CaseWare Cloud

Data, Security & Assurance

We’ve got you covered so that you can focus on what matters most - your clients.

Choosing a cloud service provider can be a complex task given the nature of today’s security concerns. The number of potential threats - both malicious and benign - and the ever-increasing number of attack vectors can cause even security experts to feel overwhelmed. Let's take a look at some common questions about security so that you can feel comfortable with the subject matter and get back to your work day.

We've captured 7 basic criteria to assess the strength of any cloud-based platform so that you can make the most informed decision when choosing your Cloud service provider.

  1. Physical Security
  2. Application Security
  3. Network Security
  4. Data Security and Privacy
  5. Access Controls (logical)
  6. Availability
  7. Business Partnership and Trust

Note that CaseWare Cloud security requirements and measures are continuously monitored, assessed, and updated to reflect the changing needs and potential threats that may arise.

1. Physical Security

What is physical security?

Physical security concerns the foundation of any Cloud environment, namely: server hardware, facilities, personnel, access, availability and level of readiness for environmental factors such as flooding, overheating, power outages, and the like.

How does CaseWare Cloud handle physical security?

CaseWare Cloud is hosted on the Amazon Web Services infrastructure. Amazon provides physical security and logical security controls at the infrastructure layer. The following were considerations in our selection of Amazon:

What type of facility is it?

Amazon’s AWS platform is covered by an SSAE 16 report (done by Ernst and Young) and is PCI Level 1 certified, ISO 27001 certified, and compliant with all major security control frameworks. These security certifications are issued by authoritative international standards bodies. For more details on their security, see here: http://aws.amazon.com/security/.

For more information about their compliance, including assurance programs and third-party attestations, reports, and certifications, see here: http://aws.amazon.com/compliance/.

Where are the facilities located?

CaseWare Cloud is hosted on Amazon web servers around the world. Customers can request a specific region for their Cloud environment if they want. For performance and regulation reasons, we’ll typically set you up in:

  • United States/North Virginia if you’re located in the United States or South America
  • Canada/Montreal if you’re located in Canada
  • Australia/New South Wales if you’re located in the Asia-pacific region
  • Ireland/Leinster if you’re located in any other region

2. Application Security

What is application security?

At this level you’re assessing what measures were taken to ensure each component that make up the system is secure, such as application code, databases, configurations, third-party libraries, and others. You’ll want to account for potential vulnerabilities from both outside and inside the application.

How does CaseWare Cloud handle application security?

Application security is a team effort. We’ve built CaseWare Cloud with security in mind every step of the way. Our team of engineers is constantly performing tests to ensure that only quality and secure code reach our production environments. We test for a wide array of vulnerabilities including SQL injection, cross-site scripting, tampering, and session and authentication vulnerabilities, among many more.

We routinely perform penetration testing to defend against known and unknown attacks. CaseWare Cloud allows us to temporarily disable individual applications, where needed, thereby obviating the need to fully shut down the complete system when issues are detected.

Is the application certified under international security standards such as ISO or SOC?

CaseWare Cloud has earned ISO 27001 certification for its service delivery, operations and management of the CaseWare Cloud platform. The ISO 27001 certification for CaseWare Cloud can be found here.

CaseWare Cloud has also been certificated for SOC 2® Type 1. The certification was a comprehensive test of our personnel, processes, operations, and more.

Has the application undergone any independent security audits?

The application was designed following security framework guidelines and is regularly audited by an independent security firm, whose recommendations are reviewed for implementation within our Cloud security framework.

3. Network Security

What is network security?

Network security deals with the rules and controls that restrict or limit inbound and outbound traffic, as well as traffic within the system. You’ll want to ensure the necessary firewall rules are in place to prevent attacks such as malware, distributed denial of service (DDoS), and other potential vulnerabilities.

How does CaseWare Cloud handle network security?

CaseWare Cloud is continuously monitored for threats to the system. We have firewalls in place both at the infrastructure and application layers to ensure Cloud is protected from both potential outside and inside threats. Malware and DDoS vulnerabilities are mitigated by performing routine penetration testing of our system in conjunction with Amazon to provide you with multiple layers of security.

Monitoring is provided from a remote location, which immediately notifies dedicated CaseWare Cloud staff. An established escalation system is in place to handle issues as they arise. There is, for redundancy, additional monitoring set up within the data centers to monitor the other centers. Automatic restarts and other operations are provided to rapidly handle most failures within the system.

Do you perform any penetration/malware testing against the infrastructure?

CaseWare Cloud uses an advanced cloud-delivered endpoint protection platform to detect and defend against known and unknown attacks.

Do you have technologies that can reduce the impact of DDoS style attacks?

CaseWare Cloud works in conjunction with Amazon to mitigate the risk of DDoS style attacks. In the event of a DDoS attack, both Amazon and CaseWare Cloud have protocols and measures in place to independently (but in conjunction) reduce the impact of this event to ensure continuity of service.

