Responsibility of the cloud application provider for contents of their application
An interesting topic arose the other day on another part of AWeb which gives rise to the question about the responsibility of the SaaS/Cloud accounts provider.
The scenario involved the fact that a well-established provider (Xero) has included in their application the use of a 3rd party product, Yodlee, that may have questionable security.
Are the following true in respect of Yodlee?
- Not all banks are participants and the bias is towards those with weak security systems – i.e. Yodlee operates best with banks that have basic (weak) security – i.e. username, password
- Security & sign on are concerns
- By providing Yodlee with real Credentials (rather than read only) the user opens the possibility of allowing impersonation and subsequent authorisation of transactions – if the Yodlee systems were ever breached the issues would be immense and far reaching
- Are customers being advised to provide ‘read only’ credentials (not the norm?)
- There are potential issues with Multi-Factor Authentication (MFA)
- The majority of their development and testing resources are located in Bangalore, India – is this an issue? Yodlee is audited and supervised by the US Federal Government, but how on earth can they keep track of a company which has its code written and tested in a foreign country?
- It is understood that the Yodlee 10.x platform is being built on Adobe Flex, Adobe PDF and Flash. Adobe PDF and Flash already have a multitude of security problems appearing on a regular basis (0 day etc.). Bearing in mind Adobe’s existing issues, is it too early to trust a new software framework for funds transferring?
The fundamental questions in relation to the provider of cloud based accounting (or other) applications are:
- Does the accounts provider have a responsibility for the content of their application to their customers?
- Does any responsibility extend to 3rd party products included in their application?
- Has this issue been addressed by the Cloud Industry Forum - Code of Practice, and if not – why not?
- What recourse does the customer have and who do they call upon for recompense – ultimately pushed between many suppliers (bank, Yodlee, Xero) – but who is actually liable?
I have to say that the question posed in the aforementioned thread on AWeb was not really satisfactorily answered, and the comment ‘..we recognise that different users have different levels of confidence and attitude towards risk and security online ..’ from the UK MD is one of the most extraordinary comments uttered for a long time; especially bearing in mind that it refers to the security area.
Furthermore does the response ‘.. I can't really add any more than has been said at length elsewhere on AccountingWeb and our own blog about Yodlee and security ..’ look to be anything other than ducking the issue?
Where do we draw the line and at what stage does the urge to make marketing capital outweigh any obligation to the customer? We can all be first to deliver a new area but if the end product contains a potential risk (however small) is this approach correct?
Is it really acceptable to say that a breach is only a remote possibility and therefore there is no need to be concerned – witness this stance over Fukushima?