Information Security Risks: Internal Systems, Vendors and The Cloud

Academic year: 2021


ABSTRACT


The need to implement cyber security and other information security controls has become the new business reality. Organizations that are technology and data dependent, regardless of size, must evaluate their risk exposure and formulate an information security program, as well as contemplate their potential breach response. Such a program must address third party service provision, including cloud based service provision if applicable.

Organizations must recognize that their third party providers’ programs in many ways become part of their information security programs. Cloud based systems are getting significant attention as this model presents significant advantages over the traditional on premise setup for infrastructure and software. These advantages come with key risks, and those adopting the cloud-based approach must be aware of these risks and take action to mitigate them.


Introduction

The increased frequency and sophistication of cyber attacks has challenged businesses, from small to large, to address their exposure to cyber crime. The primary targets are financial services, including credit card processing, and energy. In the financial services industry, all of the primary regulators (such as the Securities and Exchange Commission, the Commodity Futures Trading Commission, the Financial Industry Regulatory Authority, and multiple state regulators) have conducted inquiries of those entities under their oversight and are incorporating the review of information security controls into their examination processes. In addition, many states have breach notification laws which may need to be adhered to in the event that Personally Identifiable Information (PII) is disclosed as a result of a breach.

Establishing an Information Security Program (ISP)

With the number of potential threats ever changing, many organizations need a structured and on-going approach to managing information security threats. Below are some steps your organization can take.

Identify the data assets you are trying to protect and establish their value to your business. Prioritize your efforts based on relative value.

Appoint key decision-makers and overseers.

Assess your current state. What’s working today? What information is confidential or sensitive? What systems and processes handle such information (and make sure to consider how you will keep this list up to date on an ongoing basis)? What are the security threats to this data? What is the likelihood that such threats will create a breach? If there is a breach, what would the impact be?

Consider using an independent technology risk assessment firm to provide more holistic insights into the risks and controls at a firm, as well as at their third party provider. Armed with a technology risk assessment, an executive can more easily plan projects and budget spending given their knowledge of the outstanding high-, medium-, and low-risk vulnerabilities at the firm.

Analyze. Based on the organization's assessment, the organization should conduct an analysis of: (i) security gaps; (ii) areas in need of improvement; (iii) efforts required to achieve the desired, but prioritized, security end state. Use this analysis to establish: (i) what security functions are valuable for the organization to implement; (ii) what security activities are necessary to deliver each security function; and (iii) the security capabilities that must exist in order to engage in such activities.

Plan and Develop Your Strategy. Security concerns need to be balanced against the costs of implementing (or not implementing) and impact. The greatest risk-weighted vulnerabilities need to be addressed first. Once management has committed to this list, an organization must develop their roadmap. This roadmap needs to incorporate milestones, deadlines, deliverables, inputs required, resources and constraints.

Build your organization’s information security processes. These processes should address, on an administrative, technical and physical level:

• Information asset identification and management
• Risk management
• Vulnerability management
• Identity management and access control
• Change control
• Awareness and training
• Physical security
• Incident response
• Auditing and monitoring

Make sure that each part of your organization understands its responsibilities and, where appropriate, has service levels assigned to it.

Monitor and Evaluate. Periodically review logs, audit results, and collect metrics and service levels. The overseers of the plan should meet regularly, with updates to management and the board of the organization. On a periodic basis, organizations should assess their system for security vulnerabilities, as well as stage mock hacks. “Table top” drills will help ensure that the staff understands not only their responsibilities, but how such responsibilities coordinate with the larger organization. Ensure that critical third party providers are monitored and evaluated as well.

Educate and Communicate. Create a communication plan for advising the board, management, and employees of the identified risks. Staff needs to be educated as to the importance of technology security with at least annual training sessions covering acceptable use, threat detection, and an overview of the firm’s incident response plan. Leading with a spear-phishing test can help provide the staff with tangible evidence of the ease of phishing and better convey key detection criteria.

Pre-Breach Planning

While the foregoing focuses on the preventative measures that your organization must take, for those organizations who process PII, it is important to contemplate your breach response. Forty-seven states have enacted legislation requiring notification to individuals impacted by security breaches involving personally identifiable information (http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx). There are nuances to these laws by jurisdiction. Organizations should become familiar with these obligations now and anticipate the steps necessary to comply. First and foremost, organizations should know who their counsel and forensic team will be in the event of a breach. Collectively, they will be instrumental in determining whether an unauthorized party was able to access, acquire, misuse and gain the ability to disclose PII, which are the key determinants under breach notification laws.

Organizations should identify in advance who their in-house breach response team will be as well, including the key decision maker(s). This team must have sufficient independence to move quickly, have representation by the key decision makers, be integrated with the business, and document all decisions.

Third Party Providers

Concerns about cyber security have forced firms to approach their third party vendor relationships with a different risk management focus. Particularly where PII is accessed, the failure to take reasonable measures to verify that third party vendors are taking appropriate measures to protect against information security breaches could expose an organization to litigation or regulatory risk. Complicating matters are inconsistent processes and frameworks that your organization may have adopted with respect to how third party vendors are retained. Such inconsistent processes could lead to a third party provider bypassing the IT security that in-house processes are subject to or may lead to a lack of ownership or enforcement with respect to such security requirements.

While it is certainly easier to collect information on a vendor’s information security program (ISP) at the outset of a relationship, organizations need to address the information security programs of existing vendors as well.


As part of standard protocol, organizations should request that their vendors who manage confidential or sensitive information provide: (i) a copy of their ISP; (ii) qualifications of their security team; (iii) system level certifications, if any; and (iv) any internal or external audit reports respecting their information security program. Your vendor’s ISP should be evaluated based on the same criteria that you used to build your own program. Investigate whether they deploy encryption as part of their information management program.

Third Party Provider Contracts and Concerns Particular to Cloud Providers

Many agreements fail to document the critical expectations of organizations respecting their third party providers’ information security plans. This may be due to either the lack of proper counsel or the sense of powerlessness over their providers to change their information security processes. Even if your organization cannot gain significant ground in changing such contracts, however, an understanding of the terms and risks of such contracts will facilitate an informed decision to select one provider versus another. While such choices might come with more expense, the savings associated with an inferior information security plan might be more expensive considering the additional assumption of risk.

For example, the information security provisions of different cloud offerings should be a core element of an organization’s evaluation process. Consider that almost all cloud providers have indemnification clauses that, in all but the most egregious cases of misconduct, ensure that they will not be financially liable for any damages suffered by their users due to a litany of events that constitute a partial or full service outage. Even if you can only negotiate a limitation on damages, it is in an organization’s interest to do so. Similarly, while any third party provider might have an ISP, it could be wholly inadequate for your organization’s needs. Just because they’re big, that does not mean they have the requisite controls or, more importantly, that your organization’s needs are being addressed.

Negotiate terms that specify your organization’s requirements for computing resources, including physical security, access rights to your environment and data, data handling, and outage recovery. Make sure that the contract provides, at the very least, for immediate notification of breaches in data security; if PII is involved, your contract will most likely also need to provide for the engagement of a third party forensics team to help determine the full scope of your obligations under breach notification laws. Without such protections in place, you may end up either over-disclosing (subjecting your organization to all the attendant reputational, litigation and expense risks) or under-disclosing in violation of state law. In addition, ensure that your contract contemplates data transfers, creation of derivative works from the data being processed by the provider, change of control of the provider, and what happens if law enforcement demands access to such data. Lastly, understand the laws of the jurisdiction where your data resides, which could impact access rights and even ownership of your data.

Background on Cloud Computing

What is Cloud Computing?

Cloud computing is a paradigm shift in which servers, software, and IT support and management have been moved to third-party providers. Over the past 10 years, service providers, such as Amazon, Microsoft, and Google, have developed infrastructure services that enable software vendors to provide their services cheaply and easily to clients. This comes in the form of providing computer grids, virtualized machines that can be created or destroyed on-demand and paid for on a usage basis, as well as highly-reliable, cost-effective, redundant storage services. The on-demand, virtualized compute grid and storage are referred to as Infrastructure-as-a-Service (IaaS). Software vendors utilizing IaaS, in turn, have published their applications online and taken over the administration and support of their software, creating what’s now called Software-as-a-Service (SaaS). Other types of cloud services have been created on top of IaaS, as well, such as virtualized desktops (Desktop-as-a-Service, DaaS) and publication of webservers, database servers, etc. for software to run on (Platform-as-a-Service, PaaS).

Why Is This Model Attractive?

Scalability, ease-of-management, cost-effectiveness, deployment-time, and convenience are the primary drivers behind cloud adoption. IT infrastructure in the cloud does not suffer from high procurement and support costs, long procurement timelines, or issues stemming from obsolete hardware; the cloud service provider’s scalability and virtualization allows for real-time decision-making and resource deployment for a firm.

Multi-Tenancy

One of the keys to the scalability of cloud platforms is the ability to share resources across many clients and applications. For example, a given physical server may have 32GB of memory and 32 cores (akin to processors). Those resources can then be divided into eight independent ‘virtual’ computers with 4GB and 4 cores each, and with each allocated to a different client. Thus, the single server has eight tenants. Multi-tenancy applies throughout the stack of infrastructure and software. Cloud platforms not only share computing resources, but may often include a database server set up on a shared server. The database server, in turn, might be shared across multiple clients and applications.

Key Cloud Computing Concerns

Provider Stability

The provider your organization chooses should have the financial, technical, and personnel resources to survive stiff competition in the cloud computing space and the wherewithal to handle special situations. When looking at SaaS, this is no different than assessing vendor-specific business and operational risks, aside from the data control concerns discussed in the Resiliency section later. When looking at IaaS, however, this is far more critical given the crucial role infrastructure plays in your organization.

Resource Sharing

Multi-tenancy allows for scalability via virtualization, but it creates risks around: (i) data security, (ii) access controls, and (iii) resource sharing. Are all the machines carved out of the shared server fully independent, or could they access each other’s data via a bug or misconfiguration? Additionally, while there are completely split and dedicated resources on the virtualized machines guaranteeing a certain level of compute power and/or memory, there are also shared resources on the parent physical server, for example the network card(s). If one application has a burst of network utilization due to web requests or a denial-of-service attack, it could saturate the network card’s bandwidth, causing the performance of the other machines and clients on the shared server to suffer. Further, the resources provided on the server could be “over-subscribed”, allowing a burst in computing activity on one instance to affect the computing power of the other instances.

[Figure: "Cloud computing" by Sam Johnston. Licensed under Creative Commons Attribution-Share Alike 3.0 via WikiMedia]

Virtualization software has grown in sophistication and maturity, and concerns over data breaches at the machine level are generally considered minimal now. Risks continue to exist around multi-tenancy data protections and resource sharing at the infrastructure, platform, and software levels. An assessment of the provider’s multi-tenancy data controls and policy is required. Could operational staff accidentally copy your data into another client’s environment, for example? Additionally, assessing whether the provider oversubscribes its hardware resources can lend insight into risks around underperformance. To alleviate these concerns, many cloud providers offer single-tenancy options at a higher cost.

Data & Systems Access

Who has access to your data? Who can control your setup? Could operational or engineering employees of the cloud provider see or take your data? Could malware infecting the computers of those employees access it? Could a bad actor take down your setup? Does the service provider’s staff have the ability to access your data on their home computers or mobile devices? How are these setups protected from data loss?

Virtual access controls must be in place for the firm to provide assurance that employees, malware, bad actors, and hackers would not be able to steal or tamper with the data or system, and that all data access is audited and monitored. For IaaS, many of these concerns can be addressed via client-side encryption of data at rest, discussed later. For SaaS, however, there are many tools and techniques that need to be validated to ensure your data is protected. For example, ensure the software vendor utilizes a containerized mobile device management (MDM) tool for their employees if their employees have access to your data. Similar concerns exist around remote access and in-house data loss prevention techniques.

Physical Access controls must be in place protecting the data center, machines, and networking equipment behind the service. Are they susceptible to theft or tampering that could lead to data loss, corruption, or system instability? Does the firm keep copies of the data on desktops within their offices? Do they utilize laptops that hold the data? Could those desktops or laptops be stolen and result in data loss?

Most data centers employ significant amounts of physical protection in the form of security guards, biometric identification, and surveillance. Largely, IaaS physical concerns are addressed via these protections. However, for SaaS, most software vendor offices lack strict physical access controls, and laptops, staff mobile devices, and staff remote access present security holes that need to be addressed and open up additional physical access concerns. Mitigating these risks is best accomplished via the data and systems access controls described above, in addition to tools such as hard drive encryption, boot passwords, and mobile device management (MDM).

Additional Key Risk Mitigants

Encryption

Encryption of Transport: Given that hosted data must be transmitted from the provider’s data center to your firm’s business location, the data is likely traversing the public internet. Data passed through the internet is liable to be intercepted in the middle of transit, as it often makes many hops along its route. To protect against data interception, secure transport should be utilized and required. This is the difference between the http and https protocols, for example: https indicates that the connection is protected by a secure transport layer. Secure transport should be required for all access to the data, whether it be via web, via desktop application (e.g. Outlook connecting to a secure mail hosting provider), or via API to internal software or databases.
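The requirement above (secure transport for every access path, including API calls into the provider) can be enforced in client code rather than left to convention. The following Go program is an added example, not code from this paper or from Hess Legal Counsel or Aponix: it refuses any endpoint that is not https, sets a minimum TLS version on the client, and rejects a provider redirect from https back to http, which would otherwise silently drop the protection. The hostname api.vendor.example is a hypothetical placeholder.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// RequireTLS accepts only absolute https URLs, so a misconfigured endpoint
// (http://, or a scheme-less host) is rejected before any request is made.
func RequireTLS(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("endpoint %q is not https: plaintext transport refused", raw)
	}
	return u, nil
}

// refuseDowngrade is an http.Client redirect policy: a provider that answers
// an https request with a redirect to http must not be followed.
func refuseDowngrade(req *http.Request, via []*http.Request) error {
	if req.URL.Scheme != "https" {
		return errors.New("redirect to non-https URL refused")
	}
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	return nil
}

// NewClient builds an http.Client that verifies server certificates (Go's
// default), refuses TLS versions below 1.2, and applies refuseDowngrade.
func NewClient() *http.Client {
	return &http.Client{
		Timeout:       30 * time.Second,
		Transport:     &http.Transport{TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}},
		CheckRedirect: refuseDowngrade,
	}
}

func main() {
	// Hypothetical vendor endpoints, one correct and one misconfigured.
	for _, ep := range []string{"https://api.vendor.example/v1/records", "http://api.vendor.example/v1/records"} {
		if _, err := RequireTLS(ep); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", ep)
		}
	}
	_ = NewClient()
}
```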


Encryption at Rest: A key means of protecting your data from being stolen is encryption of the data when stored as files or in a database, “at rest”. When properly set up and when the encryption keys are properly protected, it can mitigate the risks around physical and virtual theft. There are two types of encryption at rest: server-side and client-side. With server-side encryption, the provider holds the keys to decrypt and encrypt the data, and how they protect those keys is critical. With client-side encryption, the end-user holds the keys to encrypt and decrypt data, meaning the provider has no access to your data: the data is extremely well protected.
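To make the server-side versus client-side distinction concrete, here is an added Go example (not from this paper or its authors) that models a hypothetical provider object store using AES-GCM. With server-side encryption the provider's own key decrypts a stored object, so anyone who can reach that key (operational staff, or malware on their machines, as the Data & Systems Access section warns) can read it; with client-side encryption the provider only ever holds ciphertext and the same read attempt fails authentication. The store, key names, object names and the sample record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Blob is what the provider stores: a random nonce plus AES-GCM ciphertext.
type Blob struct{ Nonce, Ciphertext []byte }

// NewKey returns a fresh 256-bit AES key.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	return k
}
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // errors only on a bad key length
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Seal encrypts plaintext under key; the object name is bound in as
// associated data so a stored blob cannot be quietly re-labelled.
func Seal(key []byte, name string, plaintext []byte) Blob {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return Blob{nonce, gcm.Seal(nil, nonce, plaintext, []byte(name))}
}

// Open decrypts a blob; it returns an error unless both key and name match.
func Open(key []byte, name string, b Blob) ([]byte, error) {
	return gcmFor(key).Open(nil, b.Nonce, b.Ciphertext, []byte(name))
}

// Store is a hypothetical provider's object store; providerKey is the key the
// provider uses for server-side encryption. Client-side keys never reach it.
type Store map[string]Blob
var providerKey = NewKey()

// PutServerSide: plaintext reaches the provider, which encrypts it itself.
func (s Store) PutServerSide(name string, plaintext []byte) {
	s[name] = Seal(providerKey, name, plaintext)
}

// StaffRead models a provider employee (or malware on that employee's
// machine) with access to both the store and the provider's key.
func (s Store) StaffRead(name string) ([]byte, error) {
	b, ok := s[name]
	if !ok {
		return nil, fmt.Errorf("no such object %q", name)
	}
	return Open(providerKey, name, b)
}

func main() {
	s, clientKey := Store{}, NewKey()
	pii := []byte("acct,ssn\n1,000-00-0000") // constructed sample record
	s.PutServerSide("ledger-sse.csv", pii)
	s["ledger-cse.csv"] = Seal(clientKey, "ledger-cse.csv", pii) // client-side
	_, sse := s.StaffRead("ledger-sse.csv")
	_, cse := s.StaffRead("ledger-cse.csv")
	fmt.Println("staff can read server-side object:", sse == nil) // true
	fmt.Println("staff can read client-side object:", cse == nil) // false
}
```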

[Figure: Depiction of access controls, data transmission encryption, and encryption at rest. Source: Centers for Disease Control, "Details About Data Encryption", http://www.cdc.gov/cancer/npcr/tools/security/encryption2.htm]

External Audits & Certifications

Cloud providers often undergo various audits to attest to their controls over data and systems access, as well as their policy around implementation of system changes that could cause disruption if not properly managed. While not a guarantee of protection by any means, these help provide comfort that the organization underwent external validation for at least some of their controls. The value of the audit is often dependent on the quality of the auditors and their ability to identify the key control objectives for the firm.


For More Information

Hess Legal Counsel

Hess Legal Counsel LLC is a small law firm providing counsel services to investment advisers, hedge funds, broker dealers, execution venues and financial technology firms, including vendor risk management services. In conjunction with its sister entity, HLC Consulting LCC (www.HLCConsultingNY.com), it provides compliance, technology risk and information security governance solutions, including policies and procedures, and breach management services to financial services firms.

www.hesslegalcounsel.com | [email protected] | (646) 783-7030

Aponix Financial Technologists

Aponix Financial Technologists is a team of highly specialized and experienced technologists from large banks and hedge funds focusing on technology advisory, technology risk and cyber-security, and IT governance for financial firms. Aponix centers its services around independent, holistic technology risk assessments for investment advisors, hedge fund investors, and financial software vendors, covering infrastructure, software, service providers, workflows and integrations, and cyber-security. The assessments are paired with phishing tests, on-going staff security training, network vulnerability testing, and independent advisory.
