How Accounting Firms Can Get Their Cloud Right the First Time
Adam Stern | CPA Practice Advisor
The cloud as an environment for serious business computing shows little sign of dissipating. Per market researcher IDC, about half of IT spending was cloud-based last year, “reaching 60 percent of all IT infrastructure and 60-70 percent of all software, services and technology spending by 2020.” As Paul Maritz, CEO of Pivotal Software, put it, “Cloud is about how you do computing, not where you do computing.”
For accounting practices and their clients, the need to get the cloud right has never been greater. While the cloud may be here to stay, there’s nothing fixed or “commodity” about it. Designing it, deploying it and operating within it are non-trivial pursuits. A well-architected cloud can be defined by any number of parameters, but three are paramount: uptime, security and data protection. (Note that all three are also the warp and woof of the accounting business.) Taking them in turn:
- Uptime. First and foremost, a well architected cloud must have the ability to deliver 100 percent uptime to clients. The architecture needs to look not only at failures and redundancies but also the ability to migrate workload to allow regular maintenance while remaining live, with zero or near-zero downtime.
- Security. Security mustbe part of the bones of the architecture. Think of security as integral to the design at inception. While building a cloud environment, security vectors need to be part of that process; this isn’t something that can be passed off to a third party. Gaping holes left after the initial build can’t be closed without re-architecting the cloud, and patch management won’t do the trick. Then, too, it’s vital to bake in the principles of Zero Trust and Least Privilege, governing access both inside and outside the network.
- Data protection. Architecture matters here as well. Whether data protection measures are deployed at the SAN level or in software, after the fact, makes a huge difference in the quality of protection. Choices around backup architecture (e.g., using agents to run on individual servers) must be part of the original design.
So how can an accounting firm achieve a well-architected cloud? To an extent, it’s a process question, pegged to the quality of the engineers on the team – whether those engineers are on your payroll or, more likely, in the employ of an IT firm you retain.
The first move in architecting a cloud is engaging transcendent storage, network and application designers and engineers. While it’s highly desirable that every member of the team think holistically, the individual at the top (again, your employee or your third-party point person) absolutely must.
For the sake of argument, let’s assume that, given the demands of running an accounting business, you’ll forsake the DIY option. To stretch the analogy a bit further, you don’t need to be a literal architect or a carpenter to know what you want in a house.
The elements of a well-architected cloud are immutable; it doesn’t necessarily matter who does the building as long as these fundamentals are in place. The resulting IT environment needs to be both effective (it gets the job done today) and capable of evolving as business/client/security needs change. In opting to rely on a third party to architect your cloud, you need to be an informed/smart IT consumer. That’s the case whether you’re a multi-office accounting practice, an accounting department within a larger enterprise, or a mom and pop CPA firm.
A few years back, Roy Stephan, founder and CEO of cybersecurity firm PierceMatrix, offered this aspirational take on cloud architecture: “With the cloud, individuals and small businesses can snap their fingers and instantly set up enterprise-class services.” Although it may not be quite that easy for every organization, Job #1 for companies seeking cloud designers is to do some serious tire-kicking.
Consider these questions as your starting line as you embark on this quest for a well-architected cloud:
o How long has the cloud provider been around? Has the company invested in building, testing and operating its own infrastructure/data center? Does it use what it sells?
o If the provider is affiliated with Azure or AWS, what value-add does it offer? If the cloud provider runs its own data center, what kinds of certifications has it obtained (e.g., VMware VSP)? If not, in whose data center is the virtual hardware housed?
o How well staffed is the cloud provider? Everything from applications to virtual hardware — or just the virtual hardware? What level of competence do its engineers have?
o What type of support is on offer, and how is that defined? Is the provider a 24x7x365 companion or a fair-weather friend? What assurances are there that the cloud provider has built a 24×7 hosting environment?
o What does the cloud provider’s service level agreement (SLA) consist of? What happens if the SLA isn’t honored?
o Does the cloud provider have the professional cred to keep your operation out of trouble? Has the company passed the SSAE (Standards for Attestation Engagements) 18 Type II audit, a sort of bar exam for cloud hosting companies. To be SSAE compliant, a cloud provider needs to offer managed backups with 14-day retention, enterprise-level and application level protection, advanced monitoring and multi-level intrusion prevention, SSL capability, hardware firewall and IP-restricted FTP.
While it’s the cloud architect’s job to fashion something that you can live/compute in, it’s up to you to ensure that the resulting cloud realizes your objectives and feels like home.