Risks and Rewards of Placing Employee Benefits Systems in the

CloudIs Offsite Software Hosting Safe and Secure?

Presented by:Howard Kaplan

Director of Business DevelopmentLBi Software

Agenda• Introduction• A Brief History of Computing• SaaS & Cloud Terms Demystified• 3rd Party Hosting vs On Premise Deployment• Risks and Rewards of 3rd Party Hosting• Engaging Your IT Department• Summary• LBi Overview• Q&A

A Brief History of Computing

• Mainframes and Green Screens– Intra-company system– Maintained by internal staff– Prior to the PC– Direct (hardwired) terminal to

mainframe connection– Leased (dedicated) data lines for

remote access– Zero risk of external malicious access

A Brief History of Computing• Client Server– Intra/Inter company system– Maintained by internal staff– User’s Desktop PC = “Client”– Powerful PC(s) = “Server”– Local Area Network (Ethernet)– Wide Area Network (Internet & Leased

Lines)• Virtual Private Network (VPN) (“point to

point tunneling”) encryption• Password encryption

– Virtually zero risk of external malicious access

A Brief History of Computing• Application Solution Provider (ASP)

Hosting– 100% 3rd party hosted

• No servers onsite• Support split - Internal IT & ASP host

– Generally Dedicated Servers• 100% Internet accessible• Dedicated machine(s) running only

your application(s)– No sharing with other companies

– VPN access recommended– Very minimal but possible risk of

external malicious access

A Brief History of Computing• Software as a Service (SaaS)

– 100% 3rd party hosted• No servers onsite

– Virtual Servers (Cloud)• 100% Internet accessible• Machines may run multiple Operating

System environments• Shared servers with other applications

and customers (i.e. Google apps)• Shared application (multi-tenant)

– VPN or other encryption recommended• HTTP vs HTTPS (Secure Sockets Layer -

SSL)• Other methods available

– Minimal but possible risk of external malicious access

SaaS & Cloud Terms Demystified

• SaaS - Primarily a software licensing model using cloud deployment architecture– Multi-Tenant Architecture = Multiple customers

sharing the same application instance and (usually) the same database (i.e. salesforce.com, citibank.com, gmail, etc.)

– Single-Tenant Architecture = One customer per application instance and database

– Deployed in the Cloud (Over the Internet in a shared environment)

SaaS & Cloud Terms Demystified

• Cloud Computing – Software deployment model– Computing via the internet– On-demand network access– Shared pool of configurable

resources– Rapid deployment– Infinite scale

What is SAS 70 Type II?

• Statement on Auditing Standards– Standard by which auditors evaluate servicing

companies• Unbiased reports by an auditor• Provides service organizations a reliable and widely

recognized means of disclosing their internal security controls and processes to their customers

– Evaluation includes the way the service / company conducts its business

Http vs Https (Secure Sockets Layer)

• Using an Https connection:– The server responds to the initial connection by offering a list of

encryption methods it supports– In response, the client selects a connection method, and the client

and server exchange certificates to authenticate their identities– Then both parties exchange the encrypted information after ensuring

that both are using the same key– In order to host https connections, a server must have a public key

certificate, which embeds key information with a verification of the key owner's identity

Secure Sockets Layer (SSL)• When using a SSL

connection (https):– Recognized by a secure

padlock which appears in the browser

– Web server requires the use of an SSL certificate

Security Breaches Happen

“A Wisconsin teenager has been arrested and charged for allegedly hacking into a Pentagon computer in June and illegally accessing a U.S. Army computer, according to the Department of Justice.”

DOJ charges teen with Pentagon hacking

Security Breaches Happen

“Epsilon, a marketing services firm based in Dallas, has warned clients that a massive breach in an email database may have exposed the names and emails of thousands of users.

Among the affected clients are Best Buy, RitzCarlton Rewards, JPMorgan Chase, Capital One and Citi.

Epsilon maintained that no financial information – credit card numbers, for instance – has been revealed.”

How many email warnings did you receive recently?

Why Host vs. On Premise Deployment

• Minimal security considerations• Selected vendor solution offered only in a hosted

environment• Price important– Capital vs Operating budget availability

• Deployment timeline• Limited internal IT resources• Limitless scalability• Reliability (99.99%+ uptime guarantees)

Driving Cloud Adoption

Cloud EconomicsEstimates vary widely on possible cost savings• “If you move your data center to a cloud provider, it will cost

a tenth of the cost.” – Brian Gammage, Gartner Fellow

• “Use of cloud applications can reduce costs 50% to 90%” - CTO in Washington D.C.

• Preferred Hotel– Traditional: $210k server refresh and $10k/month– Cloud: $10k implementation and $16k/month

Why On Premise vs. Host Deployment

• Maximum security– European “Safe Harbor” laws an issue

• Available IT resources• Price not an issue– Long term lowest cost

• Greater internal control• Company policy

Risks and Rewards of 3rd Party Hosting

• Risks– Security - Higher risk in a shared server/virtual server

environment and/or no VPN access• SAS 70 Type II audit provides high level of assurance that effective

security procedures are in place• Data encryption options• Risk still low

– System down - Major hosting providers provide multiple layers of backup and redundancy• Offsite / off grid Disaster Recovery options• Offsite data backup

– Internet Down - Everyone is down

Risks and Rewards of 3rd Party Hosting

• Rewards– Price - SaaS solutions generally have much lower upfront

costs and low monthly costs vs. outright software purchase and onsite implementation services

– Support - 24/7/365 maintenance and support included in the price & guaranteed uptime, commonly 99%+ uptime• Minimize need for internal IT resources• Patches and upgrades are generally automatic• Scales up on demand

– Deployment Time - Generally much faster than a local software implementation• Software already installed and ready to configure• Infrastructure in place and ready to go

Engaging Your IT Department• Be part of the discussion– Voice your issues and concerns

• Trust your IT department – They understand the technology, risks,

company policies, their resource constraints, etc.

• Work together in the vendor selection process– Weigh functional requirements vs

supportability– Gain consensus

Summary

• Trust your IT staff to design the safest environment for your needs

• Use VPN and other encryption technologies• Select only SAS 70 Type II certified providers• Consider Disaster Recovery options

(redundancy)• Frequent offsite data backups (at least daily)• Plan ahead for your worst case scenario

LBi Software

• Established 1982• Primary Focus on Human Capital Management

(HCM) Solutions• Legacy in custom HCM development• Custom & Packaged solutions• Web 2.0 Development expertise• IVR/CTI/Speech Recognition expertise• Mission/Business Critical solution delivery

LBi Software Products

Q&A