Your donor, member, supporter and other constituent data is gold to your organization. And you want to keep it safe. We get it. That’s why when I saw Steve Backman’s post “Cloud Security in the Era of Wikileaks” on the Idealware blog, my ears perked up and I sat up at full attention.
I read it, was impressed and was eager to talk to a local expert about being safe in the cloud. So I took the post to Cliff Armstrong, Convio’s Engineering Manager. Straight from the horse’s mouth, here’s what Cliff had to say.
Idealware: “The data system in a public cloud is ‘multi-tenant’ – tenant as in big apartment building. Even more than in a condo development, an apartment building provides uniform infrastructure supports distributed across all residents. Apartment building tenants in a well-run building can still personalize a unit yet off-load most all concerns for maintenance and infrastructure.”
Cliff: Great analogy, and I would extend it by adding that really good apartment buildings also provide 24-hour security. As the tenant you may have the key to your apartment, but there’s also someone watching all the doors to make sure that only authorized people can even get into the building. Good cloud service providers, including Convio and Salesforce, do the same thing. They watch the logs for suspicious activity and are proactive in addressing it.
Idealware: “In a cloud environment, you have to select vendors you can trust based on their size, history with privacy incidents, and leadership and board commitments.”
Cliff: Trusting your service provider is critical. While you could take it upon yourself to evaluate the history and operations of a service provider, to do it thoroughly is a daunting task. An alternative is to look for reviews performed by independent auditors. One of the most commonly used is the Service Organization Control report (formerly the SAS 70 report). These reports contain an independent auditor’s analysis of a service provider’s controls related to security, processing integrity, confidentiality/privacy and availability. While the report itself isn’t a guarantee that nothing will ever go wrong, it does indicate that the service provider takes processes and policies seriously and is willing to invest in the people, facilities and processes necessary for the report. Check out “Cloud Computing: What Accountants Need to Know,” specifically the section Security and Reliability Considerations, to explore this area more.
If your cloud solution accepts credit card transactions then the stakes are even higher. In this case you’ll want to ensure your vendor is PCI compliant. (Convio is PCI compliant.) PCI compliance requires a vendor to follow prescribed security management practices and policies. It also verifies that their network architecture, software design and other critical protective measures are properly managed. The standards established by this certification are intended to help proactively secure and protect customer data.
When your organization is considering technology and security, what elements do you take into consideration? What are your make-it or break-it points?