As a regulated cloud user, security and compliance are two of your primary concerns, a workshop on how to keep secure and demonstrate your compliance to key stakeholders. Specifically, what can be done to secure cloud resources and show compliance for auditors, investors, DDQs, SSAE16, covering: - Strategies for securing data in transit and at rest - Federating with your internal directory for role based access to your cloud - Capturing and processing audit logs for security event notifications - Fun with Infrastructure as Code – detecting and reverting misconfigurations and manual changes

1. 変通 [hen-tsoo]
noun
1. Resourcefulness – the quality of being able to cope with a difficult situation
2. Adaptability – the ability to change (or be changed) to fit changed circumstances
3. Agility – the power of moving quickly and easily; nimbleness
CLOUD SECURITY FOR REGULATED FIRMS
Securing my cloud and proving it

2. WELCOME TO HENTSŪ

3. AGENDA
• Why cloud?
• Hedge Fund Cloud usage update
• How secure is secure enough?
• Cloud security - Your responsibilities
• Security Monitoring & enforcement Infrastructure as code
• Wrap up
• Drinks

4. WHAT IS PUBLIC CLOUD?
“A service provider makes resources, such as virtual machines, applications and
storage, available to the general public.”
• Utility model
• No contracts
• Shared hardware / multi tenant
• Self managed

5. WHAT IS PUBLIC CLOUD
• Software as a Service
• Office 365
• Platform as a Service
• AWS RDS, S3
• Azure SQL Database
• Infrastructure as a Service
• Virtual Machines
• Virtual Disks
• Virtual Networks

6. WHY CLOUD?

7. CLOUD CONCERNS

8. YOUR PUBLIC CLOUD USAGE?
Where are you today?
On Premises
Bare Metal
On Premises
Virtualised
Hybrid
All in
Public Cloud

9. CLOUD USAGE BY HEDGE FUNDS
HFM TECHNOLOGY SURVEY FEBRUARY 2016
83% of respondents plan to increase their cloud usage in 2016
- HFM Technology survey February 2016
“all firms will be leveraging cloud to some extent” in the future
-Thomson Reuters managing director of enterprise Mike Powell
https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends

10. CLOUD USAGE BY HEDGE FUNDS
43% of managers said they did not want to place potentially sensitive information in
the public cloud.
- HFM Technology survey February 2016
This attitude was one of the reasons four out of 10 participants used private cloud
only.
https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends

11. CLOUD USAGE BY HEDGE FUNDS
If using public cloud, what business functions do you run?
https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends

12. CLOUD USAGE BY HEDGE FUNDS
What concerns do you have about using the cloud generally?
https://hfm.global/hfmtechnology/research-and-data/cloud-usage-trends

13. CLOUD USAGE BY HEDGE FUNDS
For new firms especially, “cloud technology allows them the ability to avoid making
large capital outlays on servers that may not be fully utilised,” argues Iain Buchanan,
CTO of Piquant Technologies.
A sub-$500m quant fund launched in 2013, Piquant runs all its technology
requirements through the cloud.
It has no physical servers, using exclusively cloud services.
https://hfm.global/hfmtechnology/analysis/hybrid-solutions-tipped-as-more-managers-embrace-the-cloud/

14. WE’VE BEEN HERE BEFORE?

15. WE’VE BEEN HERE BEFORE?
How to cure
NEPHOPHOBIA
(fear of clouds)

16. HOW SECURE IS SECURE
ENOUGH?
REGULATORY REQUIREMENTS & INDUSTRY STANDARDS

17. WHAT ARE THE REQUIREMENTS
The following Cloud Computing guidance is available:
• United Kingdom
• Financial Conduct Authority (FCA)
• United States
• Securities and Exchange Commission (SEC) Office of Compliance Inspections and
Examinations (OCIE)
https://en.wikipedia.org/wiki/List_of_financial_regulatory_authorities_by_country

18. WHAT DOES THE FCA SAY?
https://www.fca.org.uk/static/fca/article-type/news/fg16-5.pdf
“We see no fundamental reason why cloud services
(including public cloud services) cannot be implemented,
with appropriate consideration, in a manner that
complies with our rules.”
“We have successfully supported both new and existing
firms to use cloud and other IT service solutions in a
compliant manner.”

