By Grigoriy Milis, CTO, RFA
2014 was the year of cybersecurity in the hedge fund industry. The release of the SEC’s OCIE Cybersecurity Initiative meant that firms could no longer view proper network security precautions as optional. Firms were forced to take a hard look at the value at risk (VaR) of the data with which they had been entrusted and come up with plans that balanced the need for compliance with the realities of budgetary planning.
Analysts predict an update to the guidelines detailed in the Cybersecurity Initiative to address further strengthening the networks used by hedge funds, meaning new processes and technologies. Tough penalties for non-compliance may also be on the horizon, so firms must be prepared to assess their exposure or deal with the burden of fines. But financial investment in security has not been the only challenge in the wake of the initiative. Many professionals are struggling to find a balance between the ease of employee access to information and the security of the data contained on their firms’ networks. It is this balancing act that will define the technology trends we can expect to see in 2015.
Multi-Factor Authentication for SaaS
A key element in enhancing security is multi-factor authentication for network access, not just for remote access to on-premises technology, but also for cloud applications. Multi-factor authentication combines standard password protection with a token issued by the firm’s network administrator. Tokens can now take the form of a virtual smartphone app and are therefore no longer restricted to physical key fobs that can be misplaced. The ever-changing, randomized codes generated by tokens enhance the security of more-static user log-on passwords, and are a familiar sight for network administrators. With the increased reliance on cloud applications and infrastructure, firms must assess the need to increase secure access to these resources. Consider the client data contained in a service such as Salesforce.com and the damage that could be done should a user’s password fall into the wrong hands. Layered security such as multi-factor authentication is an answer to these concerns.
The demand for data encryption will expand as companies of all sizes seek to keep their most sensitive data safe from breaches. Hedge funds are entrusted with the personally identifying data of their clients and must take appropriate steps to secure that information. With tougher penalties associated with exposure of client information on the horizon, firms will need to examine the steps they must take to protect this data from attack. A method that will be increasingly adopted by SMBs is data encryption at the file, drive and server levels. The use of console-based encryption tools enables network administrators to create rules surrounding data sets, applying an additional set of password rules to sensitive data. Users who lack the appropriate authorization will be unable to access encrypted information, rendering it useless if a breach occurs.
New Mobility Requirements
The need to enable employees to work on corporate files from their mobile devices shows no signs of diminishing, but these solutions must keep corporate assets secure on these platforms. Remote workflow optimization continuously tests security precautions, but employees demand solutions that allow them to remain productive. Mobile devices will continue to be used as tools to access files and, in addition, mobile workers have begun to expect collaboration tools that will allow them not just to view files, but to work on them. The security challenge increases in companies that have bring your own device (BYOD) policies that may lead to situations where sensitive corporate assets are saved to personal mobile devices.
Consumer file sharing solutions lack the controls necessary to ensure data security since files are saved on a shared cloud resource. Many users will resort to emailing sensitive corporate documents back and forth between personal and business accounts, posing a threat to network security. It is vital to keep corporate files safe behind the firm’s network security configuration, and enterprise solutions exist that allow data and applications stored on corporate servers to be collaborated on from a variety of platforms, including smartphones and tablets. This technology contains virtualized interfaces that mimic the functionality of office programs, empowering users to edit and revise documents while maintaining security settings at the corporate server level and never allowing files to be saved locally on mobile devices.
Data Access Auditing
Mobile data access must be paired with thorough reporting and analysis on data access. It is likely that a process is in place to review the user permissions surrounding corporate datasets to ensure the correct employees have access to sensitive data. With the addition of mobile access, administrators will need the tools to see where users are accessing data, both in terms of geography and platform. Regularly scheduled file access reporting and auditing will not only make certain that employees have the correct server permissions, but will also play a role in detecting improper file sharing.
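The review described above can be sketched as a scheduled report. The following is an added example, not part of the original article: the log format, user names, share paths and the `APPROVED` permission map are all constructed assumptions, and the earlier log entries serve as each user's baseline of known countries and platforms.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: time, user, share, country, platform
ACCESS_LOG = """\
2015-01-05T09:12:00,asmith,/funds/investors,US,windows-desktop
2015-01-06T10:02:00,asmith,/funds/investors,US,ios-tablet
2015-01-06T11:30:00,bjones,/ops/trades,US,windows-desktop
2015-01-12T03:44:00,asmith,/funds/investors,RO,android-phone
2015-01-12T14:05:00,bjones,/funds/investors,US,windows-desktop
2015-01-13T08:20:00,asmith,/funds/investors,US,ios-tablet
"""

# Hypothetical result of the permission review: share -> users approved for it
APPROVED = {"/funds/investors": {"asmith"}, "/ops/trades": {"bjones"}}

def audit(log_text, approved, review_start):
    """Return (time, user, share, reasons) for events on or after review_start.

    Events before review_start only build each user's history of countries
    and platforms; a user with no history has every first access flagged.
    """
    seen_country = defaultdict(set)
    seen_platform = defaultdict(set)
    findings = []
    # ISO 8601 timestamps in one timezone sort chronologically as strings
    rows = sorted(csv.reader(io.StringIO(log_text)))
    for ts, user, share, country, platform in rows:
        if ts >= review_start:
            reasons = []
            if user not in approved.get(share, set()):
                reasons.append("not approved for share")
            if country not in seen_country[user]:
                reasons.append("new country " + country)
            if platform not in seen_platform[user]:
                reasons.append("new platform " + platform)
            if reasons:
                findings.append((ts, user, share, reasons))
        # every event, flagged or not, becomes part of the user's history
        seen_country[user].add(country)
        seen_platform[user].add(platform)
    return findings

if __name__ == "__main__":
    for finding in audit(ACCESS_LOG, APPROVED, "2015-01-12"):
        print(finding)
```

Findings from a report like this are prompts for review rather than proof of misuse: a new country may simply be business travel, which is why the permission check and the location and platform checks are reported together.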
Every firm’s approach to security will be unique, and successful implementations will be the result of assessing employee needs, evaluating VaR and making optimal use of budget. With proper configuration and diligent administration, networks can strike a balance between security best practices to protect the firm and collaboration tools that increase productivity.
Originally Appeared in TabbFORUM, November 21, 2014