Is It Safe In The Clouds?

June 22, 2009
Maria Korolov

Earlier this month, a hacker reportedly exploited a vulnerability in an Internet-based virtualization software platform, taking down more than 100,000 Web sites and other applications.

"That was an intrusion that was cloud-specific--it went through a virtualized vulnerability," said Jim Reavis, founder of the Cloud Security Alliance, an industry group representing risk managers at financial and other firms.

There haven't been large-scale reports of financial data losses due to cloud vulnerabilities, he said--but that's because financial firms haven't yet started using cloud computing for sensitive applications.

The securities industry firms involved in the Cloud Security Alliance are considering using clouds--but not for regulated information, he said.

"People are mostly in the architecture, pilot and strategy phase," he said.

Government agencies are also still in the information-gathering phase, he added.

"We're talking to the regulators and auditors and they're not sure about this," he said. "They know how to audit a data center, but they don't know how to audit the cloud."

However, financial firms are using cloud services for less sensitive applications such as customer relationship management, he added. In fact, financial management and wealth advisory firms are big adopters of this cloud-based technology.

Bob Barry, president of Barry Capital Management, a small wealth management firm based in Hackettstown, N.J., used desktop-based customer relationship software and financial tools for decades.

But he finally made the switch to Salesforce.com a year ago, and, looking back, says he hasn't seen any of the problems that he expected.

He's become comfortable with the level of security. "I use Salesforce everywhere," he said. "I use it from my laptop. And I've used it on other laptops while I've been out of the office."

Barry also uses Salesforce.com to load in customer data from Schwab, via third-party financial tools vendor E-Assist.

One outcome of the financial crisis is that everyone connected with the financial services industry now has a heightened awareness of security, he said, and Salesforce is no exception. "We have confidence in them," he said. "They understand what the security issues are."

Gary Roth, chief operating officer at United Capital Financial Advisers, with $11 billion in assets under management, saw this personally at a recent meeting with the CEO of Salesforce.com, Marc Benioff.

"He had his chief security officer there," Roth said. "To talk to us about what they're doing to keep up to speed with data security and threats. It makes us feel good about their commitment to data security."

Roth talks about security issues with all of his cloud-based vendors, he says--and there are a lot.

"We use cloud for everything," he said, "from e-mail to office applications to industry-specific applications. Our portfolio management. Our CRM [customer relationship management]."

How to check on security

Customers like Roth are becoming increasingly savvy about what to look for when it comes to cloud security and reliability--and this is making vendors step up their game, said Mark Seward, director of product management at security firm LogLogic. "Customers didn't really know what to look for before," he said. "Now customers are asking for independent audits and penetration testing, and SAS 70 type 2 audits to understand how data is handled within the confines of the applications."