Most organizations today consider employee and salary information to be highly confidential. People are a competitive advantage, and it's risky for employee information to land up in the wrong hands.
Naturally, you would want HR information to be as secure as gold in your house. This raises the question: is it safer in-house, or is the cloud a safer place?
I came across this interesting post by Bhavin Raichura called "Cloud Computing: Where are you going to keep your gold?"
Most executives are excited by cloud computing economics but have one significant concern: what about security? Bhavin tackles this question head-on and asks: "Would you buy or rent a house?" and "Where would you keep your gold?". I recommend that you read the rest of his post on the NASSCOM blog...
Once you put things in a proper perspective, fears melt away, and clarity reigns.
But...
(there is always a but, isn't there?)
The devil is in the details.
While gold can be secured by having airtight physical security, adequate data security requires many more security levels. There are a dozen different ways of stealing information without having physical access to the server. Also, it would help if you kept your guard up 100% of the time. One little lapse, and you will get compromised.
However, before giving away the gold, you need to make sure the safe keeper is trustworthy and competent. It would be foolish to assume that "it's on SaaS; ergo, it is safe." (see: Sage Live - Serious SaaS Security Issues) A SaaS service provider with poorly implemented security would be the equivalent of keeping the gold in a hole in your backyard because the house is insecure.
Closer to home, I notice a lot of HR and payroll SaaS providers not even providing SSL-protected pages for the login page, let alone other pages. Whatever the reasoning behind such a lax attitude, it just doesn't inspire confidence in your customers... (I'm not sure if 'name and shame' would have a salutary effect, but I will err on the side of being nice.)
To wrap up, here is a recent article on cloud computing by the security guru Bruce Schneier. Quote:
IT security is about trust. You have to trust your CPU manufacturer, hardware, operating system and software vendors, and ISP. Any one of these can undermine your security: crash your systems, corrupt data, allow an attacker to get access to systems. We've spent decades dealing with worms and rootkits that target software vulnerabilities. We've worried about infected chips. But in the end, we have no choice but to trust the security of the IT providers we use blindly.
SaaS moves the trust boundary out one step further -- you now have to trust your software service vendors -- but it doesn't fundamentally change anything. It's just another vendor we need to trust. (ed - emphasis mine)
and...
Trust is a concept as old as humanity, and the solutions are the same as they have always been. Be careful who you trust, be careful what you trust them with, and be careful how much you trust them. Outsourcing is the future of computing. Eventually, we'll get this right, but you don't want to be a casualty along the way.