What criteria should I judge a cloud software provider by?
One of the common concerns we hear from prospective CaseWare Cloud subscribers is data security – if my data isn’t in a box in the office, where does it go and who can access it?
It is a legitimate concern to have too – there are a number of cloud platform providers being used now by Australian cloud-based products. So how can you be sure that your data is safe and secure when you sign up to use one of these products?
Our counterparts at CaseWare International have written a fantastic piece on the 7 basic criteria that they recommend using to assess the strength of any cloud-based platform, and include how we at CaseWare handle each. The full article covering these criteria can be found here, and it is well worth reading, especially if you are considering implementing a cloud-based solution.
In summary, the 7 criteria are:
- Physical security. This is the security over the cloud server hardware, facilities, personnel, access and availability, and the level of readiness for environmental factors like flooding and power outages. In our case, CaseWare Cloud is hosted on the Amazon Web Services (AWS) platform, which is covered by an SSAE 16 report and is PCI Level 1 certified, ISO 27001 certified, and compliant with all major security control frameworks.
- Application security. This relates to the security around the components making up the system being considered, including application code and databases. The best way to get comfortable with these aspects is to determine what certifications the offering comes with. Following the lead of AWS, CaseWare Cloud is undergoing certification for ISO 27001 and SOC 2 Type 1, which should be complete by the end of this year. Our SOC 2 Type 2 certification is then expected by mid-2018.
- Network security. This covers controls like firewalls that limit traffic inbound, outbound and within the system itself. It is important that these prevent all forms of threats and attacks, as sadly they are becoming more common in our modern world. CaseWare Cloud has firewalls in place, and the system is continuously monitored. Regular penetration testing is also performed on both our system and AWS, to ensure that they are as safe and secure as they can be.
- Data security and privacy. This refers to the security of data both as it travels over a network and when it sits within a system. Data accessibility and the legalities around where data can be stored are also relevant here. A key aspect of CaseWare Cloud is that all traffic is SSL-encrypted, and advanced proxy services protect against malicious threats. Plus AWS also has policies and accreditations of their own that provide us with an added layer of data and network security.
- Access controls (logical). These are controls like passwords and multi-factor authentication that determine who can access a system, and to what level. With CaseWare Cloud, all registered staff access Cloud using password authentication. Their staff role type in Cloud then determines what actions they can perform on Cloud, and what entities they can access.
- Availability. This criterion relates to what guarantee a provider can offer that all of their services will be available and perform as expected when you need them. At CaseWare, continuous monitoring, regular integrity checks and a number of other measures help us to ensure our Cloud is stable and always available. Plus we also perform regular backups to prevent any loss of data and work.
- Business partnership and trust. This final criterion doesn’t relate to technology. Instead, this is a judgement call about the service provider themselves… are you comfortable heading into a business partnership with them? CaseWare Australia & New Zealand has been the leading provider of powerful, purpose-built audit and financial reporting solutions to the profession in Australia and New Zealand for more than 20 years. Our reputation and our proven track record as a long-term, premium products and services provider, with a continual investment in technology improvements and engagement with the legislative and standards associations, demonstrate our commitment to the industry. We are investing a significant amount of our resources into the Cloud and SMSF Audit areas, and are committed to further improving our products and service in this space for the long term.