If my data isn’t in a box in the office, where does it go and who can access it?
This is a legitimate concern to have – there are a number of cloud platform providers being used now by Australian cloud-based products. So how can you be sure that your data is safe and secure when you sign up to use one of these products?
Caseware International have written a fantastic piece on the 7 basic criteria that they recommend using to assess the strength of any cloud-based platform, and include how Caseware handles each. The full article covering these criteria can be found here. It is well worth reading, especially if you are considering implementing a cloud-based solution.
In summary, the 7 criteria for evaluating Cloud solutions are:
This is the security over the cloud server hardware, facilities, personnel, access and availability, and the level of readiness for environmental factors like flooding and power outages. In our case, our Cloud is hosted on Amazon Web Services (AWS) platform which is covered by an SSAE 16 report and is PCI Level 1 certified, ISO 27001 certified, and compliant with all major security control frameworks.
This relates to the security around the components making up the system being considered, including application code and databases. The best way to get comfort over these is to determine what certifications the offering comes with. Following the lead of AWS, Caseware Cloud is undergoing certification for ISO 27001 and SOC 2 Type 1, which should be complete by the end of this year. Our SOC 2 Type 2 certification is then expected by mid 2018.
This covers controls like firewalls that limit traffic inbound, outbound and within the system itself. It is important that these prevent all forms of threats and attacks, as sadly they are becoming more common in our modern world. Caseware Cloud has firewalls in place, and the system is continuously monitored. Regular penetration testing is also performed on both our system and AWS, to ensure that they are as safe and secure as they can be.
Data security and privacy
Security of data should be considered in two forms – how data travels over a network/the internet (data traffic) and when it is stored within a system (data storage). Data accessibility and the legalities around where data can be stored are also relevant here.
A key aspect of Caseware Cloud is that all data traffic is SSL-encrypted, and advanced proxy services protect against malicious threats. Plus AWS also has policies and accreditations of their own that provide us with an added layer of data and network security.
As for where data is stored, the data on all Australian Caseware Cloud sites is stored on the AWS servers in New South Wales – no Australian data leaves the country.
Access controls (logical)
These are controls like passwords and multi-factor authentication that determine who can access a system, and to what level. With Caseware Cloud, all registered staff access Cloud using password authentication. Their staff role type in Cloud then determines what actions they can perform on Cloud, and what entities they can access.
These criteria relate to what guarantee a provider can offer that all of their services will be available and perform as expected when you need them. At Caseware, continuous monitoring, regular integrity checks and a number of other measures help us to ensure our Cloud is stable and always available. Plus we also perform regular backups to prevent any loss of data and work.
Business partnership and trust
These final criteria don’t relate to technology. Instead, this is about the service provider themselves… Are you comfortable heading into a business partnership with them? Caseware has been the leading provider of powerful, purpose-built audit and financial reporting solutions to the profession in Australia and New Zealand for more than 20 years. Our reputation and our proven track record of being a long term, premium products and services provider, with a continual investment in technology improvements and engagement with the legislative and standards associations, demonstrates our commitment to the industry. We are investing a significant amount of our resources into the Cloud and SMSF Audit areas, and are committed to further improving our products and service in this space long term.