In the wake of the Capital One breach, what software vendors can you trust? - Aprio
September 29, 2019
Federico de Giuli

“Can I trust ‘the cloud’ and cloud-based software?”

This is the question that’s come up since the Capital One security breach, which affected more than 100 million customers.

Many people contacting us to learn about the Aprio board portal are in financial services, and they’re shaken by the data leak at Capital One. They might not know the ins and outs of the breach (it was actually related to a misconfigured firewall and not related to the cloud), but they do know that the data was stored somewhere in the cloud.

We empathize, and are glad to see attention paid to data security.

We also want to offer a truly useful answer to the question: “Can I trust ‘the cloud’?” And as CU Management wrote in its great article on the topic – the answer is yes, “but you shouldn’t do so blindly.”

To equip board chairs and administrators as they evaluate board meeting software, we put together some questions to help customers make an informed comparison of board portal software vendors – by demystifying how they use the cloud.

Not all “cloud” services are the same

First some context. It’s important to recognize that there are different levels of data security with different kinds of cloud technologies and services.

Least secure: massively shared cloud environment – one cloud server is used by hundreds or more tenants. Maybe you’ve been to GoDaddy or seen ads to host your website or software with them for just $0.99 a month. That kind of pricing comes with mass shared environments and the greatest security risk. Fine for a tiny cat toy business perhaps, but not right for an enterprise.

More secure: limited sharing cloud environment – one cloud server is used by several tenants that select protection levels for data. With just a few co-tenants, the security risk is much lower. This may be right for some enterprises, even small software companies – the key is to control the security within the isolated environment.

Most secure: dedicated cloud environment – the most secure environment is a dedicated virtual cloud environment where only one organization has access. This gives the business ultimate control over security levels, and importantly, ensures no risk of other businesses or 3rd party service providers entering the space. It’s the most expensive – but software residing in this cloud infrastructure is as highly protected as possible in our modern business environment.

3 cloud security questions to ask of board portal vendors

When talking with cloud-based board portals, we suggest asking how your data is protected with these questions:

  1. Is your solution hosted in a dedicated, secure cloud? If not, how is it hosted?
  2. Who has access to your cloud server? What about third-party partners?
  3. Where is your cloud data hosted – in a data centre that’s highly protected in the geographical area of your choice? How is it hosted?

Answers to strive for

Here’s some key information you’ll want to hear from software vendors to deem their cloud-software trustworthy:

  • We’re on our own dedicated virtual server.
  • Our data environment is not shared with any other tenants.
  • We exclusively manage the data security and encryption of our software and systems.
  • We know the location of each of our data centres and all are managed with the industry’s highest level of security protection.
  • Our server infrastructure has high levels of uptime guarantees (99.99% or higher), can scale on demand, and has low recovery time and recovery point objectives. The server is also not a physical server that is prone to hardware issues.

Answers to listen for and avoid

If you hear these answers from cloud solution providers, we suggest you resist their budget pricing and keep looking:

  • Our software is in a shared server with other highly security-conscious tenants.
  • A third-party manages our data security, but they are very good.
  • Our data is hosted in one location. You have no choice of where your data is located – it falls under the legal jurisdiction of where we select for it to be stored.

Technology strength beyond cloud security – important additional questions

Today, Aprio is delivered as a cloud-based solution that conforms to the industry’s highest security standards. Our board of directors’ portal is on our own dedicated virtual server. Our server and data environments are not shared. We exclusively manage the data security and encryption levels of the data we manage. We offer data locations to our customers, including locations in Canada, the United States, and internationally.

We didn’t always deliver our service via the cloud. As a matter of fact, back in 2003, when we started, secure clouds were not available, and we started offering dedicated physical servers. Then, with the advancement of technology, we switched from physical servers into a secure cloud. Using a dedicated secure cloud is more expensive than running a physical server, so it wasn’t cost savings that motivated us to make the move – it was four key things which are incredibly important to our customers: data security, software performance, reliability, and system capacity and scalability.

We offer these additional questions to assess the strength of board portal vendors:

Performance – How quickly does the software complete an action, deliver a response to a query, or upload data? Listen for SSD capabilities.

Reliability – Tell us about your backup and redundancy policies. Listen for clear and detailed responses about the protections in place for reliability if some part of the system gets compromised.

Capacity and scalability – How will your solution scale as the amount of data or the number of customers it manages grows? Listen for the capability to expand using virtual infrastructure, with no downtime and without granting access to third-party partners.

Security track record & communication – In addition to the cloud questions above, ask if the software vendor has ever had a data breach. What are the communication protocols in place if there is an issue? How quickly would you hear about it and through what channels?

Data location – Do you get a choice of where your data will be stored? Can it be in Canada, the United States, or at an international location of your choice? Listen for the option that aligns with your data governance policy.

Compare Aprio to other board portals

Data breaches are unnerving to all of us. It is a modern reality that we need to be practical and proactive in protecting our organizations. The best means of protection is to be selective in choosing our vendor partners, and mindful in how we build our internal systems.

We welcome your questions and the opportunity to show you the Aprio board portal software. Please also take a look at our audit of Aprio security that details our data protections and caliber of our IT infrastructure.

As the leader of Aprio’s technology team, I ask myself – are we doing everything that we can to safeguard our customers’ data? Our partners and customers have my commitment that Aprio will continue to utilize the industry’s most sophisticated tools for data protection as technology, cloud services, and the risks we all face evolve.
