
Cloud Security for Regulated Firms - Securing my cloud and proving it


Page 1: Cloud Security for Regulated Firms - Securing my cloud and proving it

変通 [hen-tsoo] noun
1. Resourcefulness – the quality of being able to cope with a difficult situation
2. Adaptability – the ability to change (or be changed) to fit changed circumstances
3. Agility – the power of moving quickly and easily; nimbleness

CLOUD SECURITY FOR REGULATED FIRMS
Securing my cloud and proving it

Page 2

3 May 2023 COPYRIGHT © 2016 HENTSŪ

WELCOME TO HENTSŪ

Page 3

AGENDA
• Why cloud?
• Hedge Fund Cloud usage update
• How secure is secure enough?
• Cloud security - Your responsibilities
• Security Monitoring & enforcement
• Infrastructure as code
• Wrap up
• Drinks

Page 4

WHAT IS PUBLIC CLOUD?
“A service provider makes resources, such as virtual machines, applications and storage, available to the general public.”
• Utility model
• No contracts
• Shared hardware / multi tenant
• Self managed

Page 5

WHAT IS PUBLIC CLOUD?
• Software as a Service
  • Office 365
• Platform as a Service
  • AWS RDS, S3
  • Azure SQL Database
• Infrastructure as a Service
  • Virtual Machines
  • Virtual Disks
  • Virtual Networks

Page 6

WHY CLOUD?
• Scalability
• Business Agility
• Cost
• Capex to Opex
• Innovation
• Competitive Advantage
• Cloud APIs
• Mobility

Page 7

CLOUD CONCERNS
• Security
• Regulatory/Compliance
• Lock-in
• Privacy
• Reliability
• Network bandwidth
• Interoperability
• Complexity

Page 8

YOUR PUBLIC CLOUD USAGE?
Where are you today?
• On Premises - Bare Metal
• On Premises - Virtualised
• Hybrid
• All in Public Cloud

Page 9

CLOUD USAGE BY HEDGE FUNDS
HFM TECHNOLOGY SURVEY FEBRUARY 2016

83% of respondents plan to increase their cloud usage in 2016 - HFM Technology survey February 2016

“all firms will be leveraging cloud to some extent” in the future - Mike Powell, Thomson Reuters managing director of enterprise

https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends

Page 10

CLOUD USAGE BY HEDGE FUNDS
43% of managers said they did not want to place potentially sensitive information in the public cloud.

- HFM Technology survey February 2016

This attitude was one of the reasons four out of 10 participants used private cloud only.

https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends

Page 11

CLOUD USAGE BY HEDGE FUNDS
If using public cloud, what business functions do you run?

https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends

Page 12

CLOUD USAGE BY HEDGE FUNDS
What concerns do you have about using the cloud generally?

https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends

Page 13

CLOUD USAGE BY HEDGE FUNDS
For new firms especially, “cloud technology allows them the ability to avoid making large capital outlays on servers that may not be fully utilised,” argues Iain Buchanan, CTO of Piquant Technologies. A sub-$500m quant fund launched in 2013, Piquant runs all its technology requirements through the cloud. It has no physical servers, using exclusively cloud services.

https://hfm.global/hfmtechnology/analysis/hybrid-solutions-tipped-as-more-managers-embrace-the-cloud/

Page 14

WE’VE BEEN HERE BEFORE?

Page 15

WE’VE BEEN HERE BEFORE?

How to cure NEPHOPHOBIA

(fear of clouds)

Page 16

HOW SECURE IS SECURE ENOUGH?
REGULATORY REQUIREMENTS & INDUSTRY STANDARDS

Page 17

WHAT ARE THE REQUIREMENTS?
The following Cloud Computing guidance is available:
• United Kingdom
  • Financial Conduct Authority (FCA)
• United States
  • Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE)

https://en.wikipedia.org/wiki/List_of_financial_regulatory_authorities_by_country

Page 18

WHAT DOES THE FCA SAY?

https://www.fca.org.uk/static/fca/article-type/news/fg16-5.pdf

“We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules.”

“We have successfully supported both new and existing firms to use cloud and other IT service solutions in a compliant manner.”

Page 19

WHAT DOES THE FCA SAY?
• Risk Management
  • identify current industry good practice, including data and information security management system requirements
• International standards
  • In conducting its due diligence on potential third-party providers, and as part of ongoing monitoring of service provision, a firm may wish to take account of the provider’s adherence to international standards as relevant to the provision of IT services.
• Data security
  • Firms should carry out a security risk assessment
  • have a data residency policy that sets out where data can be stored

“Regulated firms retain full responsibility and accountability for discharging all of their regulatory responsibilities.” “Firms cannot delegate any part of this responsibility to a third party.”

https://www.fca.org.uk/static/fca/article-type/news/fg16-5.pdf

Page 20

SHARED RESPONSIBILITY
CLOUD SERVICES PROVIDER
Responsible for security ‘of’ the cloud

CUSTOMER
Responsible for security ‘in’ the cloud

Page 21

SHARED RESPONSIBILITY
CLOUD SERVICES PROVIDER
• Facility operations
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualisation Infrastructure
• Hardware lifecycle management

CUSTOMER
• Identity management
• Security Groups (firewalls)
• Network Access Control Lists
• Choice of guest OS
• Application Configuration Options
• Account Management flexibility

Page 22

INFORMATION SECURITY MANAGEMENT
THE HANDLING AND SAFEGUARDING OF INFORMATION

Page 23

INDUSTRY STANDARDS - ISO 27001
“an auditable, international, information security management standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that formally defines requirements for a complete ISMS to help protect and secure an organization’s data”

Requirements
“User access is centrally managed using appropriate solution”

Controls
“AWS Identity and Access Management (IAM) reuses Active Directory identities and groups via AD federation services.”

http://www.iso.org/iso/iso27001

Page 24

INDUSTRY STANDARDS - ISO 27001
• Management direction for information security
• Responsibility for assets
• Information classification
• Business requirements of access control
• User access management
• User responsibilities
• System and application access control
• Cryptographic controls
• Operational procedures and responsibilities
• Protection from malware
• Backup
• Logging and monitoring
• Control of operational software
• Technical vulnerability management
• Information systems audit considerations
• Network security management
• Information transfer
• Security in development and support processes
• Test data
• Information security in supplier relationships
• Management of information security incidents and improvements
• Information security reviews

http://www.iso.org/iso/iso27001

Page 25

DATA CLASSIFICATION AND CONTROLS

| | Restricted | Confidential | Public |
|---|---|---|---|
| Data examples | Strategy source code; Restricted documents; Cleaned tickdata | Back office app source code; Logs and monitoring data; Vendor data; Company confidential data | 3rd party software binaries; IT automation scripts; Public website content |
| Access | Access controlled to authorised users & intended audience; Protection from System Admin access; Access logged; Access approved by Information Owner | Access controlled to authorised users & intended audience; Access logged; Access approved by information owner | No specific requirements |
| Transmission | Encrypted in transit | Encrypted in transit | No specific requirements |
| Storage | Encrypted storage; Data resident in UK | Encrypted storage; Data resident in UK | No specific requirements |
| Disposal | Secure erase | Secure erase | No specific requirements |
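As an added illustration (not material from the deck), the control requirements in the table above written as a check over constructed resource descriptions; the region list, the attribute names and the sample resources are assumptions:

```python
from dataclasses import dataclass

# Controls each classification must satisfy, taken from the table above.
REQUIRED_CONTROLS = {
    "restricted": {"encrypted_in_transit", "encrypted_at_rest", "uk_resident",
                   "access_logged", "owner_approved", "admin_access_blocked"},
    "confidential": {"encrypted_in_transit", "encrypted_at_rest", "uk_resident",
                     "access_logged", "owner_approved"},
    "public": set(),  # "No specific requirements"
}

# Assumption: AWS London and Azure UK South/West count as "Data resident in UK".
UK_REGIONS = {"eu-west-2", "uksouth", "ukwest"}

@dataclass
class Resource:
    """Constructed description of a bucket or disk, not real account output."""
    name: str
    classification: str
    region: str
    encrypted_at_rest: bool
    tls_only: bool              # transport policy rejects unencrypted connections
    access_logging: bool
    owner_approval_recorded: bool
    admin_access_blocked: bool  # e.g. customer-held key keeps platform admins out

def controls_in_place(r):
    """Map the resource's settings onto the control names used in the table."""
    flags = {"encrypted_in_transit": r.tls_only,
             "encrypted_at_rest": r.encrypted_at_rest,
             "uk_resident": r.region in UK_REGIONS,
             "access_logged": r.access_logging,
             "owner_approved": r.owner_approval_recorded,
             "admin_access_blocked": r.admin_access_blocked}
    return {name for name, present in flags.items() if present}

def control_gaps(r):
    """Controls the classification requires but the resource does not have."""
    required = REQUIRED_CONTROLS.get(r.classification.lower())
    if required is None:
        raise ValueError(f"{r.name}: unknown classification {r.classification!r}")
    return sorted(required - controls_in_place(r))

# Constructed sample resources matching rows of the table.
TICKDATA = Resource("cleaned-tickdata", "Restricted", "us-east-1",
                    encrypted_at_rest=False, tls_only=True, access_logging=True,
                    owner_approval_recorded=True, admin_access_blocked=False)
WEBSITE = Resource("public-website", "Public", "us-east-1", False, False,
                   False, False, False)
```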

Page 26

ACCESS CONTROL
Who needs access to what?
• Use the same procedures for on premises as cloud
• Joiners and leavers processes
• Single sign on
• Multifactor authentication (but what about scripts/scheduled tasks?)
• Least privilege
• Separation of roles and responsibilities
• Time based access (Just In Time Access, temporary access, escalate, drop back)

Page 27

DATA TRANSMISSION
• Encrypt data in transit (traversing 3rd party networks / public internet)
• Virtual Private Network (VPN)
• Use encrypted protocols HTTPS, SFTP, SMB 3.0

Page 28

DATA STORAGE
• AWS Elastic Block Storage - server side encryption for virtual disks
  • Data volumes and also boot volumes (since Dec 2015)
• AWS Simple Storage Service (S3) - server side encryption for objects
• Azure client side disk encryption - BitLocker (Windows), DM-crypt (Linux)
• Azure server side encryption in preview, GA due August/September 2016

Page 29

CLOUD SECURITY EDUCATION

http://jklossner.com

Page 30

SECURITY MONITORING AND ENFORCEMENT
CLOUD SECURITY TOOLS ARE REALLY VERY GOOD…

Page 31

AWS TRUSTED ADVISOR
• Security Groups - Specific Ports Unrestricted
• Security Groups - Unrestricted Access
• IAM Use
• Amazon S3 Bucket Permissions
• MFA on Root Account
• IAM Password Policy
• Amazon RDS Security Group Access Risk
• AWS CloudTrail Logging
• Amazon Route 53 MX and SPF Resource Record Sets
• ELB Listener Security
• ELB Security Groups
• CloudFront Custom SSL Certificates in the IAM Certificate Store
• CloudFront SSL Certificate on the Origin Server
• IAM Access Key Rotation
• Exposed Access Keys

https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices/

Page 32

AWS CLOUDTRAIL
Audit Trail for every use of AWS API
• The identity of the API caller.
• The time of the API call.
• The source IP address of the API caller.
• The request parameters.
• The response elements returned by the AWS service

Extendable for Event Notifications and Analytics (CloudWatch, Splunk, SumoLogic, LogEntries, Datadog, LogicMonitor, Open Source)
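An added example, not from the deck or from AWS: the CloudTrail fields listed above (caller identity, time, source IP, request parameters) used to run two of the Trusted Advisor checks from page 31, "Specific Ports Unrestricted" and "MFA on Root Account", as detection logic over constructed records; the sensitive-port list and all record values are assumptions.

```python
import json

# Constructed CloudTrail-style records (field names as CloudTrail emits them, values made up).
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2016-05-03T18:02:11Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "ops-script"},
  "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
   {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
    "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
  "responseElements": {"_return": true}},
 {"eventTime": "2016-05-03T18:05:40Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root",
   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
  "requestParameters": {"userName": "svc-deploy"}, "responseElements": null}
]}"""

# Assumption: admin and database ports that should never face the internet.
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432}

def unrestricted_ingress(rec):
    """Trusted Advisor style check: a sensitive port opened to 0.0.0.0/0."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = rec["requestParameters"]
    for perm in params["ipPermissions"]["items"]:
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)  # absent = all
        cidrs = {r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])}
        if "0.0.0.0/0" in cidrs and SENSITIVE_PORTS & set(range(lo, hi + 1)):
            return f"{params['groupId']} opened ports {lo}-{hi} to 0.0.0.0/0"
    return None

def root_without_mfa(rec):
    """Root credentials used for an API call without an MFA-backed session."""
    ident = rec.get("userIdentity", {})
    if ident.get("type") != "Root":
        return None
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    if attrs.get("mfaAuthenticated") != "true":
        return f"root called {rec['eventName']} without MFA"
    return None

def findings(log_text):
    """Run every check over each record; keep when, from where and what."""
    out = []
    for rec in json.loads(log_text)["Records"]:
        for check in (unrestricted_ingress, root_without_mfa):
            msg = check(rec)
            if msg:
                out.append((rec["eventTime"], rec["sourceIPAddress"], msg))
    return out
```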

Page 33

INFRASTRUCTURE AS CODE
DEFINE AND ENFORCE CONFIGURATION

Page 34

OCTOBER EVENT
Grid computing breakfast briefing

Wednesday 26th October