I recently had the pleasure of hearing Aaron Patzer of Mint.com speak at a Founder's Institute event. The talk was about how Mint was founded and the challenges it faced early on.
One of those challenges is the same one we face at Plunify: security and trust.
Mint.com helps you manage personal finances. Their interactive, user-friendly software keeps track of your spending, loans, etc.
However you have to key in confidential information such as banking passwords so that Mint can retrieve your data from your financial institutions.
"What! Key in my passwords? You must be joking!" - Yes, that was my initial reaction.
Check out Mint's forum and you will see lots of security-related posts.
I would say that the leap of faith Mint asks of its users is greater than what Plunify asks of ours. Yet Mint is able to allay most of these concerns (not all; a fraction of consumers will most likely never be convinced).
At Plunify, instead of your bank passwords, what we ask for is your source code, which is just as valuable as your banking details.
One of the things we like about the Cloud is how much more security we can offer our users.
Plunify uses Amazon Web Services (AWS) for your Cloud resources. We spend a lot of time understanding AWS's security policies because this matters to our users.
Here are a few important points from the 22-page AWS security white paper:
1) Certifications and Accreditation
Amazon controls are evaluated every 6 months by an independent auditor in accordance with Statement on Auditing Standards No. 70 (SAS70) Type II audit procedures.
2) Employees
AWS requires that staff with potential access to customer data undergo an extensive Amazon Web Services background check (as permitted by law) commensurate with their position and level of access to data. Every access grant is reviewed every 90 days and explicit re-approval is required or access to the resource is automatically revoked. When an employee’s record is terminated, Windows and UNIX accounts are disabled and Amazon’s permission management system removes the user from all systems.
3) Physical Security
Datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors.
4) Network Security
AWS Security regularly scans all Internet facing service endpoint IP addresses for vulnerabilities (these scans do not include customer instances).
Of course, protection against network attacks is in place as well: firewalls, intrusion detection systems, and so on. The list goes on.
Note that these controls cover AWS's own infrastructure. As the scanning item above makes clear, what runs inside a customer's instances is the customer's responsibility, which is why how we secure Plunify's own systems is a separate question.
Frankly, security in the Cloud seems better than what we see in most companies we know.
Their core businesses aren't IT infrastructure, so they tend not to invest as heavily in IT security, infrastructure and the related personnel.
Amazon, on the other hand, has every incentive: all it takes is one AWS customer reporting a leak of sensitive data as a result of using the AWS Cloud, and Amazon will be in deep trouble.
We hope this gives some assurance about cloud security. Although technology alone doesn't fully answer the security and trust questions, using it effectively goes a long way toward allaying users' concerns.
In a second post on this topic, we will share more about how Plunify protects your data.
If you have any questions or comments, feel free to let us know.