In Part 1 of our hybrid cloud whitepaper excerpt, we reviewed the primary benefits of public, private & hybrid cloud infrastructures, and reviewed a number of considerations including service & support, availability and uptime, and proximity. In Part 2 below, we dive into additional factors to contemplate, specifically: security, application hosting and cost. Remember, the full whitepaper, Is Hybrid Cloud Right For Your Firm?, is available for download.
While your public cloud provider may provide world-class security for its services, your company is still on the hook for certifying all aspects of information security. For compliance-driven businesses, there are still countless vulnerabilities and exposures that public clouds often fail to address. Advancing security features such as multi-factor authentication, targeted attack protection and managed phishing simulations are gaining traction among private/hybrid cloud users who benefit from their providers’ extensive managed security services.
Multi-factor authentication requires at least two authenticating factors to log into a system or network (e.g. strong passwords, security tokens, fingerprint scanning) and can add an additional layer of security for users across email, applications, etc.
Since email often serves as a gateway for hackers to surreptitiously penetrate networks, it’s become essential for firms to employ targeted protection tools and advanced email precautions to ward off these threats. That’s one of the many advantages a private cloud provider can bring to a firm. For example, next-generation security technology can protect private cloud users from attacks delivered through email, social media and mobile applications, prevent advanced attacks, and minimize compliance risks.
Below is an excerpt from our whitepaper, Is Hybrid Cloud Right For Your Firm?. If video is more your style, scroll to the bottom and watch our 30-minute webcast on hybrid cloud considerations for financial and investment firms.
With its security, privacy, and performance, the private cloud has been the go-to option for financial and investment firms that require enterprise-caliber IT infrastructure. In most cases, that private cloud is professionally managed by a service provider solely focused on monitoring, managing, and maintaining that infrastructure to meet business requirements and compliance directives. Thus, firms benefit from seasoned, industry-experienced professionals who live and breathe financial IT.
For many firms, so-called public cloud infrastructures offer compelling opportunities and advantages. For many smaller and younger firms in particular, the flexibility and ease of deployment are persuasive drivers. What’s more, the initial costs appear to be lower for certain feature sets (although an analysis of the total cost of ownership indicates that advantage is less clear-cut).
Hybrid Cloud: Bringing Them Together
Fortunately, investment firms needn’t take an “either/or” approach to their IT infrastructures. With a hybrid cloud approach that combines many of the most compelling features of public and private clouds, firms can leverage a uniquely flexible platform that meets a broad range of needs.
Which Cloud Has the Edge?
The decision regarding your IT infrastructure has significant implications for the ability of your investment firm to gain and maintain a competitive advantage. As you weigh your options – public, private or hybrid – it can be beneficial to consider the following aspects of cloud architectures and weigh their importance to your individual firm.
We spend a lot of time making suggestions and recommendations about what financial and investment firms should do when it comes to their technology. And while it might sometimes seem obvious, we also think it wise to remind firms what not to do from time to time. In fact, the following technology pitfalls are prime examples of what not to do with respect to your firm’s IT.
Set IT and forget IT.
Technology isn’t evergreen, and it certainly isn’t infallible. With so many investment firms today reliant on managed service providers to support their IT operations, vendor management has become a critical area of importance. IT outsourcing provides great opportunity for firms to rely on experts to manage infrastructure updates, maintenance windows and network upgrades, but the onus remains on your firm to ensure your technology is up-to-snuff and meets not only your demands but those of investors and regulators as well. A “set IT and forget IT” strategy won’t work here; even via outsourcing, your IT management responsibilities fall on you.
Plan your infrastructure only for the short-term.
A crucial mistake often made by funds is not planning for the future. From the earliest pre-launch meeting, you should be thinking about what your firm will look like and what technology you will require down the road. Planning out two to three years in advance is recommended in order to reap the most benefits with regard to your infrastructure. Plus, if you don’t plan ahead, you may wind up incurring more costs and dealing with a much bigger headache if technology decisions need to be made unexpectedly (e.g. cloud and data migration).
