What Keeps Hotel IT Up At Night?

Mark G. Haley, ISHC, CHTPThe Prism Partnership

HAMA September 26, 2013Orlando, FL

2

What Keeps Hotel IT People Up At Night?

September 26, 2013

3

What Keeps Hotel IT People Up At Night?

HSIAData

Security

CloudComputing

September 26, 2013

4

High Speed Internet Access

• It Costs How Much?

• But we just spent $350,000 on HSIA three years ago!

• Why the treadmill?

September 26, 2013

5

HSIA - Demand

• Demand for bandwidth continues to increase!

• No end in sight

September 26, 2013

6

HSIA - Demand

• From a hotel company

2009 2010 2011 2012 2013E0

100,000,000

200,000,000

300,000,000

400,000,000

500,000,000

600,000,000

Bandwidth Consumption (MB)

September 26, 2013

7

HSIA - Standards

• Standards changing, performance improving• Evolution of the 802.11 Wireless Standards– 802.11b >“a” > “g” > “n”– 802.11n is the current standard– Still many “g” devices out there– Generally, access points and client devices are backwards

compatible• Next: 802.11ac

September 26, 2013

8

HSIA – 802.11ac

• What will 802.11ac do for guests?

• 802.11ac DrawbacksSeptember 26, 2013

9

HSIA – 802.11ac

• When?

• Client Devices FollowSeptember 26, 2013

10

HSIA - Implications

• “n” network now?– OK !

• “g” network?– Satisfaction scores?– Invest in “n”• Specify field-upgradeable to ac• Ensure site survey to support greater WAP density

September 26, 2013

11

HSIA

• Elements of cost– Wireless Access Points (WAP)– Switches and cabling– WAP Controllers– Subscriber Management Server– Load Balancing/Bandwidth Aggregation Appliance– Intrusion Detection/Prevention Appliance– Bandwidth

September 26, 2013

12

HSIA – What’s Next?

• 802.11u

• 802.11ad (60Ghz)

• More bandwidth

• More bandwidthSeptember 26, 2013

13

HSIA - Takeaways

• Consumer demand will require continuous re-investment– Try to get on the wave of upgrades instead of under it– Anticipate buying more bandwidth every year

• Upgrade when you guest satisfaction scores tell you that you need to, not when a salesman tells you

• Continuous re-investment requires a revenue stream to support it– Find revenue in HSIA, resist the “Free HSIA” meme– Deliver an Internet experience worth charging for

September 26, 2013

14

DATA SECURITY….What Keeps Hotel IT People Up At Night

September 26, 2013

b

15

Data Security• Fear, Uncertainty & Doubt

September 26, 2013

16

Data Security

• Hotels are targets

• But statistics are improving!

– Why?

September 26, 2013

17

PCI Compliance

• PCI Compliance– Self-regulation imposed by credit card brands– Establishes minimum standards for securing data

and networks from breaches

– Common-sense, but difficult to execute

September 26, 2013

18

PCI Compliance - Risks

• Costs of a Breach– Fines from issuing brands– Costs to address vulnerabilities– Costs of Level 1 audits in future– Lawsuits from card-issuing

banks for card replacement costs

– FTC/CFPB Lawsuits– Loss of customer trust and

goodwill– Loss of business– Tarnished reputation

September 26, 2013

19

PCI Compliance - Players

September 26, 2013

• Key Players & Roles

• Standards “owned” by PCI Security Standards Council

• Enforcement reserved to the issuing brands

20

PCI Compliance - Responsibility

• Always the merchant

• Does that mean the owner is free of responsibility?

September 26, 2013

21

PCI Compliance - Implications

• If manager as merchant is responsible for compliance…..….and they work for you….

• Find out what they are doing!

September 26, 2013

22

PCI Compliance – Owner Questions

• Ask the manager and brand:– Who “owns” compliance in the company?– What budget assigned to PCI Compliance?– What aspects of operation are “in-scope” for PCI

compliance?– Are all in-scope Payment Applications certified as

compliant under PA-DSS?

September 26, 2013

23

PCI Compliance – Owner Questions

• Ask the manager and brand:– What self-attestations have been submitted to

acquirers?– What self-attestations have been submitted to

others? – What is their internal assessment of risk of a

breach?– What processes in place to drive a culture of data

security and privacy in the organization?September 26, 2013

24

Data Security – Other Aspects

• PCI not the only risk in data security

• Hotel-Specific Data Security

• Credential Breaches• Privacy Regulation• Employee DataSeptember 26, 2013

25

CLOUD COMPUTING….What Keeps Hotel IT People Up At Night

September 26, 2013

26

Cloud Computing

• What is it?– Complicated NIST definition:

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. “

http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

– Simply:• Hosted elsewhere by someone you pay to do it well for you

September 26, 2013

27

Cloud Computing

• Complicated definition includes concepts of self-provisioning, multi-tenancy and on-demand scalability

• Basic hosting can be as simple as a rack you lease in a co-location facility

September 26, 2013

28

Cloud Computing

• Private Cloud: One company maintains the cloud for exclusively for their own use or their customers’ use

• Public Cloud: A service provider sells computing resources in their cloud to all comers

September 26, 2013

29

Cloud Computing - Benefits

• Benefits of Cloud Computing– No people required in hotel to maintain system– Higher level of resources available in hosting

facility– Eliminate/reduce need for data synchronization

between enterprise and property systems– Lower cost of operation*

*usually

September 26, 2013

30

Cloud Computing - Benefits

• If a brand embraces the cloud…

• Reduced CapEx by owner• Reduced OpEx by manager• No work or risks for backups, upgrades,

system maintenance, etc.• PCI scope simplified

September 26, 2013

31

Cloud Computing - Risks

• Lack of control of data• 100% dependence on Internet connection• No control over updates, etc.• Still need to manage interfaces locally• Theoretical risk of compromise of network or

cloud security• Risk of one cloud tenant activity impacting

anotherSeptember 26, 2013

32September 26, 2013

Thank You!