19. WHAT DOES THE FCA SAY?
• Risk Management
• identify current industry good practice,
including data and information security
management system requirements
• International standards
• In conducting its due diligence on potential
third-party providers, and as part of
ongoing monitoring of service provision, a
firm may wish to take account of the
provider’s adherence to international
standards as relevant to the provision of IT
services.
• Data security
• Firms should carry out a security risk
assessment
• have a data residency policy that sets out
where data can be stored
“Regulated firms retain full
responsibility and accountability for
discharging all of their regulatory
responsibilities.”
“Firms cannot delegate any part of
this responsibility to a third party.”
https://www.fca.org.uk/static/fca/article-type/news/fg16-5.pdf

20. SHARED RESPONSIBILITY
CLOUD SERVICES PROVIDER
Responsible for
security ‘of’ the cloud
CUSTOMER
Responsible for
security ‘in’ the cloud

21. SHARED RESPONSIBILITY
CLOUD SERVICES PROVIDER
• Facility operations
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualisation Infrastructure
• Hardware lifecycle management
CUSTOMER
• Identity management
• Security Groups (firewalls)
• Network Access Control Lists
• Choice of guest OS
• Application Configuration Options
• Account Management flexibility

22. INFORMATION SECURITY
MANAGEMENT
THE HANDLING AND SAFEGUARDING OF INFORMATION

23. INDUSTRY STANDARDS - ISO 27001
“an auditable, international, information security
management standard published by the
International Organization for Standardization
(ISO) and the International Electrotechnical
Commission (IEC) that formally defines
requirements for a complete ISMS to help protect
and secure an organization’s data”
Requirements
“User access is centrally managed using
appropriate solution”
Controls
“AWS Identity and Access Management
(IAM) reuses Active Directory identities
and groups via AD federation services.”
http://www.iso.org/iso/iso27001

24. INDUSTRY STANDARDS - ISO 27001
• Management direction for information
security
• Responsibility for assets
• Information classification
• Business requirements of access control
• User access management
• User responsibilities
• System and application access control
• Cryptographic controls
• Operational procedures and
responsibilities
• Protection from malware
• Backup
• Logging and monitoring
• Control of operational software
• Technical vulnerability management
• Information systems audit considerations
• Network security management
• Information transfer
• Security in development and support
processes
• Test data
• Information security in supplier relationships
• Management of information security
incidents and improvements
• Information security reviews
http://www.iso.org/iso/iso27001

25. DATA CLASSIFICATION AND CONTROLS
Restricted Confidential Public
Data
examples
Strategy source code
Restricted documents
Cleaned tickdata
Back office app source code
Logs and monitoring data
Vendor data
Company confidential data
3rd party software binaries
IT automation scripts
Public website content
Access  Access controlled to authorised
users & intended audience
 Protection from System Admin
access
 Access logged
 Access approved by Information
Owner
 Access controlled to authorised users
& intended audience
 Access logged
 Access approved by information
owner
 No specific requirements
Transmission  Encrypted in transit  Encrypted in transit  No specific requirements
Storage  Encrypted storage
 Data resident in UK
 Encrypted storage
 Data resident in UK
 No specific requirements
Disposal  Secure erase  Secure erase  No specific requirements

26. ACCESS CONTROL
Who needs access to what?
• Use the same procedures for on premises as cloud
• Joiners and leavers processes
• Single sign on
• Multifactor authentication (but what about scripts/scheduled tasks)
• Least rights privilege
• Separation of roles and responsibilities
• Time based access (Just In Time Access, temporary access, escalate, drop back)

27. DATA TRANSMISSION
• Encrypt data in transit (traversing 3rd party networks / public internet)
• Virtual Private Network (VPN)
• Use encrypted protocols HTTPS, SFTP, SMB3.0

28. DATA STORAGE
• AWS Elastic Block Storage - server side encryption for virtual disks
• Data volumes and also boot volumes (since Dec 2015)
• AWS Simple Storage Service (S3) server side encryption for objects
• Azure Client Side disk encryption Bitlocker (Windows), DM-crypt (Linux)
• Azure Server Side encryption in preview, GA due August/September 2016

29. CLOUD SECURITY
EDUCATION
http://jklossner.com

30. SECURITY MONITORING AND
ENFORCEMENT
CLOUD SECURITY TOOLS ARE REALLY VERY GOOD…

31. AWS TRUSTED ADVISOR
• Security Groups - Specific Ports Unrestricted
• Security Groups - Unrestricted Access
• IAM Use
• Amazon S3 Bucket Permissions
• MFA on Root Account
• IAM Password Policy
• Amazon RDS Security Group Access Risk
• AWS CloudTrail Logging
• Amazon Route 53 MX and SPF Resource Record Sets
• ELB Listener Security
• ELB Security Groups
• CloudFront Custom SSL Certificates in the IAM Certificate Store
• CloudFront SSL Certificate on the Origin Server
• IAM Access Key Rotation
• Exposed Access Keys
https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices/

32. AWS CLOUDTRAIL
Audit Trail for every use of AWS API
• The identity of the API caller.
• The time of the API call.
• The source IP address of the API caller.
• The request parameters.
• The response elements returned by the
AWS service
Extendable for Event Notifications and
Analytics
(CloudWatch, Splunk, SumoLogic, LogEntries,
Datadog, LogicMonitor, Open Source)

33. INFRASTRUCTURE AS CODE
DEFINE AND ENFORCE CONFIGURATION

34. OCTOBER EVENT
Grid computing breakfast
briefing
Wednesday 26th October

35. Hentsu Ltd
1 Fore Street
London EC2Y 9DT
hello@hentsu.com
https://hentsu.com