James Bourke

Data Security in the Cloud

What CPA firms can lose if they don't address three key issues before migrating to the cloud.

September 27, 2010
by James Bourke, CPA.CITP

Blogging, the embracing of social media and the utilization of the cloud model as a new way to conduct business and collaborate with our clients have resulted in the migration of a tremendous amount of data out to the net.

The key benefit that drives the popularity of the cloud model, i.e., data is available anywhere/anytime and accessible via a web browser, is the same thing that drives concerns in the area of security. The concern is not only protecting data from individuals looking to access it to commit some form of fraudulent activity, but also protecting it from unauthorized governmental and/or private invasion. Because of the lack of security standards surrounding this space and the fact that data can be stored virtually anywhere in the world, under the laws and regulations of any country, it becomes a very difficult task to manage. Having said that, there are steps that can be taken to help ensure the security and confidentiality of your firm’s data stored using this platform.

Social Media

In the blogging and social networking space, the most obvious and often overlooked way to protect data is simply to educate those who are actively publishing in this area. A professional should exercise “common sense” when posting comments, updates and other facts on these sites.

Difference Between Cloud and Onsite Security

The main difference between security in the cloud and security over data stored onsite is "visibility." It becomes very difficult to secure data that you cannot see. Therefore it is crucial for CPA firms to work with their cloud service providers and work out the details of securing data in the cloud by coordinating and aligning their data with the selected vendor as well as the vendor’s multiple business partners that may be engaged to assist them with that process.

The location (country) in which the data is housed is an important factor to consider when evaluating vendors. For example, the European Union (EU) member states have nearly aligned their data laws and favor a very strict protection of privacy. Some countries, on the other hand, while offering very cost-effective data-storage solutions, have few or no laws and regulations in place concerning the privacy of such data.

Data Security in the Cloud

Similar to data stored internally, there are three basic requirements that should be considered regarding data security:

  1. Availability. A data breach at a vendor's data center could be detrimental, not to mention a political nightmare for a business, but the loss of connectivity to such a data center effectively puts a business "out of business" (at least temporarily).

    When addressing the issue of availability with the vendor, settle for nothing less than near-100 percent. Don't take the vendor's word on the subject; ask for a list of their largest and smallest customers and reach out to each. It is not uncommon for vendors to utilize various data centers to store data, and availability can vary greatly from data center to data center. Ask about uptime and, in the event of downtime, ensure that it is noted, and inquire about the duration of the outage and the vendor's response to the situation.
  2. Integrity. When dealing with private and confidential client data, as well as the ever-increasing number of states passing rules and regulations surrounding this issue, data integrity should be a major concern when selecting a vendor in this space.

    Before selecting a vendor, inquire as to safeguards that are in place to ensure that only those authorized have access to make changes to applications and/or data center configurations that may affect the integrity of the data.
  3. Confidentiality. In its simplest form, confidentiality means that only those authorized have access to view and/or manipulate the data. Ensure that the vendor has strong controls in place to enforce policies over authorized user access, login/authentication and segregation of data.

    A high degree of confidentiality can generally be found with reputable vendors in this arena. Your firm should review the vendor’s policies surrounding confidentiality before selecting them, especially if the vendor that is being considered has not yet had significant penetration in this area.

    As powerful as the cloud model may be, don't take security for granted. There is absolutely nothing wrong with doing a site visit of the vendor's data and/or operations center. If physical security is not visible at these centers, that would be your first indicator of a potential issue.


Lastly, since it is rare for commercial general liability and errors-and-omissions policies to cover “intangible” losses related to loss of data, privacy breaches and the like, cyber liability insurance policies are meant to fill that void and to address the particular needs of a company doing business in the cloud. Nearly nonexistent in our profession just five years ago, such policies are starting to gain traction today. Many companies use such policies as a way to help limit their liability to third parties that may be harmed in case such an event occurs. In addition, some policies offer coverage of expenditures that may be necessary to do damage control subsequent to such a breach.


The flexibility and scalability that make cloud computing so attractive also make it very unpredictable. Do your homework. When it comes to engaging a third party to host sensitive data, make sure you ask your vendors about the above-listed concerns up front, prior to migrating your data.

Additional Resources

  Trust Services Principles and Criteria (PDF)
  Information Technology Center
  Technical Practice Aids


James C. Bourke, CPA.CITP.CFF, is a partner at WithumSmith+Brown where he is director of Firm Technology. He is a past president of the New Jersey Society of CPAs and currently serves on AICPA Council and as Chair of the AICPA CITP Credential Committee. He has been named by Accounting Today as one of the Top 100 Most Influential People in the Profession.