Switching to the Cloud? Conduct Due Diligence
by Christopher M. Chudyk, CPA, CITP, and Randy Rudzik, Traphagen Financial Group – March 16, 2018
Times are always changing, and technology is always advancing. Ninety-five percent of offices across the world store the majority of their information in the cloud using services or software such as Mega, Box, NextCloud, Google Drive, Dropbox, OneDrive, SpiderOak, IDrive, pCloud and Apple iCloud. Cloud services are not only used for storing data; they are also used for sending and transporting it. When a company uses cloud services, it gains the opportunity to focus on its core business while avoiding computer and network maintenance.
Types of Cloud Computing
Cloud computing consists of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). These offerings differ in how much of the stack you manage versus how much your service provider manages. With SaaS, everything is managed by the provider; with PaaS, you manage the data and applications; and with IaaS, you manage the applications, data and runtime.
There are three deployment models: private, public and hybrid. Private clouds are highly secure and are typically dedicated to one organization. Public clouds are owned by the service provider and offer the highest level of efficiency in sharing resources. Hybrid clouds combine private and public features.
Why is due diligence so important when moving data to the cloud? You want to verify that the provider you are relying on has all the necessary safeguards against any possible threats. There are daily instances of familiar businesses being hacked and Social Security numbers stolen, or of attackers encrypting data or networks until a ransom is paid. Selecting the right vendor for your company’s needs is half the battle; the other half is making sure the vendor and your own firm have the necessary safeguards to protect your and your clients’ data.
Elements to consider include:
- How much storage is available?
- What are the download and upload speeds?
- Do the vendor and your own firm have a disaster recovery plan?
- What are the cost and efficiency of switching support plans, and how long does a service restart take in case of maintenance or a power outage?
- What level of encryption is applied?
- What is the policy on password complexity and on how frequently passwords must be changed?
- What technology policies and procedures do the vendor and your own company have? Are all employees required to sign off on them?
- Does the vendor use dual (two-factor) authentication to log in (e.g., after entering a password, a code is sent to your cell phone)?
- Has the vendor gone through penetration testing, where an outside party tries to penetrate its systems and the vendor then, based on those results, takes appropriate actions to reduce the risk?
- Does the vendor undergo annual technology audits (SAS 70; SOC 1 and 2)? Be sure to get a copy of the audit report.
- What are the support options (tickets, instant messaging, phone calls) and what are their respective wait times?
- Is your company covered by cyber insurance?
- What other companies use the vendor/provider your company is considering?
- Do you see any warning signs on the company’s website or social media accounts?
- How long does it take for a backup to be restored?
- How many backups are retained?
- Where are the backups stored?
- How often is data backed up?
Moving to the cloud is not a new topic, but if you don’t take the necessary precautions (due diligence) in selecting the right providers, your company could be the next name in the headlines. Stay out of the news by selecting the correct vendor and doing your due diligence.
Randy M. Rudzik
Randy Rudzik is a staff accountant with Traphagen Financial Group. He is a member of the NJCPA.
This article appeared in the March/April 2018 issue of New Jersey CPA magazine.