Amazon Finspace - Security and Trust

True, but would you recommend it to a client that does trade heavily?
Unless you are at the architect level, it's not a concern for your paygrade. Again no offense, but if you had the authority to choose deployment, you certainly wouldn't be asking ET instead of industry colleagues. That's where I would be directing my questions if I was concerned about it.
 
Can we please set aside my trading volume, pay grade and penis size, and answer the question?

-> Would this be a good fit for a hedge fund with proprietary data, analysis, and information, or is the security risk too high?
 
I'd be more concerned about a data leak happening like this one than Amazon stealing the data.
https://www.reuters.com/technology/...ustomers-exposed-databases-emails-2021-08-26/
EXCLUSIVE Microsoft warns thousands of cloud customers of exposed databases

Microsoft (MSFT.O) on Thursday warned thousands of its cloud computing customers, including some of the world's largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher.

The vulnerability is in Microsoft Azure's flagship Cosmos DB database. A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies. Wiz Chief Technology Officer Ami Luttwak is a former chief technology officer at Microsoft's Cloud Security Group.

Because Microsoft cannot change those keys by itself, it emailed the customers Thursday telling them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to an email it sent to Wiz.

"We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure," Microsoft told Reuters.

Microsoft's email to customers said there was no evidence the flaw had been exploited. "We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key," the email said.

“This is the worst cloud vulnerability you can imagine. It is a long-lasting secret,” Luttwak told Reuters. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”

Luttwak's team found the problem, dubbed ChaosDB, on Aug. 9 and notified Microsoft Aug. 12, Luttwak said.

The flaw was in a visualization tool called Jupyter Notebook, which has been available for years but was enabled by default in Cosmos beginning in February. After Reuters reported on the flaw, Wiz detailed the issue in a blog post.

Luttwak said even customers who have not been notified by Microsoft could have had their keys swiped by attackers, giving them access until those keys are changed. Microsoft only told customers whose keys were visible this month, when Wiz was working on the issue.

Microsoft told Reuters that "customers who may have been impacted received a notification from us," without elaborating.

The disclosure comes after months of bad security news for Microsoft. The company was breached by the same suspected Russian government hackers that infiltrated SolarWinds, who stole Microsoft source code. Then a wide number of hackers broke into Exchange email servers while a patch was being developed.

A recent fix for a printer flaw that allowed computer takeovers had to be redone repeatedly. Another Exchange flaw last week prompted an urgent U.S. government warning that customers need to install patches issued months ago because ransomware gangs are now exploiting it.

Problems with Azure are especially troubling, because Microsoft and outside security experts have been pushing companies to abandon most of their own infrastructure and rely on the cloud for more security.

But though cloud attacks are more rare, they can be more devastating when they occur. What's more, some are never publicized.

A federally contracted research lab tracks all known security flaws in software and rates them by severity. But there is no equivalent system for holes in cloud architecture, so many critical vulnerabilities remain undisclosed to users, Luttwak said.
 
Can we please set aside my trading volume, pay grade and penis size, and answer the question?

-> Would this be a good fit for a hedge fund with proprietary data, analysis, and information, or is the security risk too high?
Short answer no I don't think it's an issue.

Longer answer and my point from the earlier post Keith: WTF are you asking ET? 99% of ET struggles to make $50 a day and 99.99% have never worked with AWS. Absolutely the wrong audience to be asking the question. Would you ask your car mechanic on issues with your home plumbing?
 
ET is a good forum, and there are some smart people here. I've received some great and helpful responses to some tough questions through the years--all for free. Are there gamblers and n00bs? Yes, but there are also seasoned professionals who are willing to share their experience. Maybe 99% are worthless, but the opinion of the 1%--the one guy that worked as a Data Engineer for Citadel, or another who is a Cloud Security Engineer--is gold. There's a reason we have a "Data Sets and Feeds" forum here.

Take @ph1l's solid response for example: Azure was hacked, and data were exposed. Was any proprietary hedge fund data lost? Solid response!

- There's relatively little bias here: people speak their mind, and will speak the truth. Nowadays it's becoming harder and harder to find honest opinions that are not censored.

Curious as to why you undermine the question with personal attacks on my trading volume, pay grade, and bash the ET community as well? Cloud security, especially concerning proprietary financial data, is a reasonable concern. If you're a hedge fund PM spending $10M/year on Ph.D.'s in Physics and Mathematics to transform MD into profitable indicators, you'd want that secured, right? Why not just answer the question and give your opinion?

Finally, if not ET, where would you inquire? Should I ask on the AWS forum?
 

You have got to be kidding me? There's little bias? This is one of the most heavily biased sites on the Internet. Some days I can't tell if I'm at Stormfront (google it) or ET.

If you are really employed at a respectable fund Keith, you would have access to your peers and the immediate community who would be much better at answering your questions than a random guy on ET. They would direct you to the right places. I'm not saying these people who are knowledgeable aren't on ET, but they are far and few.

I stand by my statement that 99% of ET struggles to make $50/day. You want to ask these guys on how to secure data sets? If I was your employer and found out, you would not be employed any more. Like I said, I'm not knocking your paygrade, but your decision making.

You should be asking on nuclearphynance, wilmott.com etc. Not ET. The fact that you didn't know where to ask tells a lot about you.
 
Again, back to the ad hominem attacks; this time it's my "decision making." In my defense, ET is just one of dozens of sources I consult before making any decision; and yes, I do value opinions here on ET.

Yes, my trade volume is low, my pay-grade sucks, my decision-making is poor, ET is trash, and my penis is too small. I would add that I'm going bald, and have a bit of a beer gut. So having established my ignorance, insignificance, and ugliness, can you actually use your brain to form an opinion on the OP? Some prompts:

1. What are the risks involved with a hedge fund using AWS Finspace?
2. What are the pros and cons of setting up a small in-house cloud-based service? Is this possible?
3. Perhaps rolling their own servers still makes sense?
4. Are there any key differences among AWS, GCP, Azure, and other cloud services? Do any offer specific advantages to the Financial community?

A word of free advice: stop with the ad hominem attacks. You embarrass yourself.

--Keith
 