There’s a lot less talk these days about cloud-computing being a risky business for hotel operations. But the growing trend to cloud-based services does not mean security and privacy concerns have been laid to rest.
“There isn’t a conversation where email and web security doesn’t come up, whether it’s with a system engineer or executive,” says Roy Purtill, VP of Cloud Computing for Cisco Canada, a supplier of enterprise IT networking solutions in Toronto. In fact, Cisco surveys consistently show that the risk of data loss is the number-1 security concern.
For the most part, a hotelier’s security concerns tend to fall into two major categories, says D’Arcy Mathias, partner at Deloitte technology consultancy in Toronto. “The first is concern about data [being transferred] from the end user to the data centre. Whenever data is moving back and forth, [there’s a] worry about the risk of data loss or security breaches,” he explains.
The second major security concern within cloud-computing is the overall architecture of the system itself. With data being housed in a multi-tenant environment, where servers are shared, some operators feel competitors will be able to see data and that competitive information will leak out. “Hoteliers don’t have the physical comfort of seeing, touching and having their own team backing the systems,” says Mathias.
At the same time, advancements in security protocols used by reputable cloud providers are becoming robust. “In terms of security measures providers are putting into place, they’ve come a long way with encryption, login, auditing mechanisms and security procedures,” notes Mathias. “Data is always encrypted in motion and at rest.”
Frédérique Philip, co-owner of Sooke Harbour House in Sooke, B.C., trusts the security measures in place behind her cloud-based property-management system, WebRezPro, sold through World Web Technologies Inc., based in Calgary. “I always find it interesting that people get concerned about security when going online. It used to be way more dangerous for people to give their credit cards in restaurants, and nobody seemed to worry about that,” she notes. Each year, her property’s systems are transitioned to accommodate more cloud-based features as they relate to reservations, transaction processing, email services and surveys. “When you start with technology, you can’t go backwards. But it never occurred to me that security would be a problem — and it isn’t,” Philip says.
In fact, the security of cloud-computing is getting better thanks to the growing presence of data centres on Canadian soil. When services first came out, data centres were in the U.S., where data privacy rules are less strict. “Now the major cloud providers are beginning to build data centres in Canada that meet our more robust privacy laws,” Mathias explains.
And, a Payment Card Industry (PCI) Data Security Standard (DSS) was established in 2006 to eliminate the risks associated with cardholder data and payments — another critical area of concern, reports Dan Candido, principal of Amanico Information Technology & Management Solutions, a Toronto-based consultancy.
The hotel, spa and resort sector lagged behind other industries in adoption, despite the fact that more than 55 per cent of credit-card fraud occurs in these sectors, according to “The PCI Compliance Process for Lodging Establishments,” by the American Hotel & Lodging Association.
“Every hotel has to self-police this credit-card thing,” Candido says. “The biggest break [for cloud security] was a couple of years ago when six major hotels agreed upon the security encryption needed to allow information to be sent from hotels to a data centre securely. Once those standards were agreed upon, they could go ahead and follow through with cloud applications.”
Standardization was critical given the complexity of information transfer within the industry, he notes. “Guest information has to hit, on average, eight different systems. All of them have to [communicate] while maintaining security. So you can’t go to the cloud without some sort of standardized security token.”
PCI compliance shook a lot of operators into thinking about security, confirms Michael Manuel, GM at Point Pleasant Lodge in Halifax. “It was a big wake-up call for the industry, because it started encouraging operators to think more globally in terms of security,” he says. “The security hardware, software and ongoing maintenance involves a lot of work, because threats come up daily. Using a cloud service increases the ability to manage and prove compliance, because it’s all there.”
Point Pleasant Lodge initiated a progressive cloud platform evolution in 2005 when it transferred communications and email functions to the cloud. The most recent addition was the Maestro by Markham, Ont.-based Northwind web property-management system.
Security was top of mind when Manuel chose Maestro. “Anyone can put up a shingle on the web and say they’re a cloud host, but they could literally be running a PC in a storage room at their home,” says the GM.
In his years of research, Manuel has come up with a checklist for finding a good cloud host. When vetting, it’s important to investigate PCI compliance, infrastructure, the data-centre location and encryption along with the physical security measures, system redundancy and access. “Also, look at the agreements carefully to ensure you can get your data out should you choose to change providers or if the company dissolves or changes hands,” advises Manuel.
Cisco Canada’s Purtill adds that the level of security demanded by hoteliers is higher than many businesses because some are now connecting to entire cloud ecosystems that may include supply, travel and entertainment partners. “It’s not just rooms and management systems,” says Purtill. “Hotels are now looking at connecting data from multiple devices. The underlying infrastructure and access points needed are huge. But if hotels don’t accept the market change, the biggest danger is that they will be left behind.”
Either way, whether communicating in-house or by the cloud, nothing is perfect. “But, as long as you can stay one step ahead of the hackers, you’re doing well,” says Candido. “Hotels may not have [in-house] resources to dedicate 100 per cent to security, but be as prepared as possible.”