A war of words flares up between Andy Gluck and Joel Bruckenstein
On Financial Planning magazine's website, Bruckenstein questions Gluck's impartiality
Stephen Winks
The security of client data is often assumed or taken for granted. Such an elevated discussion on data security makes us all want to ask questions and increase our criteria for “adequate” safety.
SCW
Peter Giza
Just a few words on the subject of “security” in and out of the cloud:
1) ANY firm can be hacked; this continues to be proved on a daily basis. Hacking doesn’t just include electronic exploits. It includes, and many times is combined with, social engineering.
2) If your firm has a link to the Internet, then you are in the cloud and subject to rule #1.
3) Greater than 60% of breaches come from within
4) People will trim hedges with a lawnmower (according to urban legend.) Technology is a tool. Used properly it can be of great benefit. Used improperly you can destroy your credibility. You cannot force sensible use. Yes you can try to enforce safety factors such as enforcing password updates and requiring minimum length and special character use. But what is really happening on the backend of the service? What other holes exist? What other windows can be left open by the user that could breach security?
It would be nice to hear from Google and Zoho. Let’s remember these are tools and tools can hurt you:)
Regards,
Peter Giza
RedBlack Software www.redblacksoftware.com
Brooke Southall
Peter,
Thanks for your good insights and good humor.
I think my dad was the guy who used the mower on the hedges.
It would be nice to hear from Google and Zoho.
Brooke
Scott McKenzie www.cloudlogic.co.uk
Key to Google Apps’ security is that it can’t be subjected to dictionary attacks which many corporate systems, even those that require complex passwords to be created, can be.
Nevin Freeman
Scott: This is an interesting point. Can you explain why that’s the case?
Scott McKenzie www.cloudlogic.co.uk
CAPTCHA for one. After a few failed login attempts, Google Apps forces the user to read and type in some mangled text that only a human can read. This stops a hacker directing a program at the login screen that simply tries millions of character combos until it guesses the password. So even if the password is “password” unless the dictionary attack attempts that on the first few goes, it will fail to access the Google Apps account.
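Added example (not part of the original comments, and not Google's code): a minimal per-account login gate of the kind the comment above describes, which stops evaluating passwords after a few failures until a challenge is solved. The threshold of 3, the account name and the wordlist are assumptions constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

CHALLENGE_AFTER = 3  # assumed threshold; the comment only says "a few"
ACCOUNT = "advisor@example.com"                                        # constructed
SAMPLE_WORDLIST = ["123456", "qwerty", "letmein", "password", "dragon"]  # constructed

@dataclass
class LoginGate:
    passwords: dict  # account -> password (plaintext only to keep the demo short)
    failures: dict = field(default_factory=dict)

    def attempt(self, account, password, challenge_solved=False):
        """Return 'ok', 'denied' or 'challenge_required'."""
        failed = self.failures.get(account, 0)
        if failed >= CHALLENGE_AFTER and not challenge_solved:
            # The password is not evaluated at all, so the guess learns nothing.
            return "challenge_required"
        stored = self.passwords.get(account)
        if stored is not None and hmac.compare_digest(
            stored.encode(), password.encode()
        ):
            self.failures[account] = 0
            return "ok"
        self.failures[account] = failed + 1
        return "denied"

def automated_guessing(gate, account, wordlist):
    """Replay a wordlist with nobody present to solve the challenge.

    Returns (result, number_of_guesses_the_service_actually_evaluated).
    """
    evaluated = 0
    for guess in wordlist:
        outcome = gate.attempt(account, guess)
        if outcome == "challenge_required":
            return "blocked", evaluated
        evaluated += 1
        if outcome == "ok":
            return "compromised", evaluated
    return "exhausted", evaluated

if __name__ == "__main__":
    gate = LoginGate({ACCOUNT: "password"})
    print(automated_guessing(gate, ACCOUNT, SAMPLE_WORDLIST))
    # The real user solves the challenge and logs in; the counter resets.
    print(gate.attempt(ACCOUNT, "password", challenge_solved=True))
```

A counter kept only per account does not see guesses spread thinly across many accounts, so services typically keep a similar count per source address as well.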
Nevin Freeman
Ahh, I see, makes sense. Thanks for the info; I think it’s definitely relevant to the discussion.
Anonymous
Front page story in today’s New York Times: Cyberattack on Google Said to Hit Password System (http://www.nytimes.com/2010/04/20/technology/20google.html?hp)
Gabriel Cooper
Understanding that the comments in this article are out of context, I wonder if the writers merely aren’t considering the whole realm of possibility that these services provide. I’d argue that a few key points make a world of difference.
1. Google Apps Premium provides single sign on to almost all Google Services, including Docs, and applies enterprise level security controls to the individual users. This includes password length restrictions, sharing controls, and options to tie login to local domains. Using Apps to access Google’s native services, or Marketplace services using single sign on and/or integration, is an entirely different level of security control than simply signing up for a regular Google account.
2. Zoho is a Google Apps Marketplace service, allowing Google Apps administrators to integrate users’ access to Zoho within their Apps domain. Whether or not Zoho offers good administrative control over security policy is moot when it is used with Apps.
3. Enforced password policy is often a vital factor in security, but it is neither necessary nor sufficient to ensure appropriate security. Solid passwords tied to services that can’t detect automated intrusion attempts are almost meaningless in today’s world. Without good written policy controlling user behavior, strong passwords will end up written on post it notes in laptop bags anyway.
If the question being addressed in these comments is whether Google and/or Zoho office tools mandate sufficient security for the investment business, I don’t think that’s the real issue. Most tools don’t mandate sufficient security by themselves and any feature that increases mobility and access will increase the potential for breaches. I’d offer that the real question should be whether these systems offer a sufficient toolset for administrators to use them in a balanced security plan… and how this factors into the comparison to products of similar price and functionality.
While certain aspects of Google Apps password control offer less than some competitors, like the ability to mandate character types instead of simply length, this doesn’t cripple the service by itself. If this is seen as a requirement for use there are ways to enforce it by tying external authentication to Apps or by applying good behavioral policy. These extra steps may or may not leave the product as the best choice for an application, but I don’t think it means that the product is unusable because it doesn’t include every security feature by default.