The real security risks of cloud finance apps.

Author: Rajagopal, Ramesh
Position: Data Security

Finance teams have been relying on Web services since before the cloud got its name. Tasks such as banking, payroll processing and benefits administration have been online for several years. These days, though, chief financial officers are embracing Web applications more widely, including accounting, budgeting, enterprise resource planning (ERP), bill pay and more.



This shift is happening for many reasons, not least of which is the effectiveness of cloud applications in supporting flexible and decentralized workforces, including outside consultants and temporary workers.

Nonetheless, some CFOs remain fearful about the security of the company's data in the cloud. But where do the risks really lie, and what can CFOs do to embrace the cloud while containing their exposure?

Let's start somewhere incontrovertible: in terms of access to sensitive information, finance teams have the keys to the kingdom. Along with being the custodians of the financial assets, these users also have access to customer details, employee records, legal documents and regulatory information.

In many organizations, the CFO is ultimately responsible for protecting this data even though the chief information officer (CIO) may deliver the overarching information security framework.

It is therefore unsurprising that for every CFO who has embraced the cloud, there are others who remain skeptical. Although core services like online banking are already delivered over the Web, there is understandable caution in pushing broader classes of data online for storage on someone else's servers.

But in reality, an average-sized organization with limited budget and manpower is typically much better off leveraging security-capable cloud vendors that must make data security their business.

The best providers take a holistic view of securing customer data, including protecting the server from penetration, encryption of the data at rest, secure storage and retrieval of encryption keys, enforcement of internal access rights, data redundancy and backup/restore processes.

What's more, the over-fixation on data location seems out of line with the reality of where breaches typically occur. For the most part, data is safe sitting on servers the company doesn't own. Rather, it's when users access that data that things can get messy.

The methods by which users access data over the Web are much more fertile ground for compromise regardless of where...
