Is CleverDome the Holy Grail of Cybersecurity?
“If you think technology [alone] can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
– Bruce Schneier, Cryptographer and computer security expert
Companies around the world are under constant attack by an increasingly business-savvy brand of cyber-criminal. Using ever more sophisticated techniques, these criminals have successfully stolen hundreds of millions of dollars by planting malicious software in their targets’ computer networks.
According to the IBM X-Force Threat Intelligence Index, in 2017, financial services firms experienced 65% more cyber-attacks than other industries. This was an average increase of 29% over the prior year.
Banks have suffered some of the highest profile hacks in recent history. They range from small, little known ones like Banco del Austro (BDA) in Ecuador and the Agricultural Bank of China to the largest global institutions like JP Morgan Chase. Even the inter-bank messaging system SWIFT (Society for Worldwide Interbank Financial Telecommunication) has been successfully hacked.
While every financial firm has been busy implementing traditional security products, those products address only part of the problem. Firms are still exposed to hackers and other nefarious actors because their data and client communications still travel across the open Internet.
What is needed could be called the “holy grail” of financial cyber-security: a regulatory-compliant, end-to-end solution where all data is encrypted before being sent over the Internet, and all participants have been verified as having implemented the required security processes.
A new non-profit company called cleverDome believes that they have such a solution, which they recently announced at the T3 Enterprise Conference in Las Vegas.
What is cleverDome?
cleverDome is a combination of secure communications software, end point protection and due diligence of each participating firm that joins their network. Data is automatically sent out over multiple virtual private networks (VPNs), with performance improved by directing data through the path with the lowest latency.
Their technology is a big improvement over point-to-point VPNs, where the trade-off for higher security is reduced performance. cleverDome’s software is akin to a multi-threaded processor versus a single-threaded one and avoids the one-tunnel, one-key requirement that keeps regular VPNs from scaling, according to CEO Aaron Spradlin.
Spradlin believes that current networking products are based on a broken model that relies heavily on trust between parties, which is difficult to verify. cleverDome’s goal is to remove communications from the open Internet and move them into a community-based solution where the security profile of all parties is validated.
They could have an uphill battle to attract enough vendors and client firms to be successful.
Spradlin’s team has gotten off to a solid start based on the initial partners they have signed up. These include industry heavyweights Riskalyze, Redtail, Orion Advisor, TD Ameritrade and United Planners. They are all currently live on the cleverDome solution, with UP’s 500 advisors set to be provisioned soon, he promised.
With such a mammoth task ahead of them, cleverDome’s ability to scale up their internal infrastructure is critical. Their plan is to deliver expandable endpoint device protection, which will allow clients to provision additional resources as they are needed, Spradlin explained.
One concern is that they have not developed a repeatable process for onboarding new vendors and client firms. A concept like cleverDome is only as strong as the size of their network. If they succeed in attracting additional companies, they could be swamped with too many access requests.
Spradlin assured me that they are working on the onboarding process and will have all the kinks worked out in 1Q 2018.
cleverDome relies on a number of external technology partners to provide key components of their platform:
- NetFoundry provides security software that forms the foundation of the cleverDome system. It allows clients to communicate with one another over any broadband internet connection.
- Entreda software is used for end point security, which means all of the devices connected to a firm’s network including personal computers and smartphones. They provide automated compliance and security for all of the connected equipment within the ecosystem. This ensures that the networks and applications that make cleverDome work are all protected in accordance with a unified security policy.
- Financial Computer also provides end point security via their ProtectIT application. They are a cybersecurity services firm that delivers, manages and monitors best of breed tools to keep firms secure and in compliance with applicable regulations.
It is through these strategic partnerships that Spradlin believes cleverDome will be able to leverage a best in class user experience with the safety and security that is built into the design of their framework.
cleverDome’s approach to secure Internet communications has confused other media outlets that have written about it recently, incorrectly labeling it as a “dark pool”. This is clearly not the case since cleverDome is only a means for transporting data from one party to another via a secured Internet connection, whereas a “dark pool” refers to a private trading exchange not available to the public.
This confusion could be understandable to a certain extent, as new technologies are often misunderstood when they are first released. cleverDome is protected by a security layer known as a Software Defined Perimeter (SDP) which works by dynamically creating one-to-one network connections between users and the data they access. It isolates the communications between parties in a “dome like” virtual structure.
From which comes the pithy catch phrase, “Get under the dome!”
In order for a broker-dealer or vendor to be accepted into the cleverDome community, they must deploy an end point security tool such as Entreda or Financial Computer that will secure every device on their network. This includes not only servers and desktop computers, but tablets and smartphones as well.
Financial services firms should “not forget mobile security in their cybersecurity posture,” warned John Boulanger, CTO of cybersecurity firm Investment Technology Partners.
The cleverDome framework requires an endpoint client protection system that provides secure communications. This often includes a secure API that developers can continue to improve upon without exposing the system to vulnerabilities.
While the cleverDome software is responsible for managing the secure network, the end point vendor is responsible for bringing the client’s security level up to the Minimum Cybersecurity Workstation (Endpoint) Standard, explained Brian Edelman, CEO of Financial Computer. This is required for any device to connect to the cleverDome network.
If an advisor’s device is ever compromised, Financial Computer’s ProtectIT software will automatically disconnect it from the secure network to avoid other systems being infected. Once the device is remediated, it is reconnected automatically. This all happens without any end user interaction required, Edelman noted.
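The admit, disconnect and reconnect cycle described above can be sketched as a small default-deny gate. This is an added example, not cleverDome's or Financial Computer's code; the check names and the five-minute report-age limit are assumptions, since the article does not list what the standard requires.

```python
from dataclasses import dataclass
from enum import Enum

# Assumed check names; the article does not enumerate the contents of the
# Minimum Cybersecurity Workstation (Endpoint) Standard.
REQUIRED_CHECKS = ("disk_encrypted", "av_running", "os_patched")
MAX_REPORT_AGE_S = 300  # assumed: an agent that goes silent counts as failing

class State(Enum):
    CONNECTED = "connected"
    QUARANTINED = "quarantined"

@dataclass
class PostureReport:
    device: str
    ts: int                   # report time, seconds
    checks: dict              # check name -> bool, as sent by the endpoint agent
    compromised: bool = False

def meets_standard(report, now):
    """Fail closed: stale, compromised or incomplete reports never pass."""
    if now - report.ts > MAX_REPORT_AGE_S:
        return False
    if report.compromised:
        return False
    return all(report.checks.get(c) is True for c in REQUIRED_CHECKS)

class PostureGate:
    def __init__(self):
        self.last = {}    # device -> most recent report
        self.state = {}   # device -> State
        self.audit = []   # (time, device, old state, new state)

    def ingest(self, report, now):
        self.last[report.device] = report
        return self._evaluate(report.device, now)

    def sweep(self, now):
        # Periodic pass so a device whose agent stopped reporting is cut off.
        for device in list(self.last):
            self._evaluate(device, now)

    def _evaluate(self, device, now):
        ok = meets_standard(self.last[device], now)
        new = State.CONNECTED if ok else State.QUARANTINED
        old = self.state.get(device, State.QUARANTINED)
        if new is not old:   # record transitions only, with no user action
            self.audit.append((now, device, old.value, new.value))
        self.state[device] = new
        return new

    def is_admitted(self, device):
        # Devices that never reported are denied by default.
        return self.state.get(device) is State.CONNECTED
```

The audit list records each automatic transition, which is the trail an operations team would review after a device is cut off and later restored.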
Pivoting from Document Management
This cybersecurity infrastructure play is not the first incarnation of cleverDome. They previously were a cloud-based document management solution for advisors. Coincidentally, that launch was also at the T3 Enterprise Conference back in 2013.
The three general partners that run United Planners were investors in the first cleverDome, which was a for-profit limited liability corporation.
They have since pivoted and legally restructured as an Arizona Benefits Corporation, which is a non-profit that operates similarly to a co-op. The purpose of a “B Corp” is to create one or more specific public benefits. According to Spradlin, this structure has a higher level of transparency and accountability than for-profit firms. For one, they must file an annual benefit report stating how the entity has met its requirement to provide its stated specific benefits.
Word of their benefits appears to be spreading throughout the wealth management industry. When asked about the most impressive technology development of 2017, Joe Duran, CEO of United Capital, pointed to cleverDome’s ability to protect financial transactions. There’s no comment from either party on whether or not the $20+ billion RIA is planning to deploy cleverDome across their 80 offices.
For vendors, such as Riskalyze and Redtail, cleverDome has a somewhat complex pricing model that can range from $21K to more than $42K annually, depending on the size of the firm and amount of data being transmitted. There is a licensing charge of between $15K-$30K per year, plus administrative and setup costs, as well as an extra fee for an annual due diligence check. A network usage cost of $6,000 – $12,000 per year also needs to be factored in, with an added charge for high availability (HA) services.
Wealth management firms will pay a flat fee of $10 per advisor per month, which does not include endpoint protection. Enterprise clients will also need to factor in the cost of a software gateway.
CleverDome has targeted 1Q 2018 for their official product release, which will allow their initial group of vendors and wealth management firms to perform as much testing as possible.
Starting in 2019 there will be a shift in cleverDome’s focus towards development of a consumer version that promises to deliver a secure platform directly to individual advisors and RIAs. This is good news for small RIAs who are increasingly finding themselves on the receiving end of cyberattacks without the budget or infrastructure to protect themselves.
There are still numerous obstacles to overcome for cleverDome to be accepted as a standard cybersecurity solution in the wealth management industry. But Aaron Spradlin and his team are off to a solid start. Their product positioning appears to be blue ocean, without a direct competitor offering a similar end-to-end solution. They also have a terrific list of brand names for their initial client base.
My feeling is that 2018 will be a great year for cleverDome and they could set themselves up to become the holy grail of cybersecurity in wealth management.