Know where your data is

So the other day I was needing to get a backup of a QuickBooks file from someone for a project. In my office we get a copy for purposes of forensic analysis.  Even when the QuickBooks is online, there is a third party app that allows us to convert the online data to a desktop version (it’s called Exportmybooks for anyone interested). We do this in my business even with online QuickBooks to ensure that we have a copy of exactly what the accounting books were at a specific time.  Too often with accounting systems people move information around or things get changed and thus this ensures we can showcase (in court, in meetings, etc) what it was at X date in time. Long story short this is for analysis and forensic work and the data I obtain isn’t necessarily from clients that I work with on a regular basis.

So the other day I contact someone to get a backup of the QuickBooks and I ask them “Do you know if you have Desktop QuickBooks or Online QuickBooks”? They say “It’s on my laptop”. No problem I have a Splashtop SOS subscription so I can reach out remotely to people using a process of having them get a link and then giving me a one time code for this very need. So I log into their computer and I don’t see an icon on the desktop for QuickBooks. “Can you open your QuickBooks” thinking they hid the icon or something. They then launched a web browser and went into online QuickBooks.

It just hit me funny because that’s not “on your laptop”. That’s actually saved in the cloud and your laptop can get it it from the browser. I was reading a post the other day that was talking about how as we pivot more to cloud services (and trust me, I can see this over time that more and more businesses ARE moving such services to cloud offerings even if you personally won’t be) that we really need to rethink how we protect things. We can’tjust assume because something is up there that it’s automatically protected.

1. Authentication – make sure multifactor is enabled
2. Got a backup of that cloud? – We often rely on the vendor for cloud backups but should you?
3. Security and monitoring of the cloud  – recent case in point is this Microsoft security blog post regarding Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs (say that three times fast).  How can I as a consumer of cloud services know that my vendors are up on protecting their cloud services? For those folks with small businesses – the one in particular that you may need to review with you or your IT provider is the Azure Site recovery service that takes cloud backups/sets up virtual machine fallover service.

Bottom line, your data is “not just on your laptop”.  Act accordingly, and start thinking of better ways to protect it.