Accounting has been at the forefront of business automation since the creation of writing on clay tablets. With the advent of Internet-connected businesses, something important has changed: the theft of client data is now easily possible.
A truism of network security is that the only secure network is an isolated, air-gapped network. As few businesses, including your own, are willing to forgo the benefits of being connected to the Internet, we all now have to implement good security hygiene on every system. This is tedious work that is easily subverted by accident by employees.
Today, I want to discuss your cloud/server data security. As more of your records are stored on servers, is the data secure by default?
If your vendor is compromised by hackers, can the data be stolen without your cooperation? Is it just protected by a password but stored in the clear on the server? (Just a reminder, tens of millions of credit card numbers have been stolen. How? They were stored in ways easily subverted by hackers.)
Good security is performed in depth, i.e. there are multiple locks that have to be opened. While every server system is different, there are some questions you should be asking your local system administrators and cloud vendors.
• Do all of my servers use full disk encryption? This ensures your data does not get compromised when a server goes out of service.
• Who has access to the root account keys/passwords? This speaks to the discipline of the organization.
• Is your data encrypted with a different key/password than the root account's, and is that key controlled by your organization? This protects your data against breaches at the cloud vendor.
• How is your data backed up? Systems crash. Hurricanes, tornadoes and earthquakes happen.
• What are the security policies and practices in place to control access to the backups? Older data is still quite valuable. Is access to the backup controlled? Do you have control of the keys used to encrypt the backups?
Each of the above points forms just the start of a security policy. There are whole IT consulting practices devoted to addressing different phases of the cloud data security problem. Being able to ask the above questions is a great place to start protecting client data on their systems and yours.