This article first appeared on Hedgeweek as part of their 'Cybersecurity in Europe 2017' Special Report.
According to the PhishMe 2016 Q3 Malware Review, the proportion of phishing emails containing ransomware grew to 97.25 per cent in Q3 last year. This is a threat that is becoming more sophisticated, and more targeted. Not only that, but the frequency of attacks is at an all-time high.
"As people become better aware of what a phishing attack is, so the sophistication of attacks targeting individuals and organisations becomes greater," says Dean Hill, Executive Director, Eze Castle Integration.
This is also being driven by continued investments in technology, making it harder for hackers to breach organisations. There is, in effect, an arms race between organisations and hackers, each trying to stay one step ahead of the other.
Stephen Banda is Senior Product Manager at Eze Castle Integration. Discussing the more targeted nature of phishing attacks, he says: "They are doing a really good job of mimicking an email that might genuinely have come from the CEO. It's difficult for the recipient to discern this unless they really take care to look at the email signature – is there a 1 being used instead of an I, for example, in the person's email name?"
In this interview, Eze Castle's Chief Strategy Officer, Mark Coriaty, discusses the emergence of the hybrid cloud and why some financial and investment firms are taking a closer look. NOTE: This article first appeared on Hedgeweek and Private Equity Wire.
Talk about the advancement and evolution of cloud services in recent years and how we’ve ended up where we are.
MC: If you step back and look at the landscape over the last four or five years, we have seen a lot of changes both on the technology front, as well as within the financial markets. Whether the result of fund raising challenges or increasing regulatory demands, the landscape for alternative fund managers has changed significantly.
We’ve therefore had to adapt to the market and this includes three different components: service, technology, and networking/security. With all the different regulatory bodies and demands from standards boards and governments, we needed to make sure we were providing a solution to our clients that a) met those requirements and b) was up to par with the security measures that we pride ourselves on at Eze Castle.
When you look at the Eze Private Cloud, it is a very controlled environment. It features a number of components related to private networking, client controls, data integrity controls, as well as enterprise-standard security measures. But as the public cloud has started to become more popular and mature in recent years, firms have started to pay closer attention to it.
Typically, this is because the cost structure is scalable. If you look at major providers like Amazon, Microsoft and Google, they have enough scale in their infrastructure such that it becomes less expensive for the customer to use the public cloud. However, when you analyse what they deliver versus the requirements of a lot of investment firms, oftentimes those requirements supersede what these large public cloud providers can offer.
Hence the hybrid cloud.
This article first appeared on Hedgeweek and Private Equity Wire as part of Eze Castle Integration's Technology Resource Center.
Just a decade ago, the cyber threat landscape was far less pronounced, but thanks to significant advances in IT, mobile technology and digital platforms, the threat of cybercrime has grown exponentially and poses risks across the global industry and for national critical infrastructure (power stations, hospitals, dams, financial services).
As managers in the financial services industry increasingly adopt digital technologies, they increase the number of attack surfaces and weakness points within their networks. As a fund manager introduces a new counterparty into their network, the exact increase in risk is unknown but it may well be substantial.
“Unless you are running a shutdown, fully closed network environment, the reality is you are always going to have the risk of someone trying to gain access to your network,” says Mark Coriaty, Chief Strategy Officer, Eze Castle Integration.
“That said, when you look at the different technologies that exist today – next generation firewalls, endpoint protection, active threat protection – there are many ways to keep on top of cyber risk. These layers of protection can be enhanced by real-time monitoring by security analysts. Companies that operate a security operations centre (SOC) can bring a human level of interaction too. They will proactively monitor for active threats across thousands of networks, which gives them an advantage in identifying and preventing intrusions.”
Technology is only effective if it’s supported by a robust network infrastructure. And even though you can’t see it, your network is one of the most powerful (and underrated) components of your IT operations.
