By Grigoriy Milis, CTO, RFA
The 2014 release of the SEC’s OCIE Cybersecurity Initiative meant that hedge funds could no longer delay putting proper network security precautions in place. Forced to take a serious look at the value at risk (VAR) of the data with which they had been entrusted, firms scrambled to come up with plans that addressed the need for compliance while considering the realities of budgetary planning. Analysts anticipate updates to the Cybersecurity Initiative guidelines in 2015 that will require further strengthening of the networks used by hedge funds. Tough penalties for noncompliance may also be on the horizon, so firms must be prepared to assess their exposure or deal with the burden of fines. One of the key elements that will need to be addressed in 2015 will be the expanding boundaries of information networks. Once relegated to on-site technology, infrastructure and applications are increasingly provided by cloud services and are accessed by users around the globe.
Security for mobile workers
For many professionals, mobile access to corporate data has become an everyday part of conducting business. The methods used to achieve this goal can become a security nightmare for technologists dedicated to protecting their firms’ assets. Consumer file-sharing solutions employ a shared cloud for storing data, and many users resort to emailing sensitive corporate documents back and forth between personal and business accounts. This poses an increased threat to information security, since sensitive data may be saved locally to an improperly secured mobile device that can easily be lost or stolen. Beyond simply viewing files, remote workers have begun to expect collaboration tools that will allow them to have application-level control over documents, effectively working while outside the office. It is vital to keep corporate files safe behind the firm’s network security configuration. Enterprise solutions allow data and applications stored on corporate servers to be collaborated on from a variety of platforms, including smartphones and tablets. This technology contains virtualized interfaces that mimic the functionality of office programs, so users can edit and revise documents while data remains protected at the corporate server level.
Auditing data access
Expanded access to data means firms must keep a strict watch on who is employing this access. A formal process may exist to review the user permissions surrounding corporate data sets, but it is increasingly important to review and analyze this data regularly. With the addition of mobile access, administrators will need the tools to see where users are accessing data, in terms of both geography and platform. External links provided by file-sharing services provide a simple way for administrators to track when authorized third parties access corporate assets, above and beyond the tools used to track email traffic. Regularly scheduled file access reporting and auditing will make certain that the correct users have server permissions. These tools will also help firms determine who is using files and the ways in which they are interacting with these files.
The demand for data encryption will expand as companies of all sizes seek to keep their most sensitive data safe from breaches. Hedge funds are entrusted with the personally identifying data of their clients and must take appropriate steps to secure that information. With tougher penalties associated with exposure of client information on the horizon, firms will need to examine the steps they must take to protect this data from attack. A method that will be increasingly adapted by SMBs is data encryption at the file, drive, and server levels. The use of console-based encryption tools enables network administrators to create rules surrounding data sets, applying an additional set of password rules to sensitive data. Not only can data encryption techniques be applied to data residing on corporate severs, but they can also be used to lock down assets that are transmitted outside the network, both intentionally and unintentionally. Users who lack the appropriate authorization will be unable to access encrypted information, rendering it useless if a breach occurs.
Multi-factor authentication for cloud applications
The exponential growth of cloud applications and infrastructure has changed the way firms deliver technology to their end users. With this increase in the use of off-site technology comes the need to increase secure access to these resources, which have traditionally been protected simply by a user ID and password. Firms must consider the client data contained in a service such as Salesforce.com and the damage that could be done should a user’s password fall into the wrong hands. Multi-factor authentication has long been used to provide secure access for remote workers using the firm’s own infrastructure, and it can now be applied to third-party cloud applications. Multi-factor authentication combines standard password protection with a token issued by the firm’s network administrator. Tokens can now take the form of a virtual smartphone app; they are no longer restricted to physical key fobs that can be misplaced. The ever-changing, randomized codes generated by tokens enhance the security of more static user passwords, and they are a familiar sight for network administrators. This additional layer of security will help protect confidential assets stored outside the firm’s network.
Going into 2015, firms will need to properly secure the entirety of their corporate data, whether it resides on-site or in the cloud. With the right tools, network administrators can help make sure that information remains secure while continuing to employ off-site technology.
Focus on Data Security Shapes 2015 Hedge Fund Tech Trends (Wall Street and Technology, November 18, 2014)