cloud security: bringing clarity to common myths and misconceptions
Want to get some CLARITY on common myths and misconceptions about Cloud ERP systems? Read this whitepaper to find out what really is and isn't a security issue in the Cloud. Who should read this: CEOs, CFOs, CIOs and Finance & Accounting and Information Technology executives and managers considering a new ERP system, especially one in the Cloud. Top 3 things you'll learn: 1. What the top myths and misconceptions are of Cloud security 2. The top 10 questions you should ask your potential Cloud ERP provider 3. What the value proposition is of combining a Cloud-based ERP with finance & accounting outsourcing services
Cloud Security: Bringing CLARITY to Common Myths and Misconceptions © 2012 Sutherland Global Services. Page 1
Authors: Dan McCue, Senior Vice President, Finance & Accounting, Sutherland Global Services Bill Burke, CEO, Merit Solutions
Cloud Security: Bringing CLARITY to Common Myths and Misconceptions
Finance and Accounting Services
Table of Contents
Introduction 2
The Rise of Cloud Computing 3
Physical Location 4
Transmission 4
Access Security 5
Security From Disaster 6
The New Reality of Cloud ERP Solutions 6
Security Checklist 7
CLARITY es: Cloud-Hosted – Microsoft-Powered 8
Sutherland Global–A Practical Overview 10
Contact Information 10
About Sutherland Global Services 11
Introduction
Companies in today's economic environment are all facing the age-old business conundrum: how can we do more with less? To help improve capacity but drive down costs, organizations are increasingly turning to cloud-based technologies.
Cloud-based Enterprise Resource Planning (ERP) can be deployed quickly, minimizes the initial investment, reduces the Total Cost of Ownership (TCO) and offers seamless upgrades. Although many CEOs, CFOs, CIOs and key stakeholders look to cloud computing to help realize tremendous savings, there are concerns about cloud-based data solutions.
In the age of cyber attacks and the seemingly ever-growing list of online security threats, senior executives worry about the safety of their cloud-based information. Physical location, data transmission, access security and disaster recovery represent the four top-of-mind security concerns.
This white paper will look at some of the key aspects of cloud security and examine some of the myths and misconceptions. Research also shows that while senior executives are apprehensive about cloud-based security, only a small percentage conduct due diligence on their providers. This white paper also includes a checklist of 10 questions that SMBs, mid-market companies and large organizations should ask their potential providers.
The Rise of Cloud Computing
A 2011 survey by CDW found that 28% of US-based organizations are using cloud computing today, and 73% of those organizations took their first step by implementing a single cloud application. Interestingly, the vast majority of the survey respondents (84%) say they "have already employed at least one cloud application." So, in essence, there are a lot of first steps being taken, and wider cloud adoption is foreseeable. There's no doubt the cloud is garnering attention as companies cautiously explore cloud applications. According to an April 2011 Forrester Research report titled "Sizing the Cloud", the global cloud computing market is estimated to reach $241 billion in 2020.
Yet, despite the rise of cloud computing, there are a number of misconceptions floating around, with security at the top of the list. As companies transition from low-risk "testing the waters" to taking the plunge with cloud ERP for more mission-critical functions like Finance and Accounting, the issue of cloud security is inevitable. The question most often asked is, "Just how secure is our data?" It's a legitimate question.
It was only a few short years ago that cloud-based ERP systems were the exception rather than the norm for most companies. The idea of not having all data, infrastructure, software and hardware on-site was new, intriguing and fraught with concerns. Entrusting private business data and applications to an outside hosting service made (and continues to make) some organizations uncomfortable.
Despite the cloud's shift into the mainstream, security and compliance still top the list of apprehensions inhibiting cloud adoption. Some of this apprehension stems from the lack of industry standards: expectations and definitions of security vary from industry to industry. Different regions and countries are also subject to different data protection policies and legislation, which affect where data may be stored and how privacy must be handled. Companies need to conduct due diligence on their prospective cloud providers.
Data security and privacy issues are very real concerns whether SMBs implement a cloud ERP solution or on-premise ERP. Both require knowledge of the data: which data is sensitive, the degree of sensitivity, and the controls required to protect it.
Yet the pervasive myth that cloud-based ERP simply isn't as secure as on-premise solutions continues to linger. The myth persists on the strength of four misconceptions, concerning physical location, transmission, access security, and security from disaster.
Top 5 Cloud ERP Misconceptions
1. With a cloud ERP solution, our data isn’t as secure as it is onsite.
2. Cloud ERP solutions provide only basic ERP functionality.
3. Cloud ERP solutions can’t be customized.
4. It’s difficult to integrate cloud ERP systems with other systems.
5. If the Internet goes down, the business goes down.
Physical Location
The Misconception: A cloud-based solution is nebulous and can't be secured.
The Reality
Cloud computing is new, unknown and eyed suspiciously. It has the appearance of being risky because you cannot secure its perimeter—where are a cloud’s boundaries? A May 2010 study by the Ponemon Institute found that IT professionals believed security risks were more difficult to curtail in the cloud, including securing the physical location of data assets and restricting privileged user access to sensitive data. Yet, as CIO Magazine pointed out:
"…respondents only gave the on-premise alternative a 56% positive rating! In other words, nearly half the respondents believe that their own internal data centers do not do a good job of securing the physical environments of their data centers."1
The reality is that on-premise ERP security often does not measure up to the standards of a world-class, state-of-the-art data center facility.
An ideal data center should be secure, free of windows, and built with cement or steel fortifications, with 24/7 on-site security. Most SMB IT departments occupy a room or a floor of a commercial office building, which rarely meets these conditions.
In comparison, the CLARITY es data centers are housed in multi-million dollar facilities with building fortifications. The main data center is housed underground in a facility designed to withstand an 8.3 magnitude earthquake. The data centers also have 24/7/365 security, monitored by staff as well as security guards.
Transmission
Misconception: Cloud-based solutions are more vulnerable to hacking and other attacks.
The Reality
SMBs typically invest in hardware, software and applications to thwart specific security challenges: spam, security breaches, malware, non-compliance, and so forth. Unfortunately, many of these products have limited life cycles, are difficult to scale and, from a security point of view, often introduce single points of failure. Additionally, deploying and maintaining cryptographic protection for data – public-key algorithms such as RSA, Secure Sockets Layer (SSL, today TLS) for traffic in transit, and symmetric ciphers for stored data (the Data Encryption Standard (DES) and Triple DES offered by older products are no longer considered adequate and have been superseded by AES) – can quickly drain SMB IT budgets.
With traditional licensed ERP software, organizations typically must wait for the next release to benefit from the latest features, upgrades, or security patches. Limited resources can also mean that upgrades aren't deployed in a timely manner. In fact, two-thirds of mid-size businesses are running outdated versions of their ERP software2. This can leave these companies exposed to flaws that have already been fixed in later versions.
1 Golden, Bernard. "Cloud Computing Security: IT's Take on State of Play." CIO Magazine. N.p., 17 May 2010. Web.
2 "Why Cloud Computing Matters to Finance," Ron Gill, CMA, CFM: Strategic Finance, January 2011.
Under the SaaS (Software as a Service) delivery model that forms the basis of cloud ERP, the provider continuously and unobtrusively adds the latest features and upgrades, which means that users can be assured that they’re actually using—rather than waiting for—the latest security technology.
By their very nature, external applications like cloud-based technologies must adopt a "trust no one" approach. Layers of security controls, encryption of all sensitive data and security testing at the application level, as well as countless other safeguards, are necessary for cloud security.
A world-class cloud ERP provider performs rigorous internal vulnerability scans, logs threats, and is audited for SSAE 16 (formerly SAS 70 Type II) compliance. Data is protected both in transmission and at rest. For example, CLARITY es runs on a Microsoft Dynamics AX platform. Its remote procedure calls (RPC) use the RPC_C_AUTHN_LEVEL_PKT_PRIVACY authentication level, the highest level Windows RPC offers: it authenticates the caller and signs and encrypts the contents of every packet, so RPC traffic between application components cannot be read or altered on the wire. There are no software or hardware purchases, and updates are seamless.
Access Security
The Misconception: An on-premise solution offers more security over who may access information.
The Reality
The myth that a cloud solution simply cannot be as secure as an on-premise solution has very much to do with the notion of "seeing is believing." Often companies feel more in control of their data when it resides under their own roof.
When ERP is on-site, it is the sole responsibility of the IT department to authenticate and log all access to data in order to prevent unwanted users, both internal and external, from accessing information or resources.
Access security for on-premise ERP systems may be enforced through business logic or at the database layer. This authenticates users and grants them specific rights to data objects. For example, a payroll clerk would have access only to payroll data, not customer records.
A cloud-based ERP is no different. With CLARITY es, you control access to data throughout by managing security restrictions on forms, records and data fields for specific user groups and domains, and you define and assign rights according to how you want security restrictions managed. As well, because CLARITY es is a single-tenant environment, there is no risk of data being inadvertently exposed to another customer's users through a poorly implemented tenant-separation mechanism; access rights within your own environment still need to be configured correctly.
While a secure cloud ERP system doesn't increase the vulnerability of your business data, authenticated users have "anywhere, anytime, any device" access, which is a tremendous advantage for global collaboration, monitoring and managing. Because that access point is reachable from outside your own network, it should sit behind strong authentication and the secure VPN access described later in this paper, and its access logs should be reviewed just as they would be for an on-site system.
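The group-, form- and field-level restrictions described above, as an added illustration in Python (this is not code from CLARITY es or Dynamics AX, whose security model is configured inside the product rather than written this way): a deny-by-default policy under which a payroll clerk can read payroll records but change only the hours and rate fields, a sales representative sees only the name and e-mail fields of a customer record, and anyone without an explicit grant is refused. The groups, forms and sample records are constructed for the example.

```python
"""Deny-by-default access control on ERP forms, records and fields.

Added example (not CLARITY es or Dynamics AX code). The policy model is assumed
for illustration: a user belongs to one or more groups; each group holds
permissions on a *form* (a data object such as "payroll" or "customer") for an
action, optionally narrowed to specific *fields*. Anything not granted is denied.
"""
from dataclasses import dataclass


class AccessDenied(PermissionError):
    """Raised when no grant covers the requested form, action and fields."""


@dataclass(frozen=True)
class Permission:
    form: str
    action: str                       # "read" or "write"
    fields: frozenset = frozenset()   # empty means every field on the form


# Constructed policy: group name -> grants. Nothing else is permitted.
POLICY = {
    "payroll_clerk": {
        Permission("payroll", "read"),
        Permission("payroll", "write", frozenset({"hours", "rate"})),
    },
    "sales_rep": {
        Permission("customer", "read", frozenset({"name", "email"})),
    },
    "finance_manager": {
        Permission("payroll", "read"),
        Permission("customer", "read"),
    },
}


@dataclass(frozen=True)
class User:
    name: str
    groups: tuple


def _grants(user, form, action):
    """Yield every permission any of the user's groups holds for form/action."""
    for group in user.groups:
        for perm in POLICY.get(group, ()):
            if perm.form == form and perm.action == action:
                yield perm


def allowed_fields(user, form, action, requested):
    """Return the subset of `requested` fields the user may access, or raise."""
    grants = list(_grants(user, form, action))
    if not grants:
        raise AccessDenied(f"{user.name}: no {action} permission on form {form!r}")
    granted = set()
    for perm in grants:
        if not perm.fields:            # an unrestricted grant covers every field
            return set(requested)
        granted |= perm.fields & set(requested)
    return granted


def read_record(user, form, record):
    """Return a copy of `record` holding only the fields the user may read."""
    visible = allowed_fields(user, form, "read", record.keys())
    return {k: v for k, v in record.items() if k in visible}


def write_record(user, form, record, changes):
    """Return an updated copy of `record`; refuse if any changed field is not writable."""
    writable = allowed_fields(user, form, "write", changes.keys())
    refused = set(changes) - writable
    if refused:
        raise AccessDenied(f"{user.name}: cannot write {sorted(refused)} on form {form!r}")
    updated = dict(record)
    updated.update(changes)
    return updated


# Constructed sample records.
PAYROLL = {"employee_id": 1001, "hours": 160, "rate": 31.5, "ssn": "***-**-6789"}
CUSTOMER = {"id": 42, "name": "Acme Corp", "email": "ap@acme.example", "credit_limit": 50000}
```

The important property is that the check is an allow-list: a request for a form or field with no matching grant fails closed rather than falling through to the record. The same rule should hold whether the enforcement point is business logic, as here, or the database layer; what differs is only where the policy table lives.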
Security From Disaster
Misconception: It’s better to handle backups internally to be able to access data more quickly in case of a disaster.
The Reality
Companies must examine how often they back up data and where the backups are stored. SMBs looking to third-party backup systems and business continuity facilities must thoroughly examine the security standards that are in place. The truth of the matter is that SMBs need to invest in a rigorous program of data backups with offsite storage in a secure location separate from the main data center, and they need to test that those backups can actually be restored.
Key questions to ask before choosing an external backup partner include: Does the third-party data recovery service abide by recognized security standards and compliance requirements? What happens if there is a power failure? How long will my data be kept? Are the backups encrypted, and who holds the keys?
Cloud-based solutions, like CLARITY es, ensure full nightly backups, which are stored in an off-site location and are maintained for seven years. As well, the data centers have multiple power sources and redundant incoming lines provisioned in an N+1 configuration for continuous power.
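Two checks that turn "full nightly backups, stored off-site, kept for seven years" into something a customer can verify, as an added example in Python (not CLARITY es tooling): an integrity comparison of the off-site copy against a hash manifest recorded when the backup was taken, and a retention check that flags nights inside the retention window with no backup (either a skipped job or a prematurely deleted copy) and lists copies old enough to be purged. The backup sets and dates are constructed in memory, and the demo shortens the window to 30 days so the output stays readable.

```python
"""Backup integrity and retention checks for a nightly full-backup program.

Added example (not CLARITY es tooling). It shows the two checks that make
"nightly backups, stored off-site, kept seven years" verifiable:
  1. the off-site copy hash-matches a manifest recorded when the backup was taken;
  2. every night inside the retention window has a backup (a gap is either a skipped
     job or a prematurely deleted copy), and copies older than the window are listed
     as eligible for purge.
All backup sets and dates are constructed in memory so the example runs offline.
"""
import hashlib
from datetime import date, timedelta

RETENTION_DAYS = 7 * 365   # seven-year retention, as stated in the paper


def manifest(files):
    """Return {filename: sha256 hex digest} for a backup set given as {filename: bytes}."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_copy(recorded, offsite_files):
    """Compare an off-site copy with the manifest recorded at backup time.

    Returns a list of findings; an empty list means the copy is intact.
    """
    findings = []
    current = manifest(offsite_files)
    for name, digest in recorded.items():
        if name not in current:
            findings.append(f"missing: {name}")
        elif current[name] != digest:
            findings.append(f"corrupted: {name}")
    for name in sorted(current.keys() - recorded.keys()):
        findings.append(f"unexpected: {name}")
    return findings


def check_retention(backup_dates, today, program_start, retention_days=RETENTION_DAYS):
    """Return (missing, expirable).

    missing:   nights from max(program_start, today - retention_days) to today with
               no backup; each one is a policy violation.
    expirable: retained copies older than that window, which policy allows to purge.
    """
    have = set(backup_dates)
    window_start = max(program_start, today - timedelta(days=retention_days))
    nights = (today - window_start).days + 1
    missing = [window_start + timedelta(days=i) for i in range(nights)
               if window_start + timedelta(days=i) not in have]
    expirable = sorted(d for d in have if d < window_start)
    return missing, expirable


def demo(retention_days=30):
    """Run both checks on constructed data (a 30-day window keeps the output readable)."""
    files = {"ax_full.bak": b"constructed full backup bytes",
             "ax_log.trn": b"constructed log backup bytes"}
    recorded = manifest(files)
    tampered = dict(files, **{"ax_log.trn": b"altered after the fact"})
    today, program_start = date(2012, 6, 30), date(2012, 6, 1)
    nights = [program_start + timedelta(days=i) for i in range(30) if i != 14]
    nights.append(date(2012, 5, 20))   # a copy older than the shortened window
    missing, expirable = check_retention(nights, today, program_start, retention_days)
    return {
        "intact": verify_copy(recorded, files),
        "tampered": verify_copy(recorded, tampered),
        "missing": [d.isoformat() for d in missing],
        "expirable": [d.isoformat() for d in expirable],
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The manifest has to be written at backup time and stored somewhere the backup job cannot overwrite, otherwise a corrupted or tampered copy would simply carry a matching manifest. A hash match tells you the bytes survived transport and storage; only a periodic restore into a scratch environment tells you the backup is usable.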
The New Reality of Cloud ERP Solutions
Traditional and cloud ERP share many of the same security issues, from preventing unauthorized access to safe and secure backups. As the “new kid on the block”, cloud technology is unfamiliar and not fully trusted.
SMBs that adopt a cloud-based ERP solution, like CLARITY es, find that security is actually improved. Unlike large enterprise companies, SMBs usually don't have the high security infrastructure, processes or best practices knowledge readily on hand. In the case of cyber attacks, cyber espionage, malware, human error and disasters, cloud-based service providers have higher levels of security.
Microsoft released research in May of 2012, that verified the significant IT security advantages from using the cloud. One of the most interesting facts to emerge from the survey was that "35 percent of US companies surveyed have experienced noticeably higher levels of security since moving to the cloud."3
Security is always a top concern for companies, but it's time to cut through the fog and bring a little clarity to the situation: cloud ERP systems and the data they contain are as secure as, if not more secure than, traditional ERP systems.
3 Microsoft. News Center. Cloud Computing Security Benefits Dispel Adoption Barrier for Small to Midsize Businesses. 14 May 2012. Web.
Security Checklist
CompTIA's 9th Annual Information Security Trends survey of U.S. executives with IT responsibilities found that only 29% of organizations conduct a heavy review of their cloud service provider's security policies, procedures and capabilities.
SMBs must vet their cloud providers by conducting due diligence and asking for proof of physical audits and physical access controls. Here are 10 questions you can ask your provider.
1.) What is your privacy policy?
Your potential solution provider should have a well-defined and clearly articulated privacy policy that spells out exactly who has access to various types of information. It should also describe the organization's standard operating policies and procedures for ensuring privacy. Your prospective vendor should voluntarily provide you with a copy of this policy information.
2.) What level of security do you use to ensure the safety and integrity of critical data?
To safeguard your data onsite, your prospective solution provider should use a combination of intrusion detection system (IDS) and intrusion prevention system (IPS) products and apply antivirus at various network layers. It should also utilize deep packet inspection (DPI) or an application-level firewall that inspects traffic above the packet headers. Finally, it should protect all traffic in transit with TLS (still commonly called Secure Sockets Layer, SSL), that is, HTTPS-encrypted transmission, and should be able to tell you which protocol versions and cipher suites it accepts.
3.) Is your production equipment housed in a state-of-the-art facility?
Your prospective vendor's data center should be secure, free of windows, and built with cement or steel fortifications. It should also be located somewhere that is not prone to severe weather or other natural hazards.
4.) What are your facility’s physical security arrangements? Are they in place 24 hours a day, seven days a week, and 365 days a year?
Similar to its privacy policy, your potential hosted ERP solution provider should have well-defined and robust security arrangements that are in place at all times.
5.) Do you contract with an independent, third-party organization to conduct periodic external and internal vulnerability scans?
In addition to maintaining intrusion detection and a documented incident response plan, your prospective solution provider should frequently commission both routine and unannounced security audits, and should be willing to share the summary findings and remediation timelines with you.
6.) How often do you back up data, and where are the backups stored?
Your potential hosting provider should have in place a rigorous program of data backup and offsite storage in a secure location remote from its main data center.
7.) Do you offer full hardware redundancy to avoid the negative consequences of a power failure?
Your prospective solution provider’s data center and backup location should have redundant power supplies, such as battery and diesel generator backups, to avoid the negative consequences associated with a power failure.
8.) Does your staff include a highly qualified operations team that monitors the site 24 hours a day, 365 days a year?
Your prospective vendor should have on staff many certified security experts, including those with the preferred CISSP designation.
9.) Is my data stored in a multi-tenant or single-tenant environment?
A multi-tenant cloud-based ERP is a set of pooled computing resources shared among many different organizations (tenants); in a typical implementation the tenants share one application instance and one database, and their records are kept apart only by a tenant identifier and the access-control logic that applies it. In a single-tenant environment, each customer operates with its own individual database. It is our belief that an isolated single-tenant environment best maximizes performance, security, privacy and integration, because a defect in tenant scoping cannot expose one customer's data to another; the user-level access controls described earlier are still required within the tenant.
10.) How safe is your data center in terms of natural disasters?
Your potential provider should be prepared for any number of natural disasters. In addition to a windowless, cement building with steel fortifications, the provider should have multiple power sources and redundant incoming lines provisioned in an N+1 configuration for continuous power. For example, our main data center's backup generators can power a city of 25,000 people, which allows us to go off grid for 28 days without water, electricity, sewer, or natural gas feeds.
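The scoping defect that question 9 is really about, as an added example in Python with SQLite (not CLARITY es or Dynamics AX code; the invoice schema and rows are constructed for the example): in a shared multi-tenant database, a query that looks a record up by its identifier alone lets a user of one tenant read another tenant's row, whereas binding the tenant from the authenticated session and routing all access through a per-tenant repository closes the gap. A single-tenant deployment avoids this class of bug by construction, but the user-level controls from the Access Security section still apply inside the tenant.

```python
"""Tenant scoping at the data layer: the bug checklist question 9 is about.

Added example (Python with SQLite; not CLARITY es or Dynamics AX code). In a shared
multi-tenant database every row carries a tenant identifier, and each query must be
constrained by the tenant of the *authenticated session*, never by a value the request
supplies. The schema and rows below are constructed for the example.
"""
import sqlite3


def build_db():
    """Create an in-memory invoice table holding rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoice ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
        " customer TEXT NOT NULL, amount REAL NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoice (tenant_id, customer, amount) VALUES (?, ?, ?)",
        [("acme", "Acme Retail", 1200.0),
         ("acme", "Acme Logistics", 850.0),
         ("globex", "Globex Europe", 4300.0)],
    )
    conn.commit()
    return conn


def invoice_unscoped(conn, invoice_id):
    """Vulnerable: looks the row up by primary key alone. A user of tenant "acme" who
    requests id 3 reads "globex"'s invoice (an insecure direct object reference)."""
    return conn.execute(
        "SELECT tenant_id, customer, amount FROM invoice WHERE id = ?", (invoice_id,)
    ).fetchall()


def invoice_scoped(conn, session_tenant, invoice_id):
    """Hardened: the tenant predicate is bound from the session, so a foreign id
    returns nothing rather than another tenant's data."""
    return conn.execute(
        "SELECT tenant_id, customer, amount FROM invoice WHERE tenant_id = ? AND id = ?",
        (session_tenant, invoice_id),
    ).fetchall()


class TenantRepository:
    """Route every query through the scoped path. Callers never touch the raw
    connection, so they cannot forget the tenant predicate."""

    def __init__(self, conn, session_tenant):
        self._conn = conn
        self._tenant = session_tenant

    def invoice(self, invoice_id):
        return invoice_scoped(self._conn, self._tenant, invoice_id)

    def total_outstanding(self):
        row = self._conn.execute(
            "SELECT COALESCE(SUM(amount), 0) FROM invoice WHERE tenant_id = ?",
            (self._tenant,),
        ).fetchone()
        return row[0]
```

In a production multi-tenant system the same predicate is better enforced a second time at the database layer (per-tenant views or row-level security keyed on the session's tenant), so that an application bug like `invoice_unscoped` cannot bypass it. With a dedicated database per customer there is no foreign row to reach, which is the isolation argument the paper makes.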
CLARITY es: Cloud-Hosted – Microsoft-Powered
The ERP platform of the CLARITY es solution is cloud-hosted and powered by Microsoft Dynamics AX, considered by Gartner as a market leader. The cloud hosting ensures rapid implementation and low up-front costs.
CLARITY es provides multiple customized portals and tailored solutions for all aspects of your business:
• Finance & Accounting
• Procurement
• Human Capital Management
• Sales & Marketing (CRM)
• Project Accounting
• Supply Chain Management
• Production / Manufacturing
• Business Intelligence & Reporting
CLARITY es is a composite and customizable solution with core industry-specific functionalities. All elements of the solution from application implementation, support and hosting to service delivery with guaranteed metrics are provided by Sutherland Global Services – one of the world's largest pure-play BPO service providers.
Dynamics AX Power
Powerful Foundation Gives You More Value Faster
Pre-built industry-specific functionalities enable users to streamline mission-critical business processes with workflow functionality and alerts that provide automatic notification of pending tasks and events. These features provide management real-time visibility into critical business data through customized dashboards and reports. With powerful embedded business intelligence and analytics, you will be able to run ad-hoc reports rapidly and streamline workflows.
CLARITY es Cloud Advantage
Supply Chain
CLARITY es has complete supply chain integration and is customizable to your industry and business.
Flexible & Agile
CLARITY es gives you flexible deployment options, allowing you to switch between cloud and on-premise deployment and to implement your solutions all at once or in phases. This unified model offers companies improved forecasting, reporting, and budgeting abilities. Extend it with industry-specific capabilities as the company evolves.
Web Access
CLARITY es gives you anywhere, anytime access with 97.99% uptime. This user-centric platform provides access to more people, including customers and partners, while maintaining data control and integrity. You get a dedicated environment (not multi-tenant) that replicates an on-premise configuration, administrative rights to the servers, and secure VPN access. Your data will be available where you need it, when you need it. CLARITY es is certified SSAE 16 (formerly SAS 70 Type II) compliant.
Simplified Solution Drives Adoption & Lowers Costs
The interface is familiar and intuitive, allowing for easy-to-use collaboration with colleagues, partners, vendors, and customers using integrated email, instant messaging, and presence information through unified communications.
Sutherland Global – A Practical Overview
Structure
• Globally distributed delivery capacity and domain capability
• The Deloitte-established Tulsa FAO Centre of Excellence has been servicing clients since 1995
• Strategic global locations designed to satisfy SSAE 16 (formerly SAS 70 Type II) standards and Sarbanes-Oxley requirements
Capability
• Full suite of BPaaS services – transaction processing to financial and management reporting
• Integrated analytics to support Collections, Financial Planning and Analysis functions
• Onshore, offshore and hybrid solutions tailored to meet client-specific needs
Expertise
• Dedicated team experienced in business transformation, process optimization and transition services
• Expertise in utilizing existing client applications and/or SGS-hosted ERP systems
• Robust set of add-on technologies supported by in-house application management team
Flexibility
• Custom-crafted Pricing and Commercial Structure aligned to client needs and objectives
• Output/Outcome Based Pricing and No Termination penalties
If you would like to continue the conversation and get information about our CLARITY es offering please contact: +1-800-388-4557
About Sutherland Global Services
Sutherland Global Services is a multi-national technology-enabled business process outsourcing (BPO) services company providing a unique combination of vast BPO resources as well as extensive expertise and industry knowledge in Finance and Accounting. We help you build a high-performance finance organization by combining accounting best practices with proven BPO processes. Our global service delivery infrastructure and full range of outsourcing solutions – from specific transactional processes to controller and compliance functions – help you reduce costs while gaining better visibility and control of financial processes and data. All of our finance and accounting engagements are led by our Controllership & Management Center, based in Tulsa, Oklahoma.
Our strategy quickly improves your F&A operations by adopting a set of standardized processes and using technology and automation to improve efficiency. We begin by analyzing your existing accounting workflows, then we design an outsourcing solution based on your business objectives and available resources. Ongoing processes are transferred to our organization. Once this transition is complete, we follow through to ensure flawless service delivery. The Result: You gain access to higher quality, more complete financial information to support effective tactical and strategic decision-making across your business. Our outsourcing solution not only reduces the cost of the finance function; it provides CFOs the opportunity to focus the organization on what is strategically important to the business.