Data security — risks and opportunities in the cloud
When data security is everything, what are the opportunities and risks when moving to the cloud?
- Data sovereignty needs to be considered carefully when adopting a cloud provider
- Security systems offered by reputable providers are constantly monitored and updated
- When a business leaves a cloud service, data sovereignty can be an issue
By Adam Ferguson
The rapid growth of cloud services and products and the adoption of the technology among the small business community has created a raft of benefits for industry and the economy.
In the first quarter of this year, just under a third of SMEs in Australia and New Zealand reported using cloud products and services in the MYOB Business Monitor Digital Nation report.
According to the report, businesses that are using the latest technology tend to be earning more, as well as enjoying more sales and a greater level of client engagement.
But, as with any new technology, it pays to be aware of any potential downsides for business clients — especially where their most valuable data is concerned.
Data security is one of the most common concerns for SMEs considering a move to the cloud. For businesses, the loss of data can be disastrous, especially if it includes tax records or sensitive client information.
For many business owners, keeping data in-house just feels safer. They take comfort in knowing information is stored on a server on the premises. However, in truth, keeping your data in a cloud server with a reputable and reliable vendor is, most often, far more secure than storing it on an internal system. Cloud storage means data can be backed up across multiple, world-class data centres, with an array of fail-safes and backups in place.
The security systems offered by reputable providers are also far more comprehensive than most businesses can afford. In addition, they are constantly monitored and updated — not just when there is a reported issue, but as part of a constant improvement cycle.
In saying this, it is important to be aware that standards in the field are not always consistent. A good example of this in the online accounting field is the practice of screen scraping to collect bank data. Employed by some providers, this practice can put both the security and accuracy of clients’ data at risk.
[Screen scraping is collecting screen data from one application and translating it to another. It is useful for capturing data from older applications so it can be displayed using more modern interfaces.]
In MYOB’s experience, the bank feeds feature is one of the most popular on the cloud platform. It allows bank transactions to be automatically imported and matched to the correct accounts in the business’ accounting software. This process saves the accountant, bookkeeper and/or business owner many hours of tedious data entry and significantly reduces errors through incorrect coding or recording of figures.
MYOB recommends the bank-authorised data collection system provided by BankLink, which provides secure bank transaction data via direct feeds from financial institutions, without the need for a client to share bank login details.
The data is supplied in a “read only” format, ensuring it cannot be changed and the owner retains full control of it. The entire process complies with the stringent Payment Card Industry Data Security Standard for the safe handling of transaction data and meets the requirements of more than 100 financial institutions.
Data sovereignty — Who owns your info?
Another key concern for clients, particularly if they want to take advantage of services that offer a better price or range of features, is the control they maintain over their data.
The concept of data sovereignty is one that has become more widely discussed with the growth of the cloud and internet-based services in general. This covers three broad areas:
- Who has access to data?
- Who controls the data?
- How will that data be made available if the client wants to switch providers?
Although control of access is an important issue, it’s what happens when a business leaves a cloud service that makes questions of data sovereignty so relevant.
Before a business signs up to any cloud provider, it’s important they have a clear picture of the form in which their data will be returned, and how long it will take to get it all back.
In particular, businesses or their advisers need to find out if they will get their data back in a useable form — one that will allow them to continue to work offline — or if they will just be given a report on their data.
This is, of course, a real concern not only because of the impact it can have on the day-to-day running of a business, but also in terms of any government regulations around record keeping.
One of the areas that can make understanding both security and sovereignty issues more complex is where a provider bases its service on multiple add-on solutions.
When using these services, rather than a single provider, businesses need to be aware of the standards and practices of every provider.
For example, if one of them stops trading, who is responsible for managing any disruption, retrieving data and providing any required support?
Ultimately, the onus of managing these relationships is likely to fall on the businesses themselves, making it very important they understand the implications of using a range of providers, and ensuring they have adequate backup in place to cover any eventuality.
Evaluating a cloud provider
High standards of security and access should be a given for leaders in the technology industry. For businesses to evaluate their chosen provider, however, there is a range of other elements to consider that will provide a more comprehensive picture of the provider they are choosing to handle their vital business data.
Reputation: This is likely to be the first thing that most businesses consider, but it is important to get an objective view on the provider that can meet a business’ evolving needs over the long term.
Cost: When evaluating cost, it is important to consider whether a business is getting everything it needs for the advertised price, or whether add-on solutions will be required, increasing the overall cost of choosing a particular provider.
Transparency: When it comes to protecting and managing data, nothing is worse than a surprise. So it’s important businesses choose a cloud vendor who is as transparent as possible, especially about the terms of any service level agreement, or about important metrics like availability, frequency of outages and exit terms.
Backups: Businesses should also be clear on their process for creating backups if data is lost. Is this something that is provided automatically or do they need to do it themselves?
Availability: This is an important metric as it measures how often the cloud solution that businesses will be using is available. No system is perfect, but a really good provider should be able to guarantee 99 per cent availability.
Support: When something goes wrong, most businesses want to know that their cloud provider is going to provide them with the support they need. It’s particularly worth considering the benefits of a provider that offers real-time phone support over those that offer email-only support, or live chat.
Adam Ferguson is the general manager — accounts at MYOB.
This article was first published in the October 2014 issue of Acuity magazine.