Securing the Office of Finance in the Cloud -- Separating Fact from Fiction

Dr. Lothar DetermannPartner, Baker & McKenzie LLP

John HugoVice President and Corporate Controller, Life Time Fitness

Stan SweteChief Technology Officer, Workday

Moderated by: Russ Banham, Contributing Editor, CFO magazine

Thursday, April 12, 2012

Securing the Office of Finance in the Cloud -- Separating Fact from Fiction

According to Forrester Research, the global cloud computing market is valued at an estimated $40.7 billion. In the future, this market is expected to grow exponentially, as companies accelerate their adoption of cloud computing.

It's clear that cloud computing is being widely adopted as a cost-effective strategy for deploying mission-critical applications within the enterprise. Yet, myths regarding privacy and security often cloud the decision making process.

Workday is the leader in enterprise-class, Software-as-a-Service (SaaS) solutions for managing global businesses, combining a lower cost of ownership with an innovative approach to business applications.

Founded by PeopleSoft veterans Dave Duffield and Aneel Bhusri, Workday delivers unified Human Capital Management, Payroll, and Financial Management solutions designed for today's organizations and the way people work. Delivered in the cloud leveraging a modern technology platform, Workday offers a fresh alternative to legacy ERP.

More than 280 customers, spanning medium-sized organizations to Fortune 50 businesses, have selected Workday. Visit us at www.workday.com.

About Workday

Myths About Cloud Security

• Myths about security, data privacy with Cloud Computing cloud decisions

• Entrusting data to specialized service providers is not new

• Cloud computing does not necessarily increase security risks

On-premise vs. Cloud Security

• Whether personal data is safer on a system secured by the data controller in-house or an external vendor depends on security measures deployed by each particular organization.

• Fact is that many organizations find it difficult to stay in control over modern IT systems, whether they hire service providers to provide IT infrastructure or whether they host, operate, and maintain systems themselves.

• It is important for customer and vendor to reach a reasonable agreement about what level of security is appropriate for particular types of data and who should be doing what… for either type of provider.

Expansion of SaaS for B2B

PayrollSales Force Automation

Human Resources

Expense Management

FinancialsPayments

Key Stakeholders

Comprehensive Evaluation– IT– Legal / Procurement– Corporate Leadership

Look for vendors who:– Have successful local & global

deployments– Are able to respond in detail to

requirements – Invest to keep abreast of regulatory

changes

Questions Regarding SaaS/Cloud

• Senior management and Board of Directors early concerns included:

- Initially, “what is SaaS”?- Followed by, “what is the “Cloud”?- Are we comfortable operating our key financial systems this way?

• Business Review Meetings and Audit Committee of BOD quarterly updates were (and still are) provided, focusing on:

- Emphasis on maintaining strong internal controls- Focus on security- Physical and environmental security- Data integrity- Code and Logic security

• Reliance on SSAE 16 (formerly SAS 70) reports

• Reliance on success of management with prior company

Business Drivers & Benefits

• Initial interest was with Workday, with cloud an eventual “bonus”

• The off-premise concept, including integration management was intriguing

• Access to all traditional ERP applications, without traditional ERP arrangement

• Currently, Workday applications in the cloud:- Human Capital Management, Expenses (reimbursement), Payroll [all live at least 2 years]- Procurement, Supplier Accounts (AP), Banking [go live during 2012]- Financials (GL), Customer Accounts (AR), Fixed Assets, Projects [go live during 2013]

• Cloud strategy supports our project requirements of:- Increased efficiency (speed of system and business processes)- Improved accuracy and reporting- Lower overall cost

• Managing security and data privacy with third party vs. internal- Ensure highest level of controls around cloud security (internal vs. external expertise)- Cost – Benefit of internal controls maintenance internally vs. reliance on third party- Zero tolerance for breach

Standards & Certifications

Key Certifications–SOC-1 / SSAE-16

–ISO 27001

–Safe Harbor

Advice to Companies Evaluatingthe Cloud

• Besides operational, functionality and pricing considerations, consider:– does the vendor's data security safeguards meet

legal requirements and match or exceed your own standards?

– does the vendor give you what you need for your own compliance program (information, contractual commitments, EU 'adequacy')?

Is Cloud Computing Badfor Security?

• No, not inherently. However, it must be supported with a culture of security, but this is not specific to cloud computing.

• Using a cloud system doesn’t mean you can shirk responsibility for the security of your systems to vendors.

• Whether personal data is safer on a system secured by you or your vendor depends on who you and your vendor are and on the security measures deployed by each particular organization.

Q&ADr. Lothar Determann

Partner, Baker & McKenzie LLP

John HugoVice President and Corporate Controller, Life Time Fitness

Stan SweteChief Technology Officer, Workday

Moderator: Russ Banham, Contributing Editor, CFO magazine