Apptrac has a look at security-requirements for cloud-hosted due diligence. Are we fooling ourselves?

How Secure is your Due Diligence?  An excerpt from our newsletter

Apptrac  


Dear visitor,

You may have heard about the large number of LinkedIn passwords that appeared on a hacker website recently. We all like to think that our systems and tools are immune to something like that. But are we fooling ourselves?

In this issue of our newsletter, Apptrac has a look at security-requirements for cloud-hosted due diligence.
If you are using an electronic or virtual data room, you should verify if you can check all the boxes. And we'll be happy to assist if you are unsure.

Of course, our website has more information on the subject.
Check out: www.apptrac.net

Best regards,

Apptrac
Joseph Waals

 

 

 



 

Cloud-based due diligence (or web-hosted due diligence) has been around for a good number of years. Vendors of solutions in this field all point out the many advantages: low entry cost, quick start of projects and global access to data.
As with any tool, you will need to consider the risks too. Security is definitely the main concern for many organizations that are thinking about using cloud-based due diligence. This article discusses three aspects of Security for cloud-based due diligence:

  • The "People-factor" and the risks it may cause;
  • Security aspects of the technical implementation;
  • The legal and vendor environment.

If properly managed, the issues surrounding these aspects can be resolved. That's a big "if". But keeping your fingers crossed and hoping things will turn out fine is not an option.

The People-factor

When discussing cloud-based due diligence, technical concerns always come up first. Understandably, there is reluctance to trust your information to a bunch of network-servers in an undisclosed location.

In reality the people-factor is a far bigger risk for information-integrity during due diligence. Any member of your due diligence team can lose, say, a binder with confidential information. Or a discussion between team members in a hotel bar may be overheard. And even you, yourself, can get your laptop stolen.

Cloud-based due diligence can help you mitigate these risks. Information is stored centrally, reducing the chance that a significant chunk of your due diligence information is in a set of binders or on a single laptop. Many cloud-based due diligence solutions can help you to reinforce the message to your team that due diligence work is confidential.

To help you deal with the people-factor, here's what you should look for when selecting a cloud-based due diligence solution:

  • It should ensure that everyone in the team signs and adheres to a Non-Disclosure Agreement;
  • It should have an option to append signed NDAs to user-profiles and prevent team members from using the system if there is no NDA in their user-profile;
  • Every time they get on the system, your team members should re-acknowledge that they have signed an NDA;
  • And your cloud-based due diligence solution should disconnect itself automatically after a short period of inactivity. You'll be surprised how many people leave their computers on during their lunch break.

There is no tool or system that can fully compensate for human nature or intentional abuse. But a good cloud-based due diligence solution will reduce the people-factor risk.

Technical risks

Many vendors of web-hosted software will market their products with claims that read "100% security" or something to that effect. As they say, the only things certain are death and taxes. Consequently, there is no 100% security for web-hosted software.

Cloud-based due diligence is no exception. There are two technical risks that can affect cloud-based due diligence: unauthorized access and loss of information.

A good cloud-based due diligence solution will take measures to reduce the security risks. For good reasons, most vendors will refuse to tell you which specific actions they are taking to limit the risks. Nevertheless, you ought to feel comfortable about the following issues before selecting a cloud-based due diligence solution:

  • What's the uptime and how much redundancy (slave databases, data lines to your server-park, etc.) is in the system?
  • How many clients/projects are stored in a single database? Anything in excess of 1 increases the risks that information may inadvertently be mixed up;
  • How often is my information backed-up? And how do I get a copy of every back-up?
  • Which password-hashing algorithm do you use, is each password "salted", and how many iterations of the hash are applied? Apologies for being a bit technical but your vendor should know. Fewer than 5000 iterations is not good;
  • Ask to see a record from a database. Does it look like "12,927, Here is some information" or does it look like "12,927, xDf35§ 53G(ght5s dhzh73d#3"? At the risk of pointing out the obvious: the latter is better.

High-quality providers of cloud-based due diligence will be able to talk about these issues. They will ensure you are comfortable with their methods, even if they cannot reveal all ins-and-outs.
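
The password-hashing question in the checklist above, as an added example that is not Apptrac's or any vendor's code: it stores passwords with a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library, chosen here as an assumption) and audits stored records against the article's 5000-iteration floor. The scheme$iterations$salt$hash record layout and the sample users are constructed for illustration.

```python
import hashlib
import hmac
import os

MIN_ITERATIONS = 5000      # floor named in the article
SCHEME = "pbkdf2_sha256"   # record layout is constructed for this example


def hash_password(password, iterations, salt=None):
    """Return 'scheme$iterations$salt_hex$hash_hex' using a per-user salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False  # bare digest or plaintext: nothing safe to verify against
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(parts[2]), int(parts[1]))
    return hmac.compare_digest(digest.hex(), parts[3])  # constant-time compare


def audit_record(record, min_iterations=MIN_ITERATIONS):
    """List what a reviewer would flag in one stored credential."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return ["not a salted, iterated hash (bare digest or plaintext)"]
    findings = []
    if int(parts[1]) < min_iterations:
        findings.append(f"only {parts[1]} iterations (< {min_iterations})")
    if len(bytes.fromhex(parts[2])) < 16:
        findings.append("salt shorter than 16 bytes")
    return findings


def audit_all(records):
    """Map each user to its findings, keeping only users with problems."""
    report = {user: audit_record(rec) for user, rec in records.items()}
    return {user: found for user, found in report.items() if found}


# Constructed sample credential table (not real data).
SAMPLE = {
    "alice": hash_password("correct horse", 10000),
    "bob": hash_password("hunter2", 1000),
    "carol": hashlib.sha256(b"letmein").hexdigest(),  # unsalted, single round
}
```

5000 is the article's minimum; OWASP's current password-storage guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations, so raise MIN_ITERATIONS to match when auditing a present-day system.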

The legal and vendor environment

Firstly, you are relying on a third party to provide a service for a process (due diligence) that is by nature time- and information-critical. What happens when your business partner suddenly ceases to exist? Furthermore, legislation and jurisdiction surrounding web-hosted services are patchy and continue to develop. IT-research firm Gartner is quite clear that web-hosted services are still maturing and this is reflected in the legal framework.

The risks associated with the current legal and vendor environment call for a contract that focuses on your needs. The contract should be quite clear on the ownership of your due diligence information (yours at all times!). The contract should also cover a mechanism that ensures that you get regular copies of all your information.

There is always a chance that things go sour. But you will be able to continue your due diligence when you ensure that you are the owner of your information and that you have access to it.

 

Conclusion
Cloud-based due diligence can be a compelling solution. The benefits are real. There is no reason to shy away from it when the associated risks are properly managed. We trust that this article helps you to make up your mind about cloud-based due diligence in your organization.