This month, HFMTechnology explores one aspect of the fund’s security infrastructure – the passwords hedge funds use to manage access. Reporter Sean Creamer spoke to Hans Bleuel, president and chairman of the Alter-native Investment Technologists Executives Club; Eric Dynowski, CEO of Turing Group; Grigoriy Milis, Yohan Kim, and Michael Asher, chief technology officer, chief financial officer and chief information officer, respectively, at Richard Fleischman and Associates; and Hector Hoyos, founder and CEO of Hoyos Labs, on the issue.
What aspects of the hedge fund require password protection and why?
Hans Bleuel: Hedge fund end-users enter passwords hundreds of times a day. One of the challenges the industry is struggling with is how to make authentication trustworthy, yet user-friendly at the same time. Yet the authentication process can’t be overly burdensome to the user – otherwise, they end up writing the passwords down on paper, breaking the system! Biometric authentication is interesting, and starting to take hold in the marketplace with the fingerprint reader on the iPhone 5S, but some are still hesitant due to the fact that it is tied to a person’s physical imprint.
How do ﬁrms tier trust for varying processes? HB: Financial firms have escalating levels of trust when it comes to employees. For instance, all employees could have access to their own email account and folder on the file server. Traditionally, access to this level of information is granted by the user knowing only a username and password. Moving up a level to accounting data, the firm’s controller might have a separate password to the accounting system. Going up another level, the tax information might be pro-tected by RSA tokens and housed in a third party facility. And finally, when dealing with wire transfers and movement of cash, most firms rely upon a dual
person authentication model whereby one person sets up the wire and another confirms and authorises the movement of capital.
Most would say the first authentication level I mentioned, username and password, is just single-factor authentication. But in reality, the traditional model was two-factor authentication at the onset. Two factor authentication means “something you have” and “something you know”. The something you know is the username and password. The something you have is yourself…, when the user is sitting in front of their terminal, they are the known entity. When a fellow coworker walks by and sees Bob at his PC, it’s a day as normal. But if they see someone else at Bob’s PC, they question who that person is.
Fast forward to today’s world and the model is broken. We can’t see every user from the office hallways. We can remote into the network from multiple devices – smart-phones, tablets, laptops, Citrix and thin client, virtual desk-top. So the second factor of being able to see the employee in their office has been lost. We had to build a better model.
Two-factor tokens such as RSA and cell phone or SMS-based authentication “soft tokens” are methods which are widely accepted today for financial transaction authentication. They work well because the “something you have” is the RSA token which changes its password every 60 seconds, or a software based token which is pushed to the end user’s handheld device by way of a text message or application.
Eric Dynowski: A hedge fund is primarily protecting its intellectual property – ensuring that information does not get out and, in the event it did, making sure you can find the individual(s) responsible.
Protecting proprietary information ultimately comes down to a balance between convenience and security – and then maintaining that good behaviour all the way up the food chain. There is no amount of software that can eliminate the friction between security inconveniences and employees doing their job, and we often find employees try to find ways around security, regardless of whether they have malicious motives or not.
Hector Hoyos (HH): All aspects of a hedge fund are covered. The process of transferring money to settle a transaction or paying money back to clients requires log-ins and passwords. The whole fiduciary process that the funds have to comply with in returning money is something hedge funds want to protect, even from other members of the fund.
Clients may want data concerning returns of these funds, which are managing millions to billions of dollars with many clients. Password and log-ins do not stand up to the test when someone asks, “Who is responsible?” as the accused could claim that their terminal was accessed without their knowledge. When someone says that an outsider must have illegally accessed their terminal, it is hard to make a legal case against that. The immediate reaction is for someone to say that a hacker stole the password and got into the computer. It is extremely hard to prove that someone didn’t do that.
HoyosID eliminates the accountability for a trade, transfer of money or sett ling a trade. The transaction is linked to your identity, and you cannot unlink yourself from that identity.
Beyond needing a living and active face to log in, there is an audit trail in the form of a back-end system with a large repository of every transaction and the associated log-in, which is fused to the biometrics.
If I want to see how many transactions John Doe moved around, I will go and index my database search with biometrics of John Doe, and pull out each transaction – and Doe cannot tell me otherwise, because it involved biometrics.
Grigoriy Milis (GM): The log-in and password protection at hedge funds is necessary for access to internal resources so they remain safe. Typically all hedge funds operate in Microsoft active directory, so to access the data from inside, a malicious user would have to authenticate a log-in via user name and password to gain access to resources.
Every hedge fund uses some kind of remote access in or-der to access the internal network from home or the road and any user would have to use two-factor authentication to remotely access data directly over technology like Citrix.
Yohan Kim (YK): A problem we’ve seen is during the takeover of one technology provider by another. In these instances, we’ve seen credentials left around on thumb drives and poor password management.
