The Five Commandments for Confidentiality in the Cloud
There are major benefits associated with the cloud – or Software-as-a-Service (SaaS) if you prefer that terminology – for the financial services industry.
Cloud delivery of trading services enables instantaneous updates and product enhancements, as well as “hive-mind” improvements – product updates that take place by drawing on the insights of how customers are using the solution in aggregate. These are critical in an environment where regulatory changes have sweeping implications that may be ill-defined and are rolled out on tight timelines.
Easily deployed cloud-based trading solutions can also widen the number of potential counterparties a firm can work with, increasing security, transparency, and efficiency.
The cloud also provides another major benefit that it’s most commonly known for in every industry: cost-effective solutions that don’t require an increase in internal headcount or hardware to manage. (A full explanation of the benefit of the cloud to financial firms can be found in my blog entry, The Top Eight Reasons for the Buy Side To Adopt The Cloud.)
Abuses of fiduciary responsibility and privacy lapses, while rare, aren’t unique to the cloud; they have taken place in business since the dawn of capitalism. To maintain client confidentiality, cloud providers need to observe these five commandments:
1. Know Thy Requirements. Clients must have a firm understanding of their data and security requirements. Cloud-based platforms, like locally deployed solutions, can provide the security clients require if configured properly. Customers need to define their requirements and review the vendor’s ability to provide the appropriate level of security.
2. Thy Regulator is Everywhere, so Follow all Thy Regulator’s Commandments. SaaS-based vendors are required to be proactive with global regulatory agencies to understand their mandates and best-practice recommendations. These policies will address data retention and access, and must be incorporated into the organization’s internal policies, covering all employees and applications.
3. Thou Must Learn and Teach. Vendors must continually educate and train their employees on procedures and best practices. Security awareness and client confidentiality should be discussed regularly. Simulations are an excellent way to test how internal staff would react when faced with unethical scenarios.
4. Thou Should Trust, but Verify. Trust that your employees are honest, but verify that the controls in place are working. Technology can audit access trails to ensure that only entitled employees and applications are accessing the data. Proactively look for unauthorized access to data, and regularly review the entitlements of every employee and application granted access to sensitive client information. End users should request on-site audits to gain confidence in the controls technology providers have implemented.
5. Only the Anointed Shall Enter the Temple Lest They Die. Data should not be accessed via low-level (SQL) means. Access to data should be controlled through applications and granted via role-based entitlements. Vendors need to provide a high level of service to their clients; however, service and support personnel should have different access entitlements than the sales team.
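Commandments 4 and 5 describe two checks a vendor can automate: comparing the access trail against role-based entitlements, and flagging entitlements that have not been reviewed recently. The following Python script is an added illustration written for this page, not code from the original post or from TradingScreen. The roles (support, sales, ops_admin), the principals, the review dates and the access-trail lines are all constructed sample data; the log format (timestamp, principal, data category, access path) is an assumption made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Role -> data categories the role may read through the application.
# Constructed assumption: support sees order and position data, sales sees
# only contact data, and a small ops_admin role sees everything.
ROLE_ENTITLEMENTS = {
    "support": {"orders", "positions"},
    "sales": {"contacts"},
    "ops_admin": {"orders", "positions", "contacts", "audit"},
}

# Principal -> (role, date the entitlement was last reviewed). Constructed.
# Service accounts ("report-service") are reviewed just like human users.
PRINCIPALS = {
    "alice": ("support", "2023-11-01"),
    "bob": ("sales", "2022-02-15"),
    "carol": ("ops_admin", "2023-12-20"),
    "report-service": ("ops_admin", "2023-06-30"),
}

# Constructed access-trail lines: timestamp, principal, data category and
# the path used ("app" = application-mediated, "sql" = direct database).
SAMPLE_LOG = """\
2024-03-01T09:00:00Z alice orders app
2024-03-01T09:05:00Z bob contacts app
2024-03-01T09:07:00Z bob positions app
2024-03-01T09:10:00Z carol audit app
2024-03-01T09:12:00Z report-service positions sql
2024-03-01T09:15:00Z temp-contractor orders app
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    principal: str
    category: str
    path: str


def parse_event(line: str) -> AccessEvent:
    """Parse one space-separated access-trail line into an AccessEvent."""
    ts, principal, category, path = line.split()
    return AccessEvent(ts, principal, category, path)


def check_event(ev: AccessEvent) -> list[str]:
    """Return the findings for one event; an empty list means the access was
    application-mediated and within the principal's role entitlement."""
    findings = []
    if ev.path != "app":
        # Commandment 5: data is reached through the application, not via SQL.
        findings.append("direct-db-access")
    entry = PRINCIPALS.get(ev.principal)
    if entry is None:
        findings.append("unknown-principal")
        return findings
    role, _reviewed = entry
    if ev.category not in ROLE_ENTITLEMENTS.get(role, set()):
        # Commandment 4: only entitled roles; sales must not read positions.
        findings.append("outside-role-entitlement")
    return findings


def audit(log_lines) -> list[tuple[str, str, list[str]]]:
    """Run every access-trail line through check_event and keep only the
    events that produced findings, in log order."""
    flagged = []
    for line in log_lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        findings = check_event(ev)
        if findings:
            flagged.append((ev.principal, ev.category, findings))
    return flagged


def stale_entitlements(today: str, max_age_days: int = 180) -> list[str]:
    """Principals whose entitlement has not been reviewed within
    max_age_days of `today` (an ISO date), sorted by name."""
    as_of = date.fromisoformat(today)
    stale = []
    for principal, (_role, reviewed) in PRINCIPALS.items():
        age = (as_of - date.fromisoformat(reviewed)).days
        if age > max_age_days:
            stale.append(principal)
    return sorted(stale)


if __name__ == "__main__":
    for principal, category, findings in audit(SAMPLE_LOG.splitlines()):
        print(f"{principal}: {category}: {', '.join(findings)}")
    print("entitlements due for review:", stale_entitlements("2024-03-01"))
```

Run against the constructed log, the audit flags three events: the sales user reading position data (outside the sales role), the reporting service reaching the database directly rather than through the application, and an unknown principal. The review check separately lists the two principals whose entitlements are more than 180 days old, which is the kind of periodic entitlement review commandment 4 calls for, applied to service accounts as well as people.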
The cloud offers unique advantages for efficiency, transparency, and savings that have never been available before. Taking advantage of this tool isn’t just a good idea – it should be required in most industries.
By working together with clients, and following the five commandments for maintaining confidentiality in the cloud, technology vendors can continue to provide this critical service in a secure environment while adding unparalleled value to their end users.
Brian Nadzan is Chief Development Officer of TradingScreen.
Brian Nadzan has over twenty years of product development in the financial services industry, having spearheaded development in electronic trading, position keeping, P&L and risk management, compliance and STP.