Business risks of cloud software
Cloud software has security risks, data-lock-out risks and connectivity risks. These risks can be avoided, and cloud software eliminates other major IT risks. Overall, moving to cloud apps such as Xero probably increases overall security and lowers data risk if sensible policies are in place. Before moving to cloud accounting such as Xero, or to a cloud ERP system, it's worth reviewing these risks.
Moving to the cloud does not increase data risk if good password policies are in place. It also reduces many existing risks linked to traditional on-premise applications. That’s because:
Moving the data to a professionally run cloud solution takes advantage of a highly secure , single-purpose platform: more secure than most SMEs provide on their own servers. Many security risks are eliminated.
The biggest technical point of weakness with cloud systems is user passwords.
Mitigation: use good password policies. Take advantage of Two Factor Authentication (TFA) if it is available (available for Xero as of Dec 2015). More on TFA below.
Make sure email passwords are good; they are crucial.
Your staff and their awareness of security is a big opportunity to improve security for a small effort
Note that many SMEs are already exposed to remote access risk since they often have remote access of some kind (via remote login software on a PC, or Remote Desktop on a server). These risks can be worse than cloud apps because the business computers which are open to the internet may not have the latest patches, often run software which can be exploited such as Office, Outlook, Internet Explorer, Flash and Acrobat Reader, and once infiltration occurs, the intruder may be able to access a vast body of documents (think file servers).
For a more general introduction to cloud security, see this article by Xero: https://www.xero.com/au/small-business-guides/business-management/cloud-security/
If you want a long exploration of different cloud accounting solutions for SMEs, read: Review of Cloud Accounting options
Data security requires tradeoffs
A business does not generate data solely for the purpose of securing it. Business data is collected and used to make decisions, win business and to avoid costs through more efficient processes. For SMEs, moving to a “cloud stack” can mean big leaps because data is better integrated (a CRM which talks to the accounting system, for example) and it’s more collaborative, as remote staff, warehouse staff and sales reps on the road can share common information.
Enforcing high security has costs, possibly including inefficiency and lost abilities to use and share information to the benefit of the business. Therefore, there are trade-offs. The most secure IT system is based on an “air gap”: no network connection to the outside world. Obviously, not of much use to a business.
Humans are a weak link
It is important that staff understand modern security risks. There are many urban myths about security, and staff are "informed" about security risks through the media, sometimes including social media hoaxes. Staff should be trained in:
choosing complex but easy to remember passwords (see below)
What Two Factor Authentication is, and why it helps
The consequences of infiltration
What a Phishing attack is
How malware works (i.e. how payloads are downloaded)
How to recognise genuine sites
Why Internet Explorer is avoided, and other key risks of traditional Windows software
Social Engineering attacks
mobile device security.
Larger businesses also have polices to safeguard who has access to what, to reduce the Edward Snowdon event, where someone walks out the door with valuable data on USB sticks or sent to Dropbox. This level of security would be bureaucratic and expensive for a typical SME. Even the NSA didn't stop Edward Snowdon, so it's harder than it looks.
This is around half a day of training. GrowthPath has training material for on-premise training, but nothing online yet.
Cloud software risks
Using core cloud applications introduces some new risks which are not direct security risks. Prominent new risks are:
can’t access the data if the internet is down. Mitigation: this affects other systems anyway, such as email. Redundant internet connections (e.g. mobile data backup).
may lose access to the data if the subscription terminates. Mitigation: Restoration of access requires only to begin monthly payments again (and missed payments are not required). Data can be extracted. Note that the extraction of raw data is not very useful outside of the system it was designed for, but this is true of all applications. A sophisticated user can transform the data for import into another application.
Risks eliminated by cloud apps
Some risks go away when using a cloud system:
no risk of data loss or interruption due to fire, flood, theft or other physical damage, or hardware failure.
The risk of vendor bankruptcy or abandoned support for an old version is much lower
No security risks associated with unpatched software, old versions, or compromise of the business network
Typical data risks in an SME, cloud vs now
Before you react to the risks of moving to cloud systems, it’s worthwhile thinking of your current risk profile to keep things in context.
