Accounting for Client Data -- Promoting Security in the Cloud

Accounting firms transitioning to cloud computing face a unique set of concerns. They’re the keepers of highly sensitive financial data, and their clients expect the ultimate level of security and data protection, yet cloud computing for many remains a question mark.

One big question for firms is, ‘If I move my client’s data to the cloud, can I be assured the data is completely secure?’ Moreover, if data is lost, how fast can it be recovered, and what, if any, threats to data integrity should my clients be aware of?

The good news is that moving to the cloud can be more secure than data storage on site, if certain security and backup systems are in place.  One example is from Matthew Patrick, of Patrick Accounting in Memphis, who successfully moved to a cloud computing model for his small business clients and found it to be the right choice. 

“The fear factor really started for me when I thought, ‘What if a tornado hit our office building? What would happen? How could we serve our clients?’” Patrick said. He decided the solution was to move to the cloud. “I liked the security of knowing that, if I could access the Internet, I could be back to work again.”

Patrick began assembling a cloud computing system and quickly fell into a common trap -- what the industry refers to as “cloud sprawl.”  The accounting firm winds up dealing with different cloud companies for file storage, file sharing, CRM (customer relationship management) and other functions critical to day-to-day operations.  As a result, critical data is everywhere, and it’s next to impossible to maintain a consistent SLA (service-level agreement) across these disparate environments.  The accounting firm ends up with a needlessly complicated system, when in fact they’re looking for a simple solution to managing – and protecting – their data.

After a few years of cloud sprawl, Patrick chose a full-service provider capable of hosting all his applications in the cloud.  Now, all data is in one place, providing him with greater control and sharing capability.  Eliminating cloud sprawl has meant immediate improvements in efficiency and data security.

Security and Reliability in the Cloud

Accounting firms such as Patrick’s also require the highest levels of cloud-based security and reliability, to ensure that client data is fully protected and accessible at all times.  Indeed, because Patrick serves his clients as their outsourced accounting department, downtime is unacceptable.  The flow of work is non-stop, from end-of-month closing to payroll, and the myriad other tasks that depend on secure, available data, 24/7.

Typically, when businesses think of factors that undermine reliability, power loss, hardware failure and connectivity failure at the ISP level come to mind.  In response, businesses implement redundancy in power, connectivity and hardware, and plan for business continuity in the event of system failure.  The only problem is, this strategy is seriously flawed: it focuses on hardware failure as the primary cause of downtime. 

In practice, downtime can be triggered by any number of events and conditions: attacks originating from the Internet, malware, spyware, viruses, data loss, poor performance, and even scheduled maintenance.  Malware and related threats must be stopped before penetrating – and corrupting – data in the cloud.  The key is an intrusion detection and prevention system (IDPS), currently the most advanced security on the market.  An IDPS goes well beyond typical firewall protection, which is incapable of stopping all threats and merely serves to limit the “surface area” of a protected system.  Firewalls don’t prevent attackers from targeting known vulnerabilities in applications.

The IDPS, by contrast, looks outside and above the firewall layer, detecting threats a firewall would not flag, including spyware, viruses beyond the perimeter, denial of service or brute force attacks, botnets, code execution, SQL injection and phishing. To protect data, the cloud hosting provider also needs to screen out malware at the perimeter before it can reach the virtual infrastructure.

Another important advantage of a well-implemented IDPS is that it can also identify anomalies in “normal” network traffic, offering yet another level of security for accounting firms managing data in the cloud.

To further protect client data against threats, make sure the cloud host provider places servers in isolated VLANs (virtual local area networks), situated beyond a firewall. This will prevent customers’ servers from communicating with other customers’ servers in the host provider’s system.

Even with every security protection in place, data loss can happen, whether the result of hardware failure or other events.   If data loss occurs, an “application-consistent” backup is the preferred method to restore data rapidly and in the cleanest possible manner.  This kind of backup procedure flushes the database and file system transactions prior to taking a point-in-time snapshot.  Doing so ensures that the file systems will be error-free, databases consistent, and restoration will be quick, without requiring any post-restore cleanup. 
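An added illustration of the flush-before-snapshot step (not from the original article or any provider's tooling): SQLite in write-ahead-log mode stands in for the firm's database, and a copy of the main database file alone stands in for a snapshot taken without the flush. The table, rows and file names are constructed for the example.

```python
import os
import shutil
import sqlite3
import tempfile
from contextlib import closing

# Constructed sample ledger rows (client, amount in cents); not real data.
POSTED = [("Acme LLC", 125000), ("Birch Co", 98050)]
PENDING = [("Acme LLC", 4200), ("Cedar Inc", 310075), ("Birch Co", 15999)]
INSERT = "INSERT INTO ledger (client, cents) VALUES (?, ?)"

def open_ledger(path):
    """Open a running ledger: POSTED is in the main file, PENDING is committed but only in the log."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("PRAGMA wal_autocheckpoint=0")  # no automatic flush to the main file
    conn.execute("CREATE TABLE ledger (id INTEGER PRIMARY KEY, client TEXT, cents INTEGER)")
    conn.executemany(INSERT, POSTED)
    conn.commit()
    conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchone()  # POSTED reaches ledger.db
    conn.executemany(INSERT, PENDING)
    conn.commit()  # durable for the application, but held in ledger.db-wal
    return conn

def snapshot(conn, src, dst, flush_first):
    """Copy the main database file; flush_first=True checkpoints the log before copying."""
    if flush_first:
        busy, _, _ = conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchone()
        if busy:
            raise RuntimeError("checkpoint blocked by another connection; snapshot aborted")
    shutil.copyfile(src, dst)  # single-writer demo: nothing writes during the copy

def check_restore(path):
    """Restore test on a copy: (row count, integrity_check result)."""
    with closing(sqlite3.connect(path)) as conn:
        rows = conn.execute("SELECT COUNT(*) FROM ledger").fetchone()[0]
        return rows, conn.execute("PRAGMA integrity_check").fetchone()[0]

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        src, stale, clean = (os.path.join(tmp, n) for n in ("ledger.db", "unflushed.db", "flushed.db"))
        with closing(open_ledger(src)) as conn:
            snapshot(conn, src, stale, flush_first=False)
            snapshot(conn, src, clean, flush_first=True)
            return check_restore(stale), check_restore(clean)

if __name__ == "__main__":
    print(run_demo())
```

The unflushed copy passes its integrity check yet lacks the three newest entries, so a restore test should compare record counts against the live system as well as check for corruption.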

Whether or not restoration is instant depends on the storage area network (SAN) employed. The alternative -- the “crash-consistent” backup method -- can miss data, result in file corruption, and take hours, or even days, to restore.

In addition to the technical IDPS controls, it’s a good idea to ask your host provider if they have completed the SSAE (Standards for Attestation Engagements) No. 16 Type II audit, which confirms their level of service and reliability.

As part of the audit, accounting firms should confirm that background checks were conducted on technical employees. And because data is so critical, it’s wise to inquire about employee training and 24x7 support guarantees.

Moving to the cloud offers firms the opportunity for IT systems to be efficient, easy to service and scalable, supporting future growth. Indeed, any accounting firm can grow its business using cloud-hosted services and, with a robust security system in place, provide clients with optimum service as they and the firm grow.

Adam Stern is founder and CEO of Infinitely Virtual, a provider of virtual server cloud computing services for businesses.

 
