We've captured 8 basic criteria to assess the strength of any cloud-based platform so that you can make the most informed decision when choosing your Cloud service provider.
Note that CaseWare Cloud security requirements and measures are continuously monitored, assessed, and updated to reflect the changing needs and potential threats that may arise.
Physical security concerns the foundation of any Cloud environment, namely: server hardware, facilities, personnel, access, availability and level of readiness for environmental factors such as flooding, overheating, power outages, and the like.
CaseWare Cloud is hosted on the Amazon Web Services infrastructure. Amazon provides physical security and logical security controls at the infrastructure layer. The following were considerations in our selection of Amazon:
Amazon’s AWS platform is covered by an SSAE 16 report (done by Ernst and Young) and is PCI Level 1 certified, ISO 27001 certified, and compliant with all major security control frameworks. These security certifications are issued by authoritative international standards bodies. For more details on their security, see here: http://aws.amazon.com/security/.
For more information about their compliance, including assurance programs and third-party attestations, reports, and certifications, see here: http://aws.amazon.com/compliance/.
CaseWare Cloud is hosted on Amazon web servers around the world. Customers can request a specific region for their Cloud environment if they want. For performance and regulation reasons, we’ll typically set you up in:
At this level you’re assessing what measures were taken to ensure each component that makes up the system is secure, such as application code, databases, configurations, third-party libraries, and others. You’ll want to account for potential vulnerabilities from both outside and inside the application.
Application security is a team effort. We’ve built CaseWare Cloud with security in mind every step of the way. Our team of engineers is constantly performing tests to ensure that only quality, secure code reaches our production environments. We test for a wide array of vulnerabilities including SQL injection, cross-site scripting, tampering, and session and authentication vulnerabilities, among many more.
We routinely perform penetration testing to defend against known and unknown attacks. CaseWare Cloud allows us to temporarily disable individual applications where needed, so the complete system does not have to be shut down when issues are detected.
CaseWare Cloud has earned ISO 27001 certification for its service delivery, operations and management of the CaseWare Cloud platform. The ISO 27001 certification for CaseWare Cloud can be found here.
CaseWare Cloud has also been certified for SOC 2® Type 1 and SOC 2® Type 2. The certification was a comprehensive test of our personnel, processes, operations, and more.
The application was designed following security framework guidelines and is regularly audited by an independent security firm, whose recommendations are reviewed for implementation within our Cloud security framework.
Network security deals with the rules and controls that restrict or limit inbound and outbound traffic, as well as traffic within the system. You’ll want to ensure the necessary firewall rules are in place to prevent attacks such as malware, distributed denial of service (DDoS), and other potential vulnerabilities.
CaseWare Cloud is continuously monitored for threats to the system. We have firewalls in place both at the infrastructure and application layers to ensure Cloud is protected from both potential outside and inside threats. Malware and DDoS vulnerabilities are mitigated by performing routine penetration testing of our system in conjunction with Amazon to provide you with multiple layers of security.
Monitoring is provided from a remote location, which immediately notifies dedicated CaseWare Cloud staff. An established escalation system is in place to handle issues as they arise. For redundancy, additional monitoring within each data center watches the other centers. Automatic restarts and other operations are provided to rapidly handle most failures within the system.
CaseWare Cloud uses an advanced cloud-delivered endpoint protection platform to detect and defend against known and unknown attacks.
CaseWare Cloud works in conjunction with Amazon to mitigate the risk of DDoS style attacks. In the event of a DDoS attack, both Amazon and CaseWare Cloud have protocols and measures in place to independently (but in conjunction) reduce the impact of this event to ensure continuity of service.
Here you’ll want to ensure that all your data and your clients’ data will be safe whether within the system or traveling over network. Not only should you be concerned about things like encryption, but also legal requirements such as where your data can reside, who at the provider has access to that data, and how requests to that data are handled when approached by third parties or government entities.
All traffic to CaseWare Cloud is strictly SSL-encrypted, with advanced proxy services to provide high availability and high-speed operation, monitor for security threats, and protect against malicious traffic. All communication with Cloud utilizes APIs that have been verified by independent internet security testing firms.
CaseWare Cloud also relies on the Amazon Web Services security policies and their accreditations, which are a key element to protecting your sensitive information.
Data that is transferred to and from CaseWare Cloud (data-in-transit) is encrypted via TLS with ephemeral key exchange and uses industry-accepted strong cipher suites. Certificates use a minimum of 2048-bit key strength with a SHA-2 or stronger signature algorithm.
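The three transport criteria stated above (ephemeral key exchange, at least a 2048-bit certificate key, SHA-2 or stronger signature) can be checked against what a TLS client reports after a handshake. The following is an added example, not CaseWare's own code; the handshake observations are constructed, and the field names (`protocol`, `cipher`, `key_type`, `key_bits`, `sig_algorithm`) are this example's own convention.

```python
import re

# Hash families that satisfy "SHA-2 or stronger" for the certificate signature.
ACCEPTED_SIG_HASHES = ("sha256", "sha384", "sha512", "sha3-")
MIN_RSA_BITS = 2048


def has_ephemeral_key_exchange(cipher_suite: str, protocol: str) -> bool:
    """Ephemeral (EC)DHE exchange is what gives forward secrecy.
    Caveat: TLS 1.3 suite names (e.g. TLS_AES_256_GCM_SHA384) omit the key
    exchange because every TLS 1.3 handshake is ephemeral by design; TLS 1.2
    suite names carry it as an ECDHE- or DHE- prefix."""
    if protocol == "TLSv1.3":
        return True
    return re.match(r"^(ECDHE|DHE)-", cipher_suite) is not None


def signature_is_sha2_or_stronger(sig_algorithm: str) -> bool:
    """Accepts names such as sha256WithRSAEncryption or ecdsa-with-SHA384;
    rejects SHA-1 and MD5 based signatures."""
    return any(h in sig_algorithm.lower() for h in ACCEPTED_SIG_HASHES)


def assess_handshake(obs: dict) -> list:
    """Evaluate one observed handshake against the three transport criteria.
    Returns a list of findings; an empty list means all criteria are met."""
    findings = []
    if not has_ephemeral_key_exchange(obs["cipher"], obs["protocol"]):
        findings.append(f"no ephemeral key exchange: {obs['cipher']} on {obs['protocol']}")
    if obs["key_type"] == "RSA" and obs["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA certificate key below {MIN_RSA_BITS} bits: {obs['key_bits']}")
    if not signature_is_sha2_or_stronger(obs["sig_algorithm"]):
        findings.append(f"certificate signature hash weaker than SHA-2: {obs['sig_algorithm']}")
    return findings


# Constructed sample observations; the fields mirror what a TLS client reports
# after a handshake (protocol, negotiated cipher, server key, certificate signature).
SAMPLE_HANDSHAKES = {
    "tls13": {"protocol": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384",
              "key_type": "RSA", "key_bits": 2048, "sig_algorithm": "sha256WithRSAEncryption"},
    "tls12_pfs": {"protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
                  "key_type": "RSA", "key_bits": 4096, "sig_algorithm": "sha384WithRSAEncryption"},
    "legacy": {"protocol": "TLSv1.2", "cipher": "AES256-SHA",  # static RSA key exchange
               "key_type": "RSA", "key_bits": 1024, "sig_algorithm": "sha1WithRSAEncryption"},
}

if __name__ == "__main__":
    for name, obs in SAMPLE_HANDSHAKES.items():
        findings = assess_handshake(obs)
        print(name, "OK" if not findings else findings)
```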
Storage of data (data-at-rest) is encrypted at the server level, using the industry standard AES-256 algorithm.
All your data is held in one of Amazon’s secure data centers for your region. To abide by local regulations, data does not leave that region.
Customers maintain ownership of their data. CaseWare Cloud will use non-identifiable data with your consent, to enhance our services. CaseWare does not otherwise access or use customer content for any purpose other than as legally required, and for maintaining CaseWare Cloud services and providing service to our customers and their end users. We never use customer content or derive information from it for marketing or advertising.
Controls are in place to prevent CaseWare Cloud staff from accessing user data other than where requested by firms. CaseWare Cloud goes to great lengths to ensure users outside of the firm and its contacts do not have any access to the firm. As well, it goes to great lengths to ensure that any data within a firm is visible and editable only by the specific set of users authorized by the firm.
Amazon AWS Storage Technologies are used for both CaseWare Cloud's archive feature and regular backups. This data is fully encrypted. Backups, including all user data and system logs, are taken daily and are available for restores on firm request for up to 90 days.
The General Data Protection Regulation (GDPR) is a regulation under European Union law designed to harmonize and modernize data protection laws across Europe. Its aim is to protect the privacy of individuals through increased controls on personal data and understanding of its usage for the enhancement of “digital rights” for EU citizens.
CaseWare International Inc., along with its subsidiaries and partners around the globe, believe this is a positive direction for individual privacy and data protection - not only for citizens of the European Union but for the wider online community. Click here to learn about how our products are in compliance with the provisions set out under the GDPR.
Access controls determine who at your organization can access the system and to what depth. Passwords and multi-factor authentication are typically your first level of security, but once in the system you’ll need to be aware of what the users are authorized to see and modify.
CaseWare Cloud requires password authentication to access the base system. Once in the system, users must be assigned security roles to perform additional operations and access certain content. With security roles, you can control who has access to what content.
No, your organization is responsible for developing appropriate security policies around passwords and security roles using the security features provided in CaseWare Cloud.
We’ve built in security roles and groups to help you manage who can access the system and define who is authorized to perform what operations. There are two types of policies to follow based on the size and structure of your organization: equal access or discrete access. Equal access provides your staff with access to all clients and departments in your organization by default; for confidential material you can override this default and grant access only to select staff. Discrete access limits your staff’s access from the start: you must explicitly grant staff access to clients, departments and other material on a case-by-case basis.
Equal access can be beneficial if your organization is small and there are only a handful of confidential documents that you need to limit your staff from accessing. Discrete access is appropriate for larger organizations that may not want to share information so freely between staff. In this case, your data is assumed confidential until shared.
From CaseWare Cloud, you can set the password policy for your organization, including password strength and expiry.
You want to ensure that your provider can guarantee that all services will be available and performing nominally when you need to get work done. A key component to availability is ensuring there are redundancies in place to both data and infrastructure so that there is no single point of failure.
Our dedicated team of Engineers ensures that our Cloud platform is ready and available when you need it. To provide you with stable and highly available services, we've provisioned the system with redundant components, continuous monitoring, regularly scheduled integrity checks and other such measures to provide consistent performance and service. We also perform regular backups of data to prevent loss of work.
You can visit our status page to see the availability of servers in your region and stay up-to-date on any planned maintenance: http://status.casewarecloud.com/.
Although this criterion appears last on our list, perhaps it should be considered first when choosing a Cloud service provider. Does the provider have a good track record of delivering quality and stable solutions? Do they ensure their clients’ needs and expectations are met? Will they still be operational over the long term? Choosing the right provider is like entering a business partnership - ensure that they have firmly established your trust to meet your business needs now and into the future.
CaseWare was founded over 29 years ago and continues to deliver a full range of software solutions and tools that empower accounting firms small and large, businesses and government entities. Our solutions continue to meet the changing needs of businesses and have been used in millions of engagements in over 170 countries around the world.