On Financial Planning magazine's website, Bruckenstein questions Gluck's impartiality

April 16, 2010 — 6:29 AM UTC by Brooke Southall


Two prominent technology experts in the advisory business are taking each other on over the issue of data security of Google Apps and a company called Zoho in blogs and trade magazines.

Joel Bruckenstein, writer of Virtual Office News, principal of the Technology Tools for Today conferences and technology consultant, says that Zoho and Google Apps have secure applications for advisors. Andy Gluck, a technology writer and owner of Advisor Products, on the other hand, says no. Both men write articles for Financial Advisor magazine but most of the critical exchange took place outside the pages of their common publication.

The spat started when Bruckenstein wrote an article in March in Financial Planning entitled: Q: How can I start using CRM, cheap. A: Take a look at Zoho CRM

He argues that Zoho, for its relatively low cost, is worth a look for advisors wanting to add customer relationship management capabilities to their practices. As part of that discussion, he takes on the issue of whether the data on the Zoho system is secure enough for the highly confidential information that financial advisors are responsible for managing. “Overall, the security capabilities of the application are impressive,” he concludes.

Andy Gluck, a technology writer and owner of Advisor Products, then published an article on the Advisors4Advisors website entitled: “Advisors Putting Client Data at Risk.” The article can’t be accessed by non-subscribers, but is viewable on Gluck’s Advisor Products blog. Gluck wrote: “To save money, some advisors are putting client data in jeopardy, and the trade press isn’t helping matters.”

Can’t force users

In the article Gluck criticized the findings of Bruckenstein’s article that Zoho is secure. “Zoho is indeed an impressive application but documents are not stored in encrypted format,” he writes in the blog. He went on to give a detailed explanation of why Google Apps are also insecure. “You can’t force users to create ‘strong passwords,’” he writes.

After an explanation of the significance of this shortcoming, he suggests that Google is not ready for the mission-critical needs of financial advisors — and won’t be anytime soon. “Google is a remarkable company and it could address these issues. But with its vast audience and potential, it has priorities other than serving the tiny independent financial advisor market,” he writes.

In response to Gluck’s criticism of his article, Bruckenstein published Risky Business on Monday in Financial Planning magazine. He responds to Gluck’s claims about the security shortcomings of Google Apps in this manner:

“It occurred to me that Google’s security could not possibly be as limited as Gluck suggests. After all, major corporations such as Genentech and Salesforce.com as well as governments like the City of Los Angeles and the District of Columbia use Google Apps, and many of them endorse Google Apps at least in part because of its security,” he writes in the article.

But Bruckenstein makes his argument more intense and personal by saying that Gluck is wrong to contend that it would be reckless for an advisor to store their data on Google Docs.

Outrageous statement

“Now this may come as a shock to readers, but I think it was rather reckless of Mr. Gluck to make such an outrageous statement,” Bruckenstein writes. “My independent research indicates either sloppy research on his part, which led him to supply incomplete information to his readers, or an intentional decision to attempt to discredit a firm that he perceives as a threat to his own business. I’ll let you decide.”


Gluck owns a company called Advisor Products that sells websites, portals and newsletters. It also sells a product called AdvisorVault that encrypts files while they are uploaded or downloaded. It also stores files using high encryption, according to the company’s website.

In an e-mail to RIABiz, Gluck stood by his blog posting that attacked what Bruckenstein writes about Zoho.

“I felt the inaccuracy of that [Bruckenstein] article needed to be addressed. Otherwise advisors might be left to think Zoho Docs and Google Docs are secure enough to use for client data. In fact, neither solution would be good for advisors because they do not meet their security or business-process requirements.”

Strong passwords

Here is part of why Gluck believes that Google is not secure enough for financial advisors: “You can’t force users to create ‘strong passwords.’ Google has a tool that rates the strength of a password when you create it. The tool’s requirements are not up to professional standards. A strong password requires using non-alphanumeric characters (i.e., !, @, #, $, etc.). It is also at least eight characters and preferably 12. By default, Google Docs requires only six-character passwords, and it allows you to create a password as short as four characters.”

Here is part of Bruckenstein’s argument for why he believes Gluck is wrong about discounting Google Apps security:

“While it is true that longer, more complex passwords are better than shorter, less complex ones, Google can certainly accommodate long complex passwords. It is true that the default Google sign on process does not allow firms to enforce a policy by rejecting shorter passwords, but each firm can make a judgment as to how important this feature is. Some firms may decide that a written policy requiring long complex passwords is sufficient.”

For another view, see yesterday’s article in Fierce Biotech IT: Genentech a believer in Google online sharing apps

The blog posting in Advisors4Advisors was written with the best intentions, according to Gluck.

More important things

“I’m just doing the best job I can,” he writes in an e-mail. “Trying to do my job and I don’t need to go back and forth over that nonsense. I’m too busy and there are more important things I’m working on. While it sounds corny, I’m just doing my best to do an honest job in helping advisors and make the world a little better.”

