On May 23, 2019, the Office of Compliance Inspections and Examinations (“OCIE”) issued the alert “Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features”. In this alert the OCIE ‘identified security risks associated with the storage of electronic customer records and information by broker-dealers and investment advisers in various network storage solutions, including those leveraging cloud-based storage’.
The OCIE highlighted:
- Misconfigured network storage solutions
- Inadequate oversight of vendor-provided network storage solutions, and
- Insufficient data classification policies and procedures
The OCIE loosely (intentionally) defined what a cloud-based storage solution was. To provide some clarification of what a “cloud-based” storage solution is, so you understand your potential exposure, we provided some examples below:
- A file storage and sharing solution like Microsoft OneDrive, Dropbox, Box, Sharefile, and similar.
- It could also be virtual servers running in Microsoft Azure, Amazon Web Services, or Google Cloud.
- If you are using a private cloud, like those provided by managed IT service providers, it would be the virtual servers they host in their data centers for you.
- Backup data stored in an online solution like KeepItSafe, iDrive, Livevault, Amazon S3 Buckets or Glacier, etc.
- Email in the cloud like Office 365, Mimecast, Intermedia, etc.
If you are using one or more of these solutions and have not performed holistic assessments of the usage, gaps may exist that leave you exposed to both cyber and regulatory risk.
When using cloud-based storage solutions data classification is a starting point for maintaining the confidentiality and potentially the integrity and availability of data based on the data’s risk impact level, so setting the right level of specificity matters.
- The first step is to inventory the data so you have a clear picture of what will be stored in the cloud.
- Risk assess and classify the data. This is where the development of your policies and procedures come into play.
- Implement the controls in the cloud, then assess the controls to ensure they are working as intended.
- Perform appropriate levels of monitoring and review to ensure compliance with your policies and procedures.
Elteni recommends that analysis be performed of each public-cloud solution being used to ensure:
- All of the security best practices provided by the vendor have been implemented.
- Encryption is used where necessary. If using encryption, ensure there is a way to secure the encryption keys.
- Two-factor or multi-factor authentication is used.
- Proper deployment of role-based access has been configured.
- Access is limited to only those that need it.
- Appropriate oversight is being maintained in the form of log collection and review.
- Thorough vendor diligence has been performed.