It was roughly 15 years ago that I hosted the very first panel discussion, at one of the early T3 conferences, on an entirely new concept called “remote hosting.” Instead of installing the components of your tech stack on the server that lives in the closet behind the reception area, advisors had everything installed on a virtual machine that could be accessed through their web browser.
The audience was amazed to hear that the panel of advisors were able to log into their full software suite through a single sign-on. They could work on financial plans and input client data in the CRM through a dumb terminal at a coffee shop in Tunisia or the public computer at their local library. No on-site server to maintain, all software upgrades were handled automatically by the remote server platform, and the data protection measures were infinitely better than the virus protection software advisors were typically installing on their servers.
We didn’t even have the term “cloud” to describe where the virtual server resided. But everybody in the room realized that our technology was moving into a new and more productive direction that would offer more freedom to work remotely.
In the days after that presentation, several remote hosting companies popped up, including True North Networks, RightSize Solutions, Itegria and OS33 – and all of them offered a lot of conveniences. But, as most of you know, the software solutions in the financial planning ecosystem – and pretty much all software solutions everywhere else – migrated to this new “cloud” thing, so an advisor’s entire tech stack was accessed remotely.
If your firm is sophisticated (meaning large), there might even be a single sign-on overlay.
And since COVID, the profession has embraced the freedom to work anywhere and made it a business necessity. Staff members routinely log in from home, at their kitchen table or a desk in their bedroom.
What is the state-of-the-art for consolidating a tech stack and protecting client data?
Steve Ryder, founder and CEO of True North Networks, has been helping advisory firms move away from the remote hosting concept while still maintaining the security and conveniences that their teams have grown accustomed to.
“Everything today is in the cloud anyway,” he says. “So why pay for remote hosting of applications that are already cloud-based?”
If the answer is “convenience,” then Ryder offers a packaged solution that costs less and provides the same litany of conveniences that remote hosting provides. Start with single sign-on platforms like Azure, Okta, LastPass or OneLogin, where the firm manages staff access on each local laptop, and (as with the remote hosting solutions) the two-factor authentication steps for every application are consolidated into one login. “A great example is one of our clients, Mariner Financial, which is a large firm,” Ryder says. “We’ve moved them off of remote hosting so they are managing their environment via a single sign-on through Azure,” he continues. “People at the firm can log in once, and the program knows the user name and password for each of the programs on the other side of the portal. They can access their applications and use multi-factor authentication once instead of multiple times.”
Not only is this more cost-effective, but it simplifies what is normally a complex cybersecurity chore: changing passwords for the whole firm whenever a staff member who previously had access leaves the firm or is fired. “If somebody leaves the company,” says Ryder, “I can simply disable their access to the portal and they can’t get access to all the applications behind it. It saves that fire drill of, oh, my god, I’ve got to remember to take them off of AdvisorEngine, and MoneyGuidePro, and NetDocuments, and shut down access to all those other programs.”
Of course, not every software program is stored in the cloud. Each staff member’s laptop has to have a web browser, which can be Chrome or Firefox. And because having workers sitting at their kitchen table is inherently less secure than having everybody in the office, Ryder installs a zero-trust VPN on each laptop, which authenticates that individual computer and user, and ensures that this person on this computer is permitted to use certain designated applications.
Like Ryder’s other advisory-firm clients, Mariner has installed Perimeter81, but there are other alternatives, like Azure and Intune, which make sure the actual laptop is secure. This adds a multi-factor authentication step to the process of logging in. “If you can’t log into your computer, or you cannot get on the Internet because your VPN will not authenticate you,” Ryder says, “or if your computer is not where it says it is, then you cannot get beyond that.”
Under Ryder’s recommended system, the staff member has multi-factor authentication to get into the computer and then multi-factor authentication to get into the portal that provides access to the designated software programs he or she is allowed to work in. “Not everybody is using these protocols to get into the company computer yet,” Ryder cautions. “But insurance companies are pushing people to make that a requirement. Within the next 12 months, I expect that to become a standard.”
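The access model described in the preceding paragraphs (one portal identity that every application trusts, so disabling it once cuts off all of them, plus a device check that a stolen or unmanaged laptop cannot pass) can be written down as a small policy engine. The following is an added illustration, not code from Ryder, True North Networks or any of the vendors named; the `AccessPortal`, `User` and `Device` classes, the compliance fields and the sample accounts are all hypothetical.

```python
"""Toy model of layered access: identity, MFA, device posture, app entitlement.

Hypothetical illustration (not any vendor's implementation). One identity
provider record per user; applications trust the portal rather than keeping
their own passwords, so offboarding is a single flag flip. A request must
also come from an enrolled, compliant device assigned to that user.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    active: bool = True
    mfa_enrolled: bool = True
    apps: set = field(default_factory=set)   # applications reachable through the portal


@dataclass
class Device:
    device_id: str
    owner: str                 # username the laptop is assigned to
    enrolled: bool = True      # registered with the device-management tool
    disk_encrypted: bool = True
    os_patched: bool = True


class AccessPortal:
    """Central policy point: one decision covers user, device and application."""

    def __init__(self):
        self.users = {}
        self.devices = {}

    def add_user(self, user):
        self.users[user.username] = user

    def add_device(self, device):
        self.devices[device.device_id] = device

    def disable_user(self, username):
        # Offboarding: one change here, no per-application password rotation.
        self.users[username].active = False

    def check_access(self, username, device_id, app, mfa_passed):
        """Return (allowed, reason). Every layer must pass, in order."""
        user = self.users.get(username)
        if user is None or not user.active:
            return False, "identity disabled or unknown"
        if not (user.mfa_enrolled and mfa_passed):
            return False, "multi-factor authentication not satisfied"
        device = self.devices.get(device_id)
        if device is None or not device.enrolled:
            return False, "device not enrolled"
        if device.owner != username:
            return False, "device not assigned to this user"
        if not (device.disk_encrypted and device.os_patched):
            return False, "device fails compliance posture"
        if app not in user.apps:
            return False, f"user not entitled to {app}"
        return True, "allowed"


def demo():
    """Constructed scenarios; returns a dict of name -> (allowed, reason)."""
    portal = AccessPortal()
    portal.add_user(User("alice", apps={"crm", "planning", "documents"}))
    portal.add_device(Device("LT-001", owner="alice"))
    portal.add_device(Device("LT-002", owner="alice", os_patched=False))
    results = {
        "normal": portal.check_access("alice", "LT-001", "crm", mfa_passed=True),
        "no_mfa": portal.check_access("alice", "LT-001", "crm", mfa_passed=False),
        "unpatched": portal.check_access("alice", "LT-002", "crm", mfa_passed=True),
        "unknown_laptop": portal.check_access("alice", "LT-999", "crm", mfa_passed=True),
        "wrong_app": portal.check_access("alice", "LT-001", "payroll", mfa_passed=True),
    }
    portal.disable_user("alice")   # the employee leaves the firm
    results["after_offboarding"] = portal.check_access("alice", "LT-001", "crm", mfa_passed=True)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:>18}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The point of the ordering in `check_access` is that the identity check comes first: once the account is disabled, the rest of the stack is unreachable no matter which laptop or application is involved, which is the “fire drill” the portal approach removes.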
With those provisions in place, the cybersecurity work is done, right?
“Not yet,” says Ryder. “We also use a SIM technology – a System Information Management program that grabs all the logs of every computer on the network, and immediately alerts us of any nefarious activity on any of the computers.” Ryder recommends Seceon, which will detect ransomware and other malware, hacking attempts and bogus (phishing) website links.
But isn’t there also an antivirus software program in the mix? “We recommend an enhanced anti-virus program called SentinelOne, which is an anti-virus on steroids,” says Ryder. “It has endpoint detection response and managed detection response built-in.” Translated, that means monitoring the activity on, and the data moving among, the machines (the endpoints) and analyzing suspicious activity to detect attacks by bad actors who might be trying to penetrate the system, either using stolen credentials or persistently trying different passwords.
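The two preceding paragraphs describe log collection with alerting on “nefarious activity” and, separately, attackers who use stolen credentials or keep trying passwords. The following added example (not Seceon’s or SentinelOne’s logic, and not from the original article) shows the kind of rule a log-aggregation tool runs: it parses constructed authentication log lines in an invented `key=value` format and raises alerts for a burst of failures against one account, one source failing against many accounts, and a success that follows a failure burst.

```python
"""Toy SIEM-style rules over constructed authentication logs.

Added illustration only. The log format, hosts, users and addresses are
invented for the example; thresholds and window are arbitrary choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)"
)

# Constructed sample log lines (not real data).
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z host=LT-001 user=alice src=198.51.100.4 event=login_ok
2024-03-01T09:01:10Z host=LT-002 user=bob src=203.0.113.7 event=login_failed
2024-03-01T09:01:11Z host=LT-002 user=bob src=203.0.113.7 event=login_failed
2024-03-01T09:01:12Z host=LT-002 user=bob src=203.0.113.7 event=login_failed
2024-03-01T09:01:13Z host=LT-002 user=bob src=203.0.113.7 event=login_failed
2024-03-01T09:01:14Z host=LT-002 user=bob src=203.0.113.7 event=login_failed
2024-03-01T09:01:20Z host=LT-002 user=bob src=203.0.113.7 event=login_ok
2024-03-01T09:05:00Z host=PORTAL user=carol src=192.0.2.9 event=login_failed
2024-03-01T09:05:02Z host=PORTAL user=dave src=192.0.2.9 event=login_failed
2024-03-01T09:05:04Z host=PORTAL user=erin src=192.0.2.9 event=login_failed
2024-03-01T09:05:06Z host=PORTAL user=frank src=192.0.2.9 event=login_failed
2024-03-01T09:30:00Z host=LT-003 user=carol src=198.51.100.5 event=login_failed
2024-03-01T09:31:00Z host=LT-003 user=carol src=198.51.100.5 event=login_ok
"""

FAIL_THRESHOLD = 5      # failures against one account inside the window
SPRAY_THRESHOLD = 4     # distinct accounts failed from one source inside the window
WINDOW = timedelta(minutes=5)


def parse(text):
    """Parse log text into dicts sorted by timestamp; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(text):
    """Return a list of (rule, subject) alerts, in the order they fire."""
    alerts = []
    fails_by_user = defaultdict(list)   # user -> timestamps of failed logins
    fails_by_src = defaultdict(list)    # src  -> (timestamp, user) of failed logins
    for e in parse(text):
        user, src, now = e["user"], e["src"], e["ts"]
        recent_user = [t for t in fails_by_user[user] if now - t <= WINDOW]
        if e["event"] == "login_failed":
            fails_by_user[user].append(now)
            fails_by_src[src].append((now, user))
            if len(recent_user) + 1 == FAIL_THRESHOLD:      # fires once, on the Nth failure
                alerts.append(("repeated_failures", user))
            sprayed = {u for t, u in fails_by_src[src] if now - t <= WINDOW}
            if len(sprayed) == SPRAY_THRESHOLD:
                alerts.append(("credential_spray", src))
        elif e["event"] == "login_ok" and len(recent_user) >= FAIL_THRESHOLD:
            # A success right after a burst of failures is the case worth a human look.
            alerts.append(("success_after_failures", user))
    return alerts


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_LOGS):
        print(f"ALERT {rule}: {subject}")
```

In the sample, `carol` fails once at 09:05 and once at 09:30 and then succeeds; because the two failures fall outside the five-minute window, no alert fires for her, which is the behaviour you want so that ordinary typos do not page anyone.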
Ryder also recommends Proofpoint, which blocks spam and flags questionable URL links in email messages, which can also help prevent phishing attacks. “The problem there is that 90% of all breaches are because someone clicked on the links in phishing emails or social media posts,” Ryder explains. “With Proofpoint, if you send me a link, and I click on that link, Proofpoint says, this is a good link, or this is a bad link. If it is a good link, then it will redirect back to the actual website. If it’s a bad link, it will block it and notify you.”
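The behaviour Ryder describes, a link that is checked when it is clicked and then either redirected to the real site or blocked with a notification, is usually implemented by rewriting every link at delivery time so that it points at a checking gateway. The following is an added example of that mechanism and not Proofpoint’s implementation; the gateway host `links.example-gateway.invalid`, the signing key, the block list and the sample message are all constructed for the illustration.

```python
"""Click-time URL protection: rewrite links at delivery, decide at click.

Added illustration, not any vendor's code. The original URL travels inside
the rewritten link, signed so the gateway can reject tampered links, and is
judged only when the recipient actually clicks.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import urlparse

GATEWAY = "https://links.example-gateway.invalid/check?u="   # hypothetical gateway
SIGNING_KEY = b"constructed-demo-key"                        # placeholder secret
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed block list; a real gateway would consult threat-intelligence feeds.
BLOCKED_DOMAINS = {"login-update-secure.invalid", "docs-share-verify.invalid"}

# Constructed sample message (not a real email).
SAMPLE_EMAIL = """\
Hi team, the updated plan is at https://planning.example.com/plans/123
and please re-verify your portal login here: http://login-update-secure.invalid/auth
"""


def _encode(url):
    """Pack the original URL into a signed, URL-safe token."""
    token = base64.urlsafe_b64encode(url.encode()).decode()
    sig = hmac.new(SIGNING_KEY, token.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{token}.{sig}"


def _decode(blob):
    """Verify the signature and recover the original URL."""
    token, _, sig = blob.rpartition(".")
    expected = hmac.new(SIGNING_KEY, token.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(sig, expected):
        raise ValueError("rewritten link was tampered with")
    return base64.urlsafe_b64decode(token.encode()).decode()


def rewrite_links(body):
    """Delivery time: replace every link with a gateway link carrying the original."""
    return URL_RE.sub(lambda m: GATEWAY + _encode(m.group(0)), body)


def click(gateway_url, notifications):
    """Click time: re-evaluate the original URL now and return (verdict, original)."""
    original = _decode(gateway_url[len(GATEWAY):])
    host = urlparse(original).hostname or ""
    if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
        notifications.append(f"blocked click to {original}")
        return "BLOCKED", original
    return "REDIRECT", original


def demo():
    """Rewrite the sample message, then simulate clicking each rewritten link."""
    notifications = []
    rewritten = rewrite_links(SAMPLE_EMAIL)
    verdicts = [click(u, notifications) for u in URL_RE.findall(rewritten)]
    return verdicts, notifications


if __name__ == "__main__":
    verdicts, notes = demo()
    for verdict, original in verdicts:
        print(f"{verdict:8} {original}")
    for n in notes:
        print("NOTIFY:", n)
```

Because the decision is made at click time rather than at delivery, a link that was clean when the message arrived but lands on a block list an hour later is still stopped, which is why this approach catches more than a one-time scan of the inbox.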
Can’t you just rely on backups to avoid paying a ransomware cost? Ryder says he used to rely on restoring a computer’s data and software, but that isn’t enough anymore. “Cybercriminals no longer care about real-time backups,” he says. “They’ve gotten smarter over the years. Now they say to people like us, who can recover the data, you’re going to pay us a ransom anyway, or else we’ll publish all your client data.”
Taken together, Ryder says that the emerging best practices for remote access to the tech stack and cybersecurity involve the layering of defenses. “If somebody clicks on a link taking them to malware, and they somehow get past Proofpoint,” says Ryder, “then SentinelOne can roll back the computer to a prior state. In addition, Seceon will notice something bad is happening on the computer.”
If the laptop falls into the wrong hands, Perimeter81 will lock out the thief from getting into the tech stack or even the Internet itself.
If a former employee tries to use old credentials to access client data, he or she will find that the Azure credential no longer works.
Advisors still have the conveniences to work from anywhere, since the professional tech stack lives in the cloud – and that’s something nobody was able to take for granted a decade and a half ago.
But we no longer have to rely on a remote server to get the convenience of single sign-on or (more importantly) the automated data security features that are necessary to satisfy SEC auditors and thwart sophisticated cybersecurity bad actors. Ryder is quick to admit that there are a lot of other permutations of solutions that might be as effective as the ones he recommends; the point here is that the software ecosystem has given us the tools to recreate the remote hosting solution at a lower price point, with more features and better protection than any of us could have envisioned in the past.
Bob Veres' Inside Information service is the best practice-management, marketing and client-service resource for financial services professionals. Check out his blog at: www.bobveres.com.