TaxCalc Blog
News and events from TaxCalc
TaxCalc Cloud Connect – Our approach to Cloud security
At Accountex in May of this year, we announced a new service for our practice customers called TaxCalc Cloud Connect. We're working on it right now and as its name might suggest, it will enable our software to connect to a database in the Cloud, rather than one found on a local computer or network server.
It’s actually a really big project for us. Unlike most of our releases, it doesn’t just touch on the software (which has been turbocharged to deal with latency caused by the Internet) but has required us to build a lot of supporting infrastructure, not just in physical assets such as servers, but in our website too.
Also, for the first time, we’ll be looking after your firm’s data. With this comes great responsibility and so we have sought to find a security model that provides peace of mind whilst not getting in the way.
In this post, I’ll explain our approach to security and the reasons why we’ve made these decisions.
Protecting access
In our research, we found that many Cloud systems are based upon a username, often an email address, and a password. It’s something we’ve become quite used to, especially if you use an email system like Gmail or Outlook.com. Indeed it’s the approach we took with our own customer account access.
However, whilst this is perfectly fine for a website that lets you buy software from us, it’s not very secure if these are the only things protecting your clients’ names, contact information, tax references and tax return data.
To help reinforce the point, do you publish your email address on your website? Do you publish the Cloud products you use in your firm? If so, you may well have provided a data thief with one half of your login credentials!
So, as a first point, customers of TaxCalc Cloud Connect will have their customer account upgraded with a form of two-factor authentication, or 2FA for short.
This introduces a device, in our case your mobile phone, that will receive a message that contains a pass code to let you in. Thus, if a third party does somehow get hold of your email and password, the chances are that they aren’t going to have your mobile phone as well.
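The pass code flow described above, as an added example (this is not TaxCalc’s code; the five-minute lifetime, three-guess limit, keyed-hash storage and the `PassCodeStore` name are assumptions). The points it makes beyond the paragraph: the code comes from a cryptographic random source, only a keyed hash of it is stored server-side, it is single-use, it expires, and a handful of wrong guesses burns it, so a six-digit code cannot simply be guessed at leisure:

```python
"""Added example: issuing and checking an SMS-style second-factor pass code."""
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300     # assumption: a code is valid for five minutes
MAX_CODE_ATTEMPTS = 3      # assumption: three wrong guesses invalidate the code


class PassCodeStore:
    """Holds at most one outstanding pass code per account.

    The plaintext code is handed to the sending channel and then forgotten;
    only an HMAC of it under a server-side key is kept, so a copy of this
    store (or a log of it) does not reveal live codes.
    """

    def __init__(self, secret_key: bytes, now=time.time):
        self._key = secret_key      # assumption: a per-deployment secret
        self._now = now             # injectable clock, handy for testing
        self._pending = {}          # account -> (digest, expires_at, attempts_left)

    def _digest(self, account: str, code: str) -> bytes:
        return hmac.new(self._key, f"{account}:{code}".encode(), "sha256").digest()

    def issue(self, account: str) -> str:
        # Six digits from a CSPRNG, zero-padded so "000123" is a valid code.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = (
            self._digest(account, code),
            self._now() + CODE_TTL_SECONDS,
            MAX_CODE_ATTEMPTS,
        )
        return code   # what would be sent to the user's phone

    def verify(self, account: str, submitted: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False                      # nothing issued, or already used
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[account]        # expired: user must request a new one
            return False
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(self._digest(account, submitted), digest):
            del self._pending[account]        # single use
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[account]        # too many guesses: burn the code
        else:
            self._pending[account] = (digest, expires_at, attempts_left)
        return False
```

A practitioner would pair this with a limit on how often a new code can be requested, otherwise an attacker can use the “resend” button to flood a victim’s phone; that rate limit is out of scope here.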
And let’s say this third party calls us and tries to impersonate you, asking us to change your account’s details. As part of TaxCalc Cloud Connect, we’re taking the opportunity to introduce security questions, which can be set by you, the proprietor of the firm. Whilst these are optional, we’ll use them to challenge anyone who claims to be you.
Protecting your staff
Given that TaxCalc Cloud Connect is based upon our desktop software connecting to a remote database under our custody, we need to consider how the desktop software itself is licensed.
Currently, you use your TaxCalc customer account username and password. We’ve found through our research that these are often passed around a firm to gain access to the installer and license the software. However, since our objective under the new model is to keep these secret, this won’t work.
Therefore, under TaxCalc Cloud Connect, customers will be able to create a special username and password that is used for the sole purpose of downloading the installer and licensing the software.
Protecting your clients
The final step already exists in the software, which is that access to the software itself is controlled by a username and password for each user. In the highly unlikely event that a third party is able to license your software, they still need a user’s account to get in.
But that’s not all. To give peace of mind, we’re building an access monitor so you can see exactly who is logging in and from where. We’ll send you alerts if there are too many failed attempts, computers can be blocked and you can even revoke the license credentials for all users.
Finally on this note, we aren’t going to be running one huge database with everybody’s data in it. Instead, we’ve opted for many databases: one for each customer, each ring-fenced from the others.
Staying safe online
With 74% of small businesses and 90% of major businesses suffering a breach [1] in the last year, here are some tips and things to look out for when working with Cloud products.
- Do you publish an email address on your website that you also use to access your various Cloud services? Do you publish which Cloud providers you use? If so, you may have inadvertently told a data thief which products they should go for and one half of your access credentials!
- Do you use the same email address to access each Cloud system? If access is controlled by just an email and password, consider setting up separate email accounts for each system you use.
- Never use the same password with more than one site.
- Change passwords on a regular basis. Long, random combinations of letters, numbers and punctuation make it harder for data thieves to crack passwords.
- Check with your Cloud provider that their login page is protected against so-called dictionary attacks. This is where an automated script tries entering passwords one after another in quick succession in the hope that one will get them in. A website that’s been designed with this in mind will use one or more techniques, such as limiting failed attempts and locking accounts or blocking addresses, to stop the script from working.
[1] Source: HMRC press release, “UK businesses urged to protect themselves from growing cyber threat”.
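The failed-attempt alerting of the access monitor described under “Protecting your clients” and the dictionary-attack throttling in the last tip above are two sides of the same mechanism, so here is one added example covering both. It is not TaxCalc’s code: the thresholds, the log line format, the `LoginGuard` and `replay` names and the sample log are all constructed for illustration. It counts recent failures per account and per source address over a sliding window, locks the account (or address) when a threshold is crossed, raises an alert, and refuses further attempts while the lock is in force:

```python
"""Added example: failed-login throttling and alerting replayed over sample log lines."""
import collections
import re
from datetime import datetime

# Assumed policy; the post does not state TaxCalc's actual thresholds.
WINDOW_SECONDS = 600              # count failures over the last ten minutes
MAX_FAILURES_PER_ACCOUNT = 5      # then lock the account for LOCKOUT_SECONDS
MAX_FAILURES_PER_IP = 10          # wider, because a whole office shares one address
LOCKOUT_SECONDS = 900

# Constructed log format: "<iso-timestamp> account=<user> ip=<addr> result=ok|fail"
LINE_RE = re.compile(r"^(\S+) account=(\S+) ip=(\S+) result=(ok|fail)$")


class LoginGuard:
    def __init__(self):
        self._failures = collections.defaultdict(collections.deque)  # key -> failure times
        self._locked_until = {}                                      # key -> epoch seconds
        self.alerts = []

    def _recent(self, key, now):
        """Drop failures older than the window and return how many remain."""
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def allowed(self, account, ip, now):
        """Refuse the attempt outright if the account or the address is locked."""
        return (self._locked_until.get(("acct", account), 0) <= now
                and self._locked_until.get(("ip", ip), 0) <= now)

    def record(self, account, ip, success, now):
        if success:
            self._failures[("acct", account)].clear()   # a good login resets the account count
            return
        for key, limit in ((("acct", account), MAX_FAILURES_PER_ACCOUNT),
                           (("ip", ip), MAX_FAILURES_PER_IP)):
            self._failures[key].append(now)
            if self._recent(key, now) >= limit and self._locked_until.get(key, 0) <= now:
                self._locked_until[key] = now + LOCKOUT_SECONDS
                self.alerts.append(
                    f"{key[0]} {key[1]} locked after {limit} failures in {WINDOW_SECONDS}s")


def parse(line):
    """Return (epoch, account, ip, success) or None for a line we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, account, ip, result = m.groups()
    epoch = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
    return epoch, account, ip, result == "ok"


def replay(log_lines):
    """Run the guard over a log and report what it would have alerted on and refused."""
    guard = LoginGuard()
    refused = 0
    for line in log_lines:
        parsed = parse(line)
        if parsed is None:
            continue
        now, account, ip, ok = parsed
        if not guard.allowed(account, ip, now):
            refused += 1              # blocked before the password is even checked
            continue
        guard.record(account, ip, ok, now)
    return {"alerts": guard.alerts, "refused": refused}


# Constructed sample: a guessing script at 198.51.100.7 works through alice, then carol,
# then dave; bob at the office address mistypes twice and gets in; alice's real login comes last.
SAMPLE_LOG = [
    "2015-07-01T09:00:00Z account=alice ip=198.51.100.7 result=fail",
    "2015-07-01T09:00:01Z account=alice ip=198.51.100.7 result=fail",
    "2015-07-01T09:00:02Z account=alice ip=198.51.100.7 result=fail",
    "2015-07-01T09:00:03Z account=alice ip=198.51.100.7 result=fail",
    "2015-07-01T09:00:04Z account=alice ip=198.51.100.7 result=fail",
    "2015-07-01T09:00:05Z account=alice ip=198.51.100.7 result=fail",
    "2015-07-01T09:01:00Z account=bob ip=203.0.113.5 result=fail",
    "2015-07-01T09:01:10Z account=bob ip=203.0.113.5 result=fail",
    "2015-07-01T09:01:20Z account=bob ip=203.0.113.5 result=ok",
    "2015-07-01T09:02:00Z account=carol ip=198.51.100.7 result=fail",
    "2015-07-01T09:02:01Z account=carol ip=198.51.100.7 result=fail",
    "2015-07-01T09:02:02Z account=carol ip=198.51.100.7 result=fail",
    "2015-07-01T09:02:03Z account=carol ip=198.51.100.7 result=fail",
    "2015-07-01T09:02:04Z account=carol ip=198.51.100.7 result=fail",
    "2015-07-01T09:02:05Z account=dave ip=198.51.100.7 result=fail",
    "2015-07-01T09:03:00Z account=alice ip=203.0.113.5 result=ok",
]

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

Replaying the sample produces three alerts (alice’s account, carol’s account, then the attacking address once it reaches ten failures) and refuses three attempts. The last refused one is alice’s genuine login from the office: an account lockout stops the guessing script but also lets an attacker lock a real user out by hammering her account, which is why the per-address limit and the “computers can be blocked” control are worth having alongside it, and why an alert should reach the firm rather than silently dropping the attempt.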