A few tips for securing data in the cloud

Posted on : 30-11-2016 | By : john.vincent | In : Cloud, Cyber Security, Data, Uncategorized

In our view, we’ve finally reached the point where the move from internally built and managed technology to cloud-based applications, platforms and compute services is now the norm. There are a few die-hard “remainers” but the public has chosen – the only question now is one of pace.

Cloud platform adoption brings a host of benefits, including agility in deployment, cost efficiency, and improved productivity and collaboration, amongst others. Of course, the question of security is at the forefront, and quite rightly so. As I write this the rolling data breach news continues, with today’s being that of potentially compromised accounts at the National Lottery.

We are moving to a world where the governance of cloud-based services becomes increasingly complex. For years organisations have sought to find, capture or shut down internal pockets of “shadow IT”, seeing them as a threat to efficiency and a source of increased risk. In today’s new world, however, these shadows are more fragmented, with services and data very much moving towards the end-user edge of the corporate domain.

So with more and more data moving to the cloud, how do we protect against malicious activity, breaches, fraud or general internal misuse? Indeed, regarding the last point, the Forrsights Security Survey stated:

“Authorised users inadvertently exposing sensitive information was the most common cause of data breaches in the past 12 months.”

We need to think of the challenge in terms of people, process and technology. Often, we have a tendency to jump straight to an IT solution, so let’s come to that later. Firstly, organisations need to look at a few fundamental pillars of good practice:

  1. Invest in User Training and Awareness – it is important that all users throughout an organisation understand that security is a collective responsibility. The gap between front and back office operations is often too wide, but in the area of security organisations must instil a culture of shared accountability. Understanding and educating users on the risks, in a collaborative way rather than merely enforcing policy, is probably the top priority for many organisations.
  2. Don’t make security a user problem – we need to secure the cloud-based data and assets of an organisation in a way that balances protection with the benefits that cloud adoption brings. Often, the tendency can be to raise the bar to a level that constrains both user adoption and productivity. We often hear that IT is leading the positioning of the barrier irrespective of the business processes or outcomes. This tends to lead to an overly risk-averse approach that does not take into account the disruption to business processes. The result? Either a winding back of the original solution or users taking the path of least resistance, which often increases risks.

On the technology side, there are many approaches to securing data in the cloud.  Broadly, these solutions have been bundled in the category of Cloud Access Security Broker (CASB), which is software or a tool that sits in between the internal on-premise infrastructure and the cloud provider, be that software, platform or other kind of as-a-service. The good thing about these solutions is that they can enforce controls and policies without the need to revert to the old approach of managing shadow IT functions, effectively allowing for a more federated model.

Over recent years, vendors have come to market to address the issue through several approaches. One of the techniques is through implementing gateways that either use encryption or tokenisation to ensure secure communication of data between internal users and cloud based services. However, with these the upfront design and scalability can be a challenge given the changing scope and volume of cloud based applications.

Another solution is to use an API-based approach, such as that of Cloudlock (recently purchased by Cisco). This platform uses a programmatic approach to cloud security on the key SaaS platforms such as  to address areas such as Data Loss Prevention, Compliance and Threat Protection with User and Entity Behaviour Analytics (UEBA). The last of these uses machine learning to detect anomalies in cloud activities and access.

Hopefully this offers some food for thought on the challenge of protecting data in the cloud, whichever path you take.

Investment Management – what’s left to outsource

Posted on : 30-11-2016 | By : richard.gale | In : Finance

Many Investment Management (IM) firms have outsourced significant business functions: settlement, collateral management, accounting departments have been ‘lifted out’ of a significant number of IM companies and are being run as a service by a smaller number of specialised financial services organisations.

We think the next phase for outsourcing is the middle and some of the front office functions, as the focus for IM firms is on the ability to out-perform, to reduce time to market for new products and to reduce costs. Regulation is a key driver for this, as the complexities of dealing with constant regulatory change are increasing costs and placing constraints on IM firms’ ability to move into new, more profitable, markets. New investment themes such as liability driven investing and securities such as OTC derivatives are much more widely utilised in investment firms than, say, 5 years ago. There is also the avalanche of regulation in-flight (AIFM, Dodd-Frank, MiFIR & Solvency II to name a few) to enforce reporting and risk management. This results in operational activities such as collateral management becoming much more complex than transacting with conventional securities.

A few months back we discussed the future of middle office outsourcing with Maha Khan Phillips in Best Execution magazine and we want to expand on those thoughts here.

Another trend we see is how the Investment Banking industry is starting to look at outsourcing the non-value-add functions to reduce costs and help streamline their business areas. They are being impacted in a similar way to IM firms at the turn of the century in terms of reduction in income and focus on cost reduction.

Outsourcing history and developments

The first phase of outsourcing often was a simple ‘lift-out’ where the back office was separated as a whole – people, systems, and processes – with a line drawn across the organisation splitting the remaining front/middle office from the outsourced back office. This was driven by a number of factors but cost reduction and the drive to better returns was core.

As an approach the lift-out worked and enabled the IM organisation to focus on its core business of investing money. Over time, as the industry matures, the limitations of this approach are becoming clear. The ability to be responsive to new business requirements can be reduced: flexibility in the operating model to react to changes such as business focus, new asset classes and volume variations is often slowed by the split between organisations. The outsourcers will have a number of clients with differing requirements and a limited ability to change, which can impact speed of delivery.

These factors have led to some operational challenges and frictions between the client and supplier, the result of which has been a reassessment of the services and relationship. The client has a number of choices available and, as the earlier contracts mature, firms are identifying this period as an opportunity to review the current state vs. alternative strategies. The choices are broadly:

  1. Insource. To undo the lift-out and bring services back in-house. Some organisations have done this with varying degrees of success but the underlying rationale for outsourcing and the business case underpinning this needs to be closely examined.
  2. Migrate to new outsourcer. This is potentially one of the more complex solutions but also a possibility to re-engineer the business. Often there are complex interactions between the client/supplier that exist because of the way the outsource was constructed historically. This ‘web’ of interfaces, processes and procedures will need to be cleaned and logically split to migrate. Also the level of complexity from moving from one (client) organisation to an outsource supplier goes to a new level when migrating suppliers.
  3. Stay with existing and work together to improve service, relationship and capabilities.
  4. A combination of the above not excluding outsourcing more functions of the client firm.

Assuming the client strategically does not wish to insource the functions, then one of the most important activities is to grow the client/supplier relationship into an aligned partnership. This is the time when parties need to work together to construct a roadmap to move to a more efficient, cost-effective and flexible model to deliver optimised services and capacity to grow.

This trend is gathering pace as firms look to ‘smarter’ outsourcing, which bundles up groups of functions and lets someone else look after the day-to-day management whilst the firm enjoys a consistent service and pricing. Significant middle office functions are in-scope and included in those are what are traditionally seen as front office capabilities such as deal execution and compliance monitoring.

Interestingly the Buy-side has led the way on outsourcing. Investment banks have previously been too busy ‘running’ to keep up – growing new business areas – and have been wary of outsourcing as a brake on their flexibility and ability to expand. The focus has been on IT infrastructure, testing & development and creating ‘captives’ in lower cost areas for operations. Now that cost and regulatory pressures are proving a heavy burden, banks are spending more time and energy looking into outsourcing their non-proprietary functions. We think this is one of the trend areas for the next few years.

This is an updated version of our article first published in 2012. The thoughts are still very relevant and we wanted to share them again.