A lot of people starting hedge funds come from large institutions and investment banks that had strict security protocols, such as complex password policies and limited access to non-business related websites. Before relaxing these policies, business decision makers should understand the reasons why they existed in the first place. If they understood the Value at Risk, they may reconsider decisions to ease security policies for the sake of user convenience.
How do hedge funds usually manage security infrastructure?
HB: There are three primary schools of thought to security management in the alternative investment space.
The first is the smaller hedge funds, typically younger, under a billion AUM. They tend to leverage the cloud and outsource their technology to providers like ECI, RFA, Gravitas, Chelsea, Edge, Agio, Abacus, etc. They want to be nimble, not restricted by complex security policies. The IT Integrators bring recommendations to the table, but they cannot force their clients to comply with security best practices if they don’t want to.
The second camp is the hedge funds that have been in business a few years and have seen the risks associated with running technology this way. They may still outsource IT, but they work with their IT Integrator as a partner, not a vendor. As such, these technology environments are
typically robust and well protected with two-factor authentication on external points.
And finally, the larger firms have in-house IT staff . These technologists are working diligently to keep abreast of the latest methods of protection. They’re adapting to stay ahead of the malware and hacktivists. Put-ting technologies in place that will protect the environment with sophisticated partitioning of data, audit trails and forensics that help them to understand how data is being manipulated and how they can best protect it. They stay connected through groups like AITEC, where we provide a platform to share ideas, best practices, and to warn each other about threats in realtime.
ED: Every computer requires a password to log on, and, from there, all of the custom applications also require passwords – even down to cell phones and mobile devices.
Some applications allow users to save pass-words. For critical applications like trading platforms, data analytics, back-office systems, and saved passwords should not be allowed. In many cases, those critical applications also require multi-factor authentication.
HH: We have back-end software that is installed on-site at our clients’ data centre, secured by a firewall. The servers have intrusion detection and fi t on the Linux server for the back-end, which is all that they need. The parameters are set by a system admin. The system admin is bio-enrolled and tied to two other admins. There is an admin dashboard that enables them to settle parameters for information and data flow from the people utilizing the app. This is managed in-house.
YK: Firms need to be able to satisfy the conditions put forward to them in due diligence questionnaires (DDQs) from investors and auditing fi rms.
GM: When we do DDQs, there are significant portions al-located to IT sections. Three to four years ago we had five to ten questions about IT; now we are seeing 150 or 200 questions pertaining to technology, which mirrors the operation-al and trading sides of the business.
What types of security functionality (traditional log-ins and passwords, bio recognition, RSA to-kens) are popular today?
HB: AITEC recently collaborated with the security firm Bromium, which creates micro-virtualisation software for web browsers. What Bromium does is it isolates each web browsing session in a secure silo on the user’s computer. The website being accessed, and any malicious code running on that website, never has access back to the network, local drive, shared drive or even C-drives. As such, anything that tries to run and infect the machine cannot. When the user closes the browser, everything is destroyed.
ED: From a process perspective, hedge funds need to assign good controls – so be able to definitively say who is assigning permissions and to whom, for example. Clearly defining roles creates an audit trail that can be used in monthly or quarterly reviews. These reviews help identify whether an employee left and IT wasn’t properly notified or if those with certain access
actually need it to perform job functions.
HH: Some have a username and password with protocol to reset passwords every so oft en. Some funds do this once a month; others every couple of months.
Hedge funds will have a log-in and password coupled with an RSA token. You receive an SMS message to your phone with a pin that you need to enter in. The majority of them are username- and password-based with a simple protocol to reset the password.
HoyosID doesn’t have a username, password or token. Many features that are built in – liveness detection, biometrics detection and intrusion detection – are included to soothe worries of people in the financial space.
The app and server detect anomalous behaviour in case someone is trying to invade the system. If someone tries three or four times to enter the device, it will lead to the locking of a device. An instance of this could be if someone steals the phone and wipes it free to enroll his or herself in HoyosID.
If you are the perpetrator who stole the phone and wiped it and then tried to enter into the system, it only gives authority figures the face of the perpetrator. Once the phone is wiped and the app is reloaded, the server that the app is connected to will see that the app was deleted.
The app is protected by Elliptic Curve Encryption, which is a 384-bit encryption on the NSA level. A hacker needs a super computer and a few weeks to hack a single device. Even if you hack, you only hack the single device and the biometric data of the victim. Nothing else is stored on the device.
What are hedge funds protecting themselves against?
HB: The mindset of the technology industry used to be “trust everything” then write antivirus signatures which will identify the bad stuff . This is starting to change as the status quo is becoming to trust nothing except specific c URLs and applications based on a whitelist. Then security experts will scan and analyse new websites, portals or applications to verify they’re safe before use.
ED: In hedge funds, it is about preventing and controlling the exposure and leakage of data outside the fi rm. Funds are protective of their strategies and algorithms, in addition to sales pitches, client lists and everything else. IT security is about going through extra measures to protect that in-formation from leaking out – whether accidentally or intentionally.
