Securing Data in the Cloud (Markets Media, April 7, 2014)
A multitude of factors is leading asset managers to adopt and deploy cloud-based technology for running their infrastructure, cost savings and backup/recovery chief among them.
The cloud outsourcing model, which comes in a variety of flavors—Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS)—enables hedge funds and other asset managers to leverage a shared IT platform at a fraction of the cost of maintaining one in house.
In terms of information security, clouds present certain challenges, which tend to fall into two broad categories: security issues faced by cloud providers (organizations providing software-, platform-, or infrastructure-as-a-service via the cloud) and security issues faced by their customers.
“Many people really do not distinguish between public clouds and the private clouds,” said Grigoriy Milis, chief technology officer of Richard Fleischman & Associates, which provides technology services to hedge funds. “What they need to understand is that a public cloud solution cannot achieve the same amount of security that can be achieved in the private cloud.
The main reason is that the public cloud solution, quite often, really doesn’t pay as much attention to security, and also doesn’t carry as many security SLAs as the private cloud solution would.”
Hedge funds are typically agile, and require robust technology. Using the cloud, hedge funds can implement applications very fast with low capital expense, and it allows them to change applications quickly.
The challenges of securing data in the cloud are similar to the challenges with securing data within one’s own data center. “You’ve got to have good network controls,” said Bryan Doerr, CEO of Observable Networks. “You’ve got to have good security practice around how devices get on and off the network. From that perspective they are similar.”
Where they start to diverge is that the cloud now needs to be connected to your data center and also needs to be connected to the corporate network, so that end-users can access it. “It’s an example of the notion that a well-defined perimeter, with very specific and controlled access points, gets much more complicated with each new node that you introduce into that network,” said Doerr. “The dissolution of this well-defined perimeter persists as a problem.”
The Cloud Security Alliance (CSA), a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing, has launched a Software Defined Perimeter (SDP) initiative, which defines an architecture to create highly secure and trusted end-to-end networks between any IP addressable entities, allowing for systems that are highly resilient to network attacks.
SDP has many use cases, from incorporating BYOD mobile and new generations of devices into enterprise networks, to creating robust virtual private clouds. SDP incorporates security standards from organizations such as NIST and takes inspiration from classified networks implemented at organizations such as the U.S. Department of Defense.
SDP works to mitigate network-based attacks on Internet-accessible applications by eliminating connectivity to them until devices and users are authenticated and authorized, according to CSA. By making networks “black,” or invisible to devices by default, several types of network attacks are mitigated.
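The default-deny model the CSA describes, as an added example that is not part of the article or of the CSA's SDP specification: a toy controller and gateway in Python, where every packet to a protected service is silently dropped until the device and the user behind it have both been authenticated and authorized. The device inventory, secrets, users, services and the HMAC-based device tag are all constructed for this example; a real SDP deployment authenticates devices with certificates and single-packet authorization rather than this simplified tag.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed device inventory: device id -> shared secret. A real SDP
# deployment would use device certificates; a shared HMAC key keeps
# the example self-contained.
DEVICE_SECRETS = {
    "laptop-trader-01": b"constructed-secret-01",
    "laptop-analyst-07": b"constructed-secret-07",
}

# Constructed per-user entitlements: which protected services a user may reach.
USER_ENTITLEMENTS = {
    "alice": {"oms", "risk"},
    "bob": {"risk"},
}


def device_tag(device_id: str, ts: int, secret: bytes) -> str:
    """HMAC-SHA256 over device id and timestamp: proves the client holds the device secret."""
    return hmac.new(secret, f"{device_id}|{ts}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Controller:
    """Decides whether a (device, user) pair may reach a given service."""
    window: int = 30  # seconds; timestamps outside the window are treated as replay or skew

    def authorize(self, device_id, ts, tag, user, service, now=None):
        now = time.time() if now is None else now
        secret = DEVICE_SECRETS.get(device_id)
        if secret is None:
            return False, "unknown device"
        if abs(now - ts) > self.window:
            return False, "stale request"
        if not hmac.compare_digest(device_tag(device_id, ts, secret), tag):
            return False, "bad device tag"
        if service not in USER_ENTITLEMENTS.get(user, set()):
            return False, "user not entitled to service"
        return True, "ok"


@dataclass
class Gateway:
    """Fronts the protected services. Default deny: no authorized flow, no reply."""
    controller: Controller
    allowed: set = field(default_factory=set)  # (device_id, service) flows opened so far
    log: list = field(default_factory=list)    # dropped packets, for the defender's SIEM

    def handle(self, device_id, service, kind, **req):
        key = (device_id, service)
        if kind == "data":
            if key in self.allowed:
                return "FORWARD"
            self.log.append(f"DROP data {device_id}->{service}: no authorized flow")
            return "DROP"  # silently dropped: the service stays "black"
        if kind == "auth":
            ok, why = self.controller.authorize(
                device_id, req["ts"], req["tag"], req["user"], service, now=req.get("now"))
            if ok:
                self.allowed.add(key)
                return "OPEN"
            self.log.append(f"DROP auth {device_id}/{req['user']}->{service}: {why}")
            return "DROP"
        self.log.append(f"DROP unknown packet kind {kind!r} from {device_id}")
        return "DROP"


def demo(now: int = 1_700_000_000) -> dict:
    """Walk a few constructed flows through the gateway and return the verdicts."""
    gw = Gateway(Controller())
    good_tag = device_tag("laptop-trader-01", now, DEVICE_SECRETS["laptop-trader-01"])
    results = {
        # 1. Unsolicited data to a protected service: dropped, no response at all.
        "scan_before_auth": gw.handle("laptop-trader-01", "oms", "data"),
        # 2. A device not in the inventory: dropped whatever tag it presents.
        "unknown_device": gw.handle("laptop-x", "oms", "auth", ts=now, tag="00", user="alice", now=now),
        # 3. Known device, entitled user, fresh tag: the flow is opened, then data passes.
        "alice_oms_auth": gw.handle("laptop-trader-01", "oms", "auth", ts=now, tag=good_tag, user="alice", now=now),
        "alice_oms_data": gw.handle("laptop-trader-01", "oms", "data"),
        # 4. Same valid device, but a user who is not entitled to this service.
        "bob_oms_auth": gw.handle("laptop-trader-01", "oms", "auth", ts=now, tag=good_tag, user="bob", now=now),
        # 5. The valid tag presented again long after the window: treated as stale.
        "replayed_tag": gw.handle("laptop-trader-01", "risk", "auth", ts=now, tag=good_tag, user="alice", now=now + 600),
    }
    results["log"] = list(gw.log)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The point of the gateway's `data` branch is that a rejected packet produces no reply, so an unauthenticated scanner learns nothing about which services exist; the drop is logged on the defender's side instead, which is where detection of probing belongs.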
“When selecting a cloud provider, it’s very important for the hedge funds to understand, ‘How does this cloud provider achieve multi-tenancy? How is the data of different funds being segregated? How is the data on different clouds being protected?’” said Milis.
Consumer grade cloud services like cloud file-sharing services are popular because they’re inexpensive. However, they really do not provide the same level of security in data segregation that the private clouds provide, Milis said.
Cloud providers are getting better at introducing security capabilities. “Early versions of cloud infrastructure were less securable,” said Doerr. “The cloud provider, whoever it might be, may not have provided you with the latitude that you had in your own data center to deploy security approaches. Then you were stuck really with the security that the cloud provider enabled for you. As time has gone on, we’re getting better and better.”