Is It Safe In The Clouds?

Earlier this month, a hacker reportedly exploited a vulnerability in an Internet-based virtualization software platform that took down more than 100,000 Web sites and other applications.

“That was an intrusion that was cloud-specific–it went through a virtualized vulnerability,” said Jim Reavis, founder of the Cloud Security Alliance, an industry group representing risk managers at financial and other firms.

There haven’t been large-scale reports of financial data losses due to cloud vulnerabilities, he said–but that’s because financial firms haven’t yet started using cloud computing for sensitive applications.

The securities industry firms involved in the Cloud Security Alliance are considering using clouds–but not for regulated information, he said.

“People are mostly in the architecture, pilot and strategy phase,” he said.

Government agencies are also still in the information-gathering phase, he added.

“We’re talking to the regulators and auditors and they’re not sure about this,” he said. “They know how to audit a data center, but they don’t know how to audit the cloud.”

However, financial firms are using cloud services for less sensitive applications such as customer relationship management, he added. In fact, financial management and wealth advisory firms are big adopters of this cloud-based technology.

Bob Barry, president of Barry Capital Management, a small wealth management firm based in Hackettstown, N.J., used desktop-based customer relationship software and financial tools for decades.

But he finally made the switch to Salesforce.com a year ago, and, looking back, says he hasn’t seen any of the problems that he expected.

He’s become comfortable with the level of security. “I use Salesforce everywhere,” he said. “I use it from my laptop. And I’ve used it on other laptops while I’ve been out of the office.”

Barry also uses Salesforce.com to load in customer data from Schwab, via third-party financial tools vendor E-Assist.

One outcome of the financial crisis is that everyone connected with the financial services industry now has a heightened awareness of security, he said, and Salesforce is no exception. “We have confidence in them,” he said. “They understand what the security issues are.”

Gary Roth, chief operating officer at United Capital Financial Advisers, with $11 billion in assets under management, saw this personally at a recent meeting with the CEO of Salesforce.com, Marc Benioff.

“He had his chief security officer there,” Roth said. “To talk to us about what they’re doing to keep up to speed with data security and threats. It makes us feel good about their commitment to data security.”

Roth talks about security issues with all of his cloud-based vendors, he says–and there are a lot.

“We use cloud for everything,” he said, “from e-mail to office applications to industry-specific applications. Our portfolio management. Our CRM [customer relationship management].”

How to check on security

Customers like Roth are becoming increasingly savvy about what to look for when it comes to cloud security and reliability–and this is making vendors step up their game, said Mark Seward, director of product management at security firm LogLogic. “Customers didn’t really know what to look for before,” he said. “Now customers are asking for independent audits and penetration testing, and SAS 70 type 2 audits to understand how data is handled within the confines of the applications.”

For example, one of the biggest threats to cloud security lies in the browser. To test for this, customers can ask for vulnerability testing of applications, he said.

But, overall, he said, cloud computing environments have the potential to be safer than a company’s internal systems.

“It’s the old ‘where do I keep my money’ analogy,” he said. “Do I stick my money in a mattress, or do I put it in the bank?”

Finally, customers need to check for role-based access controls, he said, so that their employees can’t see data they’re not supposed to have access to. For example, Ted Tsung, CEO at E-Assist, says that the first thing his customers want to know about is security. “They want us to produce our SAS 70 statement.” E-Assist has about 40 securities customers such as brokerages and investment management firms, and focuses mostly on small to mid-sized firms.

“My relationship with E-Assist benefits from the same level of security that exists within Salesforce.com,” said Jerry Luff, managing director of San Francisco-based Baker Avenue Asset Management, which has $350 million under management.

To help customers assess the reliability and security of their cloud vendors, a new industry of security consultants has sprung up, according to Jeff Kalwerisky, chief security evangelist at consulting firm Alpha Software. “Cloud providers maximize their revenue models by using technology assets to service multiple customers,” he said. “Therefore, by definition, there is the likelihood that different–possibly competing–customers will share the same resources. There must be strong controls in place to ensure that a customer’s data is not available to another customer or even the cloud vendor’s own operations staff.”

In addition, clouds can often cross geographical boundaries–a potential problem for financial institutions, especially those located in Europe, said Sriram Chakravarthy, senior product marketing manager at Tibco, which has recently released its Tibco Silver cloud application development platform, which helps companies utilize clouds such as those offered by Amazon.

Despite these challenges, Wall Street firms are under pressure to find ways to use cloud computing, he said, because of the potential cost savings it offers.