Data safe-keeping risks
Relying on on-premise servers risks a loss of data causing business disruption (fire, flood, roof leak, theft of hardware, hardware failure). Offsite backups are a good idea, but there is still significant disruption if you need to buy, install and configure a new server.
Compared to the cloud:
The cloud service is essentially immune to physical disasters, as servers are kept in purpose-built facilities (including armed security), and data is continually distributed across multiple locations. Note that some cloud vendors do not provide backups per account, including Xero. That is, they will restore your data if the servers are affected by a problem, but they won't roll you back to a previous day if you need it due to something at your end. This is disappointing but audit trails save it from being an insurmountable problem (discussed below). There are third-party backup solutions which extract raw data using the API.
Data safe-keeping risks are almost eliminated with a move to cloud applications.
Changes to disaster recovery procedures
With no more risk of physical server harm, disaster recover becomes much easier. The business can be operational on the accounting and inventory systems with basically any access to the internet. Disaster recovery is more than physical destruction of servers. It could also include malicious damage of data (mass deletion of information, for example).
There are two defences to this. The first is a daily data backup, leading to a database restore to some prior point. This option is not available from Xero. They do frequent backups, but only for system wide disaster recovery. They do not do individual client file roll-backs. It is possible to automate transaction backups from Xero via the API, and third party providers do this. However, there is no automatic mechanism to use this to roll back to a prior state.
Transaction Log Downloads: the cloud equivalent to backups.
The traditional backup is a copy of data in a format native to an application, so that you need the application to open it again. This is "lockin", but if you have the application on a computer you own, then it does not seem very severe. This is different for a cloud application, if you want to preserve your independence.
In this case, we need a transaction log in text file or some other standard human readable format.
Transaction log downloads are the second defence, one which puts the client in control. Xero does have an easy transaction export to a text file: every accounting transaction is available, and it takes only a couple of clicks to download this file. This would easily allow reconstruction of transaction history. Xero does not natively support automation of this, but it is an easy task to do this via the API in a few lines of code. This transaction log does not include voided or draft documents.
The second mechanism is the audit trail. Both Xero and Dear Inventory never delete anything, so there is always a trail of actions. This can be used to restore, but the process is manual.
In these cases, risk can be reduced through good user roles, and good employee termination processes (to inactivate accounts).
Infiltration means unauthorised access to data.
Some infiltration risks associated with electronic data, regardless of where it is stored, are:
theft of data with breach-of-privacy, reputation or lost business consequences.
data taken hostage (blackmail), locked out from system
These involve infiltration of a system. Infiltration could occur via as a user with a stolen or cracked password, it could be access via a security hole, or it could be a trojan horse attack, where malicious software is unwittingly installed by a user.
Infiltration is much easier if there is remote access.
Obviously all SME cloud systems offer remote access since they are hosted on the internet (the “public cloud”), so this risk comes to mind.
However, remote access risks already exist at many SMEs, which have their own remote access such as Remote Desktop or screen sharing apps for access to individual PCs, and trojan horse attacks trick users to create remote access.
Infiltration is easy if a password is known. Infiltrators can get passwords by:
guessing (including automated guessing)
social cracking (pretending to be an authorised representative via phone or in-premise contact)
phishing (fake email or fake website which tricks a user to provide a password)
Even if you feel that your business doesn’t have data of much value to anyone else, you are still vulnerable to data kidnapping (where your data is encrypted via a password which you need to pay for). A daily backup is a good defence, but this attack is not even possible with cloud systems.
Security vulnerabilities exist in all operating systems. Windows has been traditionally very vulnerable for various reasons although its reputation has improved since Windows 7 and many cloud services which I regard as secure run on Windows servers (these servers have some advantages: there are no normal users and almost no applications are installed). The best solution is to automate updates and to reduce the attack surface area.
