We talk to security experts about the cyber attack on a cloud computing system and what that means for organisations such as family offices and wealth managers in general.

An earlier version of this article appeared in Family Wealth Report, sister news service to this one. As the concerns are global in nature, we thought it good to share these thoughts with readers in Asia, Europe and other regions as well as those in North America.

We talk to security experts about the cyber attack on a cloud computing system and what that means for organisations such as family offices and wealth managers in general.

A few weeks ago, Capital One, the fifth-largest US credit-card issuer, was hit by a hacker who accessed personal information on about 100 million card customers and applicants. It is perhaps a sign of the times that the sheer size of the attack provoked, what appeared to be, an almost a collective shrug of the shoulders making hacking seem like the new normal.

Even so, one feature of the attack caught attention: Capital One had embraced the “cloud” for storing data. When asked about cyber-security breaches, advocates of cloud computing told this publication that security in this model is often as good as, if not superior to, the in-house systems that companies have used in the past. But the scale of the Capital One saga is bound to cause concern over the vulnerability of cloud computing.

Wealth management organisations such as family offices should be aware of the risks and understand that there are different types of “cloud”, practitioners have told Family Wealth Report. “There’s tons of ambiguity…people don’t understand that there are different [cloud] types,” Tania Neild, a former employee at the National Security Agency, and a technology consultant working with family offices, said.

One assumption people make is that cloud-based service providers, being large, have the resources and processes to be secure, in ways that a small family office, for example, cannot afford. But there are challenges in that assumption, Theresa Pratt, chief information security officer, Market Street Trust Company, told this publication.

“When I am not in the cloud, even if my security could be better, I am a small fish who may be hard to detect. When I am in the cloud, even though their security may be better, I am in a much larger pond and may potentially be in more danger…in a large cloud my data might get stolen as collateral damage,” she said.

"I have to trust that the vendor knows what they are going to do to protect my data. That is the risk of moving data to the cloud,” Pratt continued.

There is a conflict, perhaps unresolvable, between the cloud’s advantages of speed, efficiency and cost savings for users, and what happens if there’s a breach, she said. “By moving [to] the cloud you are only shifting technology, not your risks and responsibilities,” she said. “Security and functionality are often 180 degrees in opposition. Everything that enhances functionality reduces security and vice versa."

Gaps in the wall
A particular concern that emerged from the Capital One case is that some of the containers used in cloud computing have become more vulnerable. A cloud container is a standard unit of software that packages up code and all its dependencies so that the application runs quickly and reliably from one computing environment to another. However, because they are so easy to use, errors can creep in when they are installed – creating openings for hackers. Computer security company, Skybox Security, which recently updated the market about industry concerns in its 2019 Vulnerability and Threat Trends Report, said that some of the containers face a problem. Skybox said that vulnerabilities in container software rose by 46 per cent in the first half of 2019 compared with the same period in 2018, and by 240 per cent compared with the figures two years ago (source: Skybox).

Furthermore, technology practitioners and experts on data security think that wealth managers, such as family offices, private banks and other structures, cannot assume that putting material “in the cloud” gets them out of danger. A difficulty with this is that the term “cloud”, in fact, refers to a variety of quite different approaches, which vary in risk and cost.

A definition helps, thanks to Wikipedia: “Cloud computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user. The term is generally used to describe data centers available to many users over the Internet.”

According to Neild, there are three broad models. First, there is an offering from an application service provider, or ASP. The bulk of the work is done on a server not limited to a network outside of a specific physical place. Such ASPs are the likes of Office365, DropBox, Addepar, Archway, and others. Access is via a login and a password, perhaps two factors, but otherwise users have no control.

The second model is one in which “you’re renting part of a server that is `on-prem’ but you have shared responsibility for it,” she said. In this case, it not used for cost-cutting but for better disaster recovery and more flexibility. There is also some specific technical support for the user.

A third model - a “private cloud” - gives the user as much control as on-premises hardware and systems; a user will house their own machines in a secure hosted facility. Security control is at a higher level than in the other two models, but it is the user’s responsibility to set it up and maintain it properly. Users select this model for the DR of the facility and environment.

Single family offices are, in many cases, choosing to stick with in-house, on-prem systems or use ASPs, Neild said. The second model, given its cost, may be too high for some SFOs. In the case of multi-family offices, they tend to be evenly distributed across the three broad cloud computing types, she said.

One important task for cloud computing users is knowing how to perform due diligence on ASPs – and that might involve bringing in outside experts. A lay person cannot easily do that, any more than they are equipped to diagnose an illness or health condition, she said.

Today, some wealth managers are resigned to hacking taking place, while a small number are engaging outside advisors to navigate the security terrain, she said. There is a wide spectrum of due diligence and requirements by user, which is equally wide for setup and maintenance of vendors.

ROI
Something for the wealth industry to get to grips with is that with margins still under pressure, the cost/benefit equation of efficiency versus security is not an easy task to resolve, Pratt of Market Street Trust Company said.

"Writing an application securely takes time, money and expertise. Vendors are under pressure to get their applications to market quickly. Chances are excellent that someone is going to cut corners somewhere, leaving security gaps. I am not making value judgements here – this is the reality,” Pratt continued.

Users of cloud computing systems should have response plans in place and know who to call, and what to do, when an attack happens, she said. “Chances are that someone you already work with is already compromised.”

It appears that in the fields of security and efficiency, there are no free lunches, any more than in economics and business generally. The lessons that appear to come out of the latest incidents are that cloud solutions are not a silver bullet for those who use them; the due diligence needed to check their suitability is as necessary as it is for choosing a bond or piece of real estate. Wealth managers should take the latest cases as a wake-up call.