IT Reliability and Security in Investment Firms
Managed Service Providers (MSPs) serve the need; here's what to expect from them
Investment firms are among the most security-conscious businesses, for good reason. Their clients depend on them to be up and running constantly and to keep their investments and privacy safe. But disasters lurk in both physical (storms, power outages, hardware crashes) and cyber (viruses, malware attacks) realms. And in investment management, a day – or even an hour – of downtime is a disaster.
Technology and security play critical roles. Investment firms need fast, efficient and stable IT systems for research, trading, regulatory compliance and reporting results to their customers. And they have a paramount need to keep their proprietary data and customer accounts protected at all times.
Meeting these needs can be costly – custom-built, on-site IT infrastructure and security applications are expensive. Likewise, asset managers want to focus their core competency – seeking Alpha. Thus, many firms turn to managed service providers (MSPs) with cloud-based solutions for their primary IT needs.
A reliable MSP does the heavy lifting for its clients when it comes to technology and security. An effective provider will have built an adaptive infrastructure using enterprise class technology to provide a highly reliable and scalable computing environment. Leveraging industry best practices for hosting services, the MSP delivers secure and robust access to mission critical applications such as email, file sharing, mobile device management and platforms for industry specific applications.
At the core of the MSP’s operations will be a network of data centers that are highly secure, continuously available, scalable and manageable. MSP data centers should be certified to the highest industry standards and compliance requirements and be connected to the Internet using multiple Internet Service Providers (ISPs). Security should be implemented through multiple network layers. Starting with Internet access firewalls, access controls must be implemented to restrict inbound and outbound traffic.
As a best practice, an MSP’s hosted platform should:
- Be architected to allow for the failure of individual components without impacting the client or any of its users in their use of the IT functions.
- Have all hardware components in each data center configured for high availability.
- Have redundancies in the primary data center, all client data is replicated to a secondary data center.
- Be equipped to rapidly restore service and data in a secondary data center in the event of a disaster that affects the primary data center.
Investment managers and investors in general want peace of mind when it comes to the security of their data. A “3-2-1 methodology” for data protection provides that. In essence, 3-2-1 is three copies of data, stored on two different storage types, with at least one copy of data stored offsite. This can be accomplished by replicating data between geographically dispersed data centers and backing up vital data using different resiliency vendors and storage solutions.
At the heart of an MSP will be a 24/7 NOC that monitors internal and hosted services – among other things: preventively maintaining, checking disk sizes and circuit connectivity. Safeguarding files using these methods limits risk. The helpdesk must always be prepared should a disaster scenario occur, be it cyber attack, human error, or works of nature.
To be fully prepared for a worst-case disaster scenario, an MSP must test its primary and backup systems, using multiple approaches:
- Perform regular client data backups and restorations to ensure data is on secondary or tertiary storage.
- Run platform level penetration tests multiple times per year, contracting with different vendors to identify and remediate against any possible risk.
- Perform regular “failovers,” with hundreds of servers and the interaction of multiple clients. This includes third-party vendor coordination and participation.
- For hosted voice and networking, perform testing within its data centers, validating that both sides of a redundant pair can handle the full load should the primary go offline.
An MSP should also assist with client disaster recovery documentation and business continuity planning. Each test it performs should be followed up with a report, noting scope, timing and key takeaways. In addition to reports, important security and compliance focused documentation should be provided to clients in a transparent manner.
In today’s remote work environment, an MSP also needs to provide solutions for investment firm employees who work outside the office. Leveraging the cloud, an MSP can provide options to connect and access all systems remotely and securely. Should a client’s local office become unavailable, they can resume working from virtually any location with a stable internet connection.
Finally, an MSP must test, re-test and perfect its core systems. For each exercise, it should analyze the process, looking to automate or remove steps in an effort to improve overall speed and efficiency. The MSP is mission control of the firms in its orbit – failure is not an option.