8 Steps to Evaluating Cloud Service Security | CPA Practice Advisor – CPAPracticeAdvisor.com

With the current breakneck pace of software and technology, we can often overlook the fact that "the cloud" is really just outsourcing. The term "cloud" is simply a catch-all for subscription-based services running on someone else's network. Evaluating the security of such services requires digging in and asking the provider some possibly uncomfortable questions. If you aren't currently doing this for each cloud opportunity, and thinking through how its failure would impact your firm and your clients, you are simply putting the firm at risk.

As an example, I recently had a Partner forward me some information about a potential cloud service that we could use to help our staff by easing their manual data entry tasks. The idea behind the service was straightforward. Their cloud service would aggregate a client's transactions and allow the transactions to be bulk downloaded into our chosen software. To accomplish this, we would need to have each client enter their financial institution credentials into this cloud provider's system.

Our use of a cloud application like this would necessarily mean asking the client to participate. And, even if never actually stated, the fact that we would use it and ask the client to use it conveys to the client that we "endorse" this software in some way. That means I had to ask the right questions before committing. If we ask our clients to participate in a cloud application, and then down the road that application is breached or found to be low quality, the client will be asking us the hard questions.

These are the questions I always ask any potential cloud vendor:

If you can't get satisfactory answers to these questions, deciding to do business with such a provider boils down to a decision about how much risk your firm is willing to take on to gain the potential benefits the service will provide. And, if this is an app for doing client work, you will also be passing that risk on to your clients. That has to be fully understood at the Partner level.

So, what do I consider "satisfactory" answers to the questions above?

Not answering one of the above questions doesn't necessarily shut the door on using the service, as long as the refusal to answer makes sense. For instance, a provider might tell you they definitely hash passwords stored in their database, but for security reasons they don't want to divulge which hashing algorithm they use. I'd be OK with that, as long as the rest of their answers seem competent and pass the "smell test".

Unfortunately, you will run into many startups that refuse to give straightforward answers to these questions. It's not enough that an app works well or solves a problem. If the people running the service don't have enough experience running and protecting such a service reliably at large scale, it's up to us to identify that ahead of time, before we commit the data of our firm or our clients into their hands.

-------

Dave Jones is the IT Manager for Pearce, Bevill, Leesburg, Moore, P.C. in Birmingham, AL. He has been a network and system administrator in the Birmingham, AL area for 20 years. He has been in the CPA technology field for 18 years. Email: dave@pearcebevill.com; LinkedIn: https://www.linkedin.com/in/daveajones.