HH: The interesting thing is that in financial technology, the majority of events where criminal activity is involved come from within the organisation. HoyosID protects against corporate espionage and hackers who are trying to access the phones to gain entry into sensitive systems.
GM: Hedge funds are much more security-oriented and aware now due to threats from within in
addition to external factors.
A major threat is data theft . Hedge funds possess proprietary intellectual property and having that stolen is detrimental to the firm, hurting operations and reputations. Hedge funds will employ data encryption, data leak prevention solutions, and intrusion detection systems to alert when there is unusual traffic in or out of the network.
What vendors are in this space and which vendors and do many hedge funds make use of them?
ED: Two common security vendors are Symantec and Websense. Other programmes and applications can be either home-grown or custom design.
HH: RSA Securities and Technologies sell their products to the financial tech industry. But the issue is that RSA was hacked back in 2011. Lockheed [Martin] had 100,000 tokens for military technologists, and the RSA token also was broken into, and that is the same token used today. It is not a matter of being hacked again. It has been done; the seed core was compromised. Some say that tokens can be made more effective, but they cannot be. There are a series of solutions out there, but they are not necessarily geared toward hedge funds.
What would the ideal security solution be for a fund? What is blocking the industry from attaining that level of security?
ED: People are always the largest threat to a secure infrastructure – specifically, people who decide that they don’t need to abide by the policies and procedures IT sets to protect the firm. This could be a principal at the firm who wants IT to relax its security protocols – or even lower-level employees that use USB devices to transfer files, instead of secure email.
There is always a balance between security and usability. Security adds additional friction in the ability to get the work done – whether it’s the seconds to type a password or the extra time to double factor authenticate. As you move up the food chain, the tolerance for that level of friction goes down. It does not matter how good a fund’s software or systems are if it doesn’t use them.
HH: The ideal solution is one that costs as little money as possible. It is not that companies have not invested in security. They invest millions but find themselves in the same place with no additional security.
Funds don’t know what to make of the industry as many people have promised different realities for security, but the true reality for hedge funds is that they go back to the username and password.
How much do ﬁrms usually allocate to security, and how much should funds expect to allocate? HB: 5% to 10% of the IT budget feels about right for to-day’s environments. The industry as a whole needs service, not just software and hardware. It used to be closer to 1% of IT budgets allocated to antivirus and intrusion detection, but now you need to ensure you have the right
people behind the technology. It’s an operating expense, not just a capital expense.
ED: Security is not a cheap process, and should always be incorporated from the ground up – at every level of IT infra-structure. But, instead of thinking about this as one figure, think about it as insurance on a fund’s intellectual property. Without adequate security, that information is not protected.
HH: We don’t charge for the software and technology. We charge for the training of staff, which is $2,500 a day to have one or two professionals on site and have the offering up and running in two weeks.
GM: Depending on the functionality of the solution and the size of the protected network, projects can range anywhere between $25,000 and $250,000 and up.
Michael Asher (MA): We utilise our strategic expertise in the financial sector to make customised recommendations to our clients, since there is no one-size-fits-all solution to security. Depending on the firm’s business model, network infrastructure and overall strategy, RFA would design the appropriate solution.
Have hedge funds relaxed or bolstered any facet of security due to any current events?
HB: There has been a flurry of events over the past two to three years that has led to increased security. One of the most well-known is the RSA hack. When they got hacked, they were vocal about how it happened, and helped others to understand how they could prevent the same from happening to their firms. I give RSA a lot of credit for that. It’s not easy to show your weaknesses.
ED: Changing events should always change how IT leaders look at security. There is also always a concern that some-one may find a way to put a Trojan horse on a partner’s computer that would skim email. From there, the information could be used in a number of ways – including releasing the information to the public.
HH: Hedge funds are being more stringent where log-ins and passwords are used to gain access to a system. We can ping in real-time the user’s identity and tie it to set of rules that are stored in the back-end server. Once the trade hits X dollars per trade or cumulative number, you want to ping identities of traders. This enables much more transactional-based security than they ever had. It’s effectively the same thing as having a supervisor stand over you while you do your work.
MA: The SEC issues an annual list of National Exam Pro-gram (NEP) priorities. For 2014, they have identified technology as one of the “most significant initiatives across the entire NEP”. This demonstrates that even smaller financial firms that have traditionally been exempt need to take the security and high-availability of their networks very seriously.
Are hedge funds appropriately protected from intruders?
HB: Most security experts will tell you that it’s now a matter of when, not if, you will be compromised. As such, these firms are constantly researching how to contain and control an attack. If someone is trying to do a distributed denial of service (DDoS) attack, we can shut it down, but we can-not prevent it from starting in the first place.
The hackers are constantly building and improving in the same way we look to build and improve our own firms. They are sharing knowledge with one another in real-time, building upon each other’s code and even making toolkits which can be used to exploit common operating systems and applications. The business of technology hacking is a big business, and growing every day.