Customers in the Cloud: How Safe?

LITTLETON, Colo. - You can scale the outside wall of the Qwest CyberCenter here and drop down the other side into this industrial equivalent of a fortress, as a couple of national security spooks did a few years ago. But, like trying to scale a castle in the Middle Ages, you might just end up in a moat, inside.

If the tilt-up wall doesn't get you, the cameras will. Or, if the original FBI alumnus designing the security had had his way, the gun turrets would. But, as Paul Hoffer, the critical systems manager at the site, put it, "broomsticks" sticking out of the corners or tops of the walls surrounding what otherwise looks like just another distribution warehouse would probably draw more attention from the malicious set than their presence would justify.

In any event, when the "men in black" scaled the outside of this facility where access to eight million customer records for more than 300 broker-dealers is controlled, Hoffer's watchful eyes were enough. He was out in the enclosed delivery yard, smoking a cigarette, and politely intercepted what turned out to be friendly, but determined, invaders.

Such is life at the hosting facility here where Quadron Data Solutions maintains the heart of its account opening and management business for broker-dealers and financial professionals, in the "cloud."

Roughly 65% of Quadron's customers are brokers, 30% investment advisors and 5% directly-sold mutual funds and annuity providers. From this base, Quadron receives roughly 1,000 new customer records every day. Overnight, somewhere between 30 million and 40 million new records on financial transactions for all existing accounts are added to its database of customers and the $250 billion all told that sits in their accounts.

But the real security for those millions of customer account records and billions of transaction records does not rest with the Kevlar in the walls of the Qwest data center or the shredding of hard drives when their days are done. Or with its magnetic card, key and fingerprint access controls. Or the fact that all deliveries (and arrivals) must be cleared in advance of anything or anyone entering its front door.

Instead, it's the behind-the-scenes controls that a data services firm such as Quadron administers and maintains-and enforces with digital, rather than physical, protections.

Most notable is what Chief Security Officer Wade Turner and Executive Vice President of Technology Chris Cross refer to as "entitlements."

Basically: Keeping access to any part of the data limited to the fewest number of people possible, at Quadron. Because those with access to data are, logically, bigger threats, in theory and often in reality, than those who must scale the wall or otherwise break in.

In fact, Quadron's customers don't have direct access to their own data. They can only view it on screen, through Web services and file transmission, after it's been stored and processed.

Turner can't even see the data when it's in a readable form. "I have access to the raw data, the raw bits, the blocks," he said. He sees ones and zeroes, but not names and addresses or transactions.

Turner and Director of Information Technology Paul Chapman can move blocks of data around. They can access any piece of data. But, at the level in which they operate, there is no translation.

"The people who have the most access to the data don't really have a clue what the data is," Chapman said. "I mean, I can get to anything, but I really don't ever know what the data looks like-and I've looked at the data. It's just data." Not information.

There isn't a single employee, not even founder and Chief Executive Officer David Fetter, who has "total holistic access" to raw data and the finished information that it becomes, said Senior Systems Administrator Jason Simons. By design, access to any part of the finished data is partitioned.

Access is governed by roles. The folks, like Turner and Chapman, that can move data around, can't see what the information means. Those who can see the information, and what it represents, can't move it. Can't withdraw it. Can only make changes to it, as needed. And monitored.

Access to the customer and transaction records, in a visible form, is the purview of database administrators. And not just anyone at Quadron gets that type of access. Typically, they are employees who have been with the company for seven to 10 years. And they are not developers, who might use their skills to change something other than the records, and gain, say, root access to the system.

This is in a company with relatively low turnover. Average employee tenure is more than seven years and for database administrators, more than three.

The database administrators who do have access have only limited access, as well. Each might be limited, for instance, to just a subset of any particular client's total customer rolls. Say, from last names beginning with A to those beginning with F.

But even to get granted that level of access takes some doing. Before they ever come in the door, the would-be administrator-or any Quadron employee, for that matter-goes through criminal, credit, personal, military and reference checks.

When it comes time to grant access to the database, four levels of approval are required. The worker first must request access of his or her manager. Then, that manager, in most cases, must get Turner's approval. Once Turner is satisfied that the need is legitimate and productive, the two of them then must turn, in the case of access to actual information, to the database administrator who has supervision over the portion or portions of customer account records that will be accessed and managed. Approval is also needed from an infrastructure manager, such as Chapman or Simons.

Developers have to seek similar clearance. And developers who get to both create code and then move it into actual use, called production, have to get two separate clearances, for each function.
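The entitlements scheme described above, modelled as an added example (not Quadron's own code): infrastructure roles can move raw blocks but never read decoded records, database administrators can read and modify only their own client and last-name partition, and a grant is inert until the four assumed approvals are all present. Role names, permission names and the approval chain are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Permissions per role (assumed). Infrastructure staff may MOVE raw blocks
# but never READ them in decoded form; DBAs may READ and MODIFY but not MOVE.
# No role holds both "move" and "read": that is the separation of duties.
ROLE_PERMISSIONS = {
    "infrastructure": frozenset({"move"}),
    "dba": frozenset({"read", "modify"}),
    "developer": frozenset(),  # no direct production data access
}

# The four approvals a DBA grant needs before it takes effect (assumed names).
REQUIRED_APPROVALS = frozenset({"manager", "cso", "owning_dba", "infra_manager"})


@dataclass
class Grant:
    role: str
    client: str                      # broker-dealer whose records are covered
    name_range: tuple                # inclusive last-name initials, e.g. ("A", "F")
    approvals: set = field(default_factory=set)

    @property
    def active(self):
        return REQUIRED_APPROVALS <= self.approvals


def separation_of_duties_ok():
    """True when no single role can both move and read decoded data."""
    return all(not {"move", "read"} <= p for p in ROLE_PERMISSIONS.values())


def check_access(grant, action, client, last_name):
    """Return (allowed, reason) for one action on one customer record."""
    if not grant.active:
        return False, "grant not fully approved"
    if action not in ROLE_PERMISSIONS[grant.role]:
        return False, f"role {grant.role} lacks {action}"
    if action == "move":
        return True, "raw blocks only; no decoded view"
    if client != grant.client:
        return False, "record belongs to another client"
    lo, hi = grant.name_range
    initial = last_name[:1].upper()     # empty name falls outside any range
    if not (lo <= initial <= hi):
        return False, f"outside {lo}-{hi} partition"
    return True, "ok"
```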

Then, there are systemic means of protecting customer records and the transactions that feed into their accounts.

Some of the simplest-but most effective-protections are built into the firm's AccountQ account opening and management software. As many fields of information as possible are handled with drop-down menus, so that a user can't type a code the wrong way, for instance, and create a "NIGO"-"not in good order" record.

Data coming in from a major clearing services or other sources is scrubbed to make sure that the code for a particular representative handling an account also appears in the right style, every time. AB-1, instead of AB1 or AB 1.

And the process of getting all the right forms filled out for a particular type of account is also automated.
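An intake scrub in the spirit of the AccountQ controls above, written as an added example rather than the firm's software: enumerated fields are checked against fixed choice lists standing in for the drop-down menus, the representative code is canonicalised to the AB-1 form the text describes, and a record that cannot be normalised is returned with its NIGO reasons. The field names and choice lists are assumptions.

```python
import re

# Assumed choice lists, playing the role of the drop-down menus.
ALLOWED = {
    "account_type": {"individual", "joint", "ira", "trust"},
    "source": {"clearing", "advisor", "direct"},
}

# Letters, optional separator (space or hyphen), digits: AB1, AB 1, ab-1 ...
REP_CODE = re.compile(r"^\s*([A-Za-z]{1,4})[\s-]*(\d{1,4})\s*$")


def canonical_rep_code(raw):
    """Return 'AB-1' for 'AB1', 'AB 1' or 'ab-1'; None if the code is unusable."""
    m = REP_CODE.match(raw or "")
    if not m:
        return None
    return f"{m.group(1).upper()}-{m.group(2)}"


def scrub_record(rec):
    """Return (clean_record, nigo_reasons); an empty list means 'in good order'."""
    clean, reasons = dict(rec), []
    for name, choices in ALLOWED.items():
        value = str(rec.get(name, "")).strip().lower()
        if value not in choices:
            reasons.append(f"{name}: {rec.get(name)!r} is not an allowed choice")
        clean[name] = value
    code = canonical_rep_code(rec.get("rep_code"))
    if code is None:
        reasons.append(f"rep_code: {rec.get('rep_code')!r} not recognised")
    clean["rep_code"] = code
    return clean, reasons
```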

But the real security comes in the holistic approach to security that encompasses data transmissions, data storage, appropriate permissioning and monitoring, policies and procedures throughout the company, as well as ongoing training of all staff.

Take data transmission. When information is being transferred over the Internet, from a Web browser, Secure Sockets Layer technology is employed, where a browser must send a request out to a server to get access. The server sends back a certificate identifying itself, the browser checks the certificate and sends back a digitally signed acknowledgement that in turn must be cleared by the server.

Then, and only then, does information get transferred. The session is encrypted with a 128-bit key. To break into a session with that level of encryption, a hacker with the time, tools and incentive would need a trillion years to get the job done, according to VeriSign, the authentication unit of security software supplier Symantec.

But two levels of authentication take place, before information ends up in the uber-database maintained by Quadron.

First, the user must be authenticated to log in to his or her broker's system for taking in new account information. A user does not log into Quadron's system.

After logging in to the broker's system, clicking on a link sends the customer over to the Quadron system. Quadron verifies that the information is coming from within the broker's systems, not the open Internet, exchanges certificates of authenticity, and then takes in the information.

In effect, the customer first verifies his or her authenticity with a broker; then that broker must authenticate itself with Quadron.

The protection in transit does not stop with exchanging certificates. The pipes get protected and the files get protected.

Some brokers pick virtual private networks, which create protected tunnels through shared digital connections. Others use dedicated lines, which are not connected to public networks at all.

The most security-conscious firms also encrypt the files, before sending them through either the VPN or the dedicated line.

When it comes to customer records and anything financial, you can't be safe enough. Organizations in financial services industries are being specifically targeted in Web attacks, by highly sophisticated criminals, rather than the glory-seeking hackers of the past.

These organized attackers "know what assets they're going after, and they're going after you in a very orchestrated way," according to Edward Powers, a principal at Deloitte & Touche, the auditing and financial advisory firm.

Quadron has not been without its close calls. In 2004, Turner's laptop was stolen. Luckily no records were stored on it. A couple years later, a backup tape went missing. But it was misplaced, not stolen.

This can be problematic. In 2005, Bank of America lost tapes carrying 1.2 million records involving financial information for government employees, including Social Security numbers (SSNs), addresses and account numbers. That same year, Citigroup lost 3.9 million customer records on backup tapes during UPS shipping, and CardSystems saw 40 million payment card records get stolen by hacking into the systems of a payment processor.

As recently as 2008, Bank of New York Mellon lost 12.5 million customer records when data tapes went missing.

"The day I have to call a customer to say we lost one million of your customer records, that's when you have a business-threatening event," Fetter said.

Money Management Executive