The Role of Security in Reference Data Management
Warren Buckley, Chief Technology Officer, PolarLake
If the financial crisis of the last few years has taught us anything it has been that control and transparency in reference data management are now even bigger issues for anyone involved in operations and IT than they were before the crisis. While there are a huge number of stories relating to unsecured client account information, mostly within Retail and Consumer environments, what about the control required for non client account data or reference data as we know it? In the post Lehman Brothers world of control we have seen in the market a massive focus on who in a firm gets access to all sorts of reference data, largely seen as not worth the effort to control in the past. Why is the trader in the equities division requesting massive amounts of fixed income pricing data? Why is the commodities analyst requesting settlement instructions for financial institutions? And why is all data on all asset classes being sent to all downstream systems, leading to a reference data security free for all?
There are a number of reasons why this now matters a heck of a lot more today than it used to in the pre-crisis world. Firstly nobody wants to be the next firm where a rogue trader is exposed. Controlling the appropriateness of reference data access can play a part in controlling the activities of traders. Secondly there is the issue of cost. Making sure all data access is controlled is a simple and effective way of making sure that only the data that is required and is appropriate is purchased from third party data vendors. How many applications in large firms are still requesting data daily which is no longer relevant to their current portfolio? And thirdly the issue of compliance with data vendor license agreements can be an area of risk for a firm. Do you know where all the data you have purchased is getting distributed? Is it licensed for those end users or geographies? What is the financial and reputational risk if the firm is inadvertently breaching license terms? And can I provide an audit to the data supplier of data usage by type, volume, role and territory over a particular time period?
How can we tackle these concerns? Security in the enterprise is typically implemented based on user profiles in global directory services for email, operating system, and various applications that staff has access to. But when it comes to reference data is it a bit much to ask application administrators of trading, risk, accounting and portfolio systems to manage a new class of user authentication around data types and classifications as the data arrives into the system? This is something that has been centrally addressed for sensitive client data, but the range and diversity of reference data makes this a much more daunting task. And despite the aspirations of the centralized enterprise data management group, for many firms much data access takes place outside of their gaze.
From our experience in many data management projects the only manageable place to control this new type of access control is within the distribution mechanism. Some of our clients have gone from a position where equities systems were getting flooded with fixed income data at the peak of the crisis as prices were getting reset, to a situation where what they receive is controlled by a tight subscription of relevant, timely data, which is traceable and auditable back to all sources. Distribution systems are really the only mechanisms to provide this capability without upheaval and change in application administration. Doing reference data security at the distribution level is very different from locking down a single source of client data which has been centralised. Distribution touches all endpoints transparently and is by its nature non-invasive.
Reference data security is truly an enterprise issue where old tactics based on application security no longer cut it. A light touch with potentially zero impact on the consumer is essential for success.
Talk to us to learn more of our thoughts on this fascinating emerging area.
2010