HR wants a rewards platform. how do I evaluate the API and security without over-engineering it?
Posted by LeftyOne22@reddit | sysadmin | 16 comments
I'm an IT Manager for a mid-sized company (250 employees, mostly remote). Our HR team got budget for an employee recognition platform. They want something to automate gift cards, swag, and anniversary rewards. They came to me with three options. Two are big names everyone knows. One is a smaller platform that looks flexible but I’ve never heard of it.
My job is to figure out: can this thing integrate without breaking everything else? Is our data safe? And how much work will this be for my team to maintain?
API basics: does it have a real API or just a CSV import? HR wants automatic triggers from our HRIS (we use BambooHR) for work anniversaries and birthdays. If I have to write middleware or use Zapier for everything, that’s a red flag.
Security: Do they have SOC2 or something similar? what happens if we cancel the contract - do we get a data export? I don’t want to explain to leadership why past gift card redemptions are locked in a vendor’s database forever.
Authentication: SAML or Okta integration is a must. I’m not creating separate logins for 250 people and dealing with password reset tickets.
User provisioning: can I sync our employee list automatically? when someone leaves or changes roles, their access should disappear without me manually removing them.
I’ve looked at their API docs and they seem complete, but I don’t want to miss something basic that becomes a problem later. How do you evaluate a smaller vendor’s stability when they’re not a household name? Not looking for sales pitches. Want a checklist from people who already went through this. Thanks guys!
jc6359135@reddit
From the IT side, I’d check the same stuff you listed: BambooHR sync, Okta/SSO, export terms, and offboarding. We’ve had a way better time with tools like PerkUp when HR can run the day to day on their own. IT should just sanity check security and integrations, not become the unpaid owner of the whole thing.
servantotb@reddit
We use Bonusly through Okta. Works just fine and wrt the business we are in I’m pretty sure that our infosec team wouldn’t have approved it if it wasn’t secure
fckmeelmo@reddit
For user provisioning, see if they have a SCIM. That’ll make your life easier, especially with SSO
LeftyOne22@reddit (OP)
oh good call, SCIM totally slipped my mind.
Serafnet@reddit
If not SCIM then JIT provisioning based on group membership.
bobsmith1010@reddit
But keep in mind with JIT, when you run a report you'll see people with wrong group assignments or who were maybe supposed to have been deactivated. Simply because JIT only updates every time someone logs in, and if they don't log in to the application then it doesn't get updated on the app side.
I've had auditors go to audit some financial SaaS app because it was set up with JIT, and instead of looking at the IdP side they look at the app for the permissions.
Serafnet@reddit
Absolutely. You need to document it properly and firmly show the controls in place from the IDP.
That said, some services that run JIT may also have mechanisms to accept uploads to clear out old accounts.
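The gap the two comments above describe (an app's JIT-provisioned accounts lag the IdP until the user next logs in) is something you can surface on a schedule rather than wait for an auditor to find. This is an added example, not from the thread or any vendor; the IdP and app views, the group names and the group-to-role mapping are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (not real accounts). IdP view: email -> (active, groups).
IDP = {
    "alice@example.com": (False, set()),                 # offboarded at the IdP
    "bob@example.com":   (True, {"rewards-users"}),      # moved out of the admin group
    "carol@example.com": (True, {"rewards-users"}),      # hasn't logged in for months
    "dave@example.com":  (True, {"rewards-admins"}),
}
# App view after JIT: email -> (active, role, last_login). Only refreshed at login.
APP = {
    "alice@example.com": (True, "user", date(2024, 1, 5)),
    "bob@example.com":   (True, "admin", date(2024, 9, 15)),
    "carol@example.com": (True, "user", date(2024, 2, 1)),
    "dave@example.com":  (True, "admin", date(2024, 9, 1)),
    "eve@example.com":   (True, "user", date(2024, 8, 20)),  # unknown to the IdP
}
# Hypothetical IdP group -> app role mapping; adjust to the vendor's own roles.
GROUP_TO_ROLE = {"rewards-admins": "admin", "rewards-users": "user"}


def expected_role(groups):
    """Role the IdP entitles a user to, or None if no mapped group (so: no access)."""
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    if not roles:
        return None
    return "admin" if "admin" in roles else "user"


def reconcile(idp, app, today, stale_after=timedelta(days=90)):
    """Compare the app's JIT-provisioned users with the IdP; returns sorted lists of
    accounts to deactivate, role mismatches, and logins too old for JIT to have helped."""
    findings = {"deactivate": [], "role_mismatch": [], "stale_login": []}
    for email, (app_active, role, last_login) in app.items():
        if not app_active:
            continue
        idp_active, groups = idp.get(email, (False, set()))
        want = expected_role(groups) if idp_active else None
        if want is None:
            findings["deactivate"].append(email)    # not entitled at the IdP any more
            continue
        if want != role:
            findings["role_mismatch"].append(email) # app role lags the IdP group change
        if today - last_login > stale_after:
            findings["stale_login"].append(email)   # JIT cannot have refreshed this one
    return {k: sorted(v) for k, v in findings.items()}


def run_example():
    return reconcile(IDP, APP, date(2024, 10, 1))
```

The "deactivate" list is exactly what you would feed to a vendor's bulk-upload or SCIM deprovisioning endpoint, and the report itself is the evidence that the controls live at the IdP.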
fckmeelmo@reddit
Good point; most places will have a JIT provisioning over SCIM
wannito@reddit
Some good suggestions in this thread already for this piece - "what happens if we cancel the contract - do we get a data export?" - that should be defined in the contract. For something like this I'd expect to see verbiage along the lines of they'll delete your info after 30/60/90 days on contract termination.
I'd ask what fields they're looking to sync over; for this it should be some light employee data (name, email, anniversaries, maybe address for shipping, etc). Risk is pretty low in those cases; make sure the API permissions are read only and scoped.
If you want to dive deeper you could ask for data flow diagrams.
Temporary-Library597@reddit
Honestly integration policies need to have something about mission criticality. If the staff's reward program is mission critical (the company exists for staff, not customers), then sure, spend the time.
If not, HR can maintain their own 3rd party app.
RoytripwireMerritt@reddit
Awardco does a pretty great job.
ExceptionEX@reddit
The older I get, the less integration I want to do directly. I'll write a piece of middleware to act as a broker between the two, or a CSV import. But giving 3rd party systems access to our data is just not something I can safely endorse most of the time.
Coming from a startup background, I can tell you that like 80% of the companies out there are basically a duct-taped minimally viable product, where security was certainly one of the last aspects. Sure there is a lot of talk about security and all that, but the truth is that is almost never the case.
Even with larger vendors it is hard to trust with an actual integration.
xxdcmast@reddit
We use ascend by work human. On the rewards end it’s fine. On the it side we have it tied in with okta, set up to provision, sso, etc.
It really is just another saml app at that point.
Frothyleet@reddit
The unhelpful answer is: what does your vendor management policy say you do when you evaluate a potential vendor?
If you haven't spent time aligning with a framework like SOC2, you probably don't have one, although this is an example of why there are real practical benefits to compliance frameworks.
Honestly it sounds like you've got your head around it from a practical standpoint. You need to determine how and how well it will integrate into your existing infra.
For your broader concerns, like whether the company is a shitshow internally, there's really not a ton you can do. The evaluation shortcut that is your best option is exactly what you mentioned - ask/look for a SOC 2 or ISO attestation. If they are SOC they should have their type 3 published as a starting point.
This doesn't mean they are secure or functional, but it means they put effort in trying to look like it, which is better than nothing.
BasementMillennial@reddit
Your job should be focusing on integrating SSO with your current identity provider and ensuring employees can log into it. It should be HR's job to trigger the automation from their HR platform when "x" occurs.
Draw the line in the sand now before they get a hint and try to get you to implement a million things
SpotlessCheetah@reddit
It's really the same as anything else. Nothing special about this being a rewards platform. fckmeelmo has a good suggestion.. if you can use SCIM that would be a good route.