuity Plan in place?
You bet. Not only do we have an extensive Business Continuity Plan, which we test quarterly, our in-house Certified Business Continuity Planners also write BCPs for our clients. We are happy to provide clients an executive summary of our BCP and DR plan.
7.0 Network Traffic and Access Logging: Does the cloud provider log network traffic, file and server access?
Eze Castle employs a central logging system that records all login/logout events, as well as inbound/outbound connections through Internet-facing firewalls.
8.0 Connections and Authentication: Does the cloud provider provide adequate security for network access and authentication?
Yes, connections managed by Eze Castle are encrypted using strong cryptography. From a password perspective, we recommend enforcement of strong password policies. This can be accomplished using either Authanvil/Cryptocard tokens or group policy (12-character passwords, changed at least every 60-90 days, not reused).
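As an added illustration (not Eze Castle's or eSentire's code), the following PowerShell audits an Active Directory domain's default password policy against the group policy values named above: minimum 12 characters, rotation within 90 days, and no reuse. It assumes the ActiveDirectory RSAT module is installed and the account running it can read the domain; the "no reuse" check is interpreted as a password history of at least one.

```powershell
# Added example: compare the default domain password policy with the baseline
# stated in the answer above (12 chars, changed within 60-90 days, not reused).
# Assumes the ActiveDirectory module (RSAT) and domain read access.
Import-Module ActiveDirectory

function Test-PasswordPolicyBaseline {
    param(
        [int]$MinLength   = 12,
        [int]$MaxAgeDays  = 90,
        [int]$MinHistory  = 1   # assumption: "not reused" = at least one remembered password
    )
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if ($policy.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength), expected >= $MinLength"
    }
    # MaxPasswordAge is a TimeSpan; a value of zero days means passwords never expire
    $ageDays = $policy.MaxPasswordAge.TotalDays
    if ($ageDays -eq 0 -or $ageDays -gt $MaxAgeDays) {
        $findings += "MaxPasswordAge is $ageDays days, expected between 1 and $MaxAgeDays"
    }
    if ($policy.PasswordHistoryCount -lt $MinHistory) {
        $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount), expected >= $MinHistory"
    }
    if (-not $policy.ComplexityEnabled) {
        $findings += "ComplexityEnabled is false; complexity should be required"
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$result = Test-PasswordPolicyBaseline
if ($result.Compliant) {
    "Default domain password policy meets the baseline."
} else {
    $result.Findings | ForEach-Object { "FINDING: $_" }
}
```

Fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can override the default for specific groups, so an audit should review those objects as well.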
9.0 Infrastructure: Does the cloud provider provide security measures for infrastructure, including sub-contractors?
The Eze Private Cloud delivers a secure, isolated environment for data, resources and applications to reside. Through secure separation, there is no risk for cross-contamination of data or access to other client environments. Redundancy is built into every layer of the cloud infrastructure – from computing resources to networking and storage resources. Additional server security measures are in place in accordance with vendors’ best practices recommendations. These measures include approved upgrades, patches and security packs, server health monitoring and reporting, server authentication, corporate anti-virus software and more.
10.0 Failover Site: Does the cloud provider provide security measures for infrastructure, including sub-contractors?
Yep. Disaster recovery in the Eze Private Cloud is provided via an active/active configuration using SAN-to-SAN replication over an Eze Castle-owned MPLS connection to a hosted disaster recovery environment located in a geographically diverse location. The disaster recovery environment is a mirror image of the production environment and is designed for complete recovery from a catastrophic event resulting in the production environment becoming completely unavailable.
11.0 Customer Policy Enforcement: Does the cloud provider enforce policies required by their customer hedge fund?
Well, this question is tough to answer since “policies” is a fairly generic term. So I’ll just say this: Eze Castle is committed to providing outstanding service to our clients and working together to find the best possible solution to a client’s problem/needs. That’s a long way of saying, we’ll do our best to accommodate your policy requirements!
12.0 SLA standards: Does the cloud provider have an active SLA in place that identifies minimum performance (such as uptime) and any associated penalties for SLA breach?
The Eze Private Cloud infrastructure is fully backed by an aggressive Service Level Agreement (SLA) to keep it up and running continuously and at peak performance.
DONE! We have reached the end of eSentire’s Checklist. Now I have a few questions for you:
Want more information from us about any of these areas? Just ask!
Convinced the Eze Private Cloud is for you? Learn more here.
Want to get a bit "smarter" about the Cloud? Visit the Hedge Fund Cloud Forum.