It’s the middle of the middle month of a choppy year and I’m thinking about how we stay steady. I’m thinking about ballasts, the heavy things—weighty, substantive—employed in ships to lend balance. My ballast is my family, and I’m lucky enough to have a few. There’s the family of my blood, those mad geniuses who share my last name; the family of my friends, wild spirits exploring the limits of what’s possible; and, last but not least, the family I walked into when I came to Google.
This Pride, Google and Google’s LGBTQ+ community are celebrating families big and small, chosen or inherited, as part of #ThisIsFamily. We encourage you to post on social media about the people who make up your family (no matter how you define it) and to donate to nonprofits like PFLAG, It Gets Better and GLAAD. Google.org has pledged to match up to $100,000 in total in donations to these three organizations during the month of June.
That’s not the only way we’re celebrating Pride. In typical Google fashion, we’re helping you connect with the world around you (and having a bit of fun) across our products:
In Google Maps, this year’s parade routes are paved with rainbows.
You’ll find rainbow “easter eggs” scattered through Google Search and G Suite, and you can join the fun from your desktop by switching your Gmail to a Pride theme for the month of June.
Google Play Newsstand has a special feature page for Pride-related coverage.
On YouTube, we’re celebrating the LGBTQ+ creators who are #ProudToCreate a better future with their imagination, creativity, talent, and truth through our YouTube Spotlight Channel, Twitter, and Instagram.
We continue to help businesses declare their establishments “LGBTQ+ Friendly” or “Transgender Safe Space” on their business listings in Google Maps and Google Search.
One year on from our initial donation to the LGBT Center of New York in collaboration with the National Parks Foundation, Google.org is contributing another $500,000 (for a total of $1.5 Million) to the Center to help with the digitization of LGBTQ+ history. The project is called Stonewall Forever, and we need your help to find, preserve, and share the untold stories of LGBTQ+ history.
Google Arts & Culture has a dedicated Pride collection celebrating LGBTQ+ history, with 20 exhibits and over 2,700 artifacts, part of which comes from the Stonewall Forever project.
Ballasts, like families, help us stay steady amidst commotion. Paradoxically, maybe, these heavy things also lift us up.
As organizations adopt a comprehensive teleworking policy, creating a reliable, scalable, and secure connectivity solution for their expanded remote workforce has become extremely important. Many organizations have already migrated some or all of their workloads and applications to Amazon Web Services (AWS) to take advantage of the elasticity, reliability and scalability of the public cloud. As a result, customers demand a solution that not only integrates with AWS native services, but also enables their remote workforce to connect to enterprise applications deployed in hybrid cloud environments in an agile and reliable manner.
Fortinet Next Generation Firewall (NGFW) Virtual Appliance is available in the AWS Marketplace. The FortiGate NGFW supports various Amazon EC2 (Elastic Compute Cloud) instance types and configurations to offer customers scalable SSL VPN and IPSec capabilities. This allows hundreds of users to concurrently and securely connect to applications deployed in their AWS accounts via an encrypted connection (like IPSec or SSL). Additionally, FortiGate-VM leverages AWS c5n instances to distribute packet processing workloads across all available vCPUs. It also leverages the redundancy and resiliency of AWS to ensure business continuity in the event of a natural disaster. In this blog, we will discuss some of the design considerations to deploy a scalable, secure solution in AWS using FortiGate-VMs. We will also outline how the solution can be launched in AWS.
Multi-Region Deployment with AWS Transit Gateway and AWS Route 53
While there are different ways to design a resilient architecture in AWS, most designs consider deploying services in at least two AWS regions to enable disaster recovery and avoid service disruption in the event of a natural disaster, such as an earthquake. Additionally, by deploying resources in two or more availability zones within an AWS region, customers can ensure fault tolerance. Figure 1 depicts a multi-region FortiGate deployment that leverages AWS Route 53 to help connect SSL clients (FortiClient) to a region with the least latency. In this architecture, two regional cloud security services hubs (us-east-1 and us-west-1) have been deployed. Each cloud security services hub is comprised of two FortiGate instances.