Note that many attacks which are apparently attacks on Windows are actually attacks on applications such as Internet Explorer, Microsoft Office, Microsoft Outlook and Adobe Flash and Acrobat. These applications have either been granted extensive access to the operating system (they can do anything) or they have a history of exploitable weaknesses. Security professionals say the attack surface area on a Windows computer is very high because of all the targets, only one of which needs to have an unpatched vulnerability. Single-purposes servers, such as a cloud computing server, have a much lower surface area, and run on best-in class servers which are professionally and continually maintained. Updated machines will be safe, but every machine in the business must be updated. Further, Windows security is of no use if a naive user is tricked into granting high level permissions to malicious software. It’s possible to block this from happening, but then users need administrator support when installing software or printers, and since most SMEs don’t have that support, Windows is run with relaxed security.
Cloud services running on Windows servers, as some of them do, have no ordinary users, very minimal applications and are professionally updated and monitored. They are a tiny target for attackers.
For many clients, the most sensitive data will be in the accounting app and in the supply chain app, which combined will hold sales history, pricing, customer records, employee records and financial data. CRM may also be important.
These systems have role-based security, which we should use to minimise exposure to confidential information, should an user password by guessed or stolen.
Some SMEs use consumer-class network hardware (such as the router), often unpatched for security updates. They may not even disable basic firewall security holes like UPnP. Obscurity (no one knows that I have remote access) is a fool’s defence. I recently enabled remote login to a computer at my home, and watched how quickly this was discovered, leading to mass attempts to crack the password.
Infiltration risks for cloud servers are almost entirely based on password policy, because the chances of a technical infiltration (security hole, trojan horse software) are virtually zero. With good passwords, this risk is low. Two Factor Authentication is a great idea, but it is not available in Xero yet. SMEs using traditional IT have surprisingly high infiltration risks. As with any application, consider user roles to limit the capacity of non-essential user accounts. Have policies banning password sharing. Consider single sign-on support (see below) to centralise password management for cloud apps.
The business should have good policies for employee termination, to de-activate accounts.
Cloud software nearly always supports “Open APIs”, which allow other applications (or in fact any user on the internet) to access data. These APIs nearly always allow updates to data, and they usually are “all or nothing”. Once API access is granted to a third party, the third party can do everything supported by the API. However, access is granted to APIs in a more controlled fashion than to human users. API security is usually very good, since we don't have to make compromises around simplicity. A very complex type of password is used. Setting and viewing the API access is strictly limited to the admin user. While most APIs are well secured, there are still best practices which are based on expiring tokens. Even if the token is stolen, it can't be reused.
Protection against data infiltration: Two Factor Authentication
Password protection is not very convincing to security experts, and many recommend some improvements. The most common improvement is two-factor authentication (TFA). The first factor is a confidential fact, (a password). The second factor is exclusive physical access to something (such as a phone which can receive texts, or a keytag-style generator of a certain sequence of numbers).
Not all SME cloud systems support Two-Factor Authentication, which is a great shame. In late October 2015, Xero announced it was testing TFA, probably provided by a third party called Okta, and that it would be released soon. Update: released in December 2015.
Password policies fail if they are too much hassle. Make sure you get enough user licences so that sharing of a login is rare. Having to remember too many passwords is also a burden which encourages simple, weak passwords. Single Sign On is a good solution. Some cloud apps support it natively, most often by letting users log on with a Google Apps for Work id. Xero supports this.
A third party service, https://www.onelogin.com, provides “single sign on” via authorities such as Google Apps for Work, and Office 365. It includes limited Two Factor Authentication. Onelogic supports 4000+ cloud-apps, such as Dear Inventory and QuickBooks online, Xero and Saasu. However, security benefits are limited if the application does not support enforceable single sign on.
A competitor is https://www.meldium.com
Data access risks
Cloud Vendor lock out
On top of these data access risks, there are business risks with data, such as the need to access historical data for audit or legal issues, or the need to access data to migrate to new systems.
