As the alternative investment industry looks to migrate core applications and operations to the cloud, the need to understand the potential security risks and threats has become even more important.
Organizations can better safeguard themselves and their data by asking the right questions upfront and developing a robust cybersecurity strategy for their cloud applications.
The cloud is not inherently more secure or less secure than your on-premises datacenters. With that being said, the cloud is one of the major IT trends today, and it is transforming the way businesses everywhere build and procure IT solutions. Rather than hiring technical staff to build data centers and configure servers, businesses are outsourcing these functions “to the cloud” and simply procuring applications and platforms from industry leaders like Amazon, Microsoft and IBM. The cloud enables new levels of business agility by abandoning large scale “capital expense” projects for “pay-as-you-go” Software-as-a-Service (SaaS) models. Firms and investors alike are now leveraging applications like Salesforce.com to handle key business operations from fundraising to portfolio management.
But with the rapid growth and agility gained by leveraging cloud applications also come new opportunities for threats and attacks. A few key questions can start you down the path in ensuring your cloud application is secure and reliable.
So…what are some of the questions you should be asking your provider?
1. What compliance standards are being met at your datacenters?
No single cloud environment is 100 percent safe, and a provider's infrastructure must be controlled and monitored under a set of robust, documented policies and standards. As cloud computing becomes more popular, it will become the target of more malicious attacks. Independent attestations and certifications such as SOC 1 and SOC 2 reports (issued under the SSAE 16 attestation standard, since superseded by SSAE 18) and ISO/IEC 27001 certification indicate that your provider has been through a rigorous, independent audit against a recognized framework. Note that they cover different things: SOC 1 addresses controls relevant to your financial reporting, SOC 2 addresses security, availability, confidentiality and related criteria, and ISO/IEC 27001 certifies the provider's information security management system. These frameworks provide the structure for a secure and reliable cloud environment in which your applications will operate. You have the right to ask for verification that the security controls your provider lists are actually implemented, and for the audit results from the certifying third parties. When you receive a SOC 2 report, read the scope, the reporting period and any noted exceptions rather than treating the report's existence as proof of security; a Type II report covering a full year is far more informative than a point-in-time Type I.
2. Where is my data being stored?
The flexibility of the cloud means you can access it from anywhere; the downside is that you may never know exactly where your data is being stored. If data is moved to a different country, a whole different set of laws and regulations can become applicable to you and your data. Some providers will allow customers to specify which countries they would like their data to be stored in; others may not, because of how their application is built and operated. Ask not only where the primary copy lives, but also where replicas and backups are kept and from which jurisdictions the provider's support and operations staff can access it.
3. When is my data encrypted?
Encrypting your data while it is in transit prevents it from being easily and cheaply intercepted on the network. Firms and investors are just as susceptible to inside threats as they are to outside threats. Whether accidental or malicious, exposure of sensitive data can be equally devastating. It is important to recognize that safeguards at the perimeter do not substitute for safeguards inside. Ensuring your data is encrypted while it is at rest prevents unauthorized users from reading it through commonly available backend tools or from backup files and copies of the underlying storage. Encryption at rest only delivers that protection when the keys are managed separately from the data, so ask who holds the keys, whether you can supply or control them, and which of the provider's staff can use them. Encryption at rest also does nothing against an attacker who has valid application credentials; that threat is handled by access control and monitoring, not by encryption.
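The following is an added example, not code from the article or from PFA Solutions, that makes the at-rest point concrete: a record is sealed with AES-256-GCM under a data-encryption key before it is written, so a backup file or a raw read of the storage backend yields ciphertext that carries no plaintext and fails to open without the key, while the same record stored unencrypted leaks its contents to anyone who can read the file. The record contents, the key generation and the choice of AES-GCM are assumptions made for illustration; in a real deployment the key would come from a KMS or HSM that the storage and backup tooling cannot reach.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newDataKey returns a fresh 256-bit data-encryption key. In production this
// key would be generated and held by a KMS/HSM, not by the application host.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptAtRest seals plaintext with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag, which is what lands on disk and in backups.
func encryptAtRest(dek, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce so the blob is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAtRest opens a blob produced by encryptAtRest. A wrong key, a
// truncated blob or a single flipped byte all fail authentication.
func decryptAtRest(dek, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("stored blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// leaksPlaintext models what a backend tool or a copied backup file reveals:
// does the stored byte string contain the sensitive value verbatim?
func leaksPlaintext(stored []byte, secret string) bool {
	return bytes.Contains(stored, []byte(secret))
}

func main() {
	// Constructed sample record; not real investor data.
	const investor = "Acme Pension Fund"
	record := []byte("investor=" + investor + ";commitment=25000000")

	// Unencrypted storage: the backup copy exposes the investor name.
	fmt.Println("plaintext store leaks:", leaksPlaintext(record, investor))

	dek, err := newDataKey()
	if err != nil {
		panic(err)
	}
	blob, err := encryptAtRest(dek, record)
	if err != nil {
		panic(err)
	}
	// Encrypted storage: the same backup copy reveals nothing.
	fmt.Println("encrypted store leaks:", leaksPlaintext(blob, investor))

	// Only the holder of the key gets the record back.
	pt, err := decryptAtRest(dek, blob)
	fmt.Println("decrypt with key:", string(pt), err)

	other, _ := newDataKey()
	_, err = decryptAtRest(other, blob)
	fmt.Println("decrypt with wrong key fails:", err != nil)
}
```

The key take-away is the separation: whoever can copy the storage or the backups gets `blob`, and without `dek` that copy is worthless; the question to put to a provider is therefore where `dek` lives and who can call the equivalent of `decryptAtRest`.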
4. How do I recover from a security breach?
Whether accidental or intentional, a security breach is more likely than not to occur at some point. Your selected cloud application provider should have an incident response policy and team in place; ask how quickly they commit to notifying you, what logs and forensic evidence they will share, and how they will support your own investigation. You should also have an internal plan that lays out the steps to assess the damage, contain it and recover. Your plan should include an internal and external contact list of security experts, law enforcement and legal counsel. Additionally, you should consider cybersecurity insurance to help mitigate the potential financial damage and cost of recovery. Cybersecurity insurance transfers some of the financial risk of a security breach to the insurer, but it is not a complete solution, and policies commonly exclude losses caused by controls you failed to maintain.
5. Who is responsible for securing and monitoring our application?
Moving to the cloud does not move all of the responsibility with it: the provider secures the platform it operates, while you remain responsible for your user accounts, access rights, configuration and data. Organizations that are outsourcing to the cloud therefore still need internal system administrators and/or a capable cloud security expert on staff to monitor applications and maintain policies. Virtual security appliances and cloud-native monitoring tools let you deploy inspection and alerting alongside your cloud application and infrastructure rather than only at a physical perimeter. Your cybersecurity strategy should include defined roles and responsibilities, on both sides, that are accountable for securing and monitoring your cloud application, written down so that no control is assumed to be someone else's job.
Although we have come a long way with cloud applications and security, there are still concerns and issues to overcome. A cloud application is assembled from many moving parts, and those pieces do not always fit together cleanly. Cloud applications offer many advantages over traditional in-house built or commercial off-the-shelf solutions. They are not, however, without drawbacks, especially with regard to cybersecurity and data protection. The flexibility of access and provisioning of services comes at a price. Once data has gone into a public cloud, control over data security and governance is transferred, in whole or in part, to the cloud application provider. Understanding how much of that responsibility remains yours and how much rests with the provider is paramount.
The key is never to become complacent, ask questions and not to assume that the provider cares about your data as much as you do.
Formerly the chief architect at The Carlyle Group, Richard Change is a managing partner at PFA Solutions, a provider of cloud-based applications for the alternative investment industry.