Private capital firms are discovering that business best practices center not only on cybersecurity awareness but also on the reality that firm-wide computing networks have expanded in the current at-home work environment.
This has meant a new set of risks that firms are still assessing even as we are going into our third year of dealing with working from home.
Grigoriy Mills is a 17-year cybersecurity veteran and leads the cybersecurity, automation and research and development teams at IT/cybersecurity firm RFA. Mills oversees RFA’s systems architecture team and the support of RFA’s clients, which include hedge funds, private equity funds, fund of funds, private wealth management and investment management firms.
He is constantly eyeing opportunities to create solutions that benefit RFA clients’ IT departments, daily operations and deal flow.
In this exclusive Alternatives Watch interview, Mills agreed to tell us about one of the more exciting developments being applied by their clients and the potential to significantly boost cybersecurity.
Alternatives Watch: What is Zero Trust Network Access (ZTNA) and how does it differ from VPNs?
Mills: ZTNA is a framework of controls designed to establish additional parameters required to access network resources beyond authentication. The concept of zero trust relates to the fact that a network always assumes that any user or device is not authorized for access, and as such, every request to access a part of the network must be authenticated each time. This is compared with a VPN, which works by assigning credentialed users/devices a system-approved IP address and subsequent access to the entire network.
Alternatives Watch: What are some common misconceptions around Zero Trust?
Mills: There are two common misconceptions which are useful for managers to understand. The first is that ZTNA is complicated and expensive to implement and maintain. Every manager, regardless of size or the network infrastructure it has in place, can implement ZTNA with the help of a specialist who can assess which tactics to employ and which vendors to utilize. Another common misconception is that by implementing ZTNA senior management is saying that it does not trust their employees. Rather, the goal with ZTNA is simply to prevent unauthorized access to your network and data breaches by malicious actors, which could result in large fines, which ultimately negatively affects a business and its employees.
Alternatives Watch: Why have security experts shifted towards this framework?
Mills: VPNs typically are not designed to enforce resource segregation and zero trust policies as they provide insufficient controls on data access and usage policies. It is also difficult to monitor activity inside encrypted VPN tunnels. Essentially once you are inside a network that is using a VPN you can get access to everything, and malicious actors have shown many times it’s possible to infiltrate networks supposedly protected by VPNs.
Alternatives Watch: What is unique about the security considerations, and vulnerabilities, of alternative asset managers? Hedge funds specifically? Private equity specifically?
Mills: Alternative asset managers are a particularly attractive target for malicious actors because of the immense sums of capital that they deal with as businesses. Take for instance the middle office of a hedge fund, charged with collateral management and posting margin. This part of a hedge fund’s business is a gold mine for malicious actors who can pose as a fund’s CFO or prime broker and request payments in the hopes of being wired millions of dollars by mistake (it has happened more than a few times). Similarly, private equity firms usually have some form of connectivity with their portfolio companies, which themselves could have access to confidential customer information. Therefore, a cybersecurity breach at the manager level could theoretically lead to the leak of personal information being held by a portfolio company. This is why a ZTNA framework is vital for the protection of assets, communications and intellectual property in the alternative investment space.
Alternatives Watch: How can a firm successfully deploy ZTNA?
Mills: Given a large majority of managers do not have significant in-house IT teams, it is advisable to work with a specialist third party that understands the business of running an alternative investment manager and can therefore tailor ZTNA design and implementation to your firm’s specific requirements. A general lack of knowledge/awareness is a major contributing factor in slowing down the adoption of ZTNA. Today the majority of the public cloud/SaaS ecosystems (such as those run by Microsoft, Amazon and Google), which increasing numbers of managers are utilizing, provide many ZTNA capabilities integrated directly into their platforms. A specialist third party can help you identify which vendors to use to create a wider-reaching solution for your business; notable examples include Zscaler, Palo Alto Networks and Axis Security.
Alternatives Watch: What should organizations consider before implementing ZTNA?
Mills: It is absolutely vital for every organization to be aware of what their critical data is and where it is stored. For most managers, this is where the value is within their businesses and what the hackers are looking for access to when they attempt to breach their systems. Once you have this information, the next step is to review who has access to that data, how it is accessed and whether each user needs the access they have. Auditing your user access is best practice cyber hygiene and should be included in your day-to-day operational practices anyway. A suitable place to start is to build out a data privacy impact assessment (DPIA) alongside a robust risk management process for your technology stack.
Next, review your supply chain relationships and communications governance. Supply chain access passwords are often the biggest offender in terms of cyber breaches. It is absolutely imperative that your team are fully trained and understand the consequences of any communications or shared information they may have used to ease other processes. Clear and concise guidelines within supplier agreements will help deliver the correct level of governance. Alongside the security perspective, this is also essential knowledge for any firm to be able to share with regulators and to fulfill any operational due diligence requirements from investors too.
Alternatives Watch: How has the industry adopted it? At what rate?
Mills: The alternative investment industry specifically is rapidly moving to a SaaS consumption model for data and application delivery. This significantly diminishes the need for VPNs, and we fully expect them to become obsolete in our industry within the next three to five years. We would estimate that at least half of alternative investment funds we interact with have adopted ZTNA in some form, with another 30-40% being in a strategy mode. ZTNA is definitely an accelerating trend, and we expect it to be the norm across the industry in the next 12 months.