Responsibility of the cloud application provider for contents of their application ……

An interesting topic arose the other day on another part of AWeb which gives rise to a question about the responsibility of the SaaS/Cloud accounts provider:
http://www.accountingweb.co.uk/topic/technology/cloud-accounting-software-review-xero/493411

The scenario involved the fact that a well-established provider (Xero) has included in their application a 3rd party product, Yodlee, that may have questionable security.

Are the following true in respect of Yodlee?

  • Not all banks are participants and the bias is towards those with weak security systems – i.e. Yodlee operates best with banks that have basic (weak) security, i.e. username and password
  • Security & sign on are concerns
  1. By providing Yodlee with real credentials (rather than read-only ones) the user opens the possibility of impersonation and subsequent authorisation of transactions – if the Yodlee systems were ever breached, the issues would be immense and far reaching
  2. Are customers being advised to provide ‘read only’ credentials (not the norm)?
  • There are potential issues with Multi-Factor Authentication (MFA)
  • The majority of their development and testing resources are located in Bangalore, India – is this an issue? Yodlee is audited and supervised by the US Federal Government, but how on earth can they keep track of a company which has its code written and tested in a foreign country?
  • It is understood that the Yodlee 10.x platform is being built on Adobe Flex, Adobe PDF and Flash. Adobe PDF and Flash already have a multitude of security problems appearing on a regular basis (0-days etc.). Bearing in mind Adobe’s existing issues, is it too early to trust a new software framework for funds transferring?

The fundamental questions in relation to the provider of cloud based accounting (or other) applications are:

  • Does the accounts provider have a responsibility for the content of their application to their customers?
  • Does any responsibility extend to 3rd party products included in their application?
  • Has this issue been addressed by the Cloud Industry Forum Code of Practice, and if not, why not?
  • What recourse does the customer have and who do they call upon for recompense? Ultimately the customer is pushed between many suppliers (bank, Yodlee, Xero) – but who is actually liable?

I have to say that the question posed in the aforementioned thread on AWeb was not really satisfactorily answered, and the comment ‘..we recognise that different users have different levels of confidence and attitude towards risk and security online ..’ from the UK MD is one of the most extraordinary comments uttered in a long time, especially bearing in mind that it refers to the security area.

Furthermore does the response ‘.. I can't really add any more than has been said at length elsewhere on AccountingWeb and our own blog about Yodlee and security ..’ look to be anything other than ducking the issue?

Where do we draw the line and at what stage does the urge to make marketing capital outweigh any obligation to the customer? We can all be first to deliver a new area but if the end product contains a potential risk (however small) is this approach correct?

Is it really acceptable to say that a breach is only a remote possibility and therefore there is no need to be concerned? Witness this stance over Fukushima.

Comments

Good questions

garyturner

@JC

Good round up - I'll add a couple of things.

Before I do,

- How is "we recognise that different users have different levels of confidence and attitude towards risk and security online" in any way an extraordinary thing to say? It's a fact that some people are wary of even shopping online, let alone anything sophisticated like connecting their online accounting system with a bank, directly or through an aggregation service. Some people are comfortable with it, others are not. Not an extraordinary statement at all.

- The Yodlee Adobe platform based product you refer to is an independent end-user product that Yodlee resells to consumers, which connects with their feed web service; it's not the same thing as the back-end feed service used by Xero or other Yodlee service customers. Interesting choice for them to go with Flex, but it's their shout.

- MFA feeds are coming this quarter in Xero whereby in order to download a day's bank transactions, the Xero user must manually authenticate with their MFA code generator.

- Regarding validating the broader trustworthiness or resilience of a cloud supplier, I believe this also extends into other areas.

  • Several third party providers are usually employed in both online and offline software development. For example, we partner with around 15 banks and now Yodlee, Microsoft, PayPal and Rackspace in bringing Xero to market.
  • The liquidity or financial resilience of the provider.
  • The hosting architecture and fault tolerance and backup systems in place.
  • The capacity of the hardware employed for hosting.

Trust here is something that seems not to be containable within the scope of a code of practice, whether CIF or any other.

It's good that the software industry is held to account and the emerging generation of online services bring with them more complex issues and considerations than their PC predecessors, but I do wonder how long it will be before someone seriously proposes the best practice charter equivalent of an ASBO for cloud suppliers.

Gary Turner
UK Managing Director, Xero
@garyturner
