As with the majority of business software, HR and payroll solutions are increasingly available through the cloud as a pay-as-you-use model and are today, considered as mainstream as any other business application.
However, a fundamental issue for any user looking to move their HR and payroll systems to the cloud is the common, yet incorrect assumption that cloud solutions are somehow less secure than their on-premises counterparts.
There are several trends that are having an impact on payroll data security, says Sandra Crous, MD of PaySpace, a leader in cloud-based payroll and human capital management software. “As more and more solutions and goods go digital, the pace of change increases, and at the same time physical borders become blurred, as applications are accessed on mobile devices outside of the organisation, by those needing instant, anytime access.”
“We have seen a massive rise in the use of and delivery of online payslips, mobile self-service, the growing use of automation, and the consumption of payroll services via the cloud, due to their promise of high configurability, fast implementation and increased flexibility. However, on the downside, whenever you are dealing with data-sharing over the cloud as opposed to on-premise, the risk to data increases.”
Remember too, that as the use of tablets and smartphones to access business applications and systems remotely skyrockets, a company’s data might now be stored on a plethora of outside devices instead of within a single, on-premise network. In addition, this slew of devices are all attached to the Web, and many may not be pre-configured by the company with security in mind. Leaving security at the discretion of the employee is never advisable.
Without realising it, businesses are trading convenience for security. “Our reliance on cloud services has seen our dependency on third parties increase too and has obscured our view of the protocols and measures that are in place to guarantee data security. This can cause serious issues because once a company has signed up with a particular provider, they now have to deal with all the risks associated with compliance, legal, and of course integration with other systems.”
One way to ensure your data stays safe, says Crous, is to partner with the right cloud payroll vendor. “Ask them questions such, as to how they handle, and what they do with your data that they have access to. Also question them on their practices, to ensure they are legal and fully compliant with current regulation. Finally, when reading your SLA agreement, read the fine print too. Many unscrupulous businesses like to cloak how they might use your data in legalese that no one bothers to read properly.”
“A reliable vendor with a well-established brand will host your data in a secure environment,” she says. “Moreover, its solutions will also have an interface that is simple and accessible, as well as powerful mobile apps that enable your employees to work on the move. It will also be 100% transparent about data security and have this built-in from the ground up.”
She says PaySpace, for example, goes way beyond what most providers offer in terms of security. “We believe that security has to be considered at every level, from the internal user level, and application layer, to the facilities and network level, and in fact, are one of the few providers who are ISO 27001 certified.”
For the internal user, PaySpace’s security model is flexible, operating on a “need to know basis” and a “who you can see” basis, where the principle of least privilege is applied, users access is restricted to selected screens or to read-only access.”
At the application layer, PaySpace is powered by a single instance, multi-tenant architecture, in which all users and applications share a single, common infrastructure, but is logically and uniquely separated for each customer, with a TenantID in place to ensure that each user’s data is kept separate. “Moreover, all users have a unique email address and password, and all access to PaySpace as a whole is governed by the most stringent password security policies, and all passwords encrypted before they are stored within a database that is encrypted too.”
Crous says PaySpace also employs 128 bit encryption on every form within the system, the reports which are emailed to users are sent in a password protected zip file, and an audit trail exists at every stage for traceability purposes. “Finally, we use safe bank EFT transfer technology for financial account validations as well as communication with banks.”
At a facilities level, PaySpace stores its data at one of Africa’s most modern and state-of-the-art data centre facilities. “Our data is backed up every 15 mins to an offsite server, with a full back up happening every evening. In terms of access, public access is strictly prohibited, and the facility is monitored with live video surveillance 24/7/365.Physical access is controlled by access cards, with access to the facility restricted to Certified Technical Points of Contact. Biometric systems add a third layer of security, with fingerprint scanners used to restrict access and ensure only the appropriate individuals have access to the data centre.”
To ensure network security, PaySpace has proven security practices in place, a perimeter firewall that guards our network against malicious activity by scrutinising data entering or leaving the network. This protects us from DDoS and Zero-Day attacks, as well as malware and spoofing attacks, explains Crous. “We also have IPS in place to scan for any anomalous behaviours that might indicate an attacker is trying to infiltrate our network and block it immediately.”
Finally, she says PaySpace’s vulnerability scanning process protects its systems by pinpointing vulnerabilities that could be exploited by threat actors and reporting them immediately.
“Choosing the right provider means it is possible to harness all the benefits of the cloud without compromising security. Do your research, and make sure your cloud provider is adequately addressing all security risks.”