The accounting solution security issue rumbles on

by admin on February 29, 2012

in Cloud Computing/SaaS

Earlier today, Alan Wright, CEO Liberty Accounts sent me a note pointing to a piece he contributed to AccountingWeb on the topic du jour: third party application security, specifically bank feeds and its potential threats.

Alan puts up a spirited argument that is technical in nature. He tacitly acknowledges the underlying industry problem by suggesting:

Liberty Accounts will be happy to host a meeting of accounting software vendors in London where it ought to be possible to agree a simple specification and some next steps to take our proposal forward. Perhaps we could seek an independent and knowledgeable individual in this area to chair the meeting, perhaps Dennis Howlett if he is in the UK and willing?

That’s very generous of the company and I am flattered. The problem is that it wont happen and it wont work. At least not now. Commenters have made alternative suggestions like getting BASDA on board. David Terrar of D2C/Twinfield gets to the heart of the matter:

BASDA, EuroCloud and the Intellect SaaS Group have coordinated in the past and all support what the Cloud Industry Forum is doing on standards and the self certified Code of Practice to help buyers pick a good provider from a bad one…. but this kind of initiative needs more than the cloud vendor community getting together.  We need the banks, and I can’t see them being motivated to get together with us on this.

I’m happy to join any meeting on the topic, but I don’t think software vendors agreeing a specification is item one on the agenda.

There are two fundamental problems with this kind of activity that are paradoxically interlinked. The first is that the banks have issues.

As David says and which echoes comments from Gary Turner, MD Xero UK yesterday, UK banks are woefully behind the development curve when it comes to providing bank feeds. The message has not percolated through to them that offering common standards is good for them. In this context I am reminded of the work Twinfield did around XBRL in Holland where certain banks offer preferential rates for those that use XBRL formatted accounts. XBRL data in turn gets fed into the bank’s risk assessment programs and helps bank personnel make better informed decisions. Everyone wins.

In order to get the banks to come to the table, the vendors need the active support and evidence based data from users who talk to this issue. Banks need to feel there is something in it for them. This is known as WIIFM (What’s In It For Me.) Right now what we have are different sets of anecdotal evidence spread around different vendor websites and elsewhere. That in turn needs the active support of accountants willing to stand up and explain how cloud systems benefit both them and clients and especially in the area of real time data. The closest we’ve come in my view is contained in the edited video shoot I conducted last year with Xero customers and their accountants.

The second problem is with the industry.

I admire the efforts of the industry banding together to try move topics like this along but they suffer from the same problems all efforts of this kind suffer. The trade bodies can come up with all sorts of specifications but if the vendors dont develop for them then it’s all a waste of time. BASDA’s eBIZ-XML which goes back at least 10 years only ever achieved very limited success, despite its obvious utility for end user organisations. To this date I believe eBIZ-XML is one of the finest examples of what is possible but which went nowhere. This story is repeated many times in other parts of the IT industry. Ask Naomi Bloom about her life’s work on standards for HR solutions. Great idea, fantastic amount of work over many years  but the vendors didn’t play ball. Other BASDA initiatives have suffered a similar fate, only ever achieving limited, and therefore niche uptake.

If the industry is serious about this kind of thing then it has to abandon its ‘winner takes all’ position. It wont. Despite the public talk about collaboration, the players all see themselves as in aggressive competition for business. It’s a fair point when you have investors to which you are accountable. However, it misses the wider problem of convincing customers that you really are doing the right thing for them. It also misses the point that the UK market alone is sufficiently large enough for all main players to have a credible and profitable stake. The sins of the past do not need to be repeated but I sense they will.

Certain vendors respond by saying that with all the difficulties, they are not hanging about. They are getting on with the heavy lifting necessary to solve the issue for their customers. This provides a competitive advantage but one which is only sustainable for as long as all other competitors are not doing the same. The end game is that all surviving players will offer automated feeds. They won’t have a choice because it will be table stakes for the selection process. I have no insight into the timeline for this but it will certainly happen in this decade.

The industry as a whole has to decide whether it really wants to work together in a cohesive manner or whether it wishes to maintain competitive posturing upon issues that are not going to matter in a few years time.

One point I will pick up upon from Alan’s post:

…no matter what level of PCI compliance has been achieved, a degree of risk remains…a provable risk free solution is simple to achieve

This is a logical fallacy not based upon fact. I will repeat what I have said before: Anything that connects to a network is vulnerable. That includes EVERY cloud player, regardless of the service they offer. What matters is the extent to which vulnerabilities exist AND are capable of exploitation.

While we can never predict the future with certainty we can look back at track record and assess outcomes based upon those cases where a vulnerability has been exploited. The available evidence is unequivocal: Over a 13 year period, Yodlee, (the subject of the initial critique) has never had to report a security breach that resulted in the loss of money from its customers’ bank accounts. That’s a 100% record of success. There are many other examples both in the accounting market and elsewhere. From my analysis on this topic, the cloud is demonstrably better and safer than on-premise at offering secure services that might entail the physical loss of funds. I’ll bet on that any day in a world where the degree of sophistication underpinning some of these services is mind boggling to even those of expert status.

What Alan is proposing is not proven but a theory. It may be a very good theory building as it does on ideas around EDI, but it is not something that has been proven in this form. And by the way, machine to machine EDI links have been in existence for many years but like all efforts of this kind have been notoriously difficult to standardise and distil down to a singularity.

When the industry as a whole starts to consider how to seriously address these issues i.e. stops bickering and starts making a good case to the banks and which places customer interests at the centre of discussions, then I am more than willing to help with that endeavour should the parties so wish. We’re nowhere near that nirvana.

Comments on this entry are closed.

david_terrar February 29, 2012 at 5:59 pm

Thanks for the mention, for reminding us that things like the eBiz standard never got traction, and for saying “ the cloud is demonstrably better and safer than on-premise at offering secure services”.  Spot on.  I don’t think they’ll be a common solution to this, but hopefully the UK banks will begin to catch up with the Dutch.     

dahowlett February 29, 2012 at 6:02 pm

 @david_terrar …catch up with the Americans, Aus, NZ and a bunch of other countries that know the value of playing nicely. 

axw001 March 1, 2012 at 9:53 am

I agree with your overall analysis of the industry on this issue.
Your quote:
“…no matter what level of PCI compliance has been achieved, a degree of risk remains…a provable risk free solution is simple to achieve”
is a misreading of points I was making at quite different parts of the piece. If I had written them in teh way you quoted them then I would agree that
“This is a logical fallacy not based upon fact.”
I suggest you reread the case I was making in light of the following:
In one point in my piece I make the point that PCI compliance is not a guarantee that all risk has been eliminated and your point that anything that “Anything that connects to a network is vulnerable” supports this view. I think this could reasonably be stated as a fact.
3 paragraphs later, in a completely separate point related to the inherent risk associated with providing online banking credentials to a third party I make the case that if the automated transfer of data is initiated and controlled by the online banking user from within the online banking environment, the risk associated with handing over your credentials is eliminated because there is no longer any need to hand over your credentials. If you never go to Africa, your risk of dying in a car accident in Africa is zero.

Previous post:

Next post: