Cloud Security
Cloud software has security risks, data-lock-out risks, and connectivity risks. However, these risks can be avoided, and cloud software eliminates other major IT risks. On balance, moving to cloud apps such as Xero probably increases overall security and lowers data risk if sensible policies are in place.
Summary
- Moving data to a professionally run cloud solution takes advantage of a highly secure, single-purpose platform — more secure than most SMEs provide on their own servers. Many security risks are eliminated.
- The biggest technical point of weakness with cloud systems is user passwords. Mitigation: use good password policies and Two Factor Authentication.
- Email passwords are crucial — they are the key password reset mechanism.
- Staff security awareness is a big opportunity to improve security for a small effort.
- Many SMEs are already exposed to remote access risk via remote login software or Remote Desktop, and these risks can be worse than those of cloud apps because business computers may not have the latest patches.
Risks Introduced by Cloud Apps
- Internet dependency — can’t access data if the internet is down. Mitigation: redundant internet connections (e.g., mobile data backup).
- Subscription dependency — may lose access if subscription terminates. Mitigation: restoration requires only resuming monthly payments. Data can be extracted via API.
Risks Eliminated by Cloud Apps
- No risk of data loss from fire, flood, theft, or hardware failure
- Vendor bankruptcy risk is much lower than with perpetual-licence software
- No security risks from unpatched software, old versions, or compromised business networks
- Data kidnapping (ransomware-style encryption attacks) is not possible with cloud systems
Infiltration Risk Assessment
Cloud vs On-Premise
| Risk Factor | Cloud | On-Premise |
|---|---|---|
| Physical access | Professionally secured facilities (armed security) | Depends on office security |
| Patching | Automatic, continuous | Manual; often delayed |
| Attack surface | Minimal (single-purpose servers) | High (Office, IE, Flash, Acrobat, etc.) |
| Remote access | Inherent (by design, with proper auth) | Often added ad-hoc (RDP, VNC) |
| Password attacks | Centralised, can enforce TFA | Distributed, often weak |
For cloud services, infiltration risk is almost entirely based on password policy, because the chances of technical infiltration (security hole, trojan horse) are virtually zero.
Password Best Practices
- Long passwords beat every other complexity technique. Four random words (e.g., exist-repeat-rise) score much higher entropy than short complex passwords (e.g., b=nedicT10n) and are easier to remember.
- Use correcthorsebatterystaple.net to generate long, memorable passwords.
- Measure password entropy at rumkin.com/tools/password/passchk.php.
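To make the entropy comparison concrete, the following Python example is added here; it is not code from the page, from rumkin.com, or from correcthorsebatterystaple.net. It contrasts the naive "character set" score that simple strength meters report with a guess-space model of how an attacker actually cracks a mangled dictionary word (pick the base word, then guess the substitutions and capitalisation). The 7776-word passphrase list, the 100,000-word attacker dictionary and the substitution table are constructed assumptions, and the mangling model is a deliberately simplified one, not the algorithm any particular checker uses.

```python
import math
from math import comb

# Constructed assumptions for this example (not figures from the page):
WORDLIST_SIZE = 7776                 # Diceware-style list the passphrase words are drawn from
ATTACKER_DICTIONARY_SIZE = 100_000   # words an attacker tries before applying mangling rules

# Common substitutions an attacker's mangling rules undo (constructed table)
LEET_TO_LETTER = {"@": "a", "4": "a", "3": "e", "=": "e", "1": "i", "!": "i",
                  "0": "o", "$": "s", "5": "s", "7": "t"}
SUBSTITUTABLE = set(LEET_TO_LETTER.values())


def charset_entropy_bits(password: str) -> float:
    """Naive 'complexity' score: every character is assumed uniformly random
    over the union of the character classes present. This is what simple
    strength meters report; it rewards symbols and digits regardless of
    whether the password is really a disguised dictionary word."""
    if not password:
        return 0.0
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size)


def passphrase_entropy_bits(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of n words drawn uniformly at random from a word list.
    Only valid when the words really are random (generated), not chosen by a person."""
    return n_words * math.log2(wordlist_size)


def mangled_word_entropy_bits(password: str,
                              dictionary_size: int = ATTACKER_DICTIONARY_SIZE) -> float:
    """Guess-space of a dictionary word disguised with substitutions and
    capitalisation, seen from the attacker's side: choose the base word,
    then choose which substitutable letters were swapped and which letters
    were capitalised. Assumes the base word is in the attacker's dictionary."""
    base = "".join(LEET_TO_LETTER.get(c, c) for c in password).lower()
    substituted = sum(1 for c in password if c in LEET_TO_LETTER)
    substitutable = sum(1 for c in base if c in SUBSTITUTABLE)
    letters = [c for c in password if c.isalpha()]
    upper = sum(1 for c in letters if c.isupper())
    bits = math.log2(dictionary_size)
    bits += math.log2(comb(substitutable, substituted))   # which letters were swapped
    bits += math.log2(comb(len(letters), upper))          # which letters were capitalised
    return bits


def compare_examples() -> dict:
    """Constructed comparison of the two styles discussed in the text."""
    return {
        "passphrase_4_random_words": round(passphrase_entropy_bits(4), 1),
        "complex_naive": round(charset_entropy_bits("b=nedicT10n"), 1),
        "complex_attacker_model": round(mangled_word_entropy_bits("b=nedicT10n"), 1),
    }


if __name__ == "__main__":
    for name, bits in compare_examples().items():
        print(f"{name:28s} {bits:6.1f} bits")
```

Under the naive score the short complex password looks stronger (about 72 bits for 11 characters from a 95-symbol alphabet), but once the attacker is modelled as starting from a dictionary word, "b=nedicT10n" collapses to roughly 24 bits, while four genuinely random words from a 7776-word list sit at about 52 bits. The defensible estimate is always the attacker's cheapest strategy, which is why the word-based checkers recommended above score long passphrases so much higher.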
API Security
Cloud software APIs nearly always use strong authentication with expiring tokens. Access is granted in a more controlled fashion than to human users. However, API access is typically “all or nothing” — once granted, a third party can do everything supported by the API. Best practices:
- Limit API access to the minimum required
- Use expiring tokens
- Restrict API credential management to admin users
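The three practices above can be illustrated with a small token issuer and verifier. This is an added Python example, not the page's code and not how Xero or any particular vendor implements its API authentication; it assumes an API that supports per-token scopes (which goes beyond the "all or nothing" access the text describes) and uses a constructed HMAC signing key. The point it shows is that a token should carry an expiry and the minimum scopes required, and that the verifier must check signature, expiry and scope before allowing a call.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for this example only; a real service keeps this in a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, scopes: list, ttl_seconds: int, now: float = None) -> str:
    """Issue a signed token limited to the given scopes and lifetime.
    Granting only the scopes the integration needs is the 'minimum required' practice."""
    now = time.time() if now is None else now
    payload = {"client": client_id, "scopes": sorted(scopes), "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, required_scope: str, now: float = None):
    """Return (ok, reason). Every API call should pass through a check like this
    before any data is read or written."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check cannot be timed to recover the signature
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return False, "expired"          # expiring tokens limit the damage from a leaked one
    if required_scope not in payload["scopes"]:
        return False, "scope not granted"  # least privilege: a read-only token cannot write
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a reporting integration gets read-only access for one hour.
    token = issue_token("reporting-app", ["transactions:read"], ttl_seconds=3600)
    print(verify_token(token, "transactions:read"))   # (True, 'ok')
    print(verify_token(token, "invoices:write"))      # (False, 'scope not granted')
```

Who may create such tokens is the remaining control: the issuing endpoint belongs behind admin-only authorisation, matching the third practice above, so that an ordinary user cannot mint long-lived or broadly scoped credentials for a third party.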
Two Factor Authentication
TFA significantly reduces password-based infiltration risk. Xero supports TFA. Where available, it should be enabled for all admin users.
Single Sign-On
Third-party services like OneLogin provide unified login to cloud apps. The admin can take control of credentials, making sure sign-on occurs via the SSO frontend. However, password reset mechanisms still allow a user to bypass SSO via their email account, making email security critical.
Google Apps for Work does not allow password reset emails and enforces SMS-based TFA for logins from unknown devices — a significant security improvement.
Staff Training
Staff should be trained in:
- Choosing complex but easy-to-remember passwords
- What Two Factor Authentication is and why it helps
- The consequences of infiltration
- What a phishing attack is
- How malware works (how payloads are downloaded)
- How to recognise genuine sites
- Why Internet Explorer / legacy software should be avoided
- Social engineering attacks
- Mobile device security
This is approximately half a day of training.
Data Access Risk
- Own your cloud accounts — don’t buy via resellers (e.g., accountants). Under common law, an accountant may have a lien which can deny you access to your data during fee disputes.
- Transaction log exports are the cloud equivalent of backups. Xero supports easy export of all accounting transactions. API-based automation of this is straightforward.
- Cloud services like Xero never delete records — audit trails provide a comprehensive record of all actions.
- Good employee termination processes are essential — de-activate accounts promptly.