1 Presents: Cloud Security: Bringing Clarity to Common Myths and Misconceptions Authors: Dan McCue, Senior Vice President, Finance & Accounting, Sutherland Global Bill Burke, CEO, Merit Solutions Copyright 2012 Sutherland Global Services
2 INTRODUCTION Companies in today s economic environment are all facing the age-old business conundrum: how can we do more with less? To help improve capacity but drive down costs, organizations are increasingly turning to cloud-based technologies. Cloud-based Enterprise Resource Planning (ERP) can be deployed quickly, minimizes the initial investment, reduces the Total Cost of Ownership (TCO) and offers seamless upgrades. Although many CEOs, CFOs, CIOs and key stakeholders look to cloud computing to help realize tremendous savings, there are concerns about cloud-based data solutions. In the age of cyber attacks and the seemingly ever-growing list of online security threats, senior executives worry about the safety of their cloud-based information. Physical location, data transmission, access security and disaster recovery represent the four top-of-mind security concerns. This white paper will look at some of the key aspects of cloud security and examine some of the myths and misconceptions. Research also shows that while senior executives are apprehensive about cloudbased security, only a small percentage conduct due diligence on their providers. This white paper also includes a checklist of 10 questions that SMBs, mid-market companies and large organizations should ask their potential providers.
3 THE RISE OF CLOUD COMPUTING A 2011 survey by CDW found that 28% of US-based organizations are using cloud computing today, and 73% of those organizations took their first step by implementing a single cloud application. Interestingly, the vast majority of the survey respondents (84%) say they have already employed at least one cloud application. So, in essence, there are a lot of first steps being taken, and wider cloud adoption is foreseeable. There s no doubt the cloud is garnering attention as companies cautiously explore cloud applications. According to an April 2011 Forrester Research report titled Sizing the Cloud the global cloud computing market is estimated to reach $241 billion in Yet, despite the rise of cloud computing, there are a number of misconceptions floating around, with security at the top of the list. Top 5 Cloud ERP Misconceptions 1. With a cloud ERP solution, our data isn t as secure as it is onsite. 2. Cloud ERP solutions provide only basic ERP functionality. 3. Cloud ERP solutions can t be customized. 4. It s difficult to integrate cloud ERP systems with other systems. 5. If the Internet goes down, the business goes down. As companies transition from low-risk testing the waters to taking the plunge with cloud ERP for more mission-critical functions like Finance and Accounting, the issue of cloud security is inevitable. The question most often asked is, Just how secure is our data? It s a legitimate question. It was only a few short years ago that cloudbased ERP systems were the exception rather than the norm for most companies. The idea of not having all data, infrastructure, software and hardware on-site was new, intriguing and fraught with concerns. Entrusting private business data and applications to an outside hosting service made (and continues to make) some organizations uncomfortable.
4 Despite the cloud s shift into the mainstream, security and compliance still top the list of apprehensions inhibiting cloud adoption. Some of this apprehension is caused in part by confusion around a lack of industry standards; expectations and definitions of security can vary from industry to industry. Different regions and countries are subject to different data protection policies and legislation that could compromise data privacy. Companies need to conduct due diligence on their prospective cloud providers. Data security and privacy issues are very real concerns no matter whether SMBs implement a cloud ERP solution or on-premise ERP. Both require knowledge of data: which data is sensitive, the degree of sensitivity and the protocols required to protect it. Yet, the pervasive myth that cloud-based ERP simply isn t as secure as on-premise solutions continues to linger. The myth persists based on four misconceptions about the security of physical location, transmission, access security, and disaster security. PHYSICAL LOCATION The Misconception: A cloud-based solution is nebulous and can t be secured. The Reality Cloud computing is new, unknown and eyed suspiciously. It has the appearance of being risky because you cannot secure its perimeter where are a cloud s boundaries? A May 2010 study by the Ponemon Institute found that IT professionals believed security risks were more difficult to curtail in the cloud, including securing the physical location of data assets and restricting privileged user access to sensitive data. Yet, as CIO Magazine pointed out:
