Securing the Office of Finance in the Cloud --
       Separating Fact from Fiction

                          Dr. Lothar Determann
                     Partner, Baker & McKenzie LLP

                               John Hugo
        Vice President and Corporate Controller, Life Time Fitness

                              Stan Swete
                   Chief Technology Officer, Workday

     Moderated by: Russ Banham, Contributing Editor, CFO magazine


                         Thursday, April 12, 2012

According to Forrester Research, the global cloud
computing market is valued at an estimated $40.7 billion. In
the future, this market is expected to grow exponentially, as
companies accelerate their adoption of cloud computing.
It's clear that cloud computing is being widely adopted as a
cost-effective strategy for deploying mission-critical
applications within the enterprise. Yet, myths regarding
privacy and security often cloud the decision-making
process.
About Workday


Workday is the leader in enterprise-class, Software-as-a-Service (SaaS)
solutions for managing global businesses, combining a lower cost of ownership
with an innovative approach to business applications.

Founded by PeopleSoft veterans Dave Duffield and Aneel Bhusri, Workday
delivers unified Human Capital Management, Payroll, and Financial
Management solutions designed for today's organizations and the way people
work. Delivered in the cloud leveraging a modern technology platform,
Workday offers a fresh alternative to legacy ERP.

More than 280 customers, spanning medium-sized organizations to Fortune 50
businesses, have selected Workday. Visit us at www.workday.com.
Myths About Cloud Security
• Myths about security, data
  privacy with Cloud
  Computing cloud decisions
• Entrusting data to specialized
  service providers is not new
• Cloud computing does not
  necessarily increase security
  risks
On-premise vs. Cloud Security
• Whether personal data is safer on a system secured by
  the data controller in-house or an external vendor
  depends on security measures deployed by each
  particular organization.
• Fact is that many organizations find it difficult to stay
  in control over modern IT systems, whether they hire
  service providers to provide IT infrastructure or
  whether they host, operate, and maintain systems
  themselves.
• It is important for customer and vendor to reach a
  reasonable agreement about what level of security is
  appropriate for particular types of data and who
  should be doing what… for either type of provider.
Expansion of SaaS for B2B
• Sales Force Automation
• Payroll
• Human Resources
• Expense Management
• Financials
• Payments
Key Stakeholders
• Comprehensive Evaluation
   – IT
   – Legal / Procurement
   – Corporate Leadership
• Look for vendors who:
   – Have successful local & global deployments
   – Are able to respond in detail to requirements
   – Invest to keep abreast of regulatory changes
Questions Regarding SaaS/Cloud
• Senior management and Board of Directors early concerns included:
 -   Initially, “What is SaaS?”
 -   Followed by, “What is the ‘Cloud’?”
 -   Are we comfortable operating our key financial systems this way?

• Business Review Meetings and Audit Committee of BOD quarterly updates were
  (and still are) provided, focusing on:
 -   Emphasis on maintaining strong internal controls
 -   Focus on security
 -   Physical and environmental security
 -   Data integrity
 -   Code and Logic security

• Reliance on SSAE 16 (formerly SAS 70) reports
• Reliance on success of management with prior company
Business Drivers & Benefits
• Initial interest was with Workday, with cloud an eventual “bonus”
• The off-premise concept, including integration management, was intriguing
• Access to all traditional ERP applications, without traditional ERP arrangement
• Currently, Workday applications in the cloud:
 - Human Capital Management, Expenses (reimbursement), Payroll [all live at least 2 years]
 - Procurement, Supplier Accounts (AP), Banking [go live during 2012]
 - Financials (GL), Customer Accounts (AR), Fixed Assets, Projects [go live during 2013]

• Cloud strategy supports our project requirements of:
  - Increased efficiency (speed of system and business processes)
  - Improved accuracy and reporting
  - Lower overall cost

• Managing security and data privacy with third party vs. internal
 - Ensure highest level of controls around cloud security (internal vs. external expertise)
 - Cost – Benefit of internal controls maintenance internally vs. reliance on third party
 - Zero tolerance for breach
Standards & Certifications

• Key Certifications
   – SOC-1 / SSAE-16
   – ISO 27001
   – Safe Harbor
Advice to Companies Evaluating the Cloud
• Besides operational, functionality and pricing
  considerations, consider:
   – do the vendor's data security safeguards meet
     legal requirements and match or exceed your own
     standards?
   – does the vendor give you what you need for your
     own compliance program (information,
     contractual commitments, EU 'adequacy')?
Is Cloud Computing Bad for Security?
• No, not inherently. However, it must
  be supported with a culture of
  security, but this is not specific to
  cloud computing.
• Using a cloud system doesn’t mean
  you can shirk responsibility for the
  security of your systems to vendors.
• Whether personal data is safer on a
  system secured by you or your vendor
  depends on who you and your vendor
  are and on the security measures
  deployed by each particular
  organization.
Q&A
                   Dr. Lothar Determann
              Partner, Baker & McKenzie LLP

                        John Hugo
 Vice President and Corporate Controller, Life Time Fitness

                       Stan Swete
            Chief Technology Officer, Workday

Moderator: Russ Banham, Contributing Editor, CFO magazine

Editor's Notes

  • #6 If you are already connecting your workers using tools on the internet, then there is no difference. Whether you are SaaS or on-prem, the key is what are you doing to secure your system? There is no difference in terms of how you should approach security regardless of approach. Approach should be the same. What access are you giving people, what’s your firewall look like? Not an issue between SaaS and on-prem. How you secure any system in an internet-enabled world.
  • #7 Where has SaaS grown up? Payroll – highly sensitive. Sales forecast data – sensitive to business. HR – major adoption occurred here, super private. All of it is incredibly sensitive – financials no different. None stands head and shoulders above the others.
  • #8 Comprehensive – accounting, IT, legal, marketing (business, legal, technical – not just technical). Vendors have experience. Depth. Breadth. Maturity. Local & global. Legal ramifications. Ongoing changing regulations. Have succ
  • #11 Seed question: Any areas where security can be stronger with SaaS than with on-premise?