By Alan Salmon
Proceed with Caution
Know the risks of this important trend in computing
The technology industry is going through a transformational change. Many futurists predict that, over the next 10 years, the data and applications now stored on our local computers will migrate to massive data centres connected to the Internet. The computer hardware used to access these server farms will not store or process data, but will instead act as a terminal into this massive network, or “cloud” of resources.
Applications and data that are hosted online – and rented instead of purchased – are known as “Software as a Service” or “SaaS”, and are often referred to as “cloud computing.” Web and cloud-enabled applications can let you share information with a team of professionals across the globe in real time, while ensuring world-class security. The leaders in the space include major players such as SalesForce.com, Intacct, NetSuite, Intuit’s ProLine applications, CCH’s ProSystem fx, and Thomson Reuters’ Workflow and Software Solutions product lines.
While there are many benefits associated with this new mode of computing, there are also many new risks that need to be managed and mitigated. These risks can be classified into three major categories:
- security and privacy,
- availability of applications and data, and
- compliance with laws and regulations.
Although SaaS solutions offer significant opportunities for accounting professionals, users should have a clear understanding of issues relating to security, privacy, application and data availability, and compliance requirements.
Accountants should perform adequate due diligence on any web-based or cloud-based software to make sure the offerings, as deployed and implemented, will meet all current and future requirements for service and data availability, privacy and legal/regulatory compliance. Organizations should continue to prepare and test back-up service plans and alternate providers in the event of serious problems, such as service interruption, provider shutdown or a privacy breach.
Security and Privacy
When most accountants think of cloud computing initiatives, they immediately focus on security and privacy issues, since SaaS involves storing confidential information on remote servers. However, in many cases, these hosted solutions can offer better security than what is implemented in many small and mid-sized businesses, and often with lower capital and operating costs. Cloud application providers typically host applications in hardened data centres, with multiple layers of physical security, as well as redundant power supplies, Internet connections and hardware. In contrast, many small business server infrastructures are protected only by the door of an unlocked closet in the office, leaving them vulnerable to “smash and grab” theft, weather events and many other threats.
Since most physical security concerns are handled by application service providers, end users must focus their efforts on ensuring that strong authentication methods are required to gain access to applications and data. The potential for exposure from a breach of data security is greater in a SaaS environment, since both insiders and outsiders can attempt unauthorized access from anywhere, often with impunity, simply by guessing usernames and passwords. While the limited physical security of a personal computer with locally installed applications in a locked office may somewhat compensate for the weak logical security of an easily guessable password, the same weak password in a SaaS environment can easily lead to a privacy breach.
SaaS applications also have additional risks associated with the privacy policies established by providers that govern how and where information can be disclosed to third parties. Many of these privacy policies are subject to change by the service provider, without notice to the subscriber. Ask your organization’s legal counsel to review these agreements before storing confidential information on remote systems. End users of SaaS applications may also not have legal standing to quash overly broad subpoenas issued by a plaintiff or governmental agency, and the service providers may be legally prohibited from disclosing the event to the end user. Accordingly, users should exercise due professional care and consult relevant experts as part of the evaluation process.
Availability of Applications and Data
A second area of concern surrounding SaaS applications is the availability of hosted applications and related data. Events such as fires, storms, cuts in fibre optic cabling, sunspots and hardware failures can result in unexpected downtime for any computerized applications. Providers can go bankrupt, resulting in downtime and possible security breaches of confidential information. Many service contracts allow the provider to disable or delete free accounts and all related data without recourse, so users of those services may want to back up their personal information to local systems as part of their business continuity strategy. Service contracts may be referred to as “End User License Agreements” (or EULAs), “Terms of Service” (or TOS) and “Terms and Conditions.” These risks should be considered and evaluated before deploying SaaS applications.
The infrastructure needed to support SaaS applications may not be available in every location. Organizations that have unreliable Internet connections, or that cannot get a fast broadband Internet connection, may not be a good fit for SaaS deployments. Companies with significant SaaS deployments should strongly consider multiple Internet connections (e.g. cellular, cable, fibre, T-1 or DSL) so staff can access SaaS applications even when one provider is down.
Businesses should also investigate the service level agreement (SLA), uptime guarantee or terms associated with their Internet service provider.
A cable Internet user on a home Internet connection might report an interruption on Monday and have a technician in their home on “Friday, sometime between 1:00 and 5:00 pm.” If uptime from a home office is a concern, home users should invest in a more expensive business-grade Internet connection, which could have an SLA requiring a much more rapid response to service failures.
Before making any commitments, businesses should also have a clear plan for how they will implement the solution, and for how they will retrieve their data if they ever discontinue the use of a particular service. Without a well-developed exit strategy, users may have to re-perform many tasks on historical data when they transition to a new solution. Many providers have excellent resources to assist in this effort. For example, Google’s website www.dataliberation.org outlines how to import your existing data into Google’s applications, as well as how to download and remove your data if you decide to discontinue service.
The legal environment for privacy and identity theft statutes has changed radically in the recent past. Every accountant should have a basic knowledge of the laws they are required to follow, and should consult legal counsel if questions arise.
In summary, SaaS solutions offer significant opportunities for accounting professionals, but users need a clear understanding of the issues relating to security, privacy, application and data availability, and compliance requirements. Users should also have clear plans for how they will transition into and out of the service before they implement it, and should revise their plans continually as service offerings change. While no plan can prevent every possible source of downtime or information breaches, a carefully considered plan, created in consultation with relevant experts, can help users realize the benefits of SaaS while effectively managing the associated risks.