SaaS Goes To Work At Motorola And The Humane Society

Two real-life deployments show how software as a service works.

Andrew Conry Murray, Director of Content & Community, Interop

November 30, 2007


BEATING THE PCI BLUES
While Motorola serves its customers, the Humane Society has a different constituency--10 million members who support its animal rights advocacy efforts.

CIO Beverly Magda is acutely aware that security is critical. "Most of our funding comes from donations," she says, and most of those donations come in via the Web site. Failure to protect donor information could hurt the group's reputation and choke off funding.

Magda joined the organization a month after it learned it needed to meet the Payment Card Industry Data Security Standard, which requires companies that process credit card transactions to comply with best practices for protecting credit card data and submit an annual assessment of how they're implementing those practices.

Vital Stats

Humane Society

Donations in '06: $86 million
Members: 10 million
Employees: About 400
E-mails sent to members: 47.6 million
Animals treated: 24,539

Those practices include quarterly vulnerability scans of Internet-facing systems and remediation of any vulnerabilities discovered. PCI also requires organizations to submit quarterly reports with the results of the scan to their merchant banks.

Magda needed help. The Humane Society has 14 offices across the country that would have to be scanned, and failing to comply carries severe penalties: The Humane Society could be fined $50,000 a day for failing to file a report with its merchant banks, Magda says. So she hired a consultant to conduct the scans and file the paperwork. The consultant was using a service from Qualys, a vulnerability management service provider.

QualysGuard PCI remotely scans customers' Internet-facing machines, including firewalls, network devices, and Web servers. Using customer-provided credentials, it can log on to these systems to check for software and operating system vulnerabilities and assess system configurations. It reports its findings via a Web browser and provides links to fixes. It rescans systems to ensure that updates and software patches have been applied. The service can also submit scan result reports to merchant banks and provide them as a PDF to customers.

When the consultant explained the service to Magda, she realized her organization could do it itself, saving time and money--the consultant had talked himself out of a job. Magda says she's grateful for the work the consultant did. However, she notes, "we're a nonprofit. We have to be concerned about how we spend money."

Magda's experience with the service has been positive. "They do a lot of research for us and recommend what we need to do for PCI compliance, or even better than PCI compliance." She's evaluating Qualys' full vulnerability management service, which also includes scanning machines behind the firewall.

Magda's also a believer in the SaaS model for other aspects of the operation. She's evaluating a hosted CRM provider that works exclusively with nonprofits. "We have a small staff, so keeping things off-site reduces the burden on IT," she says.

SaaS isn't a magic pill that makes all IT's difficulties vanish. Security and privacy risks as well as integration issues can turn a deployment into a nightmare. And outages will continue to be a looming threat. But IT shops that are cognizant of these issues can use SaaS to streamline business processes, reduce capital expenditures, and alleviate operational burdens. Whether SaaS is deployed to a single department or an entire company, this application delivery model is mature enough to be a standard component of an IT playbook.


About the Author(s)

Andrew Conry Murray

Director of Content & Community, Interop

Drew is formerly editor of Network Computing and currently director of content and community for Interop.