Cloud software access is always linked to payment of the service fee. Different services will take different actions when a client stops paying. Sometimes read-access is possible. Data will kept for a substantial period of time so it can be reactivated later, and reactivation fees usually do not require “catchup” back to the point when payments stopped.
Traditional business software is usually based on a perpetual licence model. If you stop paying, nothing prevents you from using the software as it is, although you won’t get updates. Accessing updates usually requires paying regular “maintenance” fees, and these ARE typically backdated to the time payment stopped, if you wish to access then.
This data access risk is basically a matter of cashflow. Cloud software requires ongoing payments, which entitles you to a certain bundle of benefits, such as continual improvements. The cost of ownership is much lower, as there are no additional fees for servers. There are no exit fees or lock in. The savings from a pay-once “perpetual” licence may not be all they seem, since an out-of-date system won’t be supported if a necessary upgrade to the server makes it inoperable.
However it is very important to be the owner of your cloud accounts. Don’t buy via a reseller, such as an accountant. Under common law (US, UK, Canada, Aus, NZ), an accountant has access to a lien which is a legal basis to deny you access to your data if there is a dispute over unpaid fees. Accounting vendors such as Xero often defer to the legal owner of the account; this is the entity with whom they have a service agreement.
If you don’t pay your cloud bills, you will lose access (temporarily) to your data. This is the same as the electricity. Perpetual licences for traditional software don’t do this. But they cost more and don’t get better over time. Traditional software vendors need an ongoing cashflow too, and they get this via "maintenance fees" which typically provide a modicum of basic support, security and bug fixes, and the right to future versions, but this right means you must be completely up to date with your fees. So the “risk” of being locked out by not paying for your account is really a business decision about cashflow options, which must include the the benefits of cloud software. The only reason you'd want to stop paying is if you plan to use alternative software, and the month-to-month approach is very flexible.
There are also a class of security attacks called “denial of service”, where data is not stolen, but customer access is effectively blocked because the server is deliberately flooded with fake users. Criminals do this and then ask for "protection money" to make it go away. Professionally-hosted cloud services are protected against this. On-premise software is also immune to this, so this is not very relevant.
Cloud systems need good password policy, but apart from vulnerability to weak passwords, the security situations actually improves with the move to cloud systems.
Single Sign on via a directory such as Google Apps for Work or third-party applications reduces password fatigue.
Email security is very important because email is the key password reset mechanism for cloud apps. An email system that disables users resetting their own password, or which at least requires a second factor of authentication, is a step forward for security. Google Apps for Work, which hosts email for corporate domains, has smart TFA: it will prompt for a code sent by SMS if it notices a login from a new device (Facebook does this as well).
Admin users of cloud apps have a special responsibility to have good passwords.
Apart from email, TFA for key apps, such as Xero, is highly recommended.
Appendix: Best Practice Passwords
You can have secure, memorable and short passwords, but you can have only two of those attributes. To keep them secure and memorable, accept that passwords will be long.
The best way to secure a password is to make it (a) long and (b) memorable.
Long passwords consisting simply of four random words are equal to or better than RaD0m! passwords with hard to remember special characters.
This site generates passwords based on those principles: http://correcthorsebatterystaple.net/
Appendix: Using Single Sign On via a third party service (and why email password security is very important)
As mentioned, there are third party services which provide a unified login to cloud apps. A free account for OneLogin supports three apps, but a paid plan is required to use TFA (Two Factor Authentication).
It also requires an extension for the browser; I tested with Chrome, and added Xero and Dear Inventory. The extension is a shortcut to the apps.
The admin can take control of the credentials of each app, making sure that sign on must occur via OneLogin. This means that users would not know their password and would be forced to logon via the OneLogin frontend. So far, so good. But password reset mechanisms would still allow a user, or someone impersonating a user, to get control by sending a reset link to the email account associated with the user id. This means that email passwords are very important, since a compromised email account renders OneLogin’s Two Factor authentication irrelevant. Note that Google Apps for Work does not allow password reset emails, and will enforce SMS-based Two Factor Authentication for logins from unknown devices, which is a big step forward for security.