Build Your Own Storage Cloud

Thursday, February 25, 2010 10:47

In 2010, the buzz at financial advisor conferences always seems to include cloud computing. Advisors stand to save considerable money and time by offloading the management of programs historically installed on local computers and servers. But one concern always comes up during cloud discussions: data security.

Advisors are justifiably concerned about data security when it comes to cloud services. Client data is sensitive, private, and confidential, and advisors are legally obligated to keep it safe in all circumstances. So when considering cloud services that hold client data, how secure is that data? Unfortunately, I can't answer that question in one brief column.

But what if there is an alternative to cloud services where advisors can still access client data remotely, but the data isn't stored on anyone's server but the advisor's? Enter the Pogoplug.


The Pogoplug is an external device that connects to external USB hard drives. In less than 60 seconds, the Pogoplug can be connected and its service activated so advisors can access all files and data on the USB hard drives through a web browser. Files from the hard drive pass through Pogoplug servers, fully encrypted, and are transferred over the HTTPS protocol. No copies of the files are ever kept on the Pogoplug servers.

This device, at a cost of just $129.99 on Amazon.com, allows advisors to build their own storage cloud. Any piece of data, whether it be a PDF, Word document, video, or podcast, can be accessed remotely through the Pogoplug service.

Pogoplug's website is filled with informative short videos on how the device works, technical specifications, and examples of techniques to get the most out of the device.

Comments (4)

...
agluck
What about security of the advisor's servers? Cloud computing companies (i.e. Advisor Products) should go to great lengths to store data securely. That means behind multiple firewalls and at SAS 70 facilities.

Advisors may not be nearly as careful or even know what to look for in a data center. Or, scarier still, may put the server in their homes or in their firms. The room where our servers are stored requires fingerprint authorization. So no one can come in and just steal your server. Many small data centers are not nearly as careful. And an advisor's home or office is obviously not going to have this kind of physical security.

Plus, the data that is stored should be encrypted. A lot of the cloud services store data unencrypted and only encrypt it when uploaded or downloaded. That's not enough.

And there's the issue of backing up the data. Will the advisor run a backup daily? Will he ever test the backup to be sure it's working?

As you know, there are a lot of issues when it comes to storing sensitive client data, and I just wanted to mention a few to balance out the low-cost solution you put forward.
agluck , February 26, 2010
...
billwinterberg
Andy,

You are spot on in identifying the trade-offs when advisors choose to store sensitive data on local hardware.

Both local storage and cloud storage offer pros and cons. You say that the room where your server is stored requires fingerprint authorization to enter. But have you actually visited the facility and seen the security measures for yourself? If not, you're taking what the vendor says about their security practices on faith.

Obviously, the more reputable the vendor (Amazon S3 as an example), advisors can have a higher degree of confidence that what vendors say about security is probably true. In addition, a vendor's reputation and viability in the marketplace depends on its proactive stance on security.

While I admit it's a stretch to think that every user should physically inspect a cloud provider's security measures, it still begs the question: do you really know how secure your cloud-based data is?

In full disclosure, I use several cloud services from vendors that advertise SAS 70 Type II compliance and SSL and AES-256 encryption, so I've accepted the fact that the vendors I use implement the security measures that they say they do.
billwinterberg , February 26, 2010
...
agluck
Our IT Director visits our data center once or twice a week! And one of our other engineers who lives near the data center also usually stops by there once every week or two. That's how our backup tapes get changed out and systems are checked. In addition, the data center has a team monitoring our systems 24/7.

Advisors simply cannot afford that kind of expertise on their own and generally don't have manpower dedicated solely to IT. But when you have a full rack of servers at a data center, you must have this kind of support.

Accepting the SAS 70 certification is about as safe as accepting an audit of a publicly held company. The certification is maintained by the AICPA. While doing your own inspection is necessary, even with the certification, the SAS 70 imprimatur provides assurance that basic standards and procedures are verified to be in place at a data center. But there's nothing like having your own staff on site frequently to ensure everything is operating correctly on an ongoing basis.

And there's a lot more than security involved in collocating at a data center. Power backups and generators, multiple Internet pipes from different providers, fire safety, and redundancy go hand in hand with security.

I think redundancy is also key. Even if it takes a vendor five or 10 hours to get a warm backup online in the event of a hardware failure, having encrypted data written to two servers simultaneously is important. And if that can be done on two different power grids in different regions of the country—multi-site redundancy—then that’s even better. At some point, I'll draw up a checklist of security questions advisors can ask SaaS providers.

While I like to see articles about technology ideas that can save advisors’ money, I don't think these issues are explored in depth enough in the trade press. Recently, an advisor insisted to me that Google Docs was secure. But when I dug into it, I found it was not fully secure. Encryption worked when uploading and downloading but documents are not stored encrypted. The devil is in the details with this stuff.
agluck , February 26, 2010
...
bwarrene
I see this much in the same light as dumpster diving behind office parks and finding highly confidential information not shredded and lying around in dumpsters. The problem of secure storage of our information has been around as long as there has been confidential data. It is a combination of security practices, common sense on data handling and some layering of defense.

bwarrene , February 26, 2010
