
21st Annual IL Statewide APA Conference


Presentation Transcript


  1. 21st Annual IL Statewide APA Conference August 21, 2014 Stir Up Knowledge on Payroll Data Security and “The Cloud”

  2. Stir Up Knowledge on Payroll Data Security and “The Cloud” Fiona Nolan Principal Workforce Management Consultant Fiona.nolan@kronos.com 21st Annual IL Statewide APA Conference – August 21-22, 2014

  3. Major Security Breaches • Large, Multinational Corp. – Attackers obtained credit card details for more than 52,000 customers by hacking the servers of a Multinational Corp. internet shopping unit. • Specialty Hospital – Sensitive information was compromised when a hacker breached the center’s computers. More than 30,000 patients were affected. • Government Agency – A laptop was stolen containing personal information for approximately 131,000 former and current government employees.

  4. Hacking Trend Continues…

  5. Consequences of Unsecured Data • Identity Theft • Government Fines • Public Relations Nightmares • Bank Fraud • Are there pitfalls for: • SSNs on checks? • Single sign-on? “The Federal Trade Commission treats breaches of employee data as a breach of consumer data” William Dunn, 2012

  6. Ingredients of TLA’s and more • PPI: Private Person Information • PHI: Private Health Information • PII: Personally identifiable information • DC: Data Controller • DPD: Data Protection Directive • CSP: Cloud Service Provider • Safe Harbor: Framework which the Commission considers providing an adequate level of protection

  7. What Constitutes Personal Information? The law defines "personal information" to be an individual's first and last name in combination with any of the following:

  8. What Constitutes Personal Information? • The law defines "personal information" to be an individual's first and last name in combination with any of the following: • Social security number and/or • Driver's license number or CA identification card number and/or • Financial account number, credit or debit card number, in combination with any security code, access code, or password that would permit access to the individual's account and/or • Medical information (medical history, mental or physical condition, medical treatment or diagnosis) and/or • Health insurance information (policy number, subscriber information number, individual's application and claims history including appeal records)
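The definition on this slide, expressed as a check over a payroll export. This is an added example, not part of the presentation; the field names are assumptions, and the sample rows are constructed. It also covers the edge case the definition contains: a financial account or card number counts only together with a code or password that permits access.

```python
# Added example (not from the presentation): classify payroll export rows as
# "personal information" under the definition quoted on the slide: first and
# last name together with at least one of the listed data elements.
# Field names below are assumptions chosen for this example.
from typing import Dict, List, Optional

Row = Dict[str, Optional[str]]

def _present(row: Row, key: str) -> bool:
    """True when the field exists and is non-blank (empty export cells are not data)."""
    value = row.get(key)
    return value is not None and value.strip() != ""

def triggering_elements(row: Row) -> List[str]:
    """Return the listed data elements found in the row.

    Edge case: an account or card number counts only when the row also carries
    a security code, access code or password that would permit account access.
    """
    found = []
    if _present(row, "ssn"):
        found.append("social_security_number")
    if _present(row, "drivers_license") or _present(row, "state_id"):
        found.append("drivers_license_or_id_card")
    if _present(row, "account_number") and _present(row, "account_access_code"):
        found.append("financial_account_with_access_code")
    if _present(row, "medical_info"):
        found.append("medical_information")
    if _present(row, "health_insurance"):
        found.append("health_insurance_information")
    return found

def is_personal_information(row: Row) -> bool:
    """Apply the definition: full name in combination with any listed element."""
    has_full_name = _present(row, "first_name") and _present(row, "last_name")
    return has_full_name and bool(triggering_elements(row))

def flag_rows(rows: List[Row]) -> List[int]:
    """Indexes of rows that must be handled as personal information (e.g. encrypted before transmission)."""
    return [i for i, row in enumerate(rows) if is_personal_information(row)]

# Constructed sample export; all values are fake.
SAMPLE_EXPORT: List[Row] = [
    {"first_name": "Ann", "last_name": "Lee", "ssn": "000-00-0000"},
    {"first_name": "Bo", "last_name": "Kim", "account_number": "4111111111111111"},
    {"first_name": "Bo", "last_name": "Kim", "account_number": "4111111111111111",
     "account_access_code": "1234"},
    {"last_name": "Diaz", "ssn": "000-00-0001"},
    {"first_name": "Eve", "last_name": "Roy", "medical_info": "", "health_insurance": "POL-123"},
]

if __name__ == "__main__":
    print(flag_rows(SAMPLE_EXPORT))  # [0, 2, 4]
```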

  9. Private vs. Personal Information?

  10. Personal or Private? Valuable?

  11. Recipe Ingredients for Chili

  12. Recipe Ingredients for Chili • Garlic • Masa Harina • Limes • Bell Peppers • Thyme • Chocolate • Garlic • Cilantro • Chipotle • Oil • Meat(s) • Broth • Beans • Beer • Cumin • Chili powder • Worcestershire sauce • Salt • Black Pepper • Cayenne pepper • Paprika • Sugar • Oregano • Basil • Chile peppers • Onions • Tomato paste States and Countries are similar: each with their own level of data security/spice

  13. Data Protection Checklist • Implement Corporate Privacy Strategy • Corporate Data Protection Policy • Security Awareness Training • Personal Data Encrypted (regardless of where it resides)? • If external, is the transmission of personal data encrypted? • Encrypted passwords: changed regularly with 3-levels of strength • Paper Documents? Storage and disposal. Stick to legal guidelines for aging. • Clean Desk Policy • Secure printers • Computer Security • Corporate Espionage Education/PubTalk!

  14. Security Awareness Training • CIA • Confidentiality: Limit to only those who should have access • Integrity: Preventing intentional or unintentional modification of data • Availability: Making sure the data is available when it should be • Quiz • Who is responsible for Information Security? • Are anti-virus software and firewalls 100% effective? • Should systems have an auto-logout after inactivity?

  15. Recipe for PPI Exercise • 1 oz Facebook • ½ cup of Wikipedia • Dash of LinkedIn • 1 oz of Zabasearch • 1.5 cups of White pages • ½ stick of InstantCheckmate • Carefully mix the ingredients, one at a time until blended. Sprinkle into Excel.

  16. An Exercise in PPI Futility! 21st Annual IL Statewide APA Conference – August 21-22, 2014

  17. David Recordon 21st Annual IL Statewide APA Conference – August 21-22, 2014

  18. Do we have enough information to cause damage?

  19. Before Deconstructing The Cloud Recipe…

  20. What’s wrong with this picture? (Payroll Data Technology Example) • The databases are located on a Windows 2008 SBS server and the client application is installed on a Windows 7 64-bit workstation • The server is locked in the secure server room, preventing unauthorized access. • The database files are not encrypted but will be protected by an access control list (user ID and password) • The fields in the database are not encrypted • Transmission across the network is not encrypted • No private VLANs on the network and no hardware that supports it at present. We will be upgrading shortly • App developed in the 90’s so I’m guessing no encryption over transmission and probably not securely developed by today’s standards. 21st Annual IL Statewide APA Conference – August 21-22, 2014

  21. Let’s Put That Payroll System In The Cloud… Is the payroll data secure? 21st Annual IL Statewide APA Conference – August 21-22, 2014

  22. Jeopardy. What is… • a visible mass of condensed water vapor floating in the atmosphere, typically high above the ground? • a white or gray mass in the sky that is made of many very small drops of water? • a large amount of smoke, dust, etc., that hangs in the air? • a large number of things (such as insects) that move together through the air in a group? • the delivery of computing as a service rather than a product? • a model for delivering information technology services in which resources are retrieved from the internet through web-based tools and applications, rather than a direct connection to a server 21st Annual IL Statewide APA Conference – August 21-22, 2014

  23. Definition of Cloud Computing • “Cloud computing is so named because the information being accessed is found in the ‘clouds’, and does not require a user to be in a specific place to gain access to it. Companies may find that cloud computing allows them to reduce the cost of information management, since they are not required to own their own servers and can use capacity leased from third parties. Additionally, the cloud-like structure allows companies to upgrade software more quickly.”* • “The practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.” *Source: Investopedia

  24. Picture from Wikipedia

  25. Cloud FUD (Fear, Uncertainty, Doubt)! Reliability, SLAs, ASP, Hosted, Encryption, SaaS, TCO, Security, HTTPS, Firewalls, Multi-Tenant, Private or Public?, CITRIX or Web access?, Single Tenant, Active Intrusion Detection System, Hybrid, Data Sovereignty 21st Annual IL Statewide APA Conference – August 21-22, 2014

  26. Mom’s Recipes • The idea of the Cloud has been around since the 1950’s • Initial services started in 1991 • ASP: Application Service Provider

  27. Private vs. Public Cloud? • Public • Majority are used for web servers/development systems where security and compliance requirements are not an issue • No control over hardware performance because it’s shared • Self-managed • Sarbanes-Oxley, HIPAA cannot be delivered through public cloud • Private • Dedicated hardware to you and only you • Compliance: SOX and HIPAA CAN be delivered • Configurable/customizable • Hybrid Deployments: dedicated and virtual servers

  28. Cloud Provider Considerations • Define what you need. • TCO over 10 years? • Can you use a box cake or do you need your own individual recipe? If you need something complex, how do you achieve it? • Do your homework: • Does the provider have a good track record? • Do they have a single repository or do they have to interface their own stuff (Read the instructions AND warning label on the cake mix!) • Ask them the tough questions that your CIO would ask your IT folks. Better still, have the IT folks ask the questions! • Talk to other customers, not just the first reference they give you.

  29. Total Cost of Ownership

  30. Outcome?

  31. Tasting the Finished Product (Also known as ‘Summary’)

  32. Ingredients of TLA’s and more • PPI: Private Person Information • PHI: Private Health Information • PII: Personally identifiable information • DC: Data Controller • DPD: Data Protection Directive • CSP: Cloud Service Provider • Safe Harbor: Framework which the Commission considers providing an adequate level of protection

  33. Recipe for Ensuring Payroll Data Security • Know the differences between different types of data. • Log out or lock your screen. • Do not transmit unencrypted PII data. • Clear papers from your desk. • Detected new hardware? Check it out. • Take your company’s Security Awareness Training. • Know where your data is at all times.

  34. Cloudy with a Chance of Chili…or Cake! • Do your homework: reliability, security, structure • Can you live with a “cookie cutter” HCM/Payroll, or do you need your own flavors? • Multi-tenant • Single tenant • SaaS or Hybrid? • TCO

  35. Always Check the Recipe!

  36. Thank You for Attending! 21st Annual IL Statewide APA Conference – August 21-22, 2014
