Triad part 3: Security

In the “Overcoming issues with upgrades” thread, I promised to write a piece on security issues. It’s in danger of becoming “War and Peace”. An interesting dimension is that SaaS cloud applications can (and often are) an improvement on on-premise systems in certain respects. But other aspects of security often leave me unconvinced. I’m therefore positive but cautious about SaaS cloud systems, depending on the specific offering, the risks related to the specific application (accounting, CRM, etc), and how weak are the on-premise alternatives.  

As both of you are waiting with bated breath, here’s an interim posting on security. Hopefully it will help to identify priorities.

Talking to a former senior executive of IRIS Software Group, he wrote “In my experience the issue of 'data security' is the number 1 concern of most people who are anti-cloud.” See also @dahowlett’s blog post.

Interesting then that IRIS’s web page for their OpenApps offerings mentions encrypted data and “bank level security”.

Now I’m completely independent of IRIS, and haven’t got the time at present to investigate these claims in any detail. Encrypted throughout? Need hand-held security devices? Hogwash or realistic?

Thinking about related issues such as database performance, multi-tenancy and back-up/recovery, are IRIS being OTT?

Comments

Perspective

DuaneJAckson

I'm not sure what your current level of understanding is around security (or multi-tenancy, db performance, etc) or what outcome you're looking for from these discussions. I'm assuming you're coming at this from an "uninformed consumer" perspective, if you'll forgive the less than complimentary label?

The security Iris mention for their OpenBooks (which is the FreeAgent product rebranded) is standard for the industry. By "bank-level security" and encrypted data, they're just referring to SSL encryption.

It's not overkill, it's the standard minimum level of security for banking and ecommerce.

See KashFlow security page at http://www.kashflow.co.uk/security.asp


I agree with Nick... I mean Duane

david_terrar

Duane's right - for Iris "bank level" security only means SSL style encryption. 

This topic needs to cover communications and login, backup and failover, confidentiality, as well as access to your data if the SaaS provider fails.

Have you seen the Intellect Business Case for SaaS document? (you probably have, but other readers might not):

http://www.intellectuk.org/content/view/5534/84/

David Terrar

www.d2c.org.uk and www.twinfield.co.uk


As Xanda would say …

challisc

@david_terrar: Thanks for the suggestions. I hadn’t seen this particular Intellect document. Certainly worth anyone interested in cloud computing taking a look.

On security, page 13 is enlightening. What it says is right on the money, and entirely consistent with my approach to SaaS. To quote a few examples:

“While the SaaS model offers significant advantages over on-premise, it does carry potential risks that must also be considered.”

“For SaaS providers [security] is mission critical, and is generally taken very seriously to the point where data security is as important, if not more so, than the SaaS product itself.”

“…it is worth contrasting [SaaS] with your in-house security and compliance before becoming unnecessarily worried about storing your data outside your organisation.” (see my comment on my initial posting above “… how weak are the on-premise alternatives”)

As a buy-side person, it’s great to see security prominently displayed on @DuaneJAckson’s Kashflow site.

But it’s all basically what was good practice when I first started using SaaS services in 2000. Nothing major seems to have moved forward in the last ten years. Unless I’ve missed it, how about:
• When should stored data be encrypted?
• How well should data in multi-tenant systems be segregated?
• How can individual tenants’ databases be recovered without affecting other tenants?
• Etc etc

@david_terrar previously highlighted a public consultation paper on an Industry Code of Practice for cloud issues. I’ve only just had a chance to register, and see that the consultation expires on 31st May, i.e. this coming Monday. Haven’t read the paper yet. Looks like I’ve got something else to do this weekend!

However, as Xanda would say ……


Extension to CIF "Industry Code of Practice" consultation

challisc

Just to say that the Cloud Industry Forum's "Industry Code of Practice" consultation has been extended to 15 June. They are apparently keen to hear from both buy-side and vendor-side players, and indeed anyone else!

Data Protection Act

gsgordon

I have a concern about whether we can use cloud applications, such as CRM, and remain compliant with the Data Protection Act.

The Information Commissioner's Office (ICO) has had a consultation on the Personal Information Online Code of Practice, held between December 2009 and March 2010. Various respondents wanted the section covering cloud computing to be clearer about the potential pros and cons of using cloud services. Apparently the section has been revised to take this into account, but the document is not yet published.

Does anyone here have knowledge of the ICO position on using cloud applications, or can anyone point me to a discussion of the topic elsewhere?



DPA

cverrier

The Data Protection Act has relatively little to specifically contribute as far as SaaS is concerned. If you hold or process personal data, then you need to protect it from misuse - that basic principle is the same regardless of the technology used. (The DPA doesn't address particular technologies, as these inevitably change rapidly and the Act has to be relevant for years).

Firstly, the Act's requirement to keep data accurate and only as long as needed isn't a technology issue, but a matter of internal processes, so the nature of the system isn't relevant.

Given that a typical SaaS provider will be holding its clients' data in dedicated data-centres, the physical security of the data is certainly greater than most small businesses could ever hope to manage with on-premise systems.

Arguably one big advantage of SaaS is that you're never in a position where you could leave your laptop on the train and lose all your data, because your data isn't on that laptop any more - it's in the datacentre. You're also much less likely to burn stuff onto a CD ROM or Flash Drive if you know you can access it securely over the web from home or a client.

The use of HTTPS is still considered adequate protection against the interception of data in transit between server and PC. Beyond that, I don't think encrypting data on the servers actually helps, does it? By far the most likely method of attack on a SaaS database is by somebody misusing a valid username and password, and in that situation the system will blithely decrypt the data for the user anyway, so the encryption really only serves to protect against very unlikely scenarios. You can guard against this with things like multi-factor authentication (little electronic gizmos that generate new passwords every few minutes, etc), but only if you're happy with the extra cost that goes with it. Sometimes you have to take a view on what is reasonable and practical for the sort of data you are dealing with.

One possible area of concern is whether the data (in the datacentre) might be accessed by governments on fishing expeditions. If your SaaS provider happens to use a datacentre in some far-flung corner of the world, then the data in the datacentre may well not have the legal protection we have in the UK and other places. Again the issue of encryption becomes unimportant, because, faced with a court order, the datacentre will have no choice but to decrypt the data for whatever authorities demand it.

The Data Protection Act says that...

"Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

"EEA" is the European Economic Area (29 countries). There are seven non-EEA countries considered to have local data protection laws sufficient to be acceptable under the Act. Finally, in the USA (not one of the seven), there is an agreement that data held under 'Safe Harbour' conditions (an agreement negotiated between the EU and USA) is also safe enough that the DPA allows transfer without special permission from the subject of the data.

So - if you are selecting a SaaS provider - you should certainly consider the physical location of the datacentres where your data will be stored, and most UK SaaS providers in our sphere use UK-based datacentres for this very reason. (As an aside, GMail data will probably be held in the USA, but Google does operate the Safe Harbour scheme).

I'd argue that, where the DPA is concerned, it's areas like accounts and tax outsourcing where the real concerns lie, not with SaaS. If you outsource compliance work to India or Asia, you MUST ensure your clients are aware their data is being sent outside a DPA approved area. (Usually you do this with a line or two in the engagement letter).



Last para

dahowlett

@charles - your last para and interpretation of DPA is interesting because I know that is being used by services operating outside EU. I am learning more about the application of this term and how it REALLY operates from US players in particular. It doesn't represent a loophole but does represent something capable of agreed interpretation. In other words, some players are finding they can blow a hole through the idea that EU data must stay inside the EU. However, that opens a fresh can of worms that I am currently digging through. Would be interested in sharing perspectives. You know where to reach me.


Encrypted data

challisc

@cverrier - You asked whether encrypting data on the servers actually helps. I've come across this in applications of highly sensitive information, such as corporate finance deals. The risk is disclosure to members of the vendor's IT team who have ready access to the databases without going through the normal user access routes. Whilst the risk may be perceived as low, it is very real in such situations.

The SaaS vendor uses encryption as part of persuading buyers that their SaaS solution is more secure than on-premise systems, which are typically un-encrypted, and more secure than their competitors. In other words encrypting data on the servers actually helps not only with security, but where confidentiality is important, can also help vendors with marketing and achieving competitive advantage.
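The two posts above make complementary points: cverrier's, that encryption at rest does nothing against someone using a valid username and password (the application decrypts for them anyway), and challisc's, that it does protect against the vendor's own IT staff reading the database directly. The constructed example below, which is not code from any of the posters or vendors named in this thread, shows both paths against one in-memory store. The key name, the user and deal records and the SHA-256 keystream cipher are all assumptions for illustration; the cipher stands in for a real AEAD such as AES-GCM only because the Python standard library has no AES.

```python
"""Constructed example: what field-level encryption at rest protects, and what it does not.

Two ways into the same store:
  * app_read()  -- goes through login; the application decrypts for any caller
                   holding valid credentials (a stolen password still works).
  * dba_read()  -- direct database/backup access, bypassing the application;
                   only ciphertext is visible because the key is not in the DB.
"""
import hashlib
import hmac
import secrets

# Hypothetical application data key. In a real deployment it lives in a KMS/HSM
# that the database host cannot read; it is never stored beside the data.
APP_KEY = hashlib.sha256(b"constructed-demo-key-not-for-real-use").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for a real cipher (e.g. AES-GCM): a SHA-256 counter keystream,
    # used here only because the standard library has no AES.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """nonce || ciphertext || HMAC tag, so tampering or a wrong key is detected."""
    data = plaintext.encode("utf-8")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes) -> str:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered record")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return pt.decode("utf-8")


# The "database": rows exactly as a DBA or backup operator would see them.
DEALS = {}
USERS = {}


def register_user(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
    }


def _authenticate(username: str, password: str) -> None:
    user = USERS.get(username)
    if user is None:
        raise PermissionError("unknown user")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    if not hmac.compare_digest(candidate, user["hash"]):
        raise PermissionError("bad password")


def app_store(username: str, password: str, deal_id: str, notes: str) -> None:
    """Application path: authenticate, then encrypt the sensitive field before it is stored."""
    _authenticate(username, password)
    DEALS[deal_id] = {"owner": username, "notes_enc": encrypt_field(APP_KEY, notes)}


def app_read(username: str, password: str, deal_id: str) -> str:
    """Application path: anyone presenting valid credentials gets plaintext back."""
    _authenticate(username, password)
    return decrypt_field(APP_KEY, DEALS[deal_id]["notes_enc"])


def dba_read(deal_id: str) -> bytes:
    """Direct DB access (insider, stolen backup): ciphertext only, no key available here."""
    return DEALS[deal_id]["notes_enc"]


if __name__ == "__main__":
    register_user("alice", "correct horse battery staple")
    app_store("alice", "correct horse battery staple", "deal-42", "Project Falcon: bid GBP 12m")
    print(app_read("alice", "correct horse battery staple", "deal-42"))  # plaintext
    print(dba_read("deal-42")[:24].hex(), "...")                          # opaque bytes
```

The design point is where the key lives: if the data key were stored in the same database (or readable by the same administrators), `dba_read` would be as good as `app_read`, and the encryption would buy nothing against the insider case challisc describes. Equally, nothing in `app_read` can tell a legitimate user from someone who has guessed or phished the password, which is why the second factor cverrier mentions is the control for that case.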

7 non-EEA Countries?

gsgordon

@cverrier - Where can I find the list of 7 non-EEA countries that are acceptable under the Act?


encrypt or not

daveforbes

For high volume transactional data encryption would have a considerable performance overhead and as cverrier mentioned, of questionable value for the vast majority of users. Another solution for those with particular security requirements might be to anonymise (if that is how you spell it) the high volume transactional data and encrypt only the information that ties it to real world entities.

Taking steps to eliminate the possibility of password theft would perhaps be a better value for money step - something along the lines of the one time password generation used by some of the banks. I think this will become the norm in 2-3 years - especially once the credit card companies start moving away from "plastic".

When you start storing more private information - medical records and my particular interest - tax returns, then encryption possibly becomes more of a requirement. I want privacy not just from the general public, but from the employees of my software provider also.

Sharing with a good level of security is inherent in cloud applications. A standalone PC locked in a room may give better privacy, but people do need to share data off premises. At this point people start using ad hoc methods - sending by email, setting up VPNs, or carrying flash drives around.

David Forbes
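daveforbes makes two practical suggestions above: keep the high-volume transactional data free of anything that identifies a real-world entity, protecting only the small mapping that ties records to people, and use one-time passwords of the kind banks issue so that a stolen password on its own is not enough. The constructed example below is added here and is not code from any poster or product in this thread. The pseudonymisation key, the ledger layout and the customer records are assumptions; the one-time password part is a straightforward RFC 6238 TOTP implementation, which is the scheme most bank and authenticator tokens use.

```python
"""Constructed example: pseudonymised bulk data plus a one-time password second factor."""
import hashlib
import hmac
import struct

# Hypothetical pseudonymisation key: held by the application, never by reporting users.
PSEUDONYM_KEY = b"constructed-demo-pseudonym-key"


def pseudonym(customer_id: str) -> str:
    """Keyed, deterministic token: same customer -> same token; not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


class Ledger:
    def __init__(self):
        self.transactions = []  # high volume, pseudonymised: usable for reporting and support
        self.identities = {}    # small and sensitive: token -> real identity, access restricted

    def record(self, customer_id: str, name: str, amount_pence: int) -> None:
        token = pseudonym(customer_id)
        self.identities[token] = name
        self.transactions.append({"customer": token, "amount": amount_pence})

    def totals(self) -> dict:
        """Runs over the bulk table only; no names are needed or visible."""
        out = {}
        for tx in self.transactions:
            out[tx["customer"]] = out.get(tx["customer"], 0) + tx["amount"]
        return out

    def resolve(self, token: str) -> str:
        """The one operation that touches the identity table."""
        return self.identities[token]


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps for clock drift; constant-time compare."""
    for drift in range(-window, window + 1):
        expected = hotp(secret, unix_time // step + drift, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def login(password_ok: bool, secret: bytes, submitted_code: str, unix_time: int) -> bool:
    """Both factors must pass: a leaked password without the current code is rejected."""
    return password_ok and verify_totp(secret, submitted_code, unix_time)


if __name__ == "__main__":
    import time
    ledger = Ledger()
    ledger.record("C001", "Ann Example", 500)   # constructed sample records
    ledger.record("C001", "Ann Example", 250)
    ledger.record("C002", "Bob Example", 100)
    print(ledger.totals())                       # tokens and sums only
    seed = b"12345678901234567890"               # RFC 6238 test secret, not a real one
    now = int(time.time())
    print(login(True, seed, totp(seed, now), now), login(True, seed, "000000", now))
```

Anyone who can query `transactions` sees amounts against opaque tokens; only `resolve` needs the identity table, so that table is the one to encrypt or lock down, which is exactly the split daveforbes proposes. The TOTP verifier accepts one step either side for clock drift; a production service would also record the last accepted counter per user so that a captured code cannot be replayed within the same step.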


DPA and non EEA countries.

cverrier

@gsgordon..

Information Commissioners web-site...

http://www.ico.gov.uk/for_organisations/data_protection_guide/principle_8_sending_personal_data_outside_the_eea.aspx

The list of countries is about two thirds of the way down the page.



Check this

dahowlett

From my pal and ex-FT reporter Tom Foremski.


Data protection

daveforbes

It is reassuring that we can locate our data centre in the Faroe Islands.

Pity about New Zealand.


New Zealand

cverrier

@daveforbes - Good point.

Anybody know where Xero keeps its UK customers' data? ;-)

The DPA does let you place data in places outside the listed countries without being in breach, but the onus is on you to investigate, verify, and document the ways in which data is stored and protected in those countries.

I assume Xero have done the legwork for UK customers on this, but I didn't see anything on the 'Security' section of their web site.



Xero

garyturner

All Xero systems and data are hosted by Rackspace in the US and, as you would expect, Rackspace are themselves Safe Harbor certified.

Gary.

(Xero's UK managing director)


Xero

daveforbes

Phew.

Phew again!

gsgordon

Glad to see Xero take aWeb more seriously than the Xero Users Forum! I've been waiting 3 hours there - still no answer.


Multi-tasking

garyturner

Well, just answered you there, too. 3hrs direct response from a managing director ain't that bad, is it?


CIF / Intellect / ICAEW IT faculty publications

challisc

Just a reminder to say that the Cloud Industry Forum's "Industry Code of Practice" consultation has been extended to 15 June. They are apparently keen to hear from both buy-side and vendor-side players, and indeed anyone else! You’ll need to download their consultation paper, and await an invite to feedback, so worth doing asap.

You may also be interested in two documents that are very enlightening on security and other SaaS cloud matters:
(1) Intellect’s “The business case for Software as a Service”
(2) ICAEW IT faculty’s "Cloud Computing – a guide for business managers"

I’ve compiled a brief summary of key points, which you may find useful.


The issue that dare not speak its name

challisc

The cloud's "Macbeth" issue, which I have not mentioned for fear of sounding too negative, is having a sufficiently robust and speedy link to the internet from any location that's needed. Locations may include the main offices, branch offices or staff homes. "Loss of Internet = loss of information systems. PERIOD." With the threat of strikes at BT, now is the time to mention it.

On Wednesday 28 May 2008 (around 11am to be precise) hundreds of homes, offices, shops and other businesses in west Maidenhead lost their telephone lines and broadband connections. No automated credit card authorisations. No landline telephones. No internet connection. Some joker had stolen or vandalised a length of copper running up the main road in broad daylight! Initially promised a fix date of 11th June, my landlines were fixed late on Friday 7th. That was services lost for 10 days. Fortunately I had 3G data backup and a mobile phone. Others weren't so lucky. 3G data links sold out quickly!

Last summer the BBC reported that "Phone lines in a Derbyshire village are working again after residents said they were cut off for four weeks" after a strike by lightning. Now potential strikes by BT repair engineers and call centre staff could convert minor issues into major outage.

I'm in contact with one of BT's non-execs I know to get further information.

Whilst SaaS cloud applications can be used from an alternative location, moving an office lock stock and barrel for an extended (and initially unknown) period is easier said than done.

There are solutions that can be put in place in advance to deal with outage risk. Any others?



Dependency on the internet

daveforbes

With companies so dependent on communications, not having access to their accounting software as the business went down the pan might be seen as a benefit - a bit like Zaphod's glasses in the Hitchhiker's Guide to the Universe!


Hybrid systems

SimonH

Most of the posts seem to be based on Local OR Cloud perspectives. Could a system work as a hybrid between the two? For example, with regular back-ups between local and hosted data, if a connection goes down, the system automatically switches to a local version. There may be some data issues but synchronising could solve those. After all, the original idea of the Web was finding alternative routes to send packets of data.


Broadband backup and hybrid solutions

david_terrar

@challisc - Internet availability is obviously a key issue to plan for, and I know that Richard Anning of the ICAEW IT Faculty often highlights that it is a key worry for members considering the Cloud. However, over the last 10 years I've had only a few minor outages of my broadband service. As you say, it's relatively cheap and straightforward to have mobile 3G broadband as a backup, or even 2 broadband providers for some resilience. Smaller companies/individuals could also get access via an Internet cafe or local wifi hotspot. Of all the risks to consider, this one should be easy enough to handle.

@SimonH - On hybrid as you describe, Salesforce do have a cut down version available offline, and some consumer apps use Google Gears so that you are synchronized with off-line data on your local PC. However, for mainstream accounting applications (or other Cloud business apps) I don't know of any SaaS/Cloud provider who is taking this route of making available a local version of their software to sync to. They put their resources into making sure they've got layers of redundancy in their web server, processor and disk infrastructure in the data centre so that if anything goes wrong, the service carries on (albeit at some level of degradation). The better providers will have data stored in multiple locations, and/or failover to alternate systems.

David Terrar

www.d2c.org.uk and www.twinfield.co.uk

SaaS over Internet = asking for trouble

Peter Howsam

I'm surprised to see two opposing issues within the same thread of dialog; on one hand we're discussing security and reliability of service, and in the same thread we're talking about SaaS provided over the internet?

Even if you're accessing the internet over a business grade service you'll be sharing your bandwidth at some point with the residential users and their dubious downloads. I talk to SaaS providers and the biggest negative impact to the end users' experience is from an unreliable connection.

If your business relies on the cloud application, then make an investment in a private connection to the host data centre such as point-to-point MPLS. You'll get a guaranteed fix in the event of a failure and a guaranteed level of performance in-service. Furthermore, you won't need encryption (unless for reasons of compliance such as GSi) so your throughput will be faster.

So much talk seems to connect SaaS to the internet as opposed to private networking. Having read the CIF consultation document there's no mention of private connectivity there, either. It's just as simple to build a private connection as a public one, and if the difference in cost is vast then you're talking to the wrong providers; the telcos will compete to get into the Cloud market.

PH

Group: Cloud Computing for Accountants discussion group
A place for accountants to share their thoughts about web-based systems