Date posted: 16-Apr-2017
Uploaded by: lbi-software
Risks and Rewards of Placing Employee Benefits Systems in the Cloud
Is Offsite Software Hosting Safe and Secure?
Presented by: Howard Kaplan
Director of Business Development, LBi Software
Agenda
• Introduction
• A Brief History of Computing
• SaaS & Cloud Terms Demystified
• 3rd Party Hosting vs On Premise Deployment
• Risks and Rewards of 3rd Party Hosting
• Engaging Your IT Department
• Summary
• LBi Overview
• Q&A
A Brief History of Computing
• Mainframes and Green Screens
  – Intra-company system
  – Maintained by internal staff
  – Prior to the PC
  – Direct (hardwired) terminal to mainframe connection
  – Leased (dedicated) data lines for remote access
  – Zero risk of external malicious access
A Brief History of Computing
• Client Server
  – Intra/Inter company system
  – Maintained by internal staff
  – User’s Desktop PC = “Client”
  – Powerful PC(s) = “Server”
  – Local Area Network (Ethernet)
  – Wide Area Network (Internet & Leased Lines)
    • Virtual Private Network (VPN) (“point to point tunneling”) encryption
    • Password encryption
  – Virtually zero risk of external malicious access
A Brief History of Computing
• Application Solution Provider (ASP) Hosting
  – 100% 3rd party hosted
    • No servers onsite
    • Support split: Internal IT & ASP host
  – Generally Dedicated Servers
    • 100% Internet accessible
    • Dedicated machine(s) running only your application(s)
      – No sharing with other companies
  – VPN access recommended
  – Very minimal but possible risk of external malicious access
A Brief History of Computing
• Software as a Service (SaaS)
  – 100% 3rd party hosted
    • No servers onsite
  – Virtual Servers (Cloud)
    • 100% Internet accessible
    • Machines may run multiple Operating System environments
    • Shared servers with other applications and customers (e.g. Google Apps)
    • Shared application (multi-tenant)
  – VPN or other encryption recommended
    • HTTP vs HTTPS (Secure Sockets Layer - SSL)
    • Other methods available
  – Minimal but possible risk of external malicious access
SaaS & Cloud Terms Demystified
• SaaS - Primarily a software licensing model using cloud deployment architecture
  – Multi-Tenant Architecture = Multiple customers sharing the same application instance and (usually) the same database (e.g. salesforce.com, citibank.com, gmail, etc.)
  – Single-Tenant Architecture = One customer per application instance and database
  – Deployed in the Cloud (over the Internet in a shared environment)
SaaS & Cloud Terms Demystified
• Cloud Computing – Software deployment model
  – Computing via the Internet
  – On-demand network access
  – Shared pool of configurable resources
  – Rapid deployment
  – Infinite scale
What is SAS 70 Type II?
• Statement on Auditing Standards
  – Standard by which auditors evaluate servicing companies
    • Unbiased reports by an auditor
    • Provides service organizations a reliable and widely recognized means of disclosing their internal security controls and processes to their customers
  – Evaluation includes the way the service / company conducts its business
HTTP vs HTTPS (Secure Sockets Layer)
• Using an HTTPS connection:
  – The server responds to the initial connection by offering a list of encryption methods it supports
  – In response, the client selects a connection method, and the client and server exchange certificates to authenticate their identities
  – Then both parties exchange the encrypted information after ensuring that both are using the same key
  – In order to host HTTPS connections, a server must have a public key certificate, which embeds key information with a verification of the key owner's identity
Secure Sockets Layer (SSL)
• When using an SSL connection (HTTPS):
  – Recognized by a secure padlock which appears in the browser
  – Web server requires the use of an SSL certificate
Security Breaches Happen
“A Wisconsin teenager has been arrested and charged for allegedly hacking into a Pentagon computer in June and illegally accessing a U.S. Army computer, according to the Department of Justice.”
DOJ charges teen with Pentagon hacking
Security Breaches Happen
“Epsilon, a marketing services firm based in Dallas, has warned clients that a massive breach in an email database may have exposed the names and emails of thousands of users.
Among the affected clients are Best Buy, Ritz-Carlton Rewards, JPMorgan Chase, Capital One and Citi.
Epsilon maintained that no financial information – credit card numbers, for instance – has been revealed.”
How many email warnings did you receive recently?
Why Host vs. On Premise Deployment
• Minimal security considerations
• Selected vendor solution offered only in a hosted environment
• Price important
  – Capital vs Operating budget availability
• Deployment timeline
• Limited internal IT resources
• Limitless scalability
• Reliability (99.99%+ uptime guarantees)
Driving Cloud Adoption
Cloud Economics
Estimates vary widely on possible cost savings
• “If you move your data center to a cloud provider, it will cost a tenth of the cost.” – Brian Gammage, Gartner Fellow
• “Use of cloud applications can reduce costs 50% to 90%” – CTO in Washington D.C.
• Preferred Hotel
  – Traditional: $210k server refresh and $10k/month
  – Cloud: $10k implementation and $16k/month
Why On Premise vs. Host Deployment
• Maximum security
  – European “Safe Harbor” laws an issue
• Available IT resources
• Price not an issue
  – Long term lowest cost
• Greater internal control
• Company policy
Risks and Rewards of 3rd Party Hosting
• Risks
  – Security - Higher risk in a shared server/virtual server environment and/or no VPN access
    • SAS 70 Type II audit provides high level of assurance that effective security procedures are in place
    • Data encryption options
    • Risk still low
  – System down - Major hosting providers provide multiple layers of backup and redundancy
    • Offsite / off grid Disaster Recovery options
    • Offsite data backup
  – Internet Down - Everyone is down
Risks and Rewards of 3rd Party Hosting
• Rewards
  – Price - SaaS solutions generally have much lower upfront costs and low monthly costs vs. outright software purchase and onsite implementation services
  – Support - 24/7/365 maintenance and support included in the price & guaranteed uptime, commonly 99%+ uptime
    • Minimize need for internal IT resources
    • Patches and upgrades are generally automatic
    • Scales up on demand
  – Deployment Time - Generally much faster than a local software implementation
    • Software already installed and ready to configure
    • Infrastructure in place and ready to go
Engaging Your IT Department
• Be part of the discussion
  – Voice your issues and concerns
• Trust your IT department – they understand the technology, risks, company policies, their resource constraints, etc.
• Work together in the vendor selection process
  – Weigh functional requirements vs supportability
  – Gain consensus
Summary
• Trust your IT staff to design the safest environment for your needs
• Use VPN and other encryption technologies
• Select only SAS 70 Type II certified providers
• Consider Disaster Recovery options (redundancy)
• Frequent offsite data backups (at least daily)
• Plan ahead for your worst case scenario
LBi Software
• Established 1982
• Primary Focus on Human Capital Management (HCM) Solutions
• Legacy in custom HCM development
• Custom & Packaged solutions
• Web 2.0 Development expertise
• IVR/CTI/Speech Recognition expertise
• Mission/Business Critical solution delivery
LBi Software Products
Q&A