During a recent webinar, Eze Castle Integration's VP of Network Services, Mike Abbey, discussed trends in networking technology and highlighted the power behind your firm’s network. Some areas he explored during the 20-minute discussion include:
How private networks differ from traditional Internet lines
Why global private networks are particularly advantageous for financial and investment management firms
How Internet of Things devices - and the multitude of devices in general - are impacting network infrastructure requirements (speed, bandwidth, etc.)
What benefits/advantages firms can gain from direct peering and connectivity
Keeping up with the myriad of cyber security requirements expected of today’s financial firms is a daunting – and sometimes unachievable – task. This list continues to grow in size and scope, and remembering how often to perform tests or when to change passwords is a growing challenge for CTOs and business execs responsible for technology.
To assist in guiding your firm with its cyber plan implementation, we’ve outlined a basic calendar of security reminders to help you stay on track. Listed in order of frequency, here’s how often you should plan to take these security steps:
3 months: Change your passwords.
At least every 90 days, we recommend changing your network, system and application passwords to prevent intruders from gaining unauthorized access. Remember: password creativity is critical, and password re-use is a big no-no.
3-6 months: Conduct a simulated phishing exercise.
Phishing is one of the most effective, and thus dangerous, social engineering scams in use today and threatens to deceive and manipulate users into opening gateways, sharing confidential information or, in many cases, making financial transactions. Simulated phishing exercises (whether conducted by your firm itself or via a managed service provider) are the most effective way to test users’ knowledge of email threats and train them to be cyber aware. Most firms opt to perform quarterly phishing tests, but semi-annual exercises are also commonplace.
Earlier this week, our friends at Proofpoint released their 2017 Human Factor Report, which shines a light on the role individuals play in protecting organizations against cyber security threats. The trends highlighted in the report reinforce a number of ongoing trends we’ve written about before, notably the growing threat of phishing scams and business email compromise. Let’s review some of the key findings.
Hackers are consistently impersonating your CEO.
According to Proofpoint, business email compromise attacks increased 45% in Q4 2016 (compared to Q3). These types of attacks consistently involve hackers posing as firm CEOs and requesting wire transfers and sensitive material disclosures from CFOs and other internal contacts. Compromises of this nature can be extremely damaging – and avoiding them requires diligence on the part of individuals to execute checks and balances internally to review and approve any material handoffs or financial transactions.
Email isn’t the only way hackers are phishing users.
Email may be the most popular way to target individuals with phishing scams, but SMS/text scams are growing widely in popularity. Oftentimes, individuals are more keen to open messages or click on hyperlinks from their mobile devices, giving weight to these “smishing” scams. Additionally, social media phishing continues to grow. Sometimes known as “angler phishing”, in these cases, hackers pose as company support accounts and take advantage when users request support or customer service from various organizations. This is an easy way to goad users into sharing their credentials or clicking on malicious links/attachments – and Proofpoint reports an increase in occurrences by 150% in 2016!
There’s a lot hackers can do to wreak havoc for private equity and other investment firms – and it extends far beyond forcing users to change their passwords. In fact, with their roguish hands on the right information, the consequences can be downright destructive for a firm’s business operations and integrity.
Systems & Network Access
Of course, with stolen passwords and login credentials, hackers can gain access to company systems and networks – not an insignificant feat. Unfortunately, we’ve seen many cases over the years where users rely on reused passwords across multiple systems – meaning when a hacker deciphers a password, it’s a profitable gateway beyond a user’s individual email account.
That said, within that email account alone, a number of critical dangers await. For example, inside your email, a hacker can access, send and delete communications at will, potentially intercepting company sensitive material, financial data or personal details they can use to further infiltrate your network.
They can also easily decipher the corporate hierarchy and capitalize on relationships with those responsible for company payments and financials. For instance, they may send a phishing email to your CFO, posing as you, requesting a fund transfer to a provided bank account number – and depending on your role within the firm, this could be considered routine and easily executed upon.
Beyond email, if a hacker gains entry to your firm’s network, they may also get their hands on company files, personnel information, financial reports, and more.