Data Security in the Cloud
What CPA firms can lose if they don't address three key issues before migrating to the cloud.
September 27, 2010
Blogging, the embracing of social media and the utilization of the cloud model as a new way to conduct business and collaborate with our clients have resulted in the migration of a tremendous amount of data out to the net.
The key benefit that drives the popularity of the cloud model, i.e. data is available anywhere/anytime and accessible via a web browser, is the same reason that drives concerns in the area of security. It’s not only a matter of protecting data from individuals looking to access it to commit some form of fraudulent activity, but also of protecting it from unauthorized governmental and/or private invasion. Because of the lack of security standards surrounding this space and the fact that data can be stored virtually anywhere in the world, under the laws and regulations of any country, it becomes a very difficult task to manage. Having said that, there are steps that can be taken to help ensure the security and confidentiality of your firm’s data stored using this platform.
In the blogging and social networking space, the most obvious and often overlooked way to protect data is simply to educate those who are actively publishing in this area. A professional should exercise “common sense” when posting comments, updates and other facts on these sites.
Difference Between Cloud and Onsite Security
The main difference between security in the cloud and security over data stored onsite is "visibility." It becomes very difficult to secure data that you cannot see. Therefore it is crucial for CPA firms to work with their cloud service providers to work out the details of securing data on the cloud, coordinating and aligning their data with the selected vendor as well as with the vendor’s multiple business partners that may be engaged to assist with that process.
The location (country) in which the data is housed is an important factor to consider when evaluating vendors. For example, the European Union (EU) member states have nearly aligned their data laws and favor a very strict protection of privacy. Some countries, on the other hand, while offering very cost-effective data-storage solutions, have little or no laws and regulations in place concerning the privacy of such data.
Data Security in the Cloud
Similar to data stored internally, there are three basic requirements that should be considered regarding data security:
Lastly, since it is rare for commercial general liability and errors-and-omissions policies to cover “intangible” losses related to loss of data, privacy breaches and the like, cyber liability insurance policies are meant to fill that void and to address the particular needs of a company doing business in the cloud. Nearly nonexistent in our profession just five years ago, such policies are starting to get traction today. Many companies use such policies as a way to help limit their liability to third parties that may be harmed in case such an event occurred. In addition, some policies offer coverage of expenditures that may be necessary to do damage control subsequent to such a breach.
The flexibility and scalability that make cloud computing so attractive also make it very unpredictable. Do your homework. When it comes to engaging a third party to host sensitive data, make sure you ask your vendors about the above-listed concerns up front, prior to migrating your data.
Additional Resources
Trust Services Principles and Criteria (PDF)
Information Technology Center
Technical Practice Aids
James C. Bourke, CPA.CITP.CFF, is a partner at WithumSmith+Brown where he is director of Firm Technology. He is a past president of the New Jersey Society of CPAs and currently serves on AICPA Council and as Chair of the AICPA CITP Credential Committee. He has been named by Accounting Today as one of the Top 100 Most Influential People in the Profession.