Cloud Computing Security at Concur

When Amazon announced late last week that their cloud services in Virginia had some prolonged outages, these services outages caused a number of companies to go off-line. Not only were people unable to access data, but in some cases entire sites were shut down. As that particular cloud server farm hosted the websites of companies like Reddit, CoTweet, FourSquare and Netflix, the situation has drawn a lot of attention to cloud computing.

The term “cloud computing” is actually a catchall phrase. The term refers to different and distinct kinds of services:

  • Software-as-a-service makes applications available over a network, in most cases the Internet. The application is delivered through a web browser or mobile application specifically tailored for a company’s needs. Also known as “on-demand software,” SaaS is what Concur offers with our travel and expense solution.


  • Infrastructure-as-a-service outsources items like servers, network equipment and software to companies. IaaS alleviates the need to research, provide and manage these resources in their business by essentially “renting out” these resources. Companies have full access to these resources from mammoth companies that have a huge amount of capacity to spare. This is the service that is in the news right now with Amazon Web Services.


  • Platform-as-a-service gives developers the ability to build applications for the web without having to install special programming languages and tools. Typically, this is through an API interface which have cloud infrastructure on the back end. from SalesForce and AppEngine from Google are two examples of PaaS.

The big question has been, could what happened in Virginia be prevented? Well, yes and no. “A single piece of infrastructure will fail, and the certainty of that happening is 100 percent, so everything has to be built not only for redundancy but for complete site failover as well,” says Drew Garner, Director of Architecture Services at Concur. “A server will fail. A system will fail. Disasters—while rare—will happen. This is a guarantee. Companies must design for this basic fact or accept the risk of running without a proper safety net.”

But the part that could have been prevented was that the companies impacted by the server failure needed to have planned for that failure with a recovery plan. It’s why customers of Netflix never went without service during the outage: they were prepared for this kind of situation. It’s also why Concur customers have the same peace of mind with their data and service. “At Concur, we have designed our systems to have multiple levels of local redundancy and also have full site failover options tested and available,” says Garner.

We invest in disaster recovery and business continuity plans. That plan and our cloud system are audited annually by a certified third-party auditor in accordance with ISO standards. Utilizing a major, tier-one hosted datacenter and cloud provider, the infrastructure at Concur is secure and private. We built our systems in such a way that if something happens (disasters big and small), we can recover quickly and accurately. During our audits, we simulate a disaster (full loss of primary datacenter), recover from it, and then show what we did to reach that recovery. Our multi-site redundancy allows for 100 percent complete recovery of our clients’ data.

As a leader in software-as-a-service, and as a company that was one of the first to the cloud, we remain convinced of the power and possibilities of cloud computing. The accessibility, speed and security that the cloud offers are absolutely paramount to the success of Concur and the service commitment we offer our customers.

Loading next article