Paylocity: Sustainable, Secure Business Growth

Inaccurate and time-consuming manual scanning tools were not offering this leading payroll and HR services software provider an efficient and effective way to maintain the security of their systems.

Since 1997, online payroll and HR services provider Paylocity has delivered innovative payroll services and human resource software to employees and businesses throughout the country. Paylocity now serves nearly 5,000 clients and maintains an enviable 97 percent client retention rate.

"We constantly are growing the scope of our product, including its features and capabilities," says Edward Fortune, director of information technology at Paylocity. "With those changes and growth in customers, our underlying systems always are changing and expanding. Our IT infrastructure and systems are growing so fast, and complex, that it's become very easy to make mistakes."

That was Paylocity's challenge: rapidly build its applications and provide the dynamic infrastructure necessary, while also making certain the systems are resilient to failure and resistant to breaches. "We want to make sure we always provide highly-available and secure systems to all of our clients," Fortune says.

Keeping those systems secure means staying on top of the latest software vulnerabilities, announced at a rate of about 15 a day, according to the NIST National Vulnerability Database. Yet, being able to spot and quickly deploy updates to unpatched systems and rectify system misconfigurations is the way to keep systems secure from the vast majority of attacks. "We try to stay up on the latest exploits, but so much is happening so quickly that keeping up on software vulnerabilities is almost a full-time job in itself," he says.

Previously, to keep systems secure, Fortune had relied on a number of manual vulnerability scanners. But, as the number of systems and the complexity of applications grew, those scanners could not keep pace. "They required a lot of updating and maintenance," he recalls. "And there were too many false positives for us to deal with," he says.

Fortune began to look for a more efficient way. "I read about Qualys in an article that listed the top 10 vulnerability assessment tools, and Qualys was high on the list. After going to the company's site, I took advantage of the 14-day free trial the company offers," he says. "That would give us enough time to evaluate and compare Qualys with what we were doing," he says.

After conducting the first assessment, Fortune was impressed. "I was simply amazed by how many items Qualys was able to accurately identify," he says. After that initial assessment, Paylocity selected Qualys, as its primary network assessor. Qualys is the leading provider of on-demand IT security risk and compliance management solutions – all delivered as a service. Qualys Vulnerability Management (VM) automates the life cycle of network auditing and vulnerability management across any size organization. Qualys is driven by the most comprehensive vulnerability KnowledgeBase in the industry.

And it's that KnowledgeBase that gives Fortune the accuracy he appreciates. "The information Qualys provides is something that normally would take me an entire day, or even a week, depending on how many vulnerabilities we're managing, if I were to research all of that manually," he says. "Now, it's done in hours. And I understand everything: the problem, the potential exposure, and all of the available fixes."

"This is a significant amount of time savings, month after month, especially when you consider the amount of effort it takes to manually identify vulnerabilities and research the potential impact of vulnerabilities on your system. It's just tremendous," Fortune says. "The service is just impossible for me to replicate locally within my team using an internal solution."

In addition, the speed and accuracy of the scans are greatly enhanced. "With our previous scanner, it seemed to take a tremendous amount of time to get to the point to perform the actual scan," he says. "And the false positives were an ongoing problem. We would be alerted to vulnerabilities that just didn't turn out to be there."

Now, all of those issues are problems of the past. Paylocity relies on Qualys every week to review all of the company's systems for potential weaknesses. All issues uncovered are sent to Qualys’ integrated remediation and trouble-ticketing workflow systems. The automated ticketing system generates tickets based on internal policies, and tracks each until its fix has been verified. Each ticket includes detailed vulnerability information and remediation history.

And, because Qualys also provides concise reports that business managers can grasp easily, they have the insight they need to understand the precise status of their systems. "They're very powerful, easy to read," he says.

Fortune set out to streamline Paylocity's vulnerability and IT risk management, and that's exactly what he managed to do through Qualys’ automated scans, maintenance-free SaaS delivery, accuracy, and insightful vulnerability information. "Qualys allows me to focus on more things. I'm now able to gather more pertinent and direct information about vulnerabilities and act on them right away," he says. "I haven't yet seen another vulnerability management tool that provides all of this as well as Qualys."