5 respondents only gave the on-premise alternative a 56% positive rating! In other words, nearly half the respondents believe that their own internal data centers do not do a good job of securing the physical environments of their data centers. 1 The reality is that often on-premise ERP security does not measure up to the same standards as a world-class data state-of-the-art facility. An ideal data center should be secure, free of windows, and built with cement or steel fortifications with 24/7 on-site security. Most SMB IT departments reside in a department or on a floor of commercial buildings and office towers, which rarely have these conditions. In comparison, MAXCloud data centers are housed in multi-million dollar facilities with building fortifications. The main data center is housed underground in a facility that is designed to withstand an 8.3 magnitude earthquake. The data centers also have 24/7/365 security, monitored by staff as well as security guards. TRANSMISSION Misconception: Cloud-based solutions are more vulnerable to hacking and other attacks. The Reality SMBs typically invest in hardware, software and applications to thwart specific security challenges: spam, security breaches, malware, noncompliance, and so forth. Unfortunately, many of these products have limited life cycles, are difficult to scale and, from a security point of view, often only produce single points of failure. Additionally, the latest technologies to scramble and encrypt data RSA, Secure Socket Layer (SSL), Data Encryption Standard (DES), or Triple DES, etc. can quickly drain SMB IT budgets. 1 Golden, Bernard. "Cloud Computing Security: IT's Take on State of Play." CIO Magazine. N.p., 17 May Web.
6 With traditional licensed ERP software, organizations typically must wait for the next release to benefit from the latest features, upgrades, or security patches. Sometimes limited resources can mean that upgrades aren t always deployed in a timely manner. In fact, twothirds of mid-size businesses are running outdated versions of their ERP software 2. This can leave these companies vulnerable. Under the SaaS (Software as a Service) delivery model that forms the basis of cloud ERP, the provider continuously and unobtrusively adds the latest features and upgrades, which means that users can be assured that they re actually using rather than waiting for the latest security technology. By their very nature, external applications like cloud-based technologies must adopt a trust no one approach. Layers of security controls, encryption of all sensitive data and security testing at the application level, as well as countless other safeguards are necessary for cloud security. A world-class cloud ERP provider will perform rigorous internal vulnerability scans, log threats, and are audited for SSAE 16 Type 2 compliance. Data is fully secured, both in transmission and at rest. For example, MAXCloud runs on a Microsoft Dynamics AX platform. It uses the RPC_C_AUTHN_LEVEL_PKT_PRIVACY call, which provides the highest security level available through a remote procedure call (RPC). There are no software or hardware purchases, and updates are seamless. ACCESS SECURITY 2 "Why Cloud Computing Matters to Finance," Ron Gill, CMA, CFM: Strategic Finance, January 2011.
7 The Misconception: An on-premise solution offers more security over who may access information. The Reality The myth that a cloud solution simply cannot be as secure as an onpremise solution has very much to do with the notion of seeing is believing. Often companies feel more in control of their data when it resides under their own roof. When ERP is on-site, it is the sole responsibility of the IT department to authenticate and log all access to data in order to prevent unwanted users, both internal and external, from accessing information or resources. Access security for on-premise ERP systems may be enforced through business logic or at the database layer. This authenticates users and provides them with specific rights to data objects. For example, a payroll clerk would only have access to payroll data, not customer records. A cloud-based ERP is no different. With MAXCloud, you control access to data throughout by managing security restrictions on forms, records and data fields for specific user groups and domains, and define and assign rights according to how you want security restrictions managed. Also, because MAXCloud is a single-tenant environment, there is no risk of data being inadvertently exposed to other users due to poor implementation of the access management process. While a secure cloud ERP system doesn t increase the vulnerability of your business data, authenticated users have anywhere, anytime, any device access, which is a tremendous advantage for global collaboration, monitoring and managing.
