Donít Let Service Providers Rain on Your Cloud
Experts weigh in on data security, contracts and efficiencies.
June 27, 2011
At the recent Cloud Computing Expo in New York City, one of the topics of concern for many attendees was contracts and what CPA firms should ask service providers before crossing the “t”s and dotting the “i”s.
If you’re thinking that once you sign a contract, you can say goodbye to your data, you’re wrong according to Chris Schin, VP-Products, at the Sunnyvale, Calif.-based data protection service provider, Zetta. Schin said that one of the many myths about cloud service providers is that they control your data. He emphasized that you don’t necessarily lose control of your data and in fact, you should keep ownership. He advised insisting to the service provider that you remain in control of your data.
“As a customer, you should always continue to own all data that you put into the cloud, but that the service provider would need to own the intellectual property (IP) that runs the cloud itself,” he said. “In other words, the service provider has built a cloud solution, and they need to own that solution and all enhancements they make to it, but you should always own your data,” he added.
That said, both Randolph Johnston, executive vice-president of Hutchinson, Kan.-based Network Management Group, Inc., as well as Byron Patrick, CPA.CITP, co-founder and CEO of Baltimore, Md-based Simplified Innovations, Inc. added a note of caution. “In most circumstances the firm will own the data but the next question is, ‘can I do anything with it if they export the data’?,” explained Patrick. For example, Patrick said he uses a SaaS solution called Zendesk for his firmís support tickets and can export the data to Excel but that the solution only keeps two years of history in the support site that can be lost after that time frame. He also said that there was no guarantee that he could import that data back into a replacement system in any usable format. However, if you use QuickBooks Online you can export a full QuickBooks file that you can then use with a locally installed version of QuickBooks and you would not lose an history in the file. “Most SaaS [Software as a Service] solutions maintain the data in a proprietary format. Therefore when exporting, it may be very difficult to transition it into another solution,” he added.
Another issue facing many firms is a locked-in contract. Always read the fine print and ask questions of your prospective cloud vendor before signing a contact. Patrick advised discussing your options with your vendor, especially their terms, should “you decide you no longer want to use their service.” Some vendors allow you to test their software before you sign a long-term contract, noted Schin. He also suggested avoiding proprietary application program interfaces (APIs). “There are many proprietary APIs out there. This makes it difficult to transition from one cloud vendor to another once a customer does the work to integrate to that specific API,” said Schin. “Using more-generally accepted standards (many of which are still in early stages) allows a customer to easily switch from one cloud provider to another,” he added.
Is there a time frame during which you need to let your cloud provider know that you will be either expanding your contract or ending it altogether? It largely depends on the provider, though both Schin and Patrick noted that it can be accomplished within 24 hours, though in very rare cases, it may take up to 30 days, said Johnston.
CPAs and most finance firms are wary about data security in the cloud and rightly so. For one thing, there is no such thing as hacker-free, where the Internet is concerned. That said, there are a few precautions you can take to ensure data security in the cloud. One thing you can do, said Schin, is to make sure that your service provider has programmatic access to your data as opposed to human access. He said that service providers need to run programs in the back end to ensure that your data is backed up safely. If this is done via computers, then you don’t need to worry about service providers accessing your data. Ask your service provider whether they have their staff backing up their systems or whether they use computer programs to automatically run system back-ups. Going with the automated system back-up is the better option because thereís no human contact, and so less chance of providers accessing your data. In the former scenario, there is a greater chance of staff backed-up systems leading to fraud and data breaches. Johnston advised looking carefully at the contract and asking your service provider “for documentation that all data is at least 128-bit AES-encrypted (Advanced Encryption Standard) at all times. More is better. Check browser access for ‘lock’ [and] read the company’s public claims on their website.”
Patrick agreed with Johnston and said your contract should include this information as part of the confidentiality section. “Depending on the type of service and what information is being stored, there may be a need for support to access the business’s data.” You should clarify what those circumstances are and when such data will be accessed and for what purpose. “For example, if the service provider is simply providing online backup services, there is no need for them to ever access your data and it should be encrypted in a manner that wouldn’t allow them to even if they tried,” said Patrick. “However, if you are using a hosted application of some sort and technical support needs to access your data to assist with an issue, it should be only upon your permission that they do so.”
With all the hoopla around cloud computing, it is no wonder skeptical CPAs want to know whether it is worth moving to the cloud. And for those of you who are solo practitioners or have small firms, and think this is just for large firms … think again. Johnston said some small firms have already moved to the cloud successfully with “lower cost [and] no software installs.”
Patrick agreed completely, saying that it was absolutely worth small CPA firms to move to the cloud. “We have a few sole practitioners using our private-cloud solution,” he said. The biggest advantages to sole practitioners and small CPA firms include the ability to outsource much of the internal maintenance that is required for maintaining their own technology, such as software installs, backups, patches, upgrades, etc. Depending on the solution you are looking at, you can typically buy only what you need and scale it as your firm grows, which is not always possible with traditional solutions. Patrick explained this further by providing two examples:
If you’re still debating about going to the cloud, think no more. In many cases, it is more secure and efficient than your traditional solutions and is also cost effective, just be sure to review your contracts carefully.
|Additional Resources:||AICPA Trusted Business Advisor Solutions|
|AICPA Trusted Business Advisor Cloud Computing Blog|
Sukanya Mitra is managing editor of the AICPA Insider™ e-newsletter group.