The Four Security Questions for a Cloud Move
The cloud has been gaining great traction in the accounting world because it reduces hardware, software and storage costs, enables mobile access, raises the level of client service, and scales up or down with the size and needs of your firm while adding functionality to your operations.
While the benefits of the cloud are numerous, one item that many accounting practitioners are concerned about is security. The CPA2Biz second annual cloud survey polled more than 300 CPAs from a mix of small to large public accounting firms on cloud computing. Seventy-three percent of the respondents stated that security concerns are the biggest barriers to cloud adoption or expansion.
Clearly, cloud-computing security is at the top of practitioners' minds. A majority of that concern can be alleviated through a thorough vetting of cloud technology providers. According to our IT experts, here are four questions you should always ask a cloud-based service provider.
- What type of protection does your organization use to safeguard my information?
Ideally, a cloud-based provider should protect the connection between your browser and its servers with TLS (the successor to SSL) configured to current standards: TLS 1.2 or 1.3 only, with modern cipher suites such as AES-256-GCM, the same strength of encryption banks use for online banking. An Extended Validation (EV) certificate vouches for the provider's legal identity; it does not by itself make the encryption any stronger, so ask about both the certificate and the TLS configuration. Ask as well how your data is encrypted at rest, not only in transit.
Additionally, it should employ firewalls to prevent unauthorized electronic access to its servers and your information.
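As a concrete way to check a provider's answer to this question, here is an added example in Python (the editor's, not code from the original article, from Bill.com or from any provider). It connects to a provider's site, records the negotiated protocol, cipher and key length, and grades them against the thresholds above; it also makes a rough guess at the certificate's validation level from the subject fields. The thresholds, the default host name and the rule for guessing the validation level are assumptions.

```python
"""Added example: grade a provider's TLS settings against the checklist.

Not part of the original article; the thresholds below are the editor's
assumptions, not any provider's actual configuration.
"""
import socket
import ssl

# Protocol names as returned by ssl.SSLSocket.version()
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
FORWARD_SECRECY_MARKERS = ("ECDHE", "DHE")


def evaluate_tls(protocol, cipher_name, key_bits, min_bits=128):
    """Return a list of findings for one negotiated TLS session.

    protocol    - e.g. "TLSv1.2"
    cipher_name - OpenSSL cipher name, e.g. "ECDHE-RSA-AES256-GCM-SHA384"
    key_bits    - symmetric key length reported by the library
    min_bits    - assumed threshold; 128-bit AES is adequate, pass
                  min_bits=256 to insist on the 256 bits the article asks for
    An empty list means the session meets the checklist.
    """
    findings = []
    if protocol not in ACCEPTED_PROTOCOLS:
        findings.append("obsolete protocol: %s (require TLS 1.2 or 1.3)" % protocol)
    if key_bits < min_bits:
        findings.append("weak key length: %d bits (require >= %d)" % (key_bits, min_bits))
    upper = cipher_name.upper()
    if not any(m in upper for m in AEAD_MARKERS):
        findings.append("non-AEAD cipher: %s (prefer GCM or ChaCha20-Poly1305)" % cipher_name)
    # TLS 1.3 suites always use an ephemeral key exchange; for TLS 1.2 the
    # cipher name has to say so.
    if protocol != "TLSv1.3" and not any(m in upper for m in FORWARD_SECRECY_MARKERS):
        findings.append("no forward secrecy: %s (prefer ECDHE key exchange)" % cipher_name)
    return findings


def certificate_identity_level(subject):
    """Rough validation level from the subject fields Python exposes.

    Assumption: DV certificates carry no organizationName, while EV
    certificates additionally carry businessCategory and jurisdiction*
    fields (CA/Browser Forum EV guidelines). Field names are OpenSSL's
    short names as surfaced by getpeercert().
    """
    if "businessCategory" in subject or any(k.startswith("jurisdiction") for k in subject):
        return "EV"
    if "organizationName" in subject:
        return "OV"
    return "DV"


def probe(host, port=443, timeout=5.0):
    """Connect to host with chain and hostname verification and return
    (protocol, cipher_name, key_bits, subject). Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            subject = {k: v for rdn in tls.getpeercert()["subject"] for k, v in rdn}
            return tls.version(), name, bits, subject


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed default
    proto, cipher, bits, subject = probe(host)
    print(host, proto, cipher, bits, certificate_identity_level(subject))
    for finding in evaluate_tls(proto, cipher, bits):
        print("  FINDING:", finding)
```

Run it against the provider's login host; an empty findings list plus an OV or EV result is what the article's answer should look like in practice. The certificate check is deliberately coarse: getpeercert() does not expose the certificatePolicies extension, which is where EV is actually asserted, so treat the "EV" result as a hint to confirm in the browser's certificate viewer.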
- What security measures does your organization take for its data centers?
Cloud-based technology services run on networks of servers and other connected devices that host your information. The security configured on each server matters, but so does physically protecting those servers from unauthorized access. After all, what good is virtual security if someone can walk into the building and carry your data out on a disk? The company's production servers should sit in locked, highly secured facilities with biometric access controls. The data centers should have guards and video surveillance 24 hours a day, 365 days a year, and only employees who have passed background checks should be able to enter, using an ID card, a PIN and a finger or hand scan.
- Do you regularly undergo security audits in compliance with industry standards?
Your cloud technology provider should undergo an annual SSAE 16 (now SSAE 18) SOC 1 Type II audit by a leading national CPA firm. A SOC 1 report covers the provider's controls that are relevant to your financial reporting, including how your information is handled and who can access it; for an auditor's opinion on security, availability and confidentiality specifically, ask for the SOC 2 Type II report as well, and read the exceptions the auditor noted rather than only the cover letter. The areas a SOC 1 audit examines include:
- The procedures, both manual and automated, by which the company's transactions are initiated, recorded, processed and reported, from their occurrence to their inclusion in the financial statements.
- The accounting records, whether electronic or manual, that support the information and specific accounts involved in initiating, recording, processing and reporting transactions.
- How the company's information system captures events and conditions, other than transactions, that are significant to the financial statements.
- How—and how often—do you back up your servers?
Since your data is hosted in the cloud, your firm is relieved of running its own backups, but you still need to know what the provider does. Ask how often it backs up your data, how far back it can restore (the recovery point objective) and how quickly (the recovery time objective). Two words you should hear in the answer are "regular" and "redundant." Backups should be continuous or near-continuous so that the provider can recover from a disaster quickly and without interrupting your service. The copies should also be redundant: stored on protected servers in a separate, equally secure data center, so that the loss of one site does not take the backups with it. Finally, ask when the provider last tested a full restore; a backup that has never been restored is only a hope.
You do not have to sacrifice the benefits of cloud technology in the name of security. By relying on these questions, you can quickly get a strong picture of a company's security practices and protocols and in the process create a greater level of safety for your firm and clients.
About the author:
Eric Chan, CTO of Bill.com, has over 10 years of experience in software development, specializing in highly scalable SaaS applications. Prior to Bill.com, Eric led the Service Cloud Team as a senior member at Salesforce.com developing the framework, scaling the application, and co-authoring multiple patents. Eric received a BA in Computer Science from University of California, Berkeley.