04.14.2014

Business Continuity Via the Cloud

Virtualization, mobility and cloud technologies have broadened the possibilities for business continuity and disaster recovery, both of which form an integral component of information security.

“You no longer have to build out a 1:1 data center in another location to get true disaster recovery,” said James Russell, principal in the information technology group at consultancy Rothstein Kass. “It is possible to build in-house solutions for a fraction of the cost and space it used to require using virtualization.”

Hedge funds and other trading and investing firms can have DR built in as part of their cloud infrastructure.

“That is one of the strengths of the cloud and providers with multiple data centers,” Russell said. “With the right provider, DR is almost a by-product of their infrastructure design. This allows about any company to have a good DR solution without having to put down a large capital expenditure like in the past. Now it can be built into the solution and instead becomes an operating expense.”

James Russell, Rothstein Kass

Mobility also offers more advantages than in the past. “If your DR solution is cloud-based or otherwise designed for mobility you can have users working remotely from just about anywhere,” said Russell. “This can eliminate the need to have a ‘hot’ or ‘warm’ site ready and waiting in most cases. This can vary depending on the business type or sector, but in many cases mobility allows for employees to get back to work from just about anywhere even after a major disaster.”

When selecting data centers, hedge funds need to understand what their critical applications are and which business functions each application covers. They also need to make sure that their infrastructure is fault-tolerant.

“Exercising a BCP plan is very important, so we do tabletop exercises at least quarterly to go through different disaster scenarios and how to respond to that,” said Doug Steelman, chief information security officer at Dell SecureWorks. “We’ve been fortunate in that we’ve had several real-world events that have tested our BCP and DR, and we’ve been successful in…executing on those plans that we’ve developed over time.”

This is not to say that hedge funds no longer need to be concerned with information security once they’ve inked contracts with cloud and data center providers; industry experts and practitioners say it is quite the contrary.

“The biggest challenge is the delusion that you can ‘check the security box’ by housing your data with a cloud provider that has excellent security,” said Mason Weisz, counsel at ZwillGen, a law firm specializing in Internet security issues.

This mindset is problematic in two ways — one more obvious than the other, according to Weisz. The first and more obvious reason is that pitfalls in the vendor selection and onboarding process can prevent a company from accurately identifying and appropriately entering into a relationship with a cloud provider that has excellent security.

“There is no question that many cloud providers are better equipped to provide data security than many hedge funds’ in-house IT departments,” said Weisz. “Many cloud providers have more significant resources in this area, and their entire organization can focus on data security, which gives them a significant advantage.”

The second and less obvious challenge takes shape after the cloud provider has been engaged. Take, for example, a cloud provider engaged by a hedge fund to hold all of its investor records. “Let us assume that the cloud provider offers an easy-to-use, password-protected interface, it has perfect security and cannot be hacked, and the contract with the hedge fund is very favorable to the hedge fund,” said Weisz. “Good enough? Not close.”

To responsibly use a provider’s services, the hedge fund still needs to implement rigorous controls around passwords, secure the computers that employees use to access the service, train employees to avoid falling prey to phishing scams and other social engineering ploys that criminals use to trick employees into providing their login credentials to the service, and implement controls around managing records outside the cloud service.

“Records that are never entered into the service cannot benefit from its security, nor can records that are copied from the service to another location, such as a user’s hard drive,” said Weisz.

Unfortunately, for some providers, security is an afterthought, which doesn’t always stop them from making bold security claims in their marketing campaigns. Without a rigorous process to vet vendors (e.g., through the use of questionnaires, interviews and review of security audit certifications), it can be difficult to reliably identify the ones that actually are capable of providing adequate security.
