Accounting in the cloud – the light and the shade

The first of a two-part series on keeping your customer data secure in the cloud


You will no doubt be aware that the threat to businesses from cybersecurity attacks continues to increase. The expectation is that cybercriminals will seek to attack businesses at predicted peak times of the year, for instance month end, so practitioners need to continue to be vigilant.

To support members in practice, and so you can support your clients, we’ve pulled together useful ACCA and partner guidance and resources on cybersecurity.

We’ve also teamed up with IASME Consortium to raise awareness of the Cyber Essentials scheme. Since 2020, IASME Consortium has been the National Cyber Security Centre’s Cyber Essentials Partner, responsible for the delivery of the scheme. Cyber Essentials is an effective government-backed scheme which focuses on the five technical controls designed to guard against the most common internet-based cyber security threats.

It allows organisations of all sizes to demonstrate their commitment to cybersecurity and is now widely considered the minimum level of cybersecurity for businesses. The Cyber Essentials scheme offers businesses a simple and affordable way to tackle cyber security and covers the basic technical controls that will help protect organisations from a whole range of the most common cyberattacks.

Below is the first part of a two-part series from IASME on keeping your customer data secure in the cloud. The second part will appear in the next issue of In Practice.

Due diligence – do your homework

You do not have physical control over the servers owned by your cloud service provider, so how do you know if they are secure?

With 24/7 onsite security, advanced encryption, secure backups, and firewall-protected servers, most cloud service providers have invested in security features that you could never match if you used your own servers. However, it is worth bearing in mind that not all cloud service providers understand or value security. It is essential that your organisation researches the security controls used by the cloud service provider before entrusting organisational data to that service. Have you checked the security features of the platform you’re using?

When talking about security, cloud service providers often reference a 'shared responsibility model'. This means that for some security controls, it is the cloud service that is responsible for implementation, whereas for other features it is the user organisation. Who implements which controls will vary depending on the design of the cloud service being subscribed to. 

Working with a cloud provider can be unfamiliar and new for some organisations and it is helpful to outline from the start where the line is between the cloud provider's security responsibilities and those of the user organisation. Each provider and each service will have different security models, different tools for ensuring security, different configuration parameters, different dashboards and different contact points. The business owner or IT manager should reference their service-level agreements and clear up any confusion with the provider when necessary to ensure a successful security strategy. Putting all these details together and creating a coherent multi-cloud security strategy is a vital process. It is a good idea to have security in mind when researching a cloud service product in the first place, and to document a named point of contact to help and support your organisation if there are difficulties. 

Where the cloud provider implements a control, the user organisation must satisfy itself that this has been done to the required standard. Details of implementation of these controls can usually be found in the terms and conditions of the service. Look within contractual clauses or in documents referenced by contract, such as security statements or privacy statements. Cloud providers will often explain how they implement security in documents published in their trust centres.

The security arrangements of a cloud provider are sometimes explicitly documented; for example, Microsoft Azure and AWS document shared responsibilities and whether the provider or the customer is responsible for aspects of security operations and management. With smaller providers or SaaS products, however, these details may be less explicit, but they will still need to be accounted for. 

Understanding your security responsibility is essential to keeping your data safe in the cloud. Look out for part two next month.