変通 [hen-tsoo] (noun)
1. Resourcefulness: the quality of being able to cope with a difficult situation
2. Adaptability: the ability to change (or be changed) to fit changed circumstances
3. Agility: the power of moving quickly and easily; nimbleness
CLOUD SECURITY FOR REGULATED FIRMS
Securing my cloud and proving it
3 May 2023 COPYRIGHT © 2016 HENTSŪ
WELCOME TO HENTSŪ
AGENDA
• Why cloud?
• Hedge fund cloud usage update
• How secure is secure enough?
• Cloud security: your responsibilities
• Security monitoring & enforcement
• Infrastructure as code
• Wrap up
• Drinks
WHAT IS PUBLIC CLOUD?
“A service provider makes resources, such as virtual machines, applications and storage, available to the general public.”
• Utility model
• No contracts
• Shared hardware / multi-tenant
• Self managed
WHAT IS PUBLIC CLOUD
• Software as a Service
  • Office 365
• Platform as a Service
  • AWS RDS, S3
  • Azure SQL Database
• Infrastructure as a Service
  • Virtual machines
  • Virtual disks
  • Virtual networks
WHY CLOUD?
• Scalability
• Business agility
• Cost: capex to opex
• Innovation
• Competitive advantage
• Cloud APIs
• Mobility
CLOUD CONCERNS
• Security
• Regulatory/compliance
• Lock-in
• Privacy
• Reliability
• Network bandwidth
• Interoperability
• Complexity
YOUR PUBLIC CLOUD USAGE?
Where are you today?
• On premises, bare metal
• On premises, virtualised
• Hybrid
• All in public cloud
CLOUD USAGE BY HEDGE FUNDS
HFM TECHNOLOGY SURVEY FEBRUARY 2016
83% of respondents plan to increase their cloud usage in 2016 - HFM Technology survey February 2016
“all firms will be leveraging cloud to some extent” in the future - Thomson Reuters managing director of enterprise Mike Powell
https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends
CLOUD USAGE BY HEDGE FUNDS
43% of managers said they did not want to place potentially sensitive information in the public cloud. - HFM Technology survey February 2016
This attitude was one of the reasons four out of 10 participants used private cloud only.
https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends
CLOUD USAGE BY HEDGE FUNDS
If using public cloud, what business functions do you run? (survey chart from the HFM Technology report)
https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends
CLOUD USAGE BY HEDGE FUNDS
What concerns do you have about using the cloud generally? (survey chart from the HFM Technology report)
https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends
CLOUD USAGE BY HEDGE FUNDS
For new firms especially, “cloud technology allows them the ability to avoid making large capital outlays on servers that may not be fully utilised,” argues Iain Buchanan, CTO of Piquant Technologies.
A sub-$500m quant fund launched in 2013, Piquant runs all its technology requirements through the cloud. It has no physical servers, using exclusively cloud services.
https://hfm.global/hfmtechnology/analysis/hybrid-solutions-tipped-as-more-managers-embrace-the-cloud/
WE’VE BEEN HERE BEFORE?
How to cure NEPHOPHOBIA (fear of clouds)
HOW SECURE IS SECURE ENOUGH?
REGULATORY REQUIREMENTS & INDUSTRY STANDARDS
WHAT ARE THE REQUIREMENTS
The following cloud computing guidance is available:
• United Kingdom: Financial Conduct Authority (FCA)
• United States: Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE)
https://en.wikipedia.org/wiki/List_of_financial_regulatory_authorities_by_country
WHAT DOES THE FCA SAY?
https://www.fca.org.uk/static/fca/article-type/news/fg16-5.pdf
“We see no fundamental reason why cloud services (including public cloud services) cannot be implemented, with appropriate consideration, in a manner that complies with our rules.”
“We have successfully supported both new and existing firms to use cloud and other IT service solutions in a compliant manner.”
WHAT DOES THE FCA SAY?
• Risk management
  • Identify current industry good practice, including data and information security management system requirements
• International standards
  • In conducting its due diligence on potential third-party providers, and as part of ongoing monitoring of service provision, a firm may wish to take account of the provider’s adherence to international standards as relevant to the provision of IT services.
• Data security
  • Firms should carry out a security risk assessment
  • Have a data residency policy that sets out where data can be stored

“Regulated firms retain full responsibility and accountability for discharging all of their regulatory responsibilities.” “Firms cannot delegate any part of this responsibility to a third party.”
https://www.fca.org.uk/static/fca/article-type/news/fg16-5.pdf
SHARED RESPONSIBILITY
CLOUD SERVICES PROVIDER: responsible for security ‘of’ the cloud
CUSTOMER: responsible for security ‘in’ the cloud
SHARED RESPONSIBILITY
CLOUD SERVICES PROVIDER
• Facility operations
• Physical security
• Physical infrastructure
• Network infrastructure
• Virtualisation infrastructure
• Hardware lifecycle management

CUSTOMER
• Identity management
• Security groups (firewalls)
• Network access control lists
• Choice of guest OS
• Application configuration options
• Account management
INFORMATION SECURITY MANAGEMENTTHE HANDLING AND SAFEGUARDING OF INFORMATION
INDUSTRY STANDARDS - ISO 27001
“an auditable, international, information security management standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that formally defines requirements for a complete ISMS to help protect and secure an organization’s data”

Example of mapping a requirement to a control:
Requirement: “User access is centrally managed using an appropriate solution”
Control: “AWS Identity and Access Management (IAM) reuses Active Directory identities and groups via Active Directory Federation Services (AD FS)”, i.e. SAML 2.0 federation into IAM roles, so staff authenticate against AD and assume roles rather than holding separate long-lived IAM user credentials.
http://www.iso.org/iso/iso27001
INDUSTRY STANDARDS - ISO 27001
Annex A control areas:
• Management direction for information security
• Responsibility for assets
• Information classification
• Business requirements of access control
• User access management
• User responsibilities
• System and application access control
• Cryptographic controls
• Operational procedures and responsibilities
• Protection from malware
• Backup
• Logging and monitoring
• Control of operational software
• Technical vulnerability management
• Information systems audit considerations
• Network security management
• Information transfer
• Security in development and support processes
• Test data
• Information security in supplier relationships
• Management of information security incidents and improvements
• Information security reviews
http://www.iso.org/iso/iso27001
DATA CLASSIFICATION AND CONTROLS

| | Restricted | Confidential | Public |
|---|---|---|---|
| Data examples | Strategy source code; restricted documents; cleaned tick data | Back office app source code; logs and monitoring data; vendor data; company confidential data | 3rd party software binaries; IT automation scripts; public website content |
| Access | Access controlled to authorised users & intended audience; protected from system admin access; access logged; access approved by information owner | Access controlled to authorised users & intended audience; access logged; access approved by information owner | No specific requirements |
| Transmission | Encrypted in transit | Encrypted in transit | No specific requirements |
| Storage | Encrypted storage; data resident in UK | Encrypted storage; data resident in UK | No specific requirements |
| Disposal | Secure erase | Secure erase | No specific requirements |
ACCESS CONTROL
Who needs access to what?
• Use the same procedures for cloud as for on premises
• Joiners and leavers processes (revoke cloud access keys and federated access on the same day as the AD account)
• Single sign-on
• Multi-factor authentication (but what about scripts and scheduled tasks? They cannot answer an MFA prompt, so give them IAM roles or instance profiles with short-lived credentials rather than long-lived access keys in config files)
• Least privilege
• Separation of roles and responsibilities
• Time-based access (just-in-time access: temporary access, escalate, drop back)
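As an added example (not part of the original Hentsū deck), the following Python shows what the least privilege, MFA and time-based access bullets look like as IAM policy documents, alongside a small audit function that flags the usual failures. The bucket name, role name and the change-window date are made up; the condition keys aws:MultiFactorAuthPresent and aws:CurrentTime and the ec2.amazonaws.com trust principal are real AWS names. The audit is a toy linter written for this page, not an AWS tool.

```python
"""Audit AWS IAM policy documents for least-privilege, MFA and time-bound access.

Added example, not part of the original deck. The policies are constructed for
illustration: the bucket and dates are made up, the condition keys are real.
"""
import json

# Constructed: a "convenient" policy that grants everything to whoever holds it.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}

# Constructed: the same analyst's real need, scoped to one bucket, requiring MFA,
# and only valid until the end of a change window (crude time-based access).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-tickdata/*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "DateLessThan": {"aws:CurrentTime": "2016-06-30T18:00:00Z"},
            },
        }
    ],
}

# Constructed: trust policy for a role used by scheduled jobs on EC2. Scripts
# cannot answer an MFA prompt, so they get an instance profile role (credentials
# are short-lived and rotated by AWS) instead of long-lived access keys on disk.
BATCH_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy, require_mfa=True):
    """Return a list of findings (empty means the policy passes the checks).

    Checks per Allow statement: wildcard action ("*" or "service:*"),
    wildcard resource together with a wildcard action (full admin), and a
    missing MFA condition when require_mfa is set (i.e. for human principals).
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = "*" in resources
        if wild_action:
            findings.append(f"statement {idx}: wildcard action {actions}")
        if wild_action and wild_resource:
            findings.append(f"statement {idx}: full admin (Action * on Resource *)")
        cond = stmt.get("Condition", {})
        mfa = str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower()
        if require_mfa and mfa != "true":
            findings.append(f"statement {idx}: no aws:MultiFactorAuthPresent condition")
    return findings


def is_time_bound(policy):
    """True if every Allow statement carries a DateLessThan on aws:CurrentTime."""
    allows = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    return bool(allows) and all(
        "aws:CurrentTime" in s.get("Condition", {}).get("DateLessThan", {})
        for s in allows
    )


if __name__ == "__main__":
    for name, pol in [("broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, audit_policy(pol), "time-bound:", is_time_bound(pol))
    print(json.dumps(BATCH_ROLE_TRUST_POLICY, indent=2))
```

Run it against the two policies and the broad one produces three findings while the scoped one produces none; the trust policy is audited with require_mfa=False because its principal is a service, not a person. A DateLessThan condition is the simplest form of time-boxing; for real just-in-time access the same scoping goes on a role that people assume with sts:AssumeRole for a limited session duration.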
DATA TRANSMISSION
• Encrypt data in transit whenever it traverses third-party networks or the public internet
• Virtual Private Network (VPN) between the office and the cloud
• Use encrypted protocols: HTTPS, SFTP, SMB 3.0 (SMB 3.0 encryption is a per-server or per-share setting that is off by default, so enable it explicitly)
DATA STORAGE
• Amazon Elastic Block Store (EBS): server-side encryption for virtual disks
  • Data volumes and also boot volumes (since December 2015)
• Amazon Simple Storage Service (S3): server-side encryption for objects (the SSE mode is chosen per request, so enforce it with a bucket policy rather than relying on every client to ask for it)
• Azure: client-side disk encryption with BitLocker (Windows) and DM-Crypt (Linux)
• Azure server-side encryption in preview, GA due August/September 2016
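An added example (not from the original deck) of enforcing the S3 server-side encryption bullet: a bucket policy that denies any PutObject without an acceptable s3:x-amz-server-side-encryption header, plus a small simulator, written here for illustration, that evaluates a request against that policy so you can see which uploads get through. The bucket name is assumed; the condition key and the Null and StringNotEquals operators are real IAM syntax. The simulator models only those two operators and only explicit denies, not the full IAM evaluation logic.

```python
"""Enforce server-side encryption on S3 uploads with a bucket policy.

Added example, not from the original deck. The bucket name is made up; the
condition key s3:x-amz-server-side-encryption and the Null / StringNotEquals
operators are real. evaluate_put() is a simplified simulator of those two
operators, written for this page to show how the policy behaves.
"""

BUCKET = "example-restricted-data"  # assumed bucket name

# Two explicit Deny statements: one catches requests with no SSE header at all,
# the other catches a header naming anything other than the two accepted modes.
DENY_UNENCRYPTED_PUTS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyMissingSSEHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {
            "Sid": "DenyWrongSSEMode",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]
                }
            },
        },
    ],
}


def _condition_matches(operator, key, expected, request_keys):
    """Evaluate one condition element for the two operators this example models."""
    actual = request_keys.get(key)
    if operator == "Null":
        # Null: "true" matches when the key is absent from the request context.
        return (actual is None) == (str(expected).lower() == "true")
    if operator == "StringNotEquals":
        # The Null statement already handles an absent header, so this simulator
        # simply treats a missing key as "no match" rather than modelling IAM's
        # exact missing-key semantics.
        if actual is None:
            return False
        allowed = expected if isinstance(expected, list) else [expected]
        return actual not in allowed
    raise NotImplementedError(f"operator {operator} not modelled in this example")


def evaluate_put(policy, object_key, request_headers):
    """Return 'DENY' if any Deny statement matches the PutObject, else 'ALLOW'.

    Assumes the caller already holds an identity-based s3:PutObject allow;
    only the bucket policy's explicit denies are modelled.
    """
    resource = f"arn:aws:s3:::{BUCKET}/{object_key}"
    # Map the HTTP header the SDK sends onto the condition key IAM exposes.
    request_keys = {}
    sse = request_headers.get("x-amz-server-side-encryption")
    if sse is not None:
        request_keys["s3:x-amz-server-side-encryption"] = sse

    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if not resource.startswith(stmt["Resource"].rstrip("*")):
            continue
        conditions = stmt.get("Condition", {})
        if all(
            _condition_matches(op, key, expected, request_keys)
            for op, block in conditions.items()
            for key, expected in block.items()
        ):
            return "DENY"
    return "ALLOW"


if __name__ == "__main__":
    key = "ticks/2016-05-03.csv"
    print("no header:", evaluate_put(DENY_UNENCRYPTED_PUTS, key, {}))
    print("AES256:   ", evaluate_put(DENY_UNENCRYPTED_PUTS, key,
                                     {"x-amz-server-side-encryption": "AES256"}))
```

Attach DENY_UNENCRYPTED_PUTS as the bucket policy and a plain upload from a misconfigured script fails while uploads that request SSE-S3 or SSE-KMS succeed; combine it with CloudTrail logging so the denied attempts are visible to whoever monitors the account.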
CLOUD SECURITY EDUCATION
http://jklossner.com
SECURITY MONITORING AND ENFORCEMENT
CLOUD SECURITY TOOLS ARE REALLY VERY GOOD…
AWS TRUSTED ADVISOR
Security checks include:
• Security groups: specific ports unrestricted
• Security groups: unrestricted access
• IAM use
• Amazon S3 bucket permissions
• MFA on root account
• IAM password policy
• Amazon RDS security group access risk
• AWS CloudTrail logging
• Amazon Route 53 MX and SPF resource record sets
• ELB listener security
• ELB security groups
• CloudFront custom SSL certificates in the IAM certificate store
• CloudFront SSL certificate on the origin server
• IAM access key rotation
• Exposed access keys
https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices/
AWS CLOUDTRAIL
Audit trail for every use of the AWS API:
• The identity of the API caller
• The time of the API call
• The source IP address of the API caller
• The request parameters
• The response elements returned by the AWS service

Extendable for event notifications and analytics (CloudWatch, Splunk, SumoLogic, Logentries, Datadog, LogicMonitor, open source)
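As an added example (not from the original deck) of turning the CloudTrail fields above into the kind of checks Trusted Advisor makes, here is a small Python detector run over three constructed CloudTrail records: root sign-in without MFA, a security group opened to 0.0.0.0/0 on port 22, and logging being switched off. The field names (userIdentity, eventName, sourceIPAddress, requestParameters, additionalEventData.MFAUsed) are the real CloudTrail ones; the account id, addresses, user names and the trail name are made up.

```python
"""Detections over CloudTrail records for the Trusted Advisor-style checks above.

Added example, not from the original deck. The records are constructed to look
like abridged CloudTrail JSON; identifiers in them are made up.
"""
import json

# Constructed sample events (abridged CloudTrail records).
SAMPLE_EVENTS = [
    {   # root account signing into the console without MFA
        "eventTime": "2016-05-03T08:01:12Z", "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "Root", "accountId": "123456789012"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # an IAM user opening SSH (and HTTPS) to the whole internet
        "eventTime": "2016-05-03T08:05:40Z", "eventName": "AuthorizeSecurityGroupIngress",
        "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
    {   # someone switching the audit trail off
        "eventTime": "2016-05-03T08:09:03Z", "eventName": "StopLogging",
        "eventSource": "cloudtrail.amazonaws.com", "sourceIPAddress": "198.51.100.9",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": {"name": "example-audit-trail"},
    },
]

# Ports that should never be reachable from 0.0.0.0/0 (SSH, RDP, common databases).
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432}


def _open_admin_ports(event):
    """Yield (port, cidr) pairs from an AuthorizeSecurityGroupIngress event that
    open an admin port to the whole internet."""
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        for rng in perm.get("ipRanges", {}).get("items", []):
            cidr = rng.get("cidrIp")
            if cidr in ("0.0.0.0/0", "::/0"):
                for port in sorted(ADMIN_PORTS):
                    if lo <= port <= hi:
                        yield port, cidr


def detect(events):
    """Return a list of (severity, eventName, message) alerts for the events."""
    alerts = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        name = ev.get("eventName")
        if ident.get("type") == "Root":
            alerts.append(("HIGH", name, f"root account used from {ev.get('sourceIPAddress')}"))
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") == "No":
            alerts.append(("HIGH", name, f"console login by {who} without MFA"))
        if name == "AuthorizeSecurityGroupIngress":
            sg = ev.get("requestParameters", {}).get("groupId")
            for port, cidr in _open_admin_ports(ev):
                alerts.append(("MEDIUM", name, f"{who} opened port {port} to {cidr} on {sg}"))
        if name in ("StopLogging", "DeleteTrail", "UpdateTrail"):
            alerts.append(("HIGH", name, f"{who} changed CloudTrail logging"))
    return alerts


def detect_from_log(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) and run detect()."""
    return detect(json.loads(text).get("Records", []))


if __name__ == "__main__":
    for sev, name, msg in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {name}: {msg}")
```

On the sample records this yields four alerts (three HIGH, one MEDIUM); the port 443 rule in the second event is deliberately not flagged, since an open web port is not in itself a finding. The same detect() function can be fed the gzipped files CloudTrail delivers to S3 or wired behind a CloudWatch or SNS subscription, which is where the "event notifications and analytics" integrations on the slide come in.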
INFRASTRUCTURE AS CODEDEFINE AND ENFORCE CONFIGURATION
OCTOBER EVENT
Grid computing breakfast briefing
Wednesday 26th October

Hentsu Ltd
1 Fore Street
London EC2Y 9DT
[email protected]
hentsu.com