Risky Business

When a journalist who owns a technology firm critiques companies that could be construed as direct competitors, he leaves himself open to criticism. He had better make sure that whatever he reports is complete and accurate. Unfortunately, one recent article that crossed my desk did not meet that standard.

An advisor recently sent me a copy of an article that Andy Gluck published online entitled “Advisors Putting Client Data at Risk”. The article begins: “To save money, some advisors are putting client data in jeopardy, and the trade press isn’t helping matters.” As Gluck makes clear, two things triggered his article: a comment by an advisor who dared to question Gluck’s statement, made on a call, that Google Docs “was not secure”, and a recent article in the trade press that suggested Zoho was secure.

Gluck’s discussion of Google Apps focuses on the Premier Edition, that is, the paid edition targeted at businesses. I have not written extensively on Google Apps Premier Edition, but I was planning to do so anyway, so Gluck’s article spurred me to do some research of my own. As we shall see, my findings differ substantially from his.

The barbs tossed at the “trade press” were clearly a thinly veiled attack on the recent article I wrote about Zoho for Financial Planning Magazine. For those of you unfamiliar with the firm, Zoho offers a fairly comprehensive suite of online applications (more on that later).

Google Apps Premier Edition

Let’s start by examining Gluck’s criticisms of Google Apps. According to Gluck, his “findings” suggest that “it would be reckless for an advisor to store their data on Google Docs”. Now this may come as a shock to readers, but I think it was rather reckless of Mr. Gluck to make such an outrageous statement. My independent research indicates either sloppy research on his part, which led him to supply incomplete information to his readers, or an intentional decision to attempt to discredit a firm that he perceives as a threat to his own business. I’ll let you decide.

Let’s look at each of Gluck’s criticisms of Google’s document storage and sharing, and then I’ll supply you with a few examples of what he failed to investigate or chose not to mention.

According to Gluck: “You can’t force users to create ‘strong passwords.’ Google has a tool that rates the strength of a password when you create it. The tool’s requirements are not up to professional standards. A strong password requires using non-alphanumeric characters (i.e., !, @, #, $, etc.). It is also at least eight characters and preferably 12. By default, Google Docs requires only six-character passwords, and it allows you to create a password as short as four characters. As long as your password contains a combination of four letters and numbers, Google’s password-strength rating tool will tell you your password is ‘strong.’”

While it is true that longer, more complex passwords are better than shorter, less complex ones, Google can certainly accommodate long, complex passwords. It is also true that the default Google sign-on process does not let a firm enforce a policy by rejecting shorter passwords, but each firm can make a judgment as to how important this feature is. Some firms may decide that a written policy requiring long, complex passwords is sufficient.

Still, it occurred to me that Google’s security could not possibly be as limited as Gluck suggests. After all, major corporations such as Genentech and Salesforce.com, as well as governments like the City of Los Angeles and the District of Columbia, use Google Apps, and many of them endorse Google Apps at least in part because of its security.

According to Randi Levin, CTO, City of Los Angeles: “In addition to empowering employees across the city, everyone will benefit from Google's security controls, which will provide a higher level of security for City data than exists with our current system.” Salesforce.com Chairman and CEO Marc Benioff is quoted as saying: “With Google Apps, everybody is running the same copy because it all comes from a central server. That's a more secure and a more powerful way to run your business.”

So what did Gluck’s story omit? Well, if you don’t like Google’s login, you can use another user authentication method of your own choosing. Google Apps Premier Edition supports single sign-on through SAML, so if your firm has its own login and password management system, that system can authenticate users to Google Apps and apply whatever password rules the firm has set. In the past, this sort of authentication and user administration was beyond the means of small firms, but not anymore. To offer up just a couple of examples, Opacus, a vendor on the Google Apps Marketplace, offers “strong authentication and user administration for Google Apps”. The price? $7.00 per user per year. Another vendor listed on the Marketplace, L Tech Consulting, LLC, offers Google App Single Sign On, a similar product.

Another possible solution is to leverage the system of a vendor the advisor already does business with (Junxure’s ClientView is but one example of a firm that uses this technology) to authenticate and log on to Google Apps. Another possibility is to tie Google Apps directly into your own corporate network authentication process. If you replace Google’s default login with one of your own choosing, you can implement a much stronger authentication regimen than Gluck suggests above. The trade-off is that your own login system then becomes the gatekeeper for everything in Google Apps, so it has to be run and patched with that in mind. Ironically, by using your own resources, or those of another trusted provider, you can actually create a much more secure authentication process (including two- or three-factor authentication) than that offered by Gluck’s firm. I wonder why he failed to mention that.

Gluck’s next point is that Google Apps does not automatically force expiration of passwords.

Again, this statement is true but incomplete. One way to handle expiration is to fold it into the firm’s existing password management or network authentication system, as discussed above, so that the password rules and the expiry schedule live in one place. As an alternative, the administrator can set an expiration policy for each user. Google offers an API set that allows administrators to force a password change.
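The password rules Gluck lists (at least eight characters, preferably twelve, with a non-alphanumeric character) and the expiry that can be enforced outside Google are exactly what a firm’s own login system, sitting in front of Google Apps, would check. The Python below is an added example written for this column; it is not Google’s code nor any vendor’s. naive_rating models the loose meter Gluck describes (it is not Google’s real algorithm), policy_violations applies the stricter rules, and authorize_login combines them with an expiry check. The 12-character minimum, the 90-day maximum age, the date format and the sample passwords are assumptions.

```python
import string
from datetime import date, timedelta

# Policy values are assumptions for this example. Gluck's text asks for at
# least 8 characters (preferably 12) plus a non-alphanumeric character; the
# 90-day expiry is a common choice, not a figure taken from Google.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90


def naive_rating(password):
    """Stand-in for the kind of meter Gluck describes: four or more
    characters mixing letters and digits is called 'strong'.
    This models his description; it is not Google's actual algorithm."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if len(password) >= 4 and has_letter and has_digit:
        return "strong"
    return "weak"


def policy_violations(password, min_length=MIN_LENGTH):
    """Return every policy rule the password breaks; empty means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no non-alphanumeric character (e.g. ! @ # $)")
    return problems


def password_expired(last_changed, today, max_age_days=MAX_AGE_DAYS):
    """True once the password is older than the policy allows.
    Dates are ISO strings (YYYY-MM-DD), an assumption for this example."""
    changed = date.fromisoformat(last_changed)
    now = date.fromisoformat(today)
    return now - changed > timedelta(days=max_age_days)


def authorize_login(password, last_changed, today):
    """Decision an identity provider would make before handing the user to
    Google Apps: reject on a policy failure; otherwise allow, but flag a
    forced change when the password has aged out."""
    problems = policy_violations(password)
    if problems:
        return {"allowed": False, "must_change": False, "reasons": problems}
    expired = password_expired(last_changed, today)
    return {
        "allowed": True,
        "must_change": expired,
        "reasons": ["password older than policy allows"] if expired else [],
    }


if __name__ == "__main__":
    # Constructed sample inputs: a password the loose meter accepts, and one
    # that passes the policy but has aged out.
    today = "2010-06-01"
    for pw, changed in [("ab12", today), ("Tr0ub4dor&3xAmple", "2010-01-01")]:
        print(pw, "meter:", naive_rating(pw), authorize_login(pw, changed, today))
```

The point the example makes is the one the column makes in prose: a meter that says “strong” is not a policy, and once the login sits in a system the firm controls, the rules and the expiry schedule can be enforced on every login rather than merely recommended.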

Gluck’s next criticism concerns sharing: “The way Google Docs passes access to documents via email is inherently flawed. If you use Google Docs to share a document with a client or another professional, Google enables you to send the link by email. Email is not secure. Moreover, anyone who receives the email with the link can open the document—without a password.”

“I would argue that the opposite is true,” said Jeff Keltner, business development manager for Google Apps. “Most people share documents as attachments. Once they push the send button, the document is gone and anyone with access to the receiving email account can read it. That’s not the case with Google Docs.”

“With Google docs, only people with authorization can access it, so even when someone receives a document link, if the email recipient has not been granted access, they cannot open the document. An added benefit of this system is that you can revoke permissions. So, if you send a link to a spreadsheet to the wrong person, and you notice it, you can revoke the permission. It is also possible to set organizational policies that prohibit emailing documents outside of the organization.”

In fairness, some may feel that in certain cases they want additional security above and beyond what Google Docs offers when sending a document. In those cases, it is possible to encrypt such documents using an on-demand system such as ePostal Services, which I discuss in a recent Morningstar Advisor article entitled Private, Secure Email a la Carte. The caveat worth stating plainly is that the link itself is not the secret; what protects the document is the recipient’s Google login, so the protection is only as strong as that account. My issue with Gluck’s description is that it leads one to believe that anyone can open any document and that there is no security at all. This is simply not true.

“Documents on Google’s servers are not stored encrypted,” writes Gluck. “They’re encrypted when you upload them and when you download, but not stored encrypted. This could be an issue if a Google server storing your document is breached.”

This is a red herring, and if Gluck did any “research”, as he claims he did, he should know it.

According to Jeff Keltner, “Google Apps data is fractured and obfuscated across multiple servers and disks, making it human-unreadable.” More information on Google security is available here: http://www.google.com/apps/intl/en/business/infrastructure_security.html

By the way, the reason Google does not favor encrypting stored documents is that it limits search functionality, and clearly Google is a believer in maximizing search capabilities. Keltner believes that Google Apps gives its customers the best of both worlds: security plus search functionality. Readers should keep the trade-off in view: splitting data across many servers and disks raises the cost of reading it off a stolen drive, but it is not the same thing as encryption under a key the firm controls.

Gluck’s next criticism: “Google Docs doesn’t accommodate the hierarchy of users with different permissions that advisors need. Document-sharing vendors in the financial services business enable different roles and rights for their staff, advisors, advisory firm staff, a B/D’s compliance department, outside professionals an advisor works with, and clients of advisors. Google Apps has just two levels of authorization.”

Google Apps does not offer the level of permissioning granularity that some other applications do, but “what advisors need” depends on the firm. I suspect Gluck means that Google Apps allows either a “view only” status or an “edit” status; the latter gives full document access. Some organizations might prefer or need additional options, but this is not a fatal flaw for most.
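To make Keltner’s description of link sharing concrete, together with the two-level view/edit model just discussed, here is an added example written for this column, not Google’s code: a toy sharing service in Python in which a link only names the document and the server decides access from a per-document list. A forwarded link therefore opens nothing for someone who was never granted access, a grant can be revoked after the fact, “view” cannot edit, and an optional organizational policy blocks grants outside the firm’s domain. The e-mail addresses, document ids and link format are assumptions.

```python
from dataclasses import dataclass, field

# The two levels the column describes for Google Docs: "view" (read only)
# and "edit" (full document access).
ROLES = ("view", "edit")


@dataclass
class Document:
    doc_id: str
    owner: str
    content: str
    acl: dict = field(default_factory=dict)  # recipient -> role; empty means private


class SharingService:
    """Toy model of link-based sharing with server-side authorization.
    Assumptions: users are e-mail addresses; if block_external is set, the
    organizational policy forbids grants to addresses outside org_domain."""

    def __init__(self, org_domain, block_external=False):
        self.org_domain = org_domain
        self.block_external = block_external
        self.docs = {}

    def create(self, doc_id, owner, content):
        self.docs[doc_id] = Document(doc_id, owner, content)
        return self.link(doc_id)

    def link(self, doc_id):
        # Assumed link format; the id is the only thing the link carries.
        return f"https://docs.example.invalid/d/{doc_id}"

    def _doc_for(self, link):
        return self.docs.get(link.rsplit("/", 1)[-1])

    def role_of(self, doc_id, user):
        """Owner always has full access; everyone else only what the ACL says."""
        doc = self.docs[doc_id]
        if user == doc.owner:
            return "edit"
        return doc.acl.get(user)

    def share(self, doc_id, sharer, recipient, role="view"):
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        if self.role_of(doc_id, sharer) != "edit":
            raise PermissionError(f"{sharer} cannot share {doc_id}")
        if self.block_external and not recipient.endswith("@" + self.org_domain):
            raise PermissionError(f"policy forbids sharing {doc_id} outside {self.org_domain}")
        self.docs[doc_id].acl[recipient] = role
        return self.link(doc_id)

    def revoke(self, doc_id, sharer, recipient):
        if self.role_of(doc_id, sharer) != "edit":
            raise PermissionError(f"{sharer} cannot change sharing on {doc_id}")
        self.docs[doc_id].acl.pop(recipient, None)

    def open_link(self, link, user):
        """Opening a link checks the ACL; holding the link proves nothing."""
        doc = self._doc_for(link)
        if doc is None or self.role_of(doc.doc_id, user) is None:
            return None
        return doc.content

    def edit_link(self, link, user, new_content):
        doc = self._doc_for(link)
        if doc is None or self.role_of(doc.doc_id, user) != "edit":
            return False
        doc.content = new_content
        return True


if __name__ == "__main__":
    # Constructed scenario: an advisor shares a plan, the client forwards the
    # e-mail to a third party, then the advisor revokes the grant.
    svc = SharingService("advisor.example")
    link = svc.create("plan-2010", "adv@advisor.example", "client financial plan")
    svc.share("plan-2010", "adv@advisor.example", "client@mail.example", "view")
    print("client opens:", svc.open_link(link, "client@mail.example"))
    print("forwarded link, stranger opens:", svc.open_link(link, "stranger@mail.example"))
    svc.revoke("plan-2010", "adv@advisor.example", "client@mail.example")
    print("after revoke, client opens:", svc.open_link(link, "client@mail.example"))
```

Contrast this with an attachment: once the file is in the recipient’s mailbox there is nothing to revoke and nobody to check. Whether two roles are enough is a separate question, as the column says; what the model shows is that the link-in-e-mail objection is about the recipient’s account, not about the link.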

Gluck’s next criticism: “Google Docs does not have bulk upload capabilities, enabling you to upload performance reports, financial plans, rebalancing reports, and other documents in batches.”

Here again, the statement may be technically true, but if we were to grade it, we’d assign it a grade of “incomplete”. In January 2010 Google Apps launched its “upload any file” feature. With this feature, Google Apps Premier Edition users can use the Google Documents List Data API to upload files to Google Docs in batches. Of course, not every firm will want to go the API route, so Google has partnered with a number of third parties who offer batch capabilities.

Memeo Connect for Google Apps is a desktop application that offers an easy way to access, migrate, and synchronize files to Google Docs across multiple computers. It works with both PCs and Macs. Syncplicity, a PC-only application, allows Google Apps users to synchronize, manage, and back up files across desktops and servers. If there is demand, it is likely that there will be additional providers in this space shortly, if there are not already.

Gluck’s final criticism: “Google Docs and Apps do not integrate with financial planning, portfolio management or other practice management apps used by advisors.”

True, but firms in our industry have an easy path to integrate with Google Apps through the Marketplace if there is demand for it. By contrast, Advisor Products (Gluck’s firm) does integrate with a respectable list of technology firms that serve advisors, but the list is far from complete, and the level of integration varies from provider to provider.

The Bottom Line on Google Apps

Google Apps may or may not be an appropriate suite for your business. It definitely does offer a great deal of functionality for a very reasonable price, but it may lack certain features that you deem necessary. If it does lack one or more features in the “standard” offering, you may be able to acquire those features for a modest additional fee through the Google Apps Marketplace. If you cannot configure Google Apps to your liking, perhaps you need to look elsewhere.

I took particular issue with Gluck’s statement that “To get the facts, I asked two seasoned engineers from Advisor Products to check into Google Apps’ security.” I don’t know who at Gluck’s firm he asked, and I’m sure they are knowledgeable, but we are talking about Google here. I’m sure that Google is not perfect, but they do seem to know a thing or two about security, and they can certainly attract and pay the best talent on the planet. In addition, one has to assume that the major firms and governments that use Google Apps have done their own due diligence and found Google secure.

 

Zoho

Now let’s turn our attention to Zoho. First, let’s review the comments that Gluck found offensive in my recent article:

“Combining Zoho CRM with Zoho email and Zoho Docs gives you robust CRM, integrated email that includes email storage, plus an integrated online entry-level document management solution at an unbeatable price,” the article says.  

“Perhaps the greatest differentiator for many potential purchasers is security,” says the article. “Overall, the security capabilities of the application are impressive.”

Here is Gluck’s critique of my comments:

Zoho is indeed an impressive application but documents are not stored in encrypted format. Zoho’s website says passwords are encrypted but says nothing about whether documents you save on its servers are stored encrypted.

Since the security information on Zoho’s site was vague, I called Zoho to ask about its encryption.

I could not understand everything the salesman said because of his thick Indian accent (despite the fact that I've grown pretty good at understanding Indian accents because my company outsources many development projects to India). Initially, the Zoho salesman told me all documents were indeed encrypted. But when I questioned him further, he suggested a security specialist call me back.

The security specialist called back the next day. While he was polite, I had difficulty understanding everything he, too, said because of his accent. He confirmed that documents stored on Zoho Docs are not encrypted.

 

First of all, I’m not sure what the relevance of someone’s accent is, nor was I interested in Gluck’s inability to decipher it, but just for the record, I’ve spoken to a number of folks at Zoho, and while they do have accents, I did not experience any trouble understanding them. The whole subject seemed like a cheap shot to me.

 

Rather than respond myself this time, I invited Raju Vegesna of Zoho to respond. Here are his comments:

 

Security is a very vast subject. We can't call an application insecure because it lacks a feature. An application like Zoho Docs or Zoho CRM (or any Zoho App for that matter) is secured at multiple levels. I am sure this is the case with other SaaS vendors. While I can't speak for other vendors, here is what I can say regarding security for Zoho.

The applications and users’ data are protected at multiple levels, starting at the network level, then at the system/OS level, the software infrastructure level and then the application level. We have expertise in all of these areas (and use several third-party tools) and secure the data and apps through multiple means.

At the network level, we have multiple levels of firewalls followed by intrusion detection systems, intrusion prevention systems, anti-virus systems and anti-spam systems, among others. At the system/OS level, we run a stripped-down version of the OS (Linux) that is completely secured for our own needs. We also keep our software infrastructure and applications secure using multiple tools and techniques. Additional details about this are available here. To make sure everything is safe, we also hire white-hat hackers to try to proactively find security holes in the system, and we take the necessary actions.

Securing users’ data is the top priority for Zoho. To put it in other words, if users’ data is compromised, we are out of business. We take security very seriously and we are very paranoid when it comes to security.

Regarding the individual points mentioned in the article...I can't comment on behalf of Google's applications, but I can talk about the respective features in Zoho Apps

 

  • Regarding passwords: We obviously recommend strong passwords. Our passwords expire frequently and users are requested to change their password every 3 months (if not one month - I need to re-verify this). Having a strong password keeps your account secure.
  • Document sharing: There are multiple ways documents can be shared. When a document is published (to the internet), documents are available using a URL. But this option is not the default. The default option is private sharing. If the docs are privately shared, there is no way these documents can be accessed by other people except the person they were intended for. Even in this case, the user has to be logged into the system to view a document.
  • Encryption: Data transfer is encrypted between the user and the server using HTTPS. Documents are not encrypted currently on the server side. There are technical reasons why this is not the case, but it'll be available eventually. The way we store it is no different than how it is stored on your desktop/laptop, but they are instead located in highly secure data centers (with multiple backups) and secured in different ways.
  • Hierarchy: In our case, we let the owner share a document with individuals or groups with document-specific permissions.
  • Bulk upload: I am not sure if this comes under security. Anyway, we let users zip multiple files and upload them in a single shot, and unzip these files after the upload.
  • Internal threat: We have policies in place to prevent data theft internally. This has been verified by third parties like the stringent European standard, Safe Harbor. We are also working to be SAS 70 certified soon.

The Bottom Line on Zoho
As was the case with Google Apps, Zoho offers a great deal of functionality for a very reasonable price. Despite Gluck’s claims to the contrary, I believe that many advisors who perform their own due diligence will find the level of security that Zoho provides more than satisfactory.

As for functionality, there are some limitations, but these could be easily overcome if someone with industry experience were to customize a Zoho Edition for advisors.

Conclusions

If the article entitled “Advisors Putting Client Data at Risk” was written by an independent third party, perhaps one might view the glaring omissions as innocuous, but given the identity of the author, and the obvious conflicts of interest, one has to question what he was thinking when he penned this piece.

Although I admit that I was stung by the article’s characterization of my article, I readily concede that the best of us, with the best intentions, sometimes get the facts wrong. When we do, we do our best to correct our mistakes.

In this case, however, for the record, I don’t believe that I made a mistake. As indicated by Zoho’s statement, I believe their security is quite strong. Could it be even stronger? Perhaps, but then so could everyone’s.
