Cloud Computing: Keying on Transition, Security Issues


As many companies move key parts of information technology systems to the cloud, where service providers essentially house digital data and functions off site, payroll departments needs to be cognizant of how such moves  affect them, speakers said Sept. 21.

Roger Smith, CPP, a consultant with PayrollProf, provided several definitions of cloud computing, including that it may mean applications and services are offered from data centers around the world and the style of computing allows services to be scalable and delivered to multiple customers.

Cloud computing is different from software as a service, or Saas, a system that licenses software by subscription and hosting occurs at a central location. In some cases, SaaS may be offered outside of the cloud, Smith said.

Companies have been looking to get away from maintaining certain systems infrastructures by moving them to a cloud service provider, said Stephanie Salavejus, CPP, chief operating officer and vice president of PenSoft, a payroll software provider in Newport News, Va.

Salavejus said she once asked cloud system professionals to explain in layman’s terms the way such systems operate. She was told that the cloud was “like an apartment building. All tenants have their own place, but they all share an elevator and they all share the pool.”

Smith and Salavejus, who spoke at a workshop session during the American Payroll Association’s fall forum in Las Vegas, said the development of cloud-based management systems and processes has advantages and concerns in general, and specifically for payroll applications.

Moving systems to the cloud can involve infotech staff cuts, and there are concerns about losing control of the information by placing it all on the cloud, participants said.

Payroll affects the bottom line as the most expensive component, Salavejus said. Payroll’s role in selecting a cloud solution is important, and must involve all stakeholders, such as the departments of information technology, human resources and finance.

There is a need to involve everyone, and getting and keeping all engaged is a “quite daunting task,” she said. A lot of due diligence is necessary for organizations to make the transition to cloud-based services.

Organizations choose to consider cloud services for several reasons, not just cost, Salavejus said. She listed security and mobility were highlighted in a recent survey of small businesses as two factor, in addition to reducing costs, allowing for scalability and providing redundancies and backups to the data.  

However, the cloud is a “treasure trove for identity thieves,” Salavejus said. Employers should sign off on cloud service providers before committing payroll data to the cloud. Among the questions: Are the security components meeting your policies? Does the provider have enough security protocols in place? Is the system robust enough support growing needs?

Built-in redundancies of cloud-based offerings are many, Salavejus said, but clients should ask: Who has access to the backups? What is the archive period?

With regard to cost savings and scalability, can this be quantified? How are the savings determined?  An employer’s reputation is on the line to effectively answer these questions, Salavejus said.

Employers should determine from the provider where the data are to be located, Salavejus said.  “It is important to understand how broadly spread your sensitive data is,” she said. When outsiders are allowed in a system, there can be a lot of risk. Ask the vendor: Do you allow outside product development in your system in a safe zone?

Each vendor takes a level of pride in what is provided, said Salavejus, and should be forthcoming when asked about these issues. Other aspects to weigh when cloud computing is being considered include:

--Where is the data center? Does the vendor have a broad scope of locations?

--Is the data center applying SAS 16/70 procedures and can that be verified?

--Is there multifactor authentication for users? Data encryption? Background checks on all employees?

--What procedures are in place to ensure the system does not crash during an update? How is data backup redundancy set up?

--Will clients in rural areas have the bandwidth/speed to draw on the information needed?

--What security policies are in place? What security protocols are in place?

Significant involvement by upper management is necessary for success, Salavejus said. They need to know the basics, such as the cost and what is being delivered. Include management in discovery process and implementation. As long as they have access to the resources, they can see the information and ask questions, she said.

For payroll professionals, “you set the culture—demonstrate this is as important to you,” she said.

 The cloud environment is not a replica of the desktop environment, Salavejus said. It may be difficult to explain, but sometimes prior services not available in the cloud environment.

Organizations that invest in discovering and vetting cloud-based offerings typically have better outcomes when moving processes to the cloud. Employers should questions until there are no more questions to ask, Salavejus said.

Take a free trial to Bloomberg BNA’s  Payroll Library, your one-stop resource for reliable, up-to-date guidance and analysis in every area of payroll administration and compliance.

Follow Michael on Twitter @MichaelTBaer and join the Bloomberg BNA U.S. and Global Payroll group on LinkedIn.