The security of cloud services is being discussed more and more, particularly as investment management firms are drawn to the benefits these services offer (efficiency, scalability and cost savings). At the heart of cloud security is an architectural approach called multi-tenancy, which allows one or more infrastructures, databases or applications to be shared across many customers.
For Infrastructure as a Service (IaaS) offerings, multi-tenancy means customers control processing power, networking components, the operating system, storage and deployed applications, but not the underlying physical infrastructure. In the Software as a Service (SaaS) model, customers share all or part of an application but control neither the underlying platform nor the infrastructure. Both approaches can deliver security on par with in-house services, but they also introduce new challenges for IT around data management and security, particularly from an end-user perspective.
When an application is licensed and resides in-house, IT can have complete control over user access and data security. However, as companies gravitate towards SaaS products such as Salesforce.com, IT no longer controls the application, which makes it difficult to control user access and protect the data. In many cases these applications are controlled at the business unit level rather than centrally by IT, which adds a new level of complexity to security and policy management.
When evaluating a SaaS offering, it is critical that firms ask potential service providers tough questions, but it is equally important to have strict internal policies around application use and access. Here are some external and internal questions to ask:
Questions on the Service Provider’s Practices
- What are your backup and retention procedures? How long is data retained?
- What is your disaster recovery strategy and how frequently is it tested?
- What security standards are used to ensure data and application integrity?
- Is data encrypted at rest as well as in transit?
- How are support requests handled, and what is the expected response time?
- Have you ever experienced a security breach? If so, how was it resolved, and what safeguards were implemented to prevent a repeat?
- Is your service SAS 70 compliant?
Questions on Internal Practices
- When an employee leaves, what is the process for revoking access to applications so that data cannot be downloaded?
- How do we prevent employees from sharing login credentials with unauthorized employees?
- How do we define and enforce user roles to control access levels?
- Who has the authority to add new users?
- How often will employees be required to reset passwords? Are there password complexity requirements?