Key questions before entering the cloud

FIRMS ARE KEEN to explore an online model to offer value-added services to clients. However, many are concerned about security and reliability, with fear of system compromise or failure encouraging a cautious attitude towards wholesale usage. These concerns are certainly valid but can be addressed with a robust approach to due diligence on both internet vendors and data centres.

Sales of Software as a Service (SaaS) – systems based online – in Western Europe are anticipated to hit $3.2bn (£1.96bn) this year, according to IT analysts Gartner, up 18.5% on 2011’s levels. Organisations are keen to exploit the inherent usability and speed of online software as well as the economic benefits associated with subscription-based pricing. According to a study by Verdana Research, 51% cite reducing the total cost of ownership as the biggest financial benefit of using internet-based (or cloud) systems, while 46% reported reducing implementation fees.

But, with data security still raising concerns, how can an accountancy practice address fears about the corruption or loss of business critical financial data or explain to clients the compliance and governance implications of the shift from on premise to SaaS?

Most SaaS vendors will use third party data centres to store clients’ data. However, the difference between these organisations can be significant, not only in areas of performance and resilience, but also security. To ensure the long-term safety of financial data, organisations need to look at a variety of issues, from location to physical security and compliance with standards. Accountants need to ask five key questions before signing on the dotted line.

1. Data location: Organisations are understandably concerned about where data is kept. Because cloud data storage can, by its very nature, be based anywhere in the world, users need to know where information is kept and what data protection legislation applies in that country.

2. Data security: It is important to assess the quality of security being used. Check the physical security employed on site and whether the centre conforms to the European standard.

3. Data centre processes: With internet risks evolving on a daily basis, companies need to ascertain the quality of monitoring tools and intrusion detection techniques. They also need to check the robustness of back-up solutions to ensure no data is lost and what guarantees there are to continue receiving the promised 24×7 access to information.

4. Legal requirements: The essence of the SaaS model is total flexibility, allowing companies to easily move between suppliers. But what happens to the data if the company moves from one provider to another? With a legal requirement to retain financial information for at least seven years, it is essential to ensure the centre has a process in place to adhere to compliance requirements.

5. Secondary site: What is the data centre’s provision for disaster recovery? Many London-based data centres are having to consider the risks associated with the Olympics and Golden Jubilee, but all data centres need to have good disaster recovery to ensure continuous availability and safeguards at the primary site. Also, what are the security measures at the secondary site?

Accountants also need to delve deeper than just how their data will be managed. Security pledges are a key component of every sales offer; therefore accountants need to ensure the promised levels of security are consistently delivered by the data centre and vendor. Accountants should think about:

1. Independent audit: Is the vendor audited every quarter by a trusted third party, which assesses the quality of processes and technologies employed to safeguard financial information?

2. Effective staff management: What is the vendor’s policy towards front-end issues such as passwords? Most companies have good back-end security processes in place, leaving hackers to focus on compromising staff in order to gain access to passwords. Can staff be targeted with unsolicited email and USB sticks which can upload trojans or other viruses onto your company network? Also, do staff adhere to strict policies of data protection, such as shredding paper before disposal or changing passwords on a regular basis? It is worth asking for proof of these practices.

3. Education: For the investment in SaaS to realise its full potential, it is essential users trust the data – otherwise they will be tempted to retain key information in spreadsheets, undermining the improvements to be gained through automation and creating opportunities for errors. Can the vendor advise on good user education on the new online model as part of the overall implementation?

Kevin McLoughlin is Twinfield UK country manager 
