How to Approach Data Security for E/CTRM Cloud Migration

Nearly 50 percent of firms surveyed said data security in a hosted environment is their number one concern for moving their energy or commodities trading risk management systems to the cloud.

That’s according to a survey conducted during the webinar Moving to the cloud: the next frontier for E/CTRM systems? hosted by EnergyRisk in partnership with Sapient Global Markets. Data security was chief among concerns ahead of the complexities of moving to the cloud at approximately 30 percent and vendor offering limitations at roughly 20 percent.

The results come at a time when energy and commodities firms are evaluating their capabilities to transition their data to a public cloud for enhanced agility and cost savings (click here to read the first blog of this series) amid uncertainty around the ability to securely manage sensitive data.

One of the main security issues discussed during the webinar centered on creating a secure environment for transferring data. How secure is your data when it is moved back and forth internally and externally? What’s the right level of security encryption so that unauthorized people are not able to access your data without the appropriate permissions?

Another concern focused on the security level of the hosting environments once data is transferred to a platform.

So what is the best approach for tackling these and other data security challenges during E/CTRM cloud migration?

From an actual requirements perspective, the data classification should be the first step, e.g., classifying the various data items as public, private and restricted. When you look at the application (your CTRM or ETRM system) that you are moving to the cloud, you need to classify the different categories of data included in those systems and map them against the four information security attributes:

  • Confidentiality
  • Integrity
  • Availability
  • Nonrepudiation

For each class of data, whether it is public, private or restricted, you will have different requirements against these security attributes. For instance, restricted data pose the highest risk if leaked and will therefore require the highest levels of confidentiality, integrity, availability and non-repudiation.

Next, you need to look at the matrix of data classification against the information security attributes and plan the appropriate security controls. You should consider how your data is accessed across the different layers in the cloud platform and devise a strategy for addressing specific security requirements of different information categories. So at the basic level, what do you need to do from an infrastructure and networks perspective? Do you have the right connectivity and the appropriate hardened environments?

After you work through those considerations, at the next level you would evaluate security on the platform. What additional protection mechanism does the cloud vendor provide? Many of the cloud vendors like Microsoft Azure or Amazon Web Services (AWS) provide several security controls including network protection, access controls and identity management.

Finally, you would move into the application level of security, evaluating how you are integrating your data with any of the authentication and authorization solutions in addition to formulating a plan to keep the data secure at the application level. Also for specific data items, are there any encryption requirements for specific data categories?

As you weigh these implications and concerns, it is important to keep in mind that at the end of the day you have to approach the entire security requirements discussion at the solution level, considering each of the different layers— network, host, application and data (this layering of security measures is a proven defense in depth approach). Security cannot simply be a one dimensional control focused purely on security in the cloud. There are a numbers of factors that should be high on your priority list, including:

  • Securing your infrastructure
  • Securing the platform services on that infrastructure
  • Protecting the data living on that platform
  • Securing access and the assigned permissions to people working with that data

For more on this topic, view the webinar


Sudip Dasgupta – Director
As a leading Infrastructure Architect, Sudip has been involved in the infrastructure design of some of the largest technology programs in the last decade (c. $1 billion). He has over 15 years of experience in infrastructure and database planning, design, installation and maintenance for large multinationals as well as government organizations. Sudip is an expert in infrastructure design and operations including capacity planning, design of high availability and disaster recovery architectures, and network designs. His expertise spans Windows and UNIX / Linux environments as well as several cloud IaaS platforms. He has designed compute, storage and network architectures for high-end infrastructure solutions including virtualized platforms. He has helped clients define standards and guidelines for their compute and storage and architected cloud platform.