
With your data, it’s good to be paranoid

Posted 7 years ago in Tech by Alastair Grigg

A few high-profile online security failures have stirred up paranoia about putting your data in the cloud. Major breaches of Sony’s PlayStation Network, Dropbox and Distribute.IT in Australia have made many people paranoid.

And when it comes to data security, paranoia is a good thing. We have a security team plus an independent security consulting firm who are vigilant about data security and protecting our systems against breaches. We invite you to read about our substantial security measures.

It’s always a huge disappointment when we hear about these major breaches, mostly because they often turn out to be quite preventable – the victims are usually the subject of attack because they didn’t take some fundamental precautions.

In the wake of such breaches, a few people tend to declare an adamant refusal to put their data in the cloud. The reality is, nobody can avoid having their data in the cloud – for years now, all of us have had an ever-increasing amount of our own data, along with data about us, accessible in the cloud. It’s a basic and unavoidable reality of the world we live in: your data is in the cloud. The speed and ease of living in the 21st century wouldn’t be possible any other way; it’s the plumbing of our global economy.

The vast majority of the time, having data in the cloud is a huge blessing. Once in a while, a breach happens. That’s why we need to stay paranoid. Pretending we don’t already have data in the cloud is the opposite of being paranoid; it’s being in denial.

So if you’re considering who you can trust to properly protect your data, make sure you ask these extremely important questions.


Berend de Boer
June 23, 2011 at 3.25 pm

Question number one: does Xero back up my data to tape, which is offline, and is rotated for some time before being reused?

Michael Kent
June 23, 2011 at 4.39 pm

Thanks Alastair, it is an important issue. I get asked about security by every client I propose Xero to. The information outlined on the “security measures” page is good, but lacks independent verification.

I would like to see Xero publishing reports or at least high level findings of its independent third party security auditors and inspectors. Are the results of these audits and inspections ever made public?

June 23, 2011 at 4.50 pm

I find it somewhat ironic that this blog is about internet security but the third party bank feed provider Xero uses requires your internet banking login and password to download NZ credit card data and import it into Xero.

Alastair Grigg in reply to Ben
June 23, 2011 at 6.17 pm

@ Michael, we don’t publish security audit and pen test results because even at a high level this would not be good practice from a security perspective. We’ve looked at many of the automated vendor test suites that have some sort of ‘hacker safe’ badge, but they only test for very common misconfigurations of commodity software. We subject Xero to far more comprehensive and bespoke pen testing.

@ Jay, we’re working with banks to establish as many bank feeds as possible as direct partner feeds. But where we need to enable these through Yodlee we encourage more banks to also offer read-only user roles for this.

Craig Walker Xero
June 23, 2011 at 4.53 pm

@Berend Actually we have a backup-in-depth strategy. First we back up to SAN – transaction logs are backed up constantly, differentials done nightly and full backups done weekly. We then back up the diffs and full backups to tape. As well as that we utilize log-shipping to an offsite environment so that in the unlikely event of SAN failure we have a live copy of the database sitting offsite, active, and ready to restore. The rotation on the tapes is fairly tight – we should never be in the position of requiring old tape backups.

We don’t take data loss lightly and are constantly improving our processes.


Berend de Boer
June 23, 2011 at 5.55 pm

Craig, not sure you have followed the DIT story, but the issue there did not seem to be the lack of backups. Most companies have backups to guard against disk loss, server loss, data centre loss, that kind of thing.

But here it appears a hacker was intent on destroying as much as possible so he wiped every backup as well. So you can have your off-site backup, but that won’t protect you in case an attacker can wipe it.

That’s where my offline tape backup comes in.

I’m pretty sure Xero can survive loss of a major portion of the planet, but protection against a planned attacker who wipes out every boot sector and every backup is something entirely different.

Many hosting companies are currently rethinking their backup strategies in light of this information.

In case of the most catastrophic loss I’d rather have a 30 day old backup than nothing, obviously.

Paul Rushworth
June 24, 2011 at 9.39 am

Hi Berend,

As we’ve mentioned, we replicate data in real time to multiple geographically dispersed locations.

In each location, we take point in time backups to discrete Storage Arrays, which are then archived to tape. The network design and implementation of this backup system is entirely isolated from the rest of Xero’s environment to the extent Xero administration staff do not have direct administrator access to it.

Xero is a public company, and its own accounts are on Xero. Xero’s IT team are independently audited regularly by one of the big four for the IT controls we have in place around the protection of Xero’s own data generally, and within that backup system. All Xero customers benefit from this as their own data is protected by the design and implementation of this system.

Crucial Security Reviews - Crucial Paradigm Official Forums
June 24, 2011 at 3.54 pm

[…] been with you guys a while now and while I’m happy and have not had any major issues occur – as the recent blog on Xero mentions – It’s good to be paranoid about data […]

Brendan Tully
December 19, 2011 at 10.55 am

It’s hilarious when SMB clients ask us about security in the cloud – our first response is to ask them if they’re using the same password across the 100+ accounts they have for different services…in 90%+ of cases they are and it’s easily guessable.

Yes, cloud introduces risk, but it’s significantly less than the risk of that data sitting on their office server or PC, and with a poor password strategy they may as well be leaving the front door open right now.
