Enterprise financials in the cloud? Why the fog of skepticism may be lifting


Spreadsheets and email documents are a bigger threat than the cloud, says Forrester Research’s Liz Herbert

San Diego — The corporate accounting department is the last place that I expected to see cloud computing. Thoughts of “fiduciary responsibility” and “Sarbanes-Oxley” and “HIPAA” and “PCI compliance” floated through my mind as Insight Software talked up its new cloud-based offerings at its HubbleUp 2015 user conference, held here in mid-June. Attendees, largely from financial departments at large companies, lapped it up.

Insight Software is a well-known maker of reporting, analytics and planning software that integrates tightly with big ERP (enterprise resource planning) financial packages such as JD Edwards, Oracle eBusiness Suite and SAP. Traditionally, ERP packages and add-ons like Insight’s tools run entirely on-premises. The latest version of Insight’s software, rebranded as Hubble, is also available as a cloud-based SaaS offering.


As a business owner myself, I find this scary. My financials? My budgets, my projections, my variance reports, my P&L statements, in the cloud? Exposed? If something bad happens, who is going to own the decision to place this critical data outside the firewall? Who will explain the incident to the shareholders, the Securities and Exchange Commission, the Wall Street Journal?

Turns out that while some organizations are perhaps moving slowly to put critical information like financials into the cloud, when you get outside the technology-analyst fog of skepticism, there’s a lot more optimism than expected.

One of the HubbleUp speakers was Liz Herbert, a vice president and analyst at Forrester Research. During her talk, she emphasized that when it comes to keeping private data inside the enterprise, the horse has already left the barn. She talked about one customer engagement, for which the C-level officers brought Forrester in to begin – to begin! – a feasibility study of placing some corporate information into the cloud. However, once onsite, she learned that the company was already using to manage its customer interactions. The lesson: The company was already storing sensitive information in the cloud, but didn’t even realize it.

Herbert urged businesses to “get real” and accept that security breaches, such as HIPAA violations, occurred from the use and misuse and abuse of locally stored data, not data in the cloud. The common scenario, she said: documents and spreadsheets being emailed around the company. It’s very, very easy to accidentally send critical information to the wrong address, or intentionally leak the information via email, or even copy it off a hard drive onto a USB key. “Spreadsheets and email documents are a bigger threat than the cloud,” she said.


Stories abound about salary spreadsheets being shared inappropriately. Seemingly everyone has a story about sending or receiving information accidentally, thanks to old mailing lists or even email autocomplete. In fact, when I chatted after Herbert’s talk with Angus Robertson, vice president of product marketing at Insight, he also related to that, recalling a previous job where he received a confidential document that was intended for his employer’s general counsel – also named Angus.

Herbert and others talking about financials-in-the-cloud at HubbleUp made some other strong arguments in favor of trusting the security model:

  • Large cloud vendors, such as Amazon, Google, Microsoft Azure, and Rackspace, are focused full-time on keeping up with the latest standards, regulatory issues, and compliance concerns. Many enterprise data center managers are not. (Robertson told me that Insight uses Amazon Web Services to host the Hubble cloud offering.)

  • Much of the hardware, and many of the operating systems and applications, in enterprise data centers are commercial off-the-shelf (COTS) systems, and hackers are working overtime to break them. Most cloud providers are running custom platforms, and hackers have less access to them, and thus have fewer opportunities to discover vulnerabilities.

  • When a vulnerability is found in a cloud system, the service provider can patch it immediately. When a vulnerability is found in COTS systems installed in the enterprise data center, the provider must develop a patch and distribute it to clients, and then clients must test and install that patch correctly. That’s a much slower process, with no guarantee that all data centers will even install the patch right away.

Despite those technical concerns about hackers, the biggest worry among the financial executives attending HubbleUp was about the proliferation of thousands of spreadsheets across their organizations. They see those as not only inefficient, but also untrustworthy: one statistic thrown around is that 88% of corporate financial spreadsheets contain errors.

The answer Insight proposed was the use of the cloud as a reporting and analytics portal: Instead of generating reports and spreadsheets and then mailing them around, put the information into the cloud, and let authorized users log in and see the current results instantly. No more email, no more data leakage — and no real worries about security.

Is data in the cloud vulnerable? Well, yes, all data everywhere is theoretically vulnerable and the cloud is no exception. To the CFOs and business analysts at this conference, anything is safer and more secure than emailing around spreadsheets filled with numbers. Hey, financial folks are often the most conservative and paranoid executives within a company. If the green-eyeshade crowd is comfortable with the cloud, you should be too.
