Clear skies? Implementation and security in industry, as explained by Bernard Ellis, Vice president of Industry Strategy, Infor Hospitality
There is a natural fit between hoteliers and cloud and as a result, numerous benefits for those hospitality businesses looking to exploit the technology. At the beginning of a project there are far lower up-front costs. Especially attractive is the fact that there is no need to purchase additional hardware or increase IT headcount.
After a swift deployment, typically much faster than on-premise, changes can be easily made as business needs expand over time. The long-term return on investment (ROI) is higher because the technology vendor will handle system upgrades and enhancements. And in a worst-case scenario, disaster recovery of data is also easier, as information is backed up in the cloud rather than on physical servers.
It is also worth remembering that none of these bonuses come at the expense of the robust, hospitality-specific functionality of an on-premise system. Indeed, the combination of specific capabilities plus a cloud infrastructure supports globalisation for hotels and resorts. With access via the cloud, users, partners and suppliers at locations across multiple continents can share real-time data on everything from guests to revenue. The inevitable result is that information flows more freely and managing daily operations becomes easier as teams are able to connect from different properties and departments – communication and streamlining go hand in hand. This is seen in more informed decision making, as hotel managers have visibility into comprehensive data and an enterprise-wide view of how their organisation is performing and operating.
The concerns over cloud
There are some issues to address and top of this list for the hospitality industry is security. Hoteliers are in a unique position because guest satisfaction, not the delivery of a physical product to market, is the top priority. Compromised guest data including contact and credit card information would mean a serious blow to both revenue and reputation for a hotel. With more ways than ever for customers to voice feedback, including social media and online rating sites, news of a security breach would travel far and wide.
It is therefore vital for hospitality companies to vet a vendor’s approach to cloud security before selecting a provider for their cloud technology. Hotels must own and manage the data, but they do not need to own its protection – indeed, a technology specialist is better suited to that task.
Ensuring security in the cloud is a two-part endeavour. Hoteliers must take steps internally to safely store and transfer data, staff need to be properly trained, and the actual operational processes must be assessed to make sure that customer data is protected at all times.
Software vendors must also take measures to assess potential threats and implement effective security controls. A vendor's own security approach must be robust, and it is essential to confirm that any technology partner follows the necessary industry-standard protocols.
Vendors are the obvious choice as a starting place for each of these security measures. Technology providers should be a partner in ensuring cloud success. So, with security top of mind for cloud deployment, decision-makers should first ask potential technology partners how in-depth their security strategy is.
No vendor should rely on a single technique or device – there is safety in numbers. Data assurance should be confirmed through a multi-layered approach with overlapping security controls. For example, the cloud architecture should include different levels to protect against specific strikes like a Distributed Denial-of-Service (DDoS) attack, as well as more general information attacks such as vulnerability scanning. Real-time monitoring of potential internet threats is also crucial, as are firewalls that isolate critical components and prevent access from an external network.
The consistent cloud
The next issue is then how this strategy has led to the technology vendor developing products that are cloud-secure. Software should be secure from the ground up. Security features and performance for each product should be established from the beginning to guarantee that they are architected into the software design. Consistency is key to any defence, and the only way that can be achieved is to have a security-aware strategy in place from the point of product design.
Potential partners should also conduct frequent, routine testing to identify potential vulnerabilities and problem areas, as well as code reviews. And these reviews are not just limited to the products. In order to verify that developers are kept up-to-date, confirm that the software provider also conducts regular security training sessions to make sure that all security policies are followed.
The connected clouds?
A key point of security is to assess if the cloud network will be separated from the general corporate network. Independent cloud networks that exist separately from the general corporate network provide additional security against data corruption. It also means the cloud network can be designed, from the ground up, to feature increased security without impacting the performance of the corporate network. View the two as brother and sister, not the same child.
Part of this extra protection for the cloud network will then enable hoteliers to remain protected, even if users do not employ security best practices. For large international chains it is utterly impossible to confirm that each user at every location is running up-to-date anti-virus protection software and does not have a compromised system. The network should enforce security, even when employees do not.
For an industry based on physical buildings, one of the other top concerns should be the physical measures taken to protect the infrastructure. How the data centre will be physically protected is a vital consideration. Will there be registered guest restrictions, locked cage spaces or biometric safeguards? How will the vendor monitor, detect and alert necessary IT staff and decision-makers if there is a physical intrusion?
Beyond physical considerations, the traffic within the network should never be broadcast using an antenna or wireless transmitter. A virtual private network should be required to protect data. These should all be part of the strategic IT services offered by the vendor and they must include mandatory security requirements. These could include automated logging of security events, continuous management of backups, and administration of limited user-account permissions.
Services should be fully compliant with the security standards required for global data centres in order to enable the highest level of safety and of course, data should also be encrypted to ensure that the information of hotel guests is protected from potential threats.
The contained cloud
Best practice is to provide options for tiers of user access within the network, allowing hotel staff to see only the information that is required to complete their job. The vendor should not allow hotel users to tap into supporting operating systems or lower functions; rather, requests should be managed in different segments and then sent to protected back-end databases.
If this sounds like a lot of work for the vendor, it is, so check that the vendor has a specific group or business unit tasked with the implementation and deployment of cloud technology. Cloud security is no place for amateurs. Confirm that those working to build and launch the system have extensive experience with SaaS-based implementations and have received extensive training on cloud security. Having a group dedicated to cloud technology also indicates that it is a priority for the vendor, and that they will actively work behind the scenes to enable the security of your data, as well as continue to develop system protection enhancements and optimise the application overall.
A vital role for this team should be security monitoring in order to identify attempted breaches. At the most basic level, the system should maintain centrally managed passwords to protect administrative access points to the cloud network. Unsuccessful password attempts and patterns that could potentially indicate a security breach are top priorities. The system should always have the ability to authenticate the server, which ensures that all user sessions are authenticated.
Additionally, vendors should log and monitor security incidents to certify that the system has not been compromised. By collaborating with hoteliers to investigate intrusion attempts, vendors can become a critical ally in mitigating safety risks.
Cloud technology has a massive array of benefits to offer hoteliers and indeed many of the above issues will be invisible to all but a select few within a company. But the security of customer data is critical for the hospitality industry and as such these best practices form the cornerstone of the exceptional ROI that cloud can deliver.
Vendors should demonstrate compliance with ISO-27001 – the internationally recognized credential for a securely designed information management system. This is often the first, and most concrete, box to check when selecting a technology provider for your project. It is designed to enable the security of financial assets, intellectual property, employee details, and third-party information, which for hoteliers includes guest-related data and should be viewed as “table stakes” in selecting a technology partner.