4. Data Security and Privacy

What is data security and privacy?

Here you’ll want to ensure that all your data and your clients’ data will be safe whether within the system or traveling over network. Not only should you be concerned about things like encryption, but also legal requirements such as where your data can reside, who at the provider has access to that data, and how requests to that data are handled when approached by third parties or government entities.

How does CaseWare Cloud handle data security and privacy?

All traffic to CaseWare Cloud is strictly SSL-encrypted, with advanced proxy services to provide high availability and high-speed operation, monitor for security threats, and protect against malicious traffic. All communication with Cloud utilizes APIs that have been verified by independent internet security testing firms.

CaseWare Cloud also relies on the Amazon Web Services security policies and their accreditations, which are a key element to protecting your sensitive information.

Is the data encrypted?

Data that is transferred to and from CaseWare Cloud (data-in-transit) is encrypted via TLS with ephemeral key exchange and use industry-accepted strong cipher suites. Certificates use a minimum of 2048-bit key strength with SHA-2 or stronger signature algorithm.

Storage of data (data-at-rest) is encrypted at the server level, using the industry standard AES-256 algorithm.

Where is the data hosted?

All your data is held in one of Amazon’s secure data centers for your region. Data does not leave the region to abide by local regulations.

Who owns the data and who can see it?

Customers maintain ownership of their data. CaseWare Cloud will use non-identifiable data with your consent, to enhance our services. CaseWare does not otherwise access or use customer content for any purpose other than as legally required, and for maintaining CaseWare Cloud services and providing service to our customers and their end users. We never use customer content or derive information from it for marketing or advertising.

Controls are in place to prevent CaseWare Cloud staff from accessing user data other than where requested by firms. CaseWare Cloud goes to great lengths to ensure users outside of the firm and its contacts do not have any access to the firm. As well, it goes to great lengths to ensure that any data within a firm is visible and editable only by the specific set of users authorized by the firm.

Do you perform backups and have a recovery process?

Amazon AWS Storage Technologies are used for both CaseWare Cloud's archive feature and regular backups. This data is fully encrypted. Backups, including all user data and system logs, are taken daily and are available for restores on firm request for up to 80 days.

5. Access Controls (Logical)

What are access controls?

Access controls determine who at your organization can access the system and to what depth. Passwords and multi-factor authentication are typically your first level of security, but once in the system you’ll need to be aware of what the users are authorized to see and modify.

How does CaseWare Cloud handle access controls?

CaseWare Cloud requires password authentication to access the base system. Once in the system, users must be assigned security roles to perform additional operations and access certain content. With security roles, you can control who has access to what content.

Does CaseWare Cloud manage our security?

No, your organization is responsible for developing appropriate security policies around passwords and security roles using the security features provided in CaseWare Cloud.

How do I use security roles?

We’ve built in security roles and groups to help you manage who can access the system and define who is authorized to perform what operations. There are two types of policies to follow based on the size and structure of your organization: equal access or discrete access. Equal access essentially provides your staff with access to all clients and departments in your organization by default. For confidential material you can override this default access and provide select staff with access. Discrete access limits your staff’s access from the start. You must explicitly grant your staff access to client, departments and other material on a case-by-case basis.

Equal access can be beneficial if your organization is small and there are only a handful of confidential documents that you need to limit your staff from accessing. Discrete access is appropriate for larger organizations that may not want to share information so freely between staff. In this case, your data is assumed confidential until shared.

What password settings are available?

From CaseWare Cloud, you can set the password policy for your organization, including password strength and expiry.

6. Availability

What is availability?

You want to ensure that your provider can guarantee that all services will be available and performing nominally when you need to get work done. A key component to availability is ensuring there are redundancies in place to both data and infrastructure so that there is no single point of failure.

What is CaseWare Cloud’s availability like?

Our dedicated team of Engineers ensures that our Cloud platform is ready and available when you need it. To provide you with stable and highly available services, we've provisioned the system with redundant components, continuous monitoring, regularly scheduled integrity checks and other such measures to provide consistent performance and service. We also perform regular backups of data to prevent loss of work.

You can visit our status page to see the availability of servers in your region and stay up-to-date on any planned maintenance: http://status.casewarecloud.com/.

7. Business Partnership and Trust

Although this criteria appears last on our list, perhaps it should be considered the first when choosing a Cloud service provider. Does the provider have a good track record of delivering quality and stable solutions? Do they ensure their clients’ needs and expectations are met? Will they still be operational over the long term? Choosing the right provider is like entering a business partnership - ensure that they have firmly established your trust to meet your business needs now and into the future.

CaseWare was founded over 29 years ago and continues to deliver a full range of software solutions and tools that empower accounting firms small and large, businesses and government entities. Our solutions continue to meet the changing needs of businesses and have been used in millions of engagements in over 170 countries around the world.


See our latest policies for more information:

CaseWare Cloud Data, Security & Assurance
Scroll