HR Data Security: How Secure is Your SaaS Deployment?




Whitepaper, November 2009

Introduction

Human Resources (HR) data is one of the most sensitive forms of information any organization maintains. Ensuring the security of this data is therefore critical, not only to preserve the sanctity of employees' highly personal information, but also to minimize legal risk to the organization as a whole. This issue takes on even more importance as organizations choose to deploy their talent management systems via a software-as-a-service (SaaS) delivery model. With the cost of a data breach estimated at an average of $6.6 million per incident in 2008 [1], organizations need to ensure that they choose vendors that have secure SaaS solutions.

To further illustrate the risks of choosing an inadequately secured HR solution, here are a few high-profile examples from the more than 310 incidents of data loss reported in the first nine months of 2009 alone [2]:

- Kaiser Permanente had the records of 29,500 employees stolen
- The Federal Aviation Administration had 45,000 employee names and social security numbers stolen by hackers
- Aetna had 65,000 current and former employee names and social security numbers exposed on the web
- Heartland Payment Systems had 130 million credit card numbers stolen by a former government informant (2008)

The good news is that there are talent management vendors that provide both secure SaaS deployment and on-premise options to ensure strong security for your HR data. This guide on HR data security outlines key issues in evaluating SaaS solutions from talent management vendors and provides questions that are important to ensure the success of your talent management project.
Understanding SaaS for Talent Management

Software-as-a-Service (SaaS) has become one of the fastest growing deployment models for talent management applications in the past few years. This success has brought many benefits, including lower up-front fees, reduced administration costs, and less burden on IT resources, among others. However, many SaaS vendors neglect the fundamental requirement of ensuring your HR data is as secure as it can be.

For any size of organization, it is important to determine whether the vendor can provide a robust set of deployment options, such as a dedicated or secure SaaS or an on-premise model, as well as to understand how the system handles data privacy. These critical capabilities and options can guarantee that specific application and data security standards are met. However, not all vendors are able to offer these options. Some specific, important differences between standard SaaS and secure SaaS or on-premise deployments include:

- Dedicated hardware for each customer environment
- Customer data physically separated from all other customer instances
- Ability for unique high-security measures to be implemented as needed
- Upgrade and update schedules dictated by the customer and not the vendor
- Ability to uniquely configure the application to suit specific customer needs

Understanding vendor deployment offerings and choosing the correct one to suit your organization's needs can be the difference between a successful talent management project and a failed one.

Risks with Multi-tenant SaaS Solutions

The multi-tenant nature of SaaS applications makes security an essential concern. One of the first things to consider when looking at a SaaS option is whether your deployed solution will reside in a multi-tenant environment. While multi-tenant SaaS can often cost less on an annual basis than other deployment options, it can come with a greater risk of having your employee data breached. This additional risk exists because in a multi-tenant environment many customers reside in one application environment simultaneously.
While vendors can provide security within their applications and databases to prevent customer data from being breached or accidentally leaked, these security measures are sometimes not robust enough. As a result, sensitive employee data may inadvertently end up visible to unauthorized individuals. Here are the key risks to consider when evaluating a multi-tenant SaaS deployment:

a. Are all customers' data kept in one shared database? The largest risk is if all customer data is kept in one shared database. Some talent management SaaS vendors provide no database-level segregation for customer data. This means all customer data is co-mingled in the same tables in one database, and data security exists only in the application. As a result, a simple application code error can breach data security, enabling all customers in an environment to see each other's data.

b. What level of application-level data security does the vendor offer? The SaaS vendor must be able to detail exactly how their application ensures that your data is kept secure, and should provide sophisticated role-based and field-level security that can be configured prior to deployment.

c. Does the vendor offer a more secure version of a SaaS solution that provides a dedicated environment? For many organizations, the risks of multi-tenant SaaS solutions are not acceptable, but the SaaS model is still attractive from a cost perspective. Some vendors will provide a secure version of their SaaS offering which has a similar cost structure but provides physically separate instances of the application and database, as well as other security services, which dramatically increase the overall security of the solution.

d. Do the benefits of a multi-tenant solution outweigh the risks? Understand and weigh the risks and benefits of multi-tenancy. The benefits may be a lower initial price and total cost of ownership. The risk is that data is co-mingled and could be breached.

Typical SaaS Forces You to Upgrade

One of the most controversial policies with a SaaS-only model is the forced upgrade policy. This policy of some SaaS vendors requires that customers upgrade to the next version of the application on the vendor's time frame, generally monthly or quarterly. This can have many bad downstream effects on the customer's organization. Some of the most costly are:

a. The upgrade has issues or fails to work: If the vendor does not manage the testing and QA process well, new releases can be unstable and existing features can stop working correctly. This is actually one of the more common issues with some talent management vendors that enforce an automatic upgrade policy.
Beyond the direct issues that application errors cause, they can also erode confidence and usability across your user base. As a result, any benefit achieved from new features can be more than offset by negative consequences.

b. Re-training the user community is constantly required: New releases often change how an important part of the application works, or in some cases even update the entire user interface. As a result, users often require re-training on how to use the new version of the application. This is a hidden cost of a forced upgrade policy, and it is not small. In large organizations especially, constant training and re-training can be very expensive. Therefore, if frequent re-training is required, any cost savings from going with a typical SaaS solution quickly disappear.

c. Added overhead for administrative change management: When an application upgrade is applied it can do more than change how an end-user feature works; it can also change how a core process in the application works. This can mean significant change management on complex and established processes within an organization. An example would be updates to compensation planning which may require that compensation administrators restructure their existing plans to work with the new application release. These requirements can be a significant effort on the part of the customer.

Application Architecture Can Be a Risk for SaaS

While most vendors offer a SaaS deployment option for their solutions, some are not architected to be secure. Even if the datacenter is perfectly secure, if the application is poorly architected to address the unique security requirements of a SaaS environment, your data may be at risk. Some of the most common architecture issues to pay attention to are:

a. Why an n-tier architected web application matters: The most important single issue in choosing a secure SaaS solution is whether it is developed using a current n-tier architected model. The two leading architectures in this category are J2EE and Microsoft .NET. Using a contemporary architecture is inherently more secure than using an older architecture, such as ASP or ColdFusion. These older architectures are inherently less secure because they are vulnerable to several current methods of attack, such as SQL injection (a form of attack which lets the attacker gain control over the database and access all information stored within it).

b. Need for fine-grained security in a SaaS solution: Core to a secure SaaS application is the security model embedded within it. The most effective model for security in SaaS applications is a field-level security model. This means that every single data element in the application can be individually secured.
This matters because multiple customers are sharing one core application, so the application needs to secure each user's instance and all the data elements being viewed by that user.

Data Privacy & Global Compliance Requirements

Application design can also have a direct effect on whether an application complies with data privacy requirements in different parts of the world, and especially in the European Union (EU). Specifically, solutions must ensure that by design they do not make copies of data on the client machine as a part of the standard operation of the application. A very good instance of this problem is any solution that has part or all of it developed around an e-mail platform such as Microsoft Exchange or Lotus Notes.

A few talent management solutions are designed in this way. These are dangerous to choose because they have the ability to make local copies of data on each user's machine. As a result, these solutions by design break EU data privacy regulations. By contrast, an n-tier architected solution stores data centrally in the data center and only shows authorized data to the user.

In addition, data privacy regulations in the EU and other geographies have specific requirements that data about employees be stored locally within a specific country. However, several of the vendors in the talent management market do not have the ability to provide SaaS anywhere other than the United States. For global organizations, this will not work.

SaaS Datacenter Security Issues

For any enterprise application, datacenter security is important; but for SaaS vendors this is especially so, as not just one, but many copies of customer data are stored in the datacenter. However, not all vendors provide adequate security when it comes to their datacenters. Below are a few of the most important security-related points to be aware of:

a. Evaluate the infrastructure: Ultimately the largest difference between purchasing a license and renting a SaaS solution is the infrastructure service received as a part of the sale. Therefore, it is very important to evaluate the datacenter services the vendor provides as a part of the offering. One good approach is to ask for a technical overview document that outlines the datacenter services provided as part of the SaaS offering. All vendors should be able to provide you with this document.

b. Dedicated hosting environment option: As discussed previously, multi-tenant SaaS can carry risks which organizations may find unacceptable. Dedicated hosting for SaaS can provide a truly secure deployment, while still offering the benefits of a SaaS deployment.
Dedicated hosted SaaS deployments provide this additional security benefit by giving the customer a stand-alone hardware environment which runs the client's web, application, and database instances. This can also have the added benefit of shielding the customer from any application performance issues caused by having multiple customers on one hardware environment.

c. Ability to configure your application in a SaaS environment: Often vendors that provide a SaaS offering do not allow customer configuration. In fact, the vendor must provide the (expensive) professional services to effect any change in the application. For larger organizations, this can pose a barrier to project success. Examples of these issues include handling non-standard single sign-on platforms (SAML), uniquely configured workflows, and changes to performance or compensation forms. Some vendors simply do not allow these configurations or will only allow them at an extreme price increase.
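The shared-database risk described under "Risks with Multi-tenant SaaS Solutions" (all customers co-mingled in the same tables, with isolation only in application code) and the field-level security model described under "Application Architecture", shown together as an added example that is not from the whitepaper or from Softscape. The schema, the sample rows, the role names in FIELD_POLICY and the functions search_employees_leaky and TenantScopedRepo are all constructed for illustration.

```python
"""Cross-tenant isolation in a shared-table SaaS database: the single missing
predicate that leaks every customer's rows, beside a tenant-scoped, role-aware
data-access layer. All schema, rows, roles and names are constructed."""
import sqlite3

# Constructed sample: two customers' employee records co-mingled in one table,
# with no database-level segregation (the situation described in risk "a").
SAMPLE_ROWS = [
    (1, "acme", "Alice Adams", "123-45-6789", 95000),
    (2, "acme", "Bob Brown", "987-65-4321", 72000),
    (3, "globex", "Carol Cruz", "555-12-3456", 88000),
]

# Field-level policy (constructed): the columns each role may see.
FIELD_POLICY = {
    "hr_admin": {"id", "name", "ssn", "salary"},
    "manager": {"id", "name", "salary"},
    "employee": {"id", "name"},
}


def build_db():
    """Create an in-memory shared database holding all tenants' rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, tenant TEXT NOT NULL,"
        " name TEXT, ssn TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_employees_leaky(conn, name_prefix):
    """The 'simple application code error': the tenant predicate was forgotten,
    so the search returns rows belonging to every customer in the environment."""
    cur = conn.execute("SELECT * FROM employees WHERE name LIKE ?", (name_prefix + "%",))
    return [dict(r) for r in cur]


def foreign_tenant_rows(rows, tenant):
    """Detection check: rows in a result set that belong to another tenant."""
    return [r for r in rows if r["tenant"] != tenant]


class TenantScopedRepo:
    """Hardened data-access layer. The tenant comes from the authenticated session,
    never from the caller, and every query is built with it, so a missing tenant
    filter cannot happen. Parameterised statements keep user input out of SQL."""

    def __init__(self, conn, tenant, role):
        if role not in FIELD_POLICY:
            raise ValueError(f"unknown role: {role}")
        self.conn, self.tenant, self.role = conn, tenant, role

    def _redact(self, row):
        # Field-level security: drop every column the role is not allowed to see.
        allowed = FIELD_POLICY[self.role]
        return {k: v for k, v in dict(row).items() if k in allowed}

    def search_employees(self, name_prefix):
        cur = self.conn.execute(
            "SELECT id, name, ssn, salary FROM employees"
            " WHERE tenant = ? AND name LIKE ?",
            (self.tenant, name_prefix + "%"),
        )
        return [self._redact(r) for r in cur]


if __name__ == "__main__":
    db = build_db()
    leaked = foreign_tenant_rows(search_employees_leaky(db, ""), "acme")
    print(f"leaky search exposed {len(leaked)} row(s) from other tenants")
    print(TenantScopedRepo(db, "acme", "employee").search_employees(""))
```

Run it to see the leaky search return the other customer's row while the scoped repository returns only the caller's tenant, redacted to the caller's role.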

Conclusion

SaaS has been a successful deployment option for many customers within the talent management market. But it is important to look at vendors' SaaS offerings to ensure your organization is receiving strong security for your HR data. Because the costs of a data breach are very high ($6.6 million and rising), any short-term cost savings with an inadequately secured SaaS offering are quickly erased if your HR data is compromised. In addition, understanding the indirect costs that can come with a standard SaaS offering is important as well. These include items like a forced upgrade policy or restrictions on configuration within a standard SaaS deployment. Evaluating vendors that offer secure SaaS alternatives can provide the economic benefits without the risk of HR data being compromised or the additional indirect costs. Softscape is one of the only talent management vendors that offers customers flexible SaaS options, including secure dedicated database and hosting options, and also provides the most sophisticated role- and field-based security capabilities available.

Endnotes

[1] 2008 Annual Study: Cost of Data Breach, Ponemon Institute and PGP Corporation.
[2] DataLossDB, Open Security Foundation.

Authored by Stephan Millard, Product Marketing Director. For more information, contact cfaust@softscape.com.

About Softscape

Softscape is the global leader in complete people management software solutions that enable organizations to more effectively drive their business performance. Softscape's vision and history of innovation is consistently recognized by industry analysts and luminaries. The company's complete, end-to-end platform natively connects all human resources (HR) and talent functions, including performance management, succession planning, learning, career development, compensation, hiring and recruiting, workforce planning, social networking, and core HR records. Softscape's customers span 156 countries, 30 vertical industries, and include global Fortune 500/Global 2000 enterprises, mid-market companies, higher education institutions, and public sector agencies. Current customers include AstraZeneca, Seagate, GKN, Sony Electronics and KPMG. Softscape is based in Massachusetts with offices in London, Sydney, New York City, Chicago, San Francisco, Hartford, Washington, D.C., Bangkok, Hong Kong, and Johannesburg. For more information, or to request a demo, please call +1 (508) 358-1072 (international) or +1 (800) 881-2546 (US/Canada), or visit our website: www.softscape.com.

Worldwide headquarters: Softscape, Inc., 526 Boston Post Road, Wayland, MA, USA 01778. Phone (US/Canada): +1 (800) 881-2546. Phone (international): +1 (508) 358-1072.
Softscape EMEA Ltd: Mimet House, 5a Praed Street, Third Floor, W2 1NJ, United Kingdom. Phone: (+44) 118 969 5634.
Softscape Asia Pacific Pty Ltd: Suite 1702, Level 17, 111 Pacific Highway, North Sydney, NSW, Australia 2060. Phone: 011 +61 2 9191 7400.

2010 Softscape, Inc. All rights reserved. The Softscape logo and marks related to Softscape products are either trademarks or registered trademarks of Softscape, Inc. Other brand and product names contained herein may be trademarks or registered trademarks of their respective holders. LS10_0524