Replies (20)
Arrrrgh!
Does no-one see the flaw in having client data with a handful of cloud based companies that could be subsumed at any time and thereby giving said subsumer (in any country) access to interesting data? Knowledge is power after all.
Come to think of it why not just use Facebook and cut out the middle man!
For the avoidance of doubt, that last comment was said with my tongue firmly in my cheek .... but makes a point.
Only 1GB
They only give you 1GB for free - and obviously don't tell you what they would charge if you exceed the measly 1GB upfront.
Spideroak.com
Having used Dropbox I too was concerned about the site being hacked and lack of secure encryption. Apparently the encryption keys are uploaded with the files making them easy to gain access to. I looked around for a secure alternative and found Spideroak.com. The data is encrypted on your computer and transmitted as such. If anyone intercepted the data and looked at it, including employees of Spideroak, it would make no sense to them. This feature is well publicised on their web site. I now have synchronised and encrypted files on all my computers. The first 2GB is free. Well worth considering in my opinion.
Point of order
Having used Dropbox I too was concerned about the site being hacked and lack of secure encryption. Apparently the encryption keys are uploaded with the files making them easy to gain access to. I looked around for a secure alternative and found Spideroak.com. The data is encrypted on your computer and transmitted as such. If anyone intercepted the data and looked at it, including employees of Spideroak, it would make no sense to them. This feature is well publicised on their web site. I now have synchronised and encrypted files on all my computers. The first 2GB is free. Well worth considering in my opinion.
Can I point you to :-
http://news.hitb.org/content/moxie-marlinspike-announces-cloud-based-encryption-cracking-service
The cloud is indeed very useful .......... to some.
@BigBadWolf
We have had a good look around and the system seems very good - to answer your question each additional GB is £5 I believe. There are upgrade options within the application.
HA
@ Hosted Accountants
We have had a good look around and the system seems very good - to answer your question each additional GB is £5 I believe. There are upgrade options within the application.
HA
Thanks - £5 per GB is that annual or monthly?
Why don't they tell you the price on their marketing website? I hate companies who aren't upfront with their prices!!!
Is it any better than docSafe, which has a digital signature facility as well?
Pricing
Thanks - £5 per GB is that annual or monthly?
Why don't they tell you the price on their marketing website? I hate companies who aren't upfront with their prices!!!
Is it any better than docSafe, which has a digital signature facility as well?
Sorry for the slow reply BigBadWolf.
It is £5 per GB per month - it looks like there is also a 15% off deal for paying for the year but you will need to speak to your IRIS account manager. As discussed by Adrian if you stick to normal documents and PDFs then 1GB should give you plenty - c100,000+ pages, but obviously this depends on many variables.
And yes pricing would be useful but then again it is in the product after a simple sign up...
I have not used docSafe - we use EchoSign (Adobe) for signing up clients and sharing contracts....
Dan
Who cares?
Cloud security / confidentiality issues need to be put in perspective.
Would a Chinese, or Russian or even teenage British "hacker" have any interest in seeing your client's profit and loss account? Or a copy letter you sent to HMRC about car benefits?
If your desktop PC or office server has a connection to the Internet, it is just as vulnerable (probably more so) to hacking as a cloud server. The fact is your office server is not being hacked because the sort of people with the skills and motivation to do so have no interest whatsoever in your client's data.
"who cares?" -- well, employees for starters
Cloud security / confidentiality issues need to be put in perspective.
Would a Chinese, or Russian or even teenage British "hacker" have any interest in seeing your client's profit and loss account?
True, however, often client data includes employee privileged information -- including information ripe for identity theft (birth dates, close relatives, social insurance/ID numbers, earnings information).
And in some cases, the information may contain credit info for customers, including credit card numbers. Clients aren't supposed to retain this information A) for very long and B) in an unencrypted state and C) outside of the credit card processing system, but that doesn't mean that the client has actually DONE any of this -- especially the small clients.
So, it does matter -- or at least some diligence has to happen before we assume that *all* data is appropriate for upload to networks outside of the control of the accountant.
Regards,
R. Grant Rowson, CISA, CGA
(Canada)
SpiderOak.com
To quote SpiderOak's website
"SpiderOak uses industry-standard SSL encryption to secure communication channels from end-to-end. Data is encrypted locally, uploaded encrypted, stored encrypted, and sent back to a user’s registered device encrypted. This provides the foundation for our ‘Zero-Knowledge’ Privacy environment."
"Our 'zero-knowledge' privacy environment ensures we can never see your data. Not our staff. Not a government. No one. The myth about 'online' and 'privacy' has been dispelled - leaving an environment whereby it is impossible for us to betray the trust of our users."
I am quite satisfied that SpiderOak have taken sufficient measures to protect my data and I believe it is all too easy to become paranoid about hacking and data theft. Provided you have taken all security steps possible I see no reason why the cloud should not be used to store and sync data and I shall continue to use SpiderOak to do so.
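The quoted SpiderOak text describes a design in which files are encrypted on the user's own machine and the provider only ever stores ciphertext. The following Go program is an added illustration of that arrangement, written for this thread and not code from SpiderOak or any product mentioned here. It uses the Go standard library's AES-256-GCM: the key is generated on the client, the "provider" is a map that stores whatever bytes it is handed, and the program checks both that the provider cannot find the plaintext in what it holds and that a blob modified in storage is rejected on download. The sample document and the key-generation-at-random are constructed assumptions; a real client would derive the key from a passphrase with a proper KDF so the same key is available on every synchronised machine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Client holds the encryption key. It is generated on the user's machine
// and never sent to the storage provider.
type Client struct{ key []byte }

// NewClient generates a fresh 256-bit AES key locally.
func NewClient() (*Client, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return &Client{key: key}, nil
}

func (c *Client) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. The blob handed to the provider
// is nonce || ciphertext || tag; nothing in it reveals the key.
func (c *Client) Seal(plaintext []byte) ([]byte, error) {
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a blob from Seal and verifies its authentication tag, so a
// blob altered while in storage is rejected instead of silently decoded.
func (c *Client) Open(blob []byte) ([]byte, error) {
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Provider models the storage service: it keeps whatever bytes it is given
// and can inspect them at will, but it holds no key.
type Provider struct{ store map[string][]byte }

func NewProvider() *Provider            { return &Provider{store: map[string][]byte{}} }
func (p *Provider) Put(name string, b []byte) { p.store[name] = b }
func (p *Provider) Get(name string) []byte { return p.store[name] }

// CanRead reports whether a plaintext fragment is visible in the stored blob,
// i.e. whether an employee or intruder at the provider could read it.
func (p *Provider) CanRead(name string, fragment []byte) bool {
	return bytes.Contains(p.store[name], fragment)
}

// RoundTrip uploads a document through the client, downloads it again, and
// reports whether the provider could see the plaintext in between.
func RoundTrip(document []byte) (recovered []byte, providerSawPlaintext bool, err error) {
	client, err := NewClient()
	if err != nil {
		return nil, false, err
	}
	blob, err := client.Seal(document)
	if err != nil {
		return nil, false, err
	}
	provider := NewProvider()
	provider.Put("return.pdf", blob)
	providerSawPlaintext = provider.CanRead("return.pdf", document[:16])
	recovered, err = client.Open(provider.Get("return.pdf"))
	return recovered, providerSawPlaintext, err
}

func main() {
	// Constructed sample document; the IRMark value is a placeholder.
	doc := []byte("Client: Example Ltd\nSA100 IRMark: PLACEHOLDER-IRMARK\n")
	got, seen, err := RoundTrip(doc)
	fmt.Printf("recovered ok: %v, provider saw plaintext: %v, err: %v\n", bytes.Equal(got, doc), seen, err)
}
```

The point the program makes is the one the quoted text makes: with the key generated and kept on the client, the provider's staff, a court order served on the provider, or a breach of its storage yields only ciphertext, and GCM's tag additionally detects a stored blob that has been altered. What it does not protect against is a weak passphrase or a compromised client machine, which is where a key in this design actually lives.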
SpiderOak
I am quite satisfied that SpiderOak have taken sufficient measures to protect my data and I believe it is all too easy to become paranoid about hacking and data theft. Provided you have taken all security steps possible I see no reason why the cloud should not be used to store and sync data and I shall continue to use SpiderOak to do so.
While I do feel that SpiderOak has given attention to the issue, I'd feel a heck of a lot more assured if they actually posted the audit opinion of an information systems auditor (along SAS70 or SSAE16 standards -- even though these relate more to financial system internal controls, audit opinions can be issued for non-financial systems too).
Considering that we're all accountants and/or auditors, I think part of the diligence process should include examination of a cloud provider's system by a third-party who can attest if they actually A) have controls to protect access/privacy/disclosure/etc. and B) whether the company follows them and C) whether they are effective. If a major cloud service hasn't gone down this route, then I would be concerned if they are serious about their business. This is akin to putting your bank deposits in a nationally-certified/monitored/regulated bank vs "giving the money to Vinny down the street who will hold it safely for you" (no offence meant to the Vinnys of the world). It's also a differentiator between consumer vs business services.
Regarding the "belief" that one can become paranoid about hacking and data theft - I know what you're saying - but my CISA professional development requirements have me monitoring the topic as part of general concerns about system security and governance. There are whole security professional conferences out there (Black Hat, in particular) where they have competitions to break all of the "industry standard SSL" stuff, etc. It's not a question of whether the security is solid/impregnable but rather how FAST the teams can do it. Combine that with the number of botnet systems (home/business computers that are actually hijacked and remotely "owned" by a system somewhere else and thus used for identity theft, espionage or other purposes), and one can see that the problem is a bit more insidious than what might first appear.
A few years ago, BBC did a really good story on the subject -- they "bought up" a criminal botnet on the black market -- a small one, where only 20,000 computers were controlled -- and on television had a security professional show how the net could be used to take control of victims' computers, etc. and use it to gather information. I believe they actually got sued over this, even though they didn't actually do anything criminal with it and actually contacted all of the victims to let them know that their machine was "compromised and now liberated." Bottom line: you need to make sure that ALL pieces of your information system -- local OR cloud -- have the proper protection in place to prevent "unintended access/disclosure of sensitive information."
ps: I use various cloud services extensively (DropBox in particular, though have used SpiderOak and SugarSync, too) - but I do have regulatory requirements (in health care) that restrict what type of data I can put on such cloud services (or anywhere else, for that matter).
Regards,
R. Grant Rowson, CISA, CGA
(Canada)
Digital Signature
Not much use at the moment as you can upload a tax return to someone, then they have to print it out, sign it, send it back, we have to scan it...
When they add signatures so we can just publish, get it signed and then we can submit it will be great!!
Another issue I can see with this is that if we store the signed returns on this system and don't archive them manually the storage will grow forever along with the monthly fee.
HMRC do not need a signature
Not much use at the moment as you can upload a tax return to someone, then they have to print it out, sign it, send it back, we have to scan it...
When they add signatures so we can just publish, get it signed and then we can submit it will be great!!
Another issue I can see with this is that if we store the signed returns on this system and don't archive them manually the storage will grow forever along with the monthly fee.
Provided you have received approval for the client's SAR from the client then HMRC will accept that when you submit the SAR electronically. We use this method where clients choose or who may live abroad. Especially useful as the deadline approaches. In these cases we email the client's SAR to them (if they want it encrypted we can do so) and then ask them to approve the SAR in an email back to us quoting the HMRC IRMark so they are approving a specific SAR. We keep this email on file with the return. Have done this for many years without any problems.
@roblpm
Why all the printing, signing and scanning ?
The HMRC say at http://www.hmrc.gov.uk/softwaredevelopers/2013-copyspec.pdf
2) Receive confirmation in writing from the client that the information is correct and complete to the best of the client’s knowledge and belief. The client may give their written confirmation in electronic or non-electronic form.
Signing
Thanks for the answers.
However what I was getting at was that it would be even better long term to have the returns and confirmations all together without the hassle of filing emails etc. As the previous poster points out they get the client to quote the IRMark in the email. Much simpler for the client to electronically sign. We then get notified and submit the return with no filing at all.
Security & signatures
I'm in the real world with Adrian over security, everything I have is now hosted and I feel a lot safer than I did when I had my own box & cables running into the wall. I use Dropbox extensively for my own and client stuff and anything sensitive deposited up there is encrypted by us. Same goes for anything sent out on emails.
It's worth mentioning that in several cases it's clients that invite me to link to their dropbox rather than the other way around.
I've also signed up for Iris OpenSpace and it looks well designed and slick and I like the idea that we & clients get notified as soon as anything goes up there. Unless you or clients are silly enough to deposit Sage type data files then 1GB should be ample for many small practices (even with loads of photos I struggle to use over 0.8GB on Dropbox). I don't see OS as being a permanent archive, i.e. once a file has been used/approved it can be copied to local drives & deleted.
Electronic approval &/or signature functionality is available at a price from other systems but, as with so much in the IT world, give it a year or two and all file sharing systems will provide this as standard.
Why the focus on cloud security?
@growson I hear what you say and, of course, you are correct in many of the points you make regarding data security generally.
What always surprises me though is that any talk of hosting data remotely seems to attract an inordinately negative commentary about perceived security concerns; compared to "controlled" systems such as a physical server in one's own office.
Professionals have been storing confidential client data on their own servers, PCs, laptops, portable hard drives, USB sticks, DVDs, CDs, floppy disks AND paper files for decades (centuries in the case of the latter). This data is, indeed, capable of being used by the unscrupulous for many nefarious purposes. Yet there is no hand-wringing over the (lack of) security these media provide. This is because we are all familiar with these traditional methods and, by comparison, cloud storage is new.
If you challenged me to get my hands on your confidential data, offered me a substantial cash sum (and immunity from prosecution) I would attempt real-world physical access to your data in preference to the much harder digital attack every time. Unless you have data centre (i.e. almost military) levels of physical security over your office and/or home premises I would opt to engage the services of common criminals to break in, put your server under their arm and walk right out again. Whilst ransacking your offices, they could also collect assorted portable drives, disks (and paper files) that will likely be pretty easy to find and pick up.
Hell, it might not even be that difficult. If you conscientiously take your DAT tape backup from the server home with you each evening, my newly-hired unsavoury cohorts could simply mug you in the office car park.
The point I am trying to make is that if firms undertook the same kind of audit on their existing security vulnerabilities as they demand in respect of prospective cloud storage solutions, they would quickly realise that data is much safer with professionals: in a secure, purpose-built facility that a) makes physical access impossible and b) employs professionals whose only job is to employ the most robust digital security available and monitor it 24/7 365 days a year.
Adrian
Why focus on just cloud security - back door wide open at home
The point I am trying to make is that if firms undertook the same kind of audit on their existing security vulnerabilities as they demand in respect of prospective cloud storage solutions, they would quickly realise that data is much safer with professionals: in a secure, purpose-built facility that a) makes physical access impossible and b) employs professionals whose only job is to employ the most robust digital security available and monitor it 24/7 365 days a year.
Adrian, you're completely right here. The "fuss" over the hosted storage sites results because those entities are OUTSIDE of our DIRECT CONTROL -- meaning, we really don't know what access controls, security processes, containment processes, disaster/continuity management plans, etc. that they have. But I'd agree entirely that MOST local environments haven't really considered all of these points also. And as I think it's already been said here by someone (you? - can't see the response thread as I reply), your sensitive data might actually be BETTER PROTECTED in the cloud than on a local network: how many places are using replicated virtual servers within their own networks? And even if they are, how many site IT managers can call up, in the pinch of a disaster, the THOUSANDS of servers that Amazon has for their cloud offering? Or Google/Microsoft? Again, I think the big issue is making sure that your cloud company of choice has all of the right assurances in place to give you the operational flexibility and security that you require of your data . . . .
. . . . and the same diligence should happen with local networks as well. We're a long way from the old adage "oh, the tape backup is capturing everything" (presuming that someone has actually TESTED the theory :-/ ), and some false delusion that the local network's security is sufficient just because there's a Wal-Mart-grade firewall and antivirus software installed (which is only stage one preparedness out of three - the other two being intrusion detection and data loss prevention).
Regards,
R. Grant Rowson, CISA, CGA
(Canada)
hypothetical criminal
If you challenged me to get my hands on your confidential data, offered me a substantial cash sum (and immunity from prosecution) I would attempt real-world physical access to your data in preference to the much harder digital attack every time.
If there was only a small chance of a cash reward and no immunity from prosecution, would you change your strategy?
No, but I'd have to do it myself
@daveforbes - the cash and immunity were merely required for me to put my case in the first person. The cash allowed me to pay criminals and immunity would let me sleep at night.
Of course, in reality, our hypothetical criminal would be comfortable breaking into premises or mugging individuals and would do so only for the potential rewards to be had from selling or misusing the data. Likewise, they would be familiar with the risk of being caught.