Bruckenstein adds in a phone interview with RIABiz that his aim in responding to Gluck’s article was merely to defend his own writing.

“I’m not trying to start a war with him,” he says. “He made criticisms of my article that I didn’t think were valid. I stand by my criticism of what he said about Google.”

Brooke’s Note: I sent an e-mail to Evan Simonoff, editor of Financial Advisor magazine, to see if he had a reaction to his two writers engaging in a sharp exchange of words. He declined to return the message.



Stephen Winks said:

April 16, 2010 — 1:50 PM UTC

The security of client data is often assumed or taken for granted. Such an elevated discussion on data security makes us all want to ask questions and increase our criteria for “adequate” safety.



Peter Giza said:

April 16, 2010 — 4:03 PM UTC

Just a few words on the subject of “security” in and out of the cloud:

1) ANY firm can be hacked; this continues to be proved on a daily basis. Hacking doesn’t just include electronic exploits. It includes, and many times is combined with, social engineering.

2) If your firm has a link to the Internet then you are in the cloud and subject to rule #1

3) Greater than 60% of breaches come from within

4) People will trim hedges with a lawnmower (according to urban legend.) Technology is a tool. Used properly it can be of great benefit. Used improperly you can destroy your credibility. You cannot force sensible use. Yes you can try to enforce safety factors such as enforcing password updates and requiring minimum length and special character use. But what is really happening on the backend of the service? What other holes exist? What other windows can be left open by the user that could breach security?

It would be nice to hear from Google and Zoho. Let’s remember these are tools and tools can hurt you :)


Peter Giza
RedBlack Software www.redblacksoftware.com


Brooke Southall said:

April 16, 2010 — 5:26 PM UTC


Thanks for your good insights and good humor.

I think my dad was the guy who used the mower on the hedges.

It would be nice to hear from Google and Zoho.



Scott McKenzie www.cloudlogic.co.uk said:

April 16, 2010 — 6:35 PM UTC

Key to Google Apps’ security is that it can’t be subjected to dictionary attacks which many corporate systems, even those that require complex passwords to be created, can be.


Nevin Freeman said:

April 16, 2010 — 6:36 PM UTC

Scott: This is an interesting point. Can you explain why that’s the case?


Scott McKenzie www.cloudlogic.co.uk said:

April 16, 2010 — 6:52 PM UTC

CAPTCHA for one. After a few failed login attempts, Google Apps forces the user to read and type in some mangled text that only a human can read. This stops a hacker directing a program at the login screen that simply tries millions of character combos until it guesses the password. So even if the password is “password” unless the dictionary attack attempts that on the first few goes, it will fail to access the Google Apps account.


Nevin Freeman said:

April 16, 2010 — 6:56 PM UTC

Ahh, I see, makes sense. Thanks for the info; I think it’s definitely relevant to the discussion.


Anonymous said:

April 20, 2010 — 2:49 PM UTC

Front page story in today’s New York Times: Cyberattack on Google Said to Hit Password System (http://www.nytimes.com/2010/04/20/technology/20google.html?hp)


Gabriel Cooper said:

April 15, 2011 — 8:39 PM UTC

Understanding that the comments in this article are out of context, I wonder if the writers merely aren’t considering the whole realm of possibility that these services provide. I’d argue that a few key points make a world of difference.

1. Google Apps Premium provides single sign on to almost all Google Services, including Docs, and applies enterprise level security controls to the individual users. This includes password length restrictions, sharing controls, and options to tie login to local domains. Using Apps to access Google’s native services, or Marketplace services using single sign on and/or integration, is an entirely different level of security control than simply signing up for a regular Google account.

2. Zoho is a Google Apps Marketplace service, allowing Google Apps administrators to integrate users’ access to Zoho within their Apps domain. Whether or not Zoho offers good administrative control over security policy is moot when it is used with Apps.

3. Enforced password policy is often a vital factor in security, but it is neither necessary nor sufficient to ensure appropriate security. Solid passwords tied to services that can’t detect automated intrusion attempts are almost meaningless in today’s world. Without good written policy controlling user behavior, strong passwords will end up written on post it notes in laptop bags anyway.

If the question being addressed in these comments is whether Google and/or Zoho office tools mandate sufficient security for the investment business, I don’t think that’s the real issue. Most tools don’t mandate sufficient security by themselves and any feature that increases mobility and access will increase the potential for breaches. I’d offer that the real question should be whether these systems offer a sufficient toolset for administrators to use them in a balanced security plan… and how this factors into the comparison to products of similar price and functionality.

While certain aspects of Google Apps password control offer less than some competitors, like the ability to mandate character types instead of simply length, this doesn’t cripple the service by itself. If this is seen as a requirement for use there are ways to enforce it by tying external authentication to Apps or by applying good behavioral policy. These extra steps may or may not leave the product as the best choice for an application, but I don’t think it means that the product is unusable because it doesn’t include every security feature by default.
