HR Data Security: How Secure is Your SaaS Deployment?
Whitepaper
November 2009

Introduction

Human Resources (HR) data is one of the most sensitive forms of information any organization maintains. Ensuring the security of this data is therefore critical not only to preserve the sanctity of employees' highly personal information, but also to minimize legal risk to the organization as a whole. This issue takes on even more importance as organizations choose to deploy their talent management systems via a software-as-a-service (SaaS) delivery model. With the cost of a data breach estimated at an average of $6.6 million per incident in 2008 [1], organizations need to ensure that they choose vendors that have secure SaaS solutions.

To further illustrate the risks of choosing an inadequately secured HR solution, here are a few high-profile examples from the more than 310 incidents of data loss reported in the first nine months of 2009 alone [2]:

- Kaiser Permanente had the records of 29,500 employees stolen
- Federal Aviation Administration had 45,000 employee names and social security numbers stolen by hackers
- Aetna had 65,000 current and former names and social security numbers exposed on the web
- Heartland Payment Systems had 130 million credit card numbers stolen by a former government informant (2008)

The good news is that there are talent management vendors that provide both secure SaaS deployment and on-premise options to ensure strong security for your HR data. This guide on HR data security outlines key issues in evaluating SaaS solutions from talent management vendors and provides questions that are important to ensuring the success of your talent management project.

Understanding SaaS for Talent Management

Software-as-a-Service (SaaS) has become one of the fastest growing deployment models for talent management applications in the past few years. This success has brought about many benefits, including lower up-front fees, reduced administration costs, and less burden on IT resources, among others. However, many SaaS vendors neglect the fundamental requirements of ensuring your HR data is as secure as it can be.

For an organization of any size, it is important to determine whether the vendor can provide a robust set of deployment options, such as a dedicated or secure SaaS or an on-premise model, as well as to understand how the system handles data privacy. These critical capabilities and options can guarantee specific application and data security standards are met. However, not all vendors are able to offer these options. Some specific, important differences between a standard SaaS deployment and a secure SaaS or on-premise deployment include:

- Dedicated hardware for each customer environment
- Physically separated customer data from all other customer instances
- Ability for unique high-security measures to be implemented as needed
- Upgrade and update schedules dictated by the customer and not the vendor
- Ability to uniquely configure the application to suit specific customer needs

Understanding vendor deployment offerings and choosing the correct one to suit your organization's needs can be the difference between a successful talent management project and a failed one.

Risks with Multi-tenant SaaS Solutions

The multi-tenant nature of SaaS applications makes security an essential concern. One of the first things to consider when looking at a SaaS option is whether your deployed solution will be residing in a multi-tenant environment. While multi-tenant SaaS can often cost less on an annual basis than other deployment options, it can come with a greater risk of having your employee data breached. This additional risk exists because in a multi-tenant environment many customers reside in one application environment simultaneously.
While vendors can provide security within their applications and databases to prevent customer data from being breached or accidentally leaked, these security measures are sometimes not robust enough. As a result, sensitive employee data may inadvertently end up being visible to unauthorized individuals. Here are the key risks to consider when evaluating a multi-tenant SaaS deployment:

a. Are all customers' data kept in one shared database? The largest risk arises when all customer data is kept in one shared database. Some talent management SaaS vendors provide no database-level segregation for customer data. This means all customer data is co-mingled in the same tables in one database and data security is enforced only in the application. As a result, a simple application code error can breach data security, enabling all customers in an environment to see each other's data.

b. What level of application-level data security does the vendor offer? The SaaS vendor must be able to detail exactly how their application ensures that your data is kept secure and should provide sophisticated role-based and field-level security that can be configured prior to deployment.

c. Does the vendor offer a more secure version of a SaaS solution that provides a dedicated environment? For many organizations, the risks of multi-tenant SaaS solutions are not acceptable, but the SaaS model is still attractive from a cost perspective. Some vendors will provide a secure version of their SaaS offering which has similar cost structures but provides physically separate instances of the application and database, as well as other security services, which dramatically increase the overall security of the solution.

d. Do the benefits of a multi-tenant solution outweigh the risks? Understand and weigh the risks and benefits of multi-tenancy. The benefits may be lower initial price and total cost of ownership. The risk could be that data is co-mingled or has the possibility to be breached.

Typical SaaS Forces You to Upgrade

One of the most controversial policies with a SaaS-only model is the forced upgrade policy. This policy of some SaaS vendors requires that customers upgrade to the next version of the application on the vendor's time frame, generally monthly or quarterly. This can have many bad downstream effects on the customer's organization. Some of the most costly are:

a. The upgrade has issues or fails to work: If the vendor does not manage the testing and QA process well, new releases can be unstable and existing features can stop working correctly. This is actually one of the more common issues with some talent management vendors who are enforcing the automatic upgrade policy.
Beyond the direct issue(s) that application errors cause, they can also erode confidence and usability across your user base. As a result, any benefit achieved from new features can be more than offset by negative consequences.

b. Re-training the user community is constantly required: Often new releases change how an important part of the application works, or in some cases they can even update the entire user interface. As a result, users often require re-training on how to use the new version of the application. This is a hidden cost of a forced upgrade policy that is not small. In large organizations especially, constant training and re-training can be very expensive. Therefore, if frequent re-training is required, any cost savings of going with a typical SaaS solution quickly disappear.

c. Added overhead for administrative change management: When an application upgrade is applied it can do more than just change how an end-user feature works; it can also change how a core process in the application works. This can mean significant change management on complex and established processes within an organization. An example would be updates to compensation planning, which may require that compensation administrators restructure their existing plans to work with the new application release. These requirements can be a significant effort on the part of the customer.

Application Architecture can be a Risk for SaaS

While most vendors offer a SaaS deployment package option for their solutions, some are not architected to be secure. Even if the datacenter is perfectly secure, if the application is poorly architected to address the unique security requirements of a SaaS environment, your data may be at risk. Some of the most common architecture issues to pay attention to are:

a. Why an n-tier architected web application matters: The most important single issue in choosing a secure SaaS solution is whether it is developed using a current n-tier architected model. The two leading architectures in this category are J2EE and Microsoft .NET. Using a contemporary architecture is inherently more secure than using an older architecture, such as .asp or ColdFusion. These older architectures are inherently less secure because they are vulnerable to several current methods of attack, such as SQL injection (a form of attack which will let the attacker gain control over the database and have access to all information stored within it).

b. Need for fine-grained security in a SaaS solution: Core to a secure SaaS application is the security model that the application has embedded within it. The most effective model for security in SaaS applications is a field-level security model. This means that every single data element in the application can be individually secured.
This matters because multiple customers are sharing one core application, so the application needs to secure each user's instance and all the data elements which are being viewed by that user.

Data Privacy & Global Compliance Requirements

Application design can also have a direct effect on whether an application complies with data privacy requirements in different parts of the world, and especially in the European Union (EU). Specifically, solutions must ensure that by design they do not make copies of data on the client machine as a part of the standard operation of the application. A very good instance of this problem is any solution that has part or all of it developed around an e-mail platform such as Microsoft Exchange or Lotus Notes.
A few talent management solutions are designed in this way. These are dangerous to choose because they have the ability to make local copies of data within each user's machine. As a result, these solutions are by design breaking EU data privacy regulations. By contrast, an n-tier architected solution stores data centrally in the data center and only shows authorized data to the user.

In addition, data privacy regulations in the EU and other geographies have specific requirements that data about employees be stored locally within a specific country. However, several of the vendors in the talent management market do not have the ability to provide SaaS anywhere other than the United States. For global organizations, this will not work.

SaaS Datacenter Security Issues

For any enterprise application, datacenter security is also important; but for SaaS vendors this is especially so, as not just one, but many copies of customer data are stored in the datacenter. However, not all vendors provide adequate security when it comes to their datacenters. Below are a few of the most important security-related points to be aware of:

a. Evaluate the infrastructure: Ultimately the largest difference between purchasing a license and renting a SaaS solution is the infrastructure service received as a part of the sale. Therefore, it is very important to evaluate the datacenter services the vendor provides as a part of the offering. One good approach to this is to ask for a technical overview document that outlines the datacenter services provided as part of the SaaS offering. All vendors should be able to provide you this document.

b. Dedicated hosting environment option: As discussed previously, multi-tenant SaaS can pose risks which organizations may find unacceptable. Dedicated hosting for SaaS can provide a truly secure deployment, while still offering the benefits of a SaaS deployment.
Dedicated hosted SaaS deployments provide this additional security benefit by giving the customer a stand-alone hardware environment which runs the client's web, application, and database instances. This can also have the added benefit of shielding the customer from any application performance issues experienced from having multiple customers on one hardware environment.

c. Ability to configure your application in a SaaS environment: Often vendors that provide a SaaS offering do not allow customer configuration. In fact, the vendor must provide the (expensive) professional services to effect any change in the application. For larger organizations, this can pose a barrier to project success. Examples of these issues include handling non-standard single sign-on platforms (SAML), uniquely configured workflows, and changes to performance or compensation forms. Some vendors simply do not allow these configurations or will only allow them at an extreme price increase.
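
The shared-database risk raised under "Risks with Multi-tenant SaaS Solutions" and the dedicated database instances described above can be compared side by side. The following is an added example, not code from this whitepaper or from any vendor; the tenant names, records, table layout and function names are all constructed for illustration. It runs the same coding error (a forgotten tenant filter) against a co-mingled table and against per-customer databases, and includes a check that flags rows returned outside the caller's tenant.

```python
import sqlite3

# Constructed sample records for two hypothetical customers (tenants).
ROWS = [("acme", "A. Jones"), ("acme", "B. Smith"), ("globex", "C. Wu")]

def shared_db():
    """One database, one table: every customer's rows are co-mingled."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (tenant TEXT, name TEXT)")
    db.executemany("INSERT INTO employees VALUES (?, ?)", ROWS)
    return db

def dedicated_dbs():
    """One separate database per customer (database-level segregation)."""
    dbs = {}
    for tenant, name in ROWS:
        if tenant not in dbs:
            dbs[tenant] = sqlite3.connect(":memory:")
            dbs[tenant].execute("CREATE TABLE employees (name TEXT)")
        dbs[tenant].execute("INSERT INTO employees VALUES (?)", (name,))
    return dbs

def report_correct(db, tenant):
    # Application-level segregation: this WHERE clause is the only barrier.
    q = "SELECT name FROM employees WHERE tenant = ? ORDER BY name"
    return [r[0] for r in db.execute(q, (tenant,))]

def report_buggy_shared(db, tenant):
    # The "simple application code error": the tenant filter was forgotten,
    # so the caller's tenant is ignored and every customer's rows come back.
    return [r[0] for r in db.execute("SELECT name FROM employees ORDER BY name")]

def report_buggy_dedicated(dbs, tenant):
    # Same forgotten filter, but the connection is selected per customer,
    # so the query cannot reach any other customer's rows.
    q = "SELECT name FROM employees ORDER BY name"
    return [r[0] for r in dbs[tenant].execute(q)]

def audit_leak(returned, db, tenant):
    """Check: names in a result set that do not belong to the caller's tenant."""
    return sorted(set(returned) - set(report_correct(db, tenant)))

if __name__ == "__main__":
    db = shared_db()
    leaked = report_buggy_shared(db, "acme")
    print("shared, buggy report:   ", leaked)
    print("cross-tenant rows:      ", audit_leak(leaked, db, "acme"))
    print("dedicated, buggy report:", report_buggy_dedicated(dedicated_dbs(), "acme"))
```
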

Conclusion

SaaS has been a successful deployment option for many customers within the talent management market. But it is important to look at vendors' SaaS offerings to ensure your organization is receiving strong security for your HR data. Because the costs of a data breach are very high ($6.6 million and rising), any short-term cost savings with an inadequately secured SaaS offering are quickly erased if your HR data is compromised. In addition, understanding the indirect costs that can come with a standard SaaS offering is important as well. These include items like having a forced upgrade policy or having restrictions on configurations within a standard SaaS deployment. Evaluating vendors that offer secure SaaS alternatives can provide the economic benefits without the risk of HR data being compromised or the additional indirect costs.

Softscape is one of the only talent management vendors that offers customers flexible SaaS options, including secure dedicated database and hosting options, and also provides the most sophisticated role and field-based security capabilities available.

Endnotes

[1] 2008 Annual Study: Cost of Data Breach, Ponemon Institute and PGP Corporation.
[2] DATALOSS DB, Open Security Foundation.

Authored By Stephan Millard, Product Marketing Director
For more information, contact cfaust@softscape.com

About Softscape

Softscape is the global leader in complete people management software solutions that enable organizations to more effectively drive their business performance. Softscape's vision and history of innovation is consistently recognized by industry analysts and luminaries. The company's complete, end-to-end platform natively connects all human resources (HR) and talent functions, including performance management, succession planning, learning, career development, compensation, hiring and recruiting, workforce planning, social networking, and core HR records. Softscape's customers span 156 countries, 30 vertical industries, and include global Fortune 500/Global 2000 enterprises, mid-market companies, higher education institutions, and public sector agencies. Current customers include AstraZeneca, Seagate, GKN, Sony Electronics and KPMG. Softscape is based in Massachusetts with offices in London, Sydney, New York City, Chicago, San Francisco, Hartford, Washington, D.C., Bangkok, Hong Kong, and Johannesburg.

For more information, or to request a demo, please call +1 (508) 358-1072 (international) or +1 (800) 881-2546 (US/Canada), or visit our website: www.softscape.com.

Worldwide headquarters: Softscape, Inc., 526 Boston Post Road, Wayland, MA, USA 01778. Phone (US/Canada): +1 (800) 881-2546. Phone (international): +1 (508) 358-1072.
Softscape EMEA Ltd: Mimet House, 5A Praed Street, Third Floor, W2 1NJ, United Kingdom. Phone: (+44) 118 969 5634.
Softscape Asia Pacific Pty Ltd: Suite 1702, Level 17, 111 Pacific Highway, North Sydney, NSW, Australia 2060. Phone: 011 +61 2 9191 7400.

2010 Softscape, Inc. All rights reserved. The Softscape logo and marks related to Softscape products are either trademarks or registered trademarks of Softscape, Inc. Other brand and product names contained herein may be trademarks or registered trademarks of their respective holders.