8 SECURITY FROM DISASTER Misconception: It s better to handle backups internally to be able to access data more quickly in case of a disaster. The Reality Companies must examine how often they back up data and where the backups are the stored. SMBs looking to third-party back-up systems and business continuity facilities must thoroughly examine the security standards that are in place. The truth of the matter is that SMBs need to invest in a rigorous program for data backups with offsite storage in a secure location separate from the main data center. Key questions to ask before choosing an external backup partner include: Does the third-party data recovery service abide by recognized security standards and compliance requirements? What happens if there is a power failure? How long will my data be kept? Cloud-based solutions like MAXCloud ensure full nightly backups, which are stored in an off-site location and are maintained for seven years. As well, the data centers have multiple power sources and redundant incoming lines provisioned in an N+1 configuration for continuous power. THE NEW REALITY OF CLOUD ERP SOLUTIONS Traditional and cloud ERP share many of the same security issues, from preventing unauthorized access to safe and secure backups. As the new kid on the block, cloud technology is unfamiliar and not fully trusted. SMBs that adopt a cloud-based ERP solution like MAXCloud find that security is actually improved. Unlike large enterprise companies, SMBs
9 usually don t have the high security infrastructure, processes or best practices knowledge readily on hand. In the case of cyber attacks, cyber espionage, malware, human error and disasters, cloud-based service providers have higher levels of security. Microsoft released research in May of 2012, that verified the significant IT security advantages from using the cloud. One of the most interesting facts to emerge from the survey was that "35 percent of US companies surveyed have experienced noticeably higher levels of security since moving to the cloud." 3 Security is always a top concern for companies, but it s time to put to cut through the fog, and bring a little clarity to the situation: Cloud ERP systems and the data they contain are as secure, if not more secure than traditional ERP systems. 3 Microsoft. News Center. Cloud Computing Security Benefits Dispel Adoption Barrier for Small to Midsize Businesses. 14 May Web.
12 database. It is our belief that an isolated single tenant environment best maximizes performance, security, privacy and integration. 10.) How safe is your data center in terms of natural disasters? Your potential provider should be prepared for any number of natural disasters. In addition to a windowless, cement building with steel fortifications, the provider should have multiple power sources and redundant incoming lines provisioned in an N+1 configuration for continuous power. For example, our main data center s backup generators can power a city of 25,000 people - which allows us to go off grid for 28 days without water, electricity, sewer, or natural gas feeds.
Microsoft Dynamics The Business Benefits of Hosted ERP Solutions for Small & Midsize Organizations Executive Summary Today s small and midsize organizations are increasingly looking for more flexible and
Microsoft Dynamics The Business Benefits of Hosted ERP Solutions for Small and Midsize Organizations November 15, 2009 Contents EXECUTIVE SUMMARY... 1 WHAT IS ERP HOSTING?... 2 BENEFITS OF A HOSTED ERP
Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational
Take Your Vision to the Cloud Executive Summary Many Professional Service firms are moving their Deltek Vision solution to cloud with the aim of focusing limited IT resources on core business requirements
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
MANAGED SERVICES PROVIDER Dynamic Solutions. Superior Results. REVOLUTIONIZE YOUR INSTITUTION BY FULLY LEVERAGING THE BENEFITS OF TECHNOLOGY MAXIMIZE YOUR TECHNOLOGY INVESTMENTS ENHANCE SECURITY OF YOUR
Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2
Dispelling the vapor around Cloud Security The final barrier to adopting cloud computing is security of their data and applications in the cloud. The last barrier to cloud adoption This White Paper examines
Defining Data Security in 2015 and Beyond What you need to know about physical and virtual data security in a complex business environment Colocation Managed Cloud & Hosting Services Business Continuity
Cyber Security An Executive Imperative for Business Owners SSE Network Services www.ssenetwork.com 77 Westport Plaza, St. Louis, MO 63416 p 314.439.4700 f 314.439.4799 Pretecht SM by SSE predicts and remedies
THE 5 BIGGEST MISTAKES LAWYERS MAKE WHEN CHOOSING A CLOUD SERVICE PROVIDER ( and how to fix them ) In recent years, an increasingly large number of law firms have moved their software and data to the cloud.
CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or
PROTECTING YOUR VOICE SYSTEM IN THE CLOUD Every enterprise deserves to know what its vendors are doing to protect the data and systems entrusted to them. Leading IVR vendors in the cloud, like Angel, consider
IBM Connections White Paper September 2014 IBM Connections Cloud Security 2 IBM Connections Cloud Security Contents 3 Introduction 4 Security-rich Infrastructure 6 Policy Enforcement Points Provide Application
This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not
IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System
INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,
What is Cloud-Based Security? Cloud-based Security = Security Management + Cloud Computing. What is Cloud-Based Security? Cloud computing is: IT services via the internet from an external service provider
GiftWrap 4.0 Security FAQ The information presented here is current as of the date of this document, and may change from time-to-time, in order to reflect s ongoing efforts to maintain the highest levels
In-House Vs. Hosted Email Security 10 Reasons Why Your Email is More Secure in a Hosted Environment Introduction Software as a Service (SaaS) has quickly become the standard delivery model for critical
White Paper Secure, Scalable and Reliable Cloud Analytics from FusionOps A FusionOps White Paper FusionOps 265 Santa Ana Court Sunnyvale, CA 94085 www.fusionops.com World-class security... 4 Physical Security...
WHITE PAPER How to choose and implement your cloud strategy INTRODUCTION Cloud computing has the potential to tip strategic advantage away from large established enterprises toward SMBs or startup companies.
with Cloud-Based Security Services > White Paper It s a phenomenon and a fact: employees are always on today. They connect to the network whenever they want, from wherever they happen to be, with laptops,
Privacy + Security + Integrity Docufree Corporation Data Security Checklist Security by Design Docufree is very proud of our security record and our staff works diligently to maintain the greatest levels
WHITEPAPER Three Things to Consider Before Implementing Cloud Protection Cloud Backup vs. Cloud Recovery VS Cloud Backup http://www.quorum.net/ 2013 QuorumLabs, Inc. All Rights Reserved. Cloud Recovery
Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware
BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...
HITS HR & PAYROLL CLOUD MODEL WHITEPAPER Deciphering Total Cost of Ownership Total Cost of Ownership, or TCO, is commonly defined as the estimate of all direct and indirect costs associated with an asset
TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for
RL Solutions Hosting Service Level Agreement April 2012 Table of Contents I. Context and Scope... 1 II. Defined Terms... 1 III. RL Solutions Responsibilities... 2 IV. Client Responsibilities... 4 V. The
Cloud security with Sage Construction Anywhere Table of Contents Cloud computing s advantage for construction companies... 3 Security concerns... 3 The Sage commitment to security... 4 Sage application
Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies
Open an attachment and bring down your network? Many people think this will never happen to them, but virus attacks can come from unlikely sources and can strike when you least expect it. They can wreak
Deltek First - The Business Case Executive Summary Many organizations that do business with the government are adopting cloud-based versions of specialized business solutions with the aim of focusing limited
Virginia Government Finance Officers Association Spring Conference May 28, 2014 Cloud Security 101 Presenters: John Montoro, RealTime Accounting Solutions Ted Brown, Network Alliance Presenters John Montoro
custom hosting for how you do business 24775 League Island Boulevard Philadelphia PA 19112 gibraltarit.com 866.410.4427 Gibraltar s replicated cloud architecture and PCI/HIPAA compliant data centers provide
Cloud Contact Center Security White Paper Introduction Customers communicate with organizations in a variety of forms from phone conversations to email, web chat and social media. As each interaction may
Addressing Cloud Computing Security Considerations with Microsoft Office 365 Protect more Contents 2 Introduction 3 Key Security Considerations 4 Office 365 Service Stack 5 ISO Certifications for the Microsoft
Is Your IT Environment Secure? November 18, 2015 Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting Clark Schaefer Consulting Serving elite and emerging companies with practical solutions
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
Cloud Contact Center Security White Paper Introduction Customers communicate with organizations in a variety of forms from phone conversations to email, web chat and social media. As each interaction may
GETTING THE MOST FROM THE CLOUD A White Paper presented by Why Move to the Cloud? CLOUD COMPUTING the latest evolution of IT services delivery is a scenario under which common business applications are
Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential
Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices
Whitepaper Best Practices for Securing Your Backup Data BOSaNOVA Phone: 866-865-5250 Email: firstname.lastname@example.org Web: www.theq3.com DATA PROTECTION CHALLENGE Encryption, the process of scrambling information
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
Presented by Luke Downing What is the Cloud? Market research 5 key benefits Considerations/Risks ABA rules Questions to asks Q&A Incorporated in 2002 Founded by Luke Downing & Matt Bakey Located in Norfolk,
Debunking Security Concerns with Hosted Call Centers TABLE OF CONTENTS Executive Summary The Changing Call Center Landscape Identifying and Mitigating Security Risks a. Data b. Applications c. Disaster
Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
A clearer view Security, compliance, and the cloud 2 A Clearer View ecurñ This document examines the current regulatory climate around the cloud and explains what to look for from a security standpoint
About Dorset Connects Dorset Connects, a Chadds Ford, PA based IT consulting firm, was founded on the premise of providing businesses with a simplified way to procure, implement and manage their technology
Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director
PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST Application Name: Vendor Name: Briefly describe the purpose of the application. Include an overview of the application architecture, and identify the data
Approved 1/30/15 by Dr. MaryLou Apple, President MSCC Policy No. 1:08:00:02 MSCC Gramm-Leach-Bliley INFORMATION SECURITY PROGRAM January, 2015 Version 1 Table of Contents A. Introduction Page 1 B. Security
ADVANCE YOUR MISSION WITH THE CLOUD DO MORE WITH LESS CLOUD SOLUTIONS CDW NONPROFIT 2 CLOUD SOLUTION Cloud/hosted software spending by nonprofits and associations increased by 43% while technology hardware
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized
ISSUE BRIEF Cloud Security for Federal Agencies Achieving greater efficiency and better security through federally certified cloud services This paper is intended to help federal agency executives to better
September 18, 2015 Security from a customer s perspective Using a cloud-based talent management program can deliver tremendous benefits to your organization, including aligning your workforce, improving
Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices
ProjectManager.com Security White Paper Standards & Practices www.projectmanager.com Introduction ProjectManager.com (PM) developed its Security Framework to continue to provide a level of security for
IBM Solution scalability with rapid time to value Cloud-based deployment for full performance management functionality Highlights Reduced IT overhead and increased utilization rates with less hardware.
Private Cloud Computing Essentials The 2X Private Cloud Computing Essentials This white paper contains a brief guide to Private Cloud Computing. Contents Introduction.... 3 About Private Cloud Computing....
I White Paper ERP and the Cloud: What You Need to Know Table of Contents Executive Summary... 3 Increased Interest in Cloud-Based ERP and SaaS Implementations... 3 What is Cloud/SaaS ERP?... 3 Why Interest
FormFire Application and IT Security White Paper Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 3 Infrastructure and Security Team... 4 Application Development
Whitepaper Brainloop Cloud Security Guide to secure collaboration in the cloud www.brainloop.com Sharing information over the internet The internet is the ideal platform for sharing data globally and communicating
GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share
Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture 2 Data Security and Privacy Principles for IBM SaaS Contents 2 Introduction
EXTENDING THREAT PROTECTION AND WHITEPAPER CLOUD-BASED SECURITY SERVICES PROTECT USERS IN ANY LOCATION ACROSS ANY NETWORK It s a phenomenon and a fact: employees are always on today. They connect to the
Cloud Security: An Independent Assessent A Quantix White Paper Dec 2010 Call us on: 0115 983 6200 Visit us on-line at: www.quantix-uk.com E-mail us at : email@example.com Why are people concerned
Cole p01.tex V3-07/28/2009 3:46pm Page 1 Network Security Landscape COPYRIGHTED MATERIAL IN THIS PART Chapter 1 State of Network Security Chapter 2 New Approaches to Cyber Security Chapter 3 Interfacing
security in the cloud White Paper Series 2 THE MOVE TO THE CLOUD Cloud computing is being rapidly embraced across all industries. Terms like software as a service (SaaS), infrastructure as a service (IaaS),
Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further
AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals
DOWNTIME BREACHES DATA LOSS. SYMANTEC TECHNICAL SERVICES HELP YOU AVOID THEM. Symantec Technical Services 2015 Symantec Corporation. All rights reserved. Go ahead, you ve got There s More to Protect By