Firm Compliance In the Cloud

ProCirrus resolves the vast majority of a firm’s security needs at a much lower cost than an on-premises solution.

When considering a move to the cloud, security is the most common apprehension expressed by IT decision makers. Ironically, despite all of its other advantages, security is the primary reason why firms should consider a competent cloud provider. In many respects, the IT debate between cloud and on-premises security is like debating whether it is better to keep your money in a bank or hide it under your mattress. Deciding where you keep your savings is a function of how much you value protecting your money and the quality of the bank you choose. In the case of cloud computing, it boils down to how much you value the continuity of your business and the quality of your cloud provider.

Security is bigger than dotting i’s and crossing t’s

It’s not uncommon for regulatory or client requirements to drive the security conversation, and complying with the alphabet soup of regulators from GLBA to HIPAA can feel like an expensive hoop-jumping exercise. Staring at an audit spreadsheet with 300 inarticulate control points from your new banking client is certainly a daunting experience. In truth, becoming compliant with these types of requirements is an important step toward protecting the very continuity of your business, and it can become a competitive advantage.

Where to start?

Regardless of the firm’s IT model (cloud, hybrid or on-premises), the first step should be to develop and publish a clear security and continuity policy. Ultimately, firm compliance and security will be a combination of the written policies and confirmation of their implementation. For example, the firm may have a policy requiring a ten-character alphanumeric password, but it also needs to mandate and demonstrate its use.

Often, the first client audit document is a great starting point for developing these policies. The goal of the security policy is to ensure that sensitive information (i.e. data) is not lost or accessed by unauthorized parties. Simply put, the firm’s policies and procedures must protect data at rest, data in transit and data in use.

Protecting data at rest means that the data is safely stored when not in use. This could include things like hard drive encryption, physical server security, physical device redundancy and mobile media encryption.

Protecting data in transit means that the data is transmitted securely and accessed only by authorized individuals. This would include things like encrypted transmission (e.g. encrypted email), content management and Wi-Fi security.

Protecting data in use means protecting live data, such as data in active memory or data on display. For example, if users don’t need to see a social security number, the application or document should not disclose it (i.e. 666-333-9999 becomes ***-***-****).

When developing a security plan, most people think in terms of the nefarious external hacker. Although that’s certainly a risk, in reality the primary intrusion vector is the intentional or unintentional behavior of the company’s own end users.

Example Policies and Audit Control Points

The following are a few simplified examples of policies that a firm would define to address a compliance audit or to develop its internal policies. In all cases, the firm would need to publish and enforce its policy for itself, for its vendors (i.e. a cloud provider), or both. In most cases, thanks to economies of scale, a competent cloud provider will resolve the most expensive requirements at a much lower cost than the firm could on its own.

Sticking with the banking comparison: if the bank installs a vault, that expense is distributed across all depositors, whereas the guy who saves his cash under the mattress would have to pay for the entire construction of a vault around his bed to get the same level of protection.

Control Point Example 1

From a data loss prevention (DLP) perspective, does the scanning of outbound email include blocking or scanning of email content and attachments, including encrypted attachments, for NPI (non-public information) or confidential data?

This is a common requirement: all email must be electronically scanned to make sure protected information is not being sent unencrypted. For example, the software will look for things like Social Security or credit card numbers. This type of service is expensive for an on-premises environment but would be available from a competent cloud provider.
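As an added illustration (not ProCirrus code or part of the original article) of what such an outbound scanner does, the following Python sketch looks for Social Security and credit card numbers in constructed sample messages, validates card candidates with the Luhn checksum to cut false positives, and produces the digit-masked form described in the data-in-use section above. The message bodies, the ###-##-#### SSN pattern and the block/redact decision are assumptions for the example.

```python
import re

# Constructed sample outbound messages; none of these values are real.
SAMPLE_EMAILS = [
    "Hi Bob, the wire cleared. Ticket #12345 is closed.",
    "Client SSN is 123-45-6789, please update the KYC file.",
    "Card on file: 4111 1111 1111 1111, exp 12/29. Call 555-123-4567.",
]

# US SSN shape (assumed): three digits, two digits, four digits.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_npi(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) findings for SSN-like and card-like tokens."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # The phone number in the third sample is too short to reach here;
        # a 16-digit run that fails Luhn is dropped as a false positive.
        if luhn_ok(digits):
            findings.append(("card", m.group()))
    return findings


def mask(value: str) -> str:
    """Replace every digit with '*' but keep separators, e.g. ***-**-****."""
    return re.sub(r"\d", "*", value)


def scan_outbound(text: str) -> dict:
    """Decide whether a message should be blocked and return a redacted copy."""
    findings = find_npi(text)
    redacted = text
    for _, value in findings:
        redacted = redacted.replace(value, mask(value))
    return {"block": bool(findings), "findings": findings, "redacted": redacted}
```

In a real deployment the same check would also have to run over attachments, which is why the control point above asks about encrypted attachments separately.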

Control Point Example 2

Are sensitive areas where data is stored, transmitted, or processed (e.g., computer rooms, network and communication rooms) protected by a fire detection and suppression system?

The physical security of data would include a host of requirements like fire suppression, redundant power, a locked environment and redundant physical servers. Again, this requirement is prohibitively expensive for an on-premises environment but would be readily available from a competent cloud provider.

Control Point Example 3

Are background checks including identity checks using Social Security Number (SSN) (or local country equivalent) and current and previous addresses performed (to the extent permitted by law)?

This would be a policy that the firm would need to implement itself and may need to require its vendors to implement. A competent cloud provider would likely have this policy and have it verified through its annual compliance audits.

You should require that any cloud provider furnish evidence of its successful annual SOC audits, as well as those of any data center in which it colocates.

Control Point Example 4

Is two-factor authentication implemented for remote network access?

Two-factor authentication requires multiple verification methods, like a password combined with a texted one-time code. It is a common requirement and another one that is costly for on-premises IT to implement but should be readily available through a cloud provider.

The Bottom Line

The cloud is not inherently more secure than an on-premises IT environment, and not all clouds are the same. However, a small to mid-sized firm cannot achieve the same levels of security and performance as a competent cloud provider at the same or lower cost.

When evaluating the move to the cloud, it would be prudent to use the security plan to identify which services the firm will need fulfilled by the cloud provider(s) and which by the on-premises environment. By creating an apples-to-apples comparison, the firm will be in a better position to quantify the value of the move.

Audit Burden

The estimated audit burden for a cloud-supported firm’s regulatory compliance

Based on previous audits of clients, it would be reasonable to expect about 45% of a firm’s IT security policies to be resolved by ProCirrus directly. This would include features like encrypted storage, redundant physical servers and a secure data center, to name a few.

Additionally, we resolve, or offer services that would resolve, another 30% of the firm’s policies. This would include features like data loss prevention methods, multi-factor authentication, password management and many more.

The last 25% of the firm’s policies would be those that are specific to the firm, like requiring background checks, and policies that don’t apply.

Concepts | Dan Shelton