Figure 1. Multi-region teleworker deployment with FortiGate-VM and AWS Route 53
As shown, Route 53 enables VPN clients to get an IP address from a FortiGate endpoint to terminate VPN connections based on latency. In addition to regional redundancy, an AWS design best practice includes deploying at least two FortiGates, each in a distinct availability zone. Multiple FortiGate design options, such as active/active and active/passive, are available. Multivalue Answer Routing in Route 53 can be used to distribute the IPSec VPN traffic across FortiGates in each region, as shown in Figure 1.
Most customers deploy applications in multiple VPCs that need to be accessible by remote clients. AWS recommends leveraging the AWS Transit Gateway for connectivity between centralized shared services VPC and all application VPCs. As depicted in Figure 2, FortiGate-VMs in the cloud security services hub can be connected to an application VPC via an AWS Transit Gateway. In this architecture, an AWS NLB load balances SSL VPN traffic across the two FortiGates in the hub VPC using 5 tuple hash (Source IP/Destination IP, Source Port/Destination Port and Protocol).
As shown in Figure 2, two subnets in the cloud security services hub terminate VPC attachments connected to the Transit Gateway. Once SSL VPN tunnels are terminated at one of the FortiGates, remote users can then access applications deployed in the application VPCs. For example, if a remote user needs to access a workload in the Application VPC B, a specific route (10.20.0.0/16) in the private subnet’s route table will be used and the traffic will be routed to the transit gateway via a Transit Gateway attachment as shown in Figure 2. Note that the route table in each private subnet contains routes to the application VPCs via the Transit Gateway attachment. Additionally, they contain a default gateway route that points to the FortiGates’ private ENI in each availability zone. The return traffic will be routed via transit gateway back to the hub VPC. The route table in the FortiGate entry subnet, where the VPC attachment is terminated, has the default gateway set to the private ENI of the FortiGate – this way, the return traffic can take the same path back to the remote user. Customers can create IPSec VPN connections from their on-premises to FortiGates in the Hub VPC or Transit Gateway. This will enable remote users to access the on-premises resources as well.
Figure 2. Remote Access SSL VPN with FortiGate-VM and AWS Transit Gateway
Additional Design Considerations
The architectures discussed earlier in this document are meant to provide a reference design for a scalable teleworker solution in AWS. However, there may be additional important design considerations that need to be accounted for when deploying the solution in your AWS environment. These may include:
Scaling out with FortiGate Autoscaling – Customers can deploy a FortiGate ASG integrated with the AWS transit gateway. This feature is built into the FortiOS (FortiGate’s purpose-built operating system) to allow for a smooth scale in/scale out solution. This can be deployed using a CloudFormation template available at Fortinet’s official GitHub repository.
Inside tunnel CIDR (classless inter-domain routing) – Plan your hub VPC CIDR (where the FortiGates reside) to accommodate all remote clients. For instance, if you expect 300 employees to connect to a FortiGate, a VPC with /24 CIDR won’t have enough IP addresses for one to be allocated to each client. Although it is possible to apply source NAT at each FortiGate, it is generally not a recommended practice since many organizations require full client visibility.
FortiGate instance type/size – as mentioned previously, there are several different instance types/sizes of FortiGate solutions available in the AWS Marketplace. FortiGate-VM can achieve the best performance (up to 20Gbps IPSec traffic ) when turned on with the C5n.18xlarge instance due to the enhanced networking capability that the FortiGate-VM can fully achieve, as well as other optimizations such as auto CPU affinity. Note that to support a greater number of tunnels and higher throughput, a FortiGate-VM can be scaled up to a higher instance size.
Launching FortiGate-VM from AWS Marketplace
To launch a FortiGate-VM from the AWS console, log in to the AWS Management Console, select the AWS region where your resources are located, and navigate to EC2 landing page. Click on launch instance and enter FortiGate in the search field. This will bring up the associated links in the AWS Marketplace. Click on the link to choose the FortiGate-VM.
FortiGate-VM for AWS supports both on-demand licensing and bring-your-own-license (BYOL) models. The On-Demand Model offers a free trial that will let users try FortiGate-VM in AWS without incurring software charges. You can choose the licensing model that best suits your licensing needs.
Once you select the right Amazon machine image (ami) for the FortiGate-VM, you can subscribe to the Fortinet FortiGate Next Generation Firewall software and click on Continue. At that point, it will let you select the instance type for your FortiGate-VM. Fortinet supports a wide variety of instance types in AWS, ranging from 1 vCPU t2.small to 72 vCPU C5n.18xlarge instances. Fortinet strongly recommends utilizing the C5n instance type to take advantage of AWS enhanced networking to achieve maximum network throughput. In the next step, choose the VPC where you want to deploy the instance and the subnets that you want the FortiGate-VM instance to be deployed in.
Figure 3. Choosing an instance size when launching FortiGate in AWS
You can leave the storage (Step 4) and tags (Step 5) as default, and navigate to the Security Groups section. Once there, click on Create New, choose a name for the security group, and add the ports that you intend to use for managing the firewall as well as the ports used for traffic. By default, the recommended FortiGate ports will have HTTP (TCP Port 80), HTTPS (TCP port 443), SSH(TCP Port 22), and other management ports. For SSL-VPN, you can use 10433 or any other custom port other than 443, since 443 is used for FortiGate’s HTTPS management.
Choose “save” once all the required ports are added to the security group along with the right source. The source can be anywhere (0.0.0.0/0 and ::/0) for SSL-VPN, or a specific range of IP addresses for things like source IP access control. The next step is to select the key pair. For key pairs, you can select an existing key pair or choose “Create a key pair in EC2” to create a new key pair. The public key will be added to the EC2 instance, which allows you to access the instance using the corresponding private key. After making the selection, review all the settings and launch the instance.
Figure 4. Adding inbound rules to a Security Group
Once your FortiGate-VM instance is running, associate an Elastic IP address to the internet facing interface of that instance. The Elastic IP will be used to manage the FortiGate-VM (on HTTPS) and to complete the configuration of IPSec/SSL-VPN. IPSec VPN uses UDP port 500 and 4500 (if NAT is used). Allow these ports in the security groups if you choose to use IPSec VPN for remote access. SSL-VPN users would also be using the Elastic IP on the custom port that was selected for SSL-VPN in the security Group. A single FortiGate-VM in AWS for SSL-VPN solution would be a single point of failure, so to provide high availability, fault tolerance, and resiliency we recommend deploying a FortiGate HA Cluster across multiple availability zones in a single region.
To provide disaster recovery, the same setup can be replicated in another region, with the traffic load balanced by Amazon Route53. Amazon Route53 supports multiple routing policies one of which is latency-based routing policy which serves the user’s requests from the AWS region that has the lowest latency. Within each region, additional record sets can be created with multivalue answer routing to load balance connections to the FortiGates. Multivalue answer routing policy let’s users configure Amazon Route53 to return multiple values in response to DNS queries. Detailed information about Amazon Route53’s latency based routing can be found here. To configure multivalue answer routing, refer to the documentation here. Traditionally, FortiGate’s clustering protocols work over multicast, but in AWS the configuration synchronization happens over unicast (UDP and TCP). It also leverages AWS features like AWS Lambda, API Gateway, and CloudWatch metrics for the failover process.
In a FortiGate (Active-Active) A-A solution in AWS, FortiGates are launched in two different availability zones. This solution does not provide failover for ingress traffic, as this should be handled by external resources such as AWS ELB or Route53 services. In a FortiGate (Active-Passive) A-P solution in AWS, FortiGates are launched in two different availability zones. During failover, the Elastic IP of the Active Device is disassociated from the Active FortiGate and associated with the Passive FortiGate. In both Active-Active and Active-Passive soltuions, if one of the FortiGate-VM fails, the route tables for the private, protected subnets are also changed so that the traffic now flows to the active FortiGate-VM.
FortiGate NGFW Active-Active Solution can be deployed using a CloudFormation template from Fortinet’s official GitHub repository. FortiGate NGFW Active-Passive Solution can also be deployed using the related CloudFormation template from Fortinet’s official GitHub repository.
Virtual Private Network
Virtual Private Networks (VPN) let sites and users connect to private networks over the public network (internet) to gain secure access to their resources. Instead of using expensive leased lines or other infrastructure, organizations can use utilize the relatively inexpensive, high-bandwidth internet. Since the internet is universally readily available, VPNs are used extensively for remote connectivity both for site-to-site and remote access VPNs. Two of the most used types of remote access VPNs are IPSec and SSL-VPN.
A managed client-based VPN service provided by AWS is the AWS Client VPN. It enables you to securely access your AWS resources as well as datacenter environments. FortiClient is Fortinet’s Client VPN software, and the added value FortiClient brings is in its embedded security features, increased flexibility and configurability, and lesser restrictions on the client computers and networks.
Remote Access to Data Center Networks via VPN Through FortiGate-VM in AWS
FortiGate-VM can act as an SSL-VPN Gateway and IPSec VPN Gateway to terminate AWS VPN connections. The FortiClient software that runs on the Client computer manages all the details of encrypting, encapsulating, and sending packets to the remote VPN gateway (a FortiGate-VM in AWS).
Users who can connect to VPN should be defined on the firewall. The user configuration becomes much simpler if you integrate it with existing authentication servers through LDAP or RADIUS. Integrating with existing authentication servers, such as Windows AD, lowers the chance of making mistakes in the configuration of users and user groups.
FortiToken can be used for two-factor authentication (2FA) to ensure that the end-user is who they claim to be by requiring authentication information as well as a dynamic token code that FortiToken Generates.
Split tunneling lets users access the corporate network through the VPN but still access the internet – which is prevented from going through the SSL VPN tunnel. Split tunneling can be enabled on FortiGate-VM for both SSL VPN and IPSec VPN.
IPSec VPN
On the Client computer, the FortiClient application acts as the local VPN gateway. Packets destined for the AWS VPC networks are encrypted, encapsulated into IPSec packets, and sent through the VPN tunnel to the FortiGate unit. Packets for other destinations are routed to the internet as usual. IPSec packets arriving through the tunnel are decrypted to uncover the original IP packets.
This document shows how to configure FortiGate-VM to act as a VPN Gateway.
The following configuration enables split tunneling for the VPN connections in the phase 1 configuration:
config vpn ipsec phase1-interface
edit “for_AWS”
set ipv4-split-include “local_network”
next
end
Also, using chacha20 as the encryption mode in phase 2 improves the IPSec connection performance. It can be enabled in phase2 config, as shown below.
config vpn ipsec phase2-interface
edit “for_AWS_Ph2”
set proposal chacha20poly1305
next
end
With firmware release 6.2.3, we have added auto-affinity to spread the load of encrypting and decrypting IPSec packets across available vCPUs.
With the FortiGate hardware platform, it is possible to offload IPSec processing to a specific ASIC. In a virtualized environment like the public cloud, FortiOS does not have access to hardware acceleration. To optimize IPSec encryption and decryption through a FortiGate-VM running in AWS, a user has to disable the software decryption asynchronization that is used by the FortiGate hardware platforms.
config system global
set ipsec-soft-dec-async disable
end
If the number of IPSec connections or throughput requirements increase, FortiGate-VM can be scaled up to a higher instance type to get IPSec throughput as high as 20Gbps and also support more IPSec connections. This is made possible by selecting the correct instance type and also configuring the IPSec optimizations above. FortiGate’s IPSec throughput can reach up to 20 Gbps. One instance type that can achieve that throughput in AWS is C5n.18xlarge, which uses an Intel Xeon Platinum 8124M (turbo GHz 3.5) processor.
SSL-VPN
There are two modes of operation for SSL-VPN, which include tunnel mode and web mode.
SSL-VPN Tunnel Mode: In this mode, once the tunnel is established between the client and the FortiGate-VM in AWS, the SSL VPN client encrypts all traffic from the remote client computer and sends it to the FortiGate-VM through the SSL VPN tunnel. This mode provides a transparent experience for the end user. There is no proxying done on the FortiGate, and it can be used for accessing a wide range of applications.
Enabling split tunneling for tunnel mode in SSL-VPN is done at the portal level.
config vpn ssl web portal
edit “aws-ssl-portal”
set tunnel-mode enable
set split-tunneling enable
set split-tunneling-routing-address “10.212.1.0”
set ip-pools “SSLVPN_TUNNEL_ADDR1”
next
end
SSL-VPN Web mode: In web mode, there is no need for an SSL-VPN client on the client computer. It is a clientless access mode that allows network access using a web browser and its built-in SSL encryption. Remote Users can authenticate to FortiGate-VM’s SSL VPN Web Portal, which provides access to network services and resources, including HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, RDP, and SSH. When a user starts a connection to a server from the web portal, FortiOS proxies this communication to the requested resources.
Since Web mode proxies all its communication through the FortiGate-VM, it places an overhead on the FortiGate’s resources and supports only certain applications. For most teleworkers who remain connected through the VPN for longer periods, Tunnel mode is the better option. It is transparent to the user after a successful connection and it allows the users and networks to exchange a wide range of traffic regardless of protocols or applications.
This link has the instructions for configuring the FortiGate-VM and the FortiClient software for remote access through SSL-VPN in split tunnel mode.
In our design depicted earlier in this document, we showed end users connecting to the FortiGate-VM in AWS through SSL-VPN and then allowing them to access the on-premises networks through Direct Connect or VPN. This document shows how to configure SSL-VPN to IPSec VPN for such a use case.
SSL VPN operates on HTTPS protocol at Layer 7. If the FortiGate-VM in AWS needs to handle a large number of SSL-VPN connections, you can scale out the FortiGate-VM in an autoscaling group and use an Application Load Balancer to load balance the SSL-VPN connections between the FortiGate-VMs, as explained in the “additional design considerations” section of this document.
Conclusion
In this blog post, we discussed how organizations can leverage FortiGate-VM in AWS to provide teleworkers with secure connectivity and best-in-class network throughout. FortiGate-VM’s integration with native AWS services such as Transit Gateway and Route 53, as well as important design considerations were explained. Finally, we outlined steps to launch FortiGate-VM in AWS, and the configurations required to take advantage of FortiGate-VM’s optimization features. The Fortinet teleworker solution enables organizations to securely connect their remote workforce to AWS workloads and applications, and ensures business continuity by leveraging the purpose-built FortiOS software as well as the scale and resiliency of AWS.
Discover how Fortinet Teleworker Solutions enable secure remote access at scale to support employees with a wide array of access requirements.
Learn how Fortinet’s dynamic cloud security solutions provide increased visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud.
Read these customer case studies to see how Cuebiq and Steelcase implement Fortinet’s dynamic cloud security solutions for secure connectivity from data center to the cloud.
Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.
In 1958, U.S. corporations remained on the S&P 500 index for an average of 61 years, according to the American Enterprise Foundation. Fast forward to today and companies are being replaced approximately every two weeks. In this rapidly changing market, traditional companies are looking for ways to stay competitive and more and more enterprises, including Nielsen, Colgate and Airbus, are turning to G Suite to help them reimagine how they work to keep pace.
We know that enterprises want to move to cloud-first collaboration to transform how they work, but, understandably, they have questions about how to make it work in a business of their size. What happens with email security? How can they manage their data? How does G Suite work with the tools and systems they already have in place?
Yesterday we announced new products to help businesses reimagine how they work, and today we’re sharing additional solutions we’ve built to address these concerns.
Here’s a snapshot of what we’re announcing today. Read on for more detail.
New Gmail (Redesigned security warnings, Snooze, Offline Access and more generally available for G Suite users)
Cloud Search (being deployed by an initial set of customers)
Google Voice for G Suite (available in our Early Adopter Program*)
Drive Enterprise Sku (available for purchase)
Keeping businesses (and emails) secure
Keeping your data secure is our top priority, which is why we use machine learning to analyze threat indicators across billions of messages in Gmail to help quickly identify potential security attacks in the making. Machine learning helps protect more than 1.4 billion active Gmail user accounts from nearly 10 million spam and malicious emails every minute.
Today, we’re making the new Gmail generally available to G Suite customers so that, in addition to these baked-in security features, more companies can take advantage of features like redesigned security warnings, snooze, offline access and more. You can learn more in this post.
Bringing the best of Google Search to enterprise data
Searching through your company’s data should be as easy as doing a web search. But the reality is most companies’ information is spread across different silos and systems that don’t talk to each other, which makes finding things a lengthy chore. We introduced Cloud Search last year to make it easy to find information across G Suite in a way that’s intuitive and assistive. Today, we are announcing new Cloud Search functionality to help companies intelligently and securely index their third-party data beyond G Suite, whether that data is stored in the cloud, or on-prem.
Companies, like Whirlpool Corporation, have started deploying Cloud Search’s new capabilities to unify search across multiple data sources. Using Cloud Search’s new SDKs, APIs and connectors for third-party connectivity, Whirlpool created a custom app called Whirlpool SearchPro that indexes more than 12 million documents across different on-prem and cloud systems and returns results in 100s of milliseconds on average. Moreover, search results reflect the specific permissions and access controls from each of the source systems to ensure that individuals only see the information they should.
Unless you are an accountant or you are us, you probably might not be too excited about the topics on payroll. Primarily because it is usually thought of as a boring or complicated process. However, as a business owner, you need to understand the intricacies involved in payroll because not only it is one of your top expenses every month, but getting payroll wrong has serious consequences. We are writing this for more than 60 million small business owners in India, breaking down the entire process to help you get payroll right, and also to show you how simple it actually is.
In this guide, you will learn the basics of what payroll is, why is it important, how it’s done in India, how does a successful payroll process looks like, and more. Let’s start with the basics first.
In simple terms, payroll can be defined as the process of paying a company’s employees. It includes collecting the list of employees to be paid, tracking the hours worked, calculating the employee’s pay, distributing the salary on time, and recording the payroll expense.
In order to get these done, there’s tons of background work involved because payroll is more than just about calculating paychecks. It’s an intricate set of process which requires different teams to work in tandem. But all these complexities can be managed effortlessly by the standardization of processes, selecting the right service delivery model, and using modern technology to manage payroll operations.
As a business function, here’s a high-level overview of the series of steps involved in completing payroll successfully from scratch.
What is the need for businesses to do payroll?
Keeping a record of the salaries paid to employees is an instant thought that comes to mind. But there’s more at stake for businesses. Payroll has a serious impact on the net income of an organization. It is also a business function that is subject to several laws and regulations. Because of the legal and ethical factors involving payroll, it is very crucial for businesses to do payroll and keep a spotless record of its payroll.
In cases where they are unable to maintain a clean record, some of the common notions that spread within the employees about your business include financial instability of the company, poor and untrustworthy management.
What are the challenges involved in processing payroll?
Payroll management or administration can be a mundane task, but it’s not easy to get it right. The challenges can include:
Coordinating multiple teams
Payroll staffs spend countless hours collecting information from the HR, Finance, Expense, and Attendance management teams. Even employees submit information like bills for reimbursement claims and tax-saving records.
It takes a lot of dashing around to get all of this information on time, every month, and if you’re a small business owner trying to do it all alone, it is nothing short of overwhelming.
Staying compliant with payroll laws
For businesses in India, all the statutory computations including PF, ESI, PT, LWF, IT, Shops and Establishments have to be taken into consideration. Any issue with tax remittance or miscalculation of any of these components could leave your business at a serious disadvantage.
Caring for employees’ morale
Depending on legacy methods
You might feel more at home using a paper-and-pen approach for calculating work hours because it’s what you are used to it before, but this approach puts you in the danger zone. Papers can be misplaced, torn, or even thrown away. They also open the door to inaccurate calculations and eat up a lot of your time.
The immediate alternative, a spreadsheet-based payroll system, can bail you out in some ways but it doesn’t really solve your problems. Spreadsheets are familiar and seem easy, but they take a lot of expertise to use well. You’ll need to hire employees who understand advanced concepts like pivot tables, concatenate functions, split fields, and v-lookup, and who can audit your formulas regularly to ensure that the calculations are working correctly every time. You’re dependent on your staff’s knowledge to keep the system running smoothly.
Blue-print of a successful payroll practice
At the start of this guide, we spoke about how you can effortlessly take care of payroll by standardizing the practices. Since it involves numerous activities among multiple teams, the payroll staff needs to be on top of their game every single day monitoring the employee count, changes to statutory policies, new deduction rules, and more. To simplify the entire process for you, let’s classify it into three large stages.
Pre-payroll phase (setting up the organization, collecting payroll input, and validating the input)
Setting up the organization
Every day, thousands of new businesses sprout all over the world. Each business has its own philosophy, approach to employee engagement, and work culture. The first step in standardizing payroll input is to set clear organizational policies, including:
Business profile
Ensure that you have a registered business number associated with your PAN and TAN. Payroll forms rely on registered numbers to send tax forms, payslips, and more.
Work location
Leave policy
Every employee is entitled to take leaves in various categories, like sick leave, casual leave, vacation leave, and privileged leave. Setting a leave policy is of paramount importance, as you’ll need to consider it when calculating paychecks.
Attendance policy
Integration with Biometric devices and timesheets also has a direct influence on the employees’ pay.
Define organization policies that compute attendance for regular hours, shift hours, half-day permissions, and on-duty requests. Integration with Biometric devices and timesheets helps you to gather employees’ attendance data.
Statutory components
Adherence to Indian payroll laws is necessary to keep your business on a legal footing. You have to decide what you will offer your employees from the standard list of statutory components including PF, LWF, ESI, PT, IT, and Shops and Establishment Act.
Salary components
Design with salary components that can embrace diverse compensation structures. Select the right earnings, allowances, deductions, reimbursements, and flexible benefit plans according to your organization’s policy.
Pay schedule
Employee information
Gather mandatory information like employees’ DOJ, designation, and department.
Payroll calculation phase
Depending on how you process payroll, this phase depends on how you do the calculation part. If you are someone who works with a system, then the data collected in the pre-payroll phase is now fed into the payroll system to calculate every employee‘s paycheck. The outcome of this process will be the actual salary of each employee after considering all the withholdings, taxes, and deductions.
Post-payroll phase
Salary payments
Paying salaries to your employees forms the major part of the post-payroll process. Once the payroll calculation is completed, you can send the bank advice to your corporate bank for salary disbursement. But you can skip right over this process if you opt for a software that has an in-built direct deposit feature.
Payroll accounting
Salaries paid to your employees are one of the biggest expenses for your organization. As part of maintaining your organization’s accounts, you should ensure that employees’ salaries are recorded.
Payroll reporting and compliance
Statutory deductions like EPF, ESI, and TDS are automatically deducted at the time of processing payroll. The organization then has to remit the withdrawn amounts to the respective government agencies. The due date for each deduction is different. After the dues are recorded with the government, businesses can file their return forms (for example, for filing the PF return, an ECR is generated and filed).
How Cloud-based payroll software can uncomplicate payroll
While the above mentioned structured approach can introduce some much-needed organization to your payroll process, adding the right technology can help you to reduce your dependency on spreadsheets or eliminate it altogether. With good payroll software, mundane tasks can be automated, and complex ones can be simplified.
Increased efficiency
Typically, payroll staff spend countless hours collecting payroll inputs, but having an integrated payroll system helps to streamline the process. Software that includes employee self-service portals allows business owners to delegate routine documentation tasks to employees, reducing the time burden even further.
Payroll staff are always pressed for time, and disorganized spreadsheet-based data makes things even worse for them. Payroll software organizes your data and provides a cleaner user interface, which makes life much better for your payroll staff.
In-built compliance
Staying up to date with all the changes in payroll laws is an area where software really excels. Readily available reports make it easier for employers to pay their taxes and handle employees’ statutory component deductions including Provident Fund (PF), Labour Welfare Fund (LWF), Professional Tax (PT), Employee State Insurance (ESI), and Tax Deduction at Source (TDS) based on their pay scale, mandated percentage, and work location.
Increased accuracy
Payroll software eliminates the possibility of missing out on payroll inputs. For instance, tax-saving declarations and reimbursement bills are always included.
Payroll computations are fully automated, eliminating the need to calculate paychecks manually or check the formulas in a spreadsheet.
Effortlessly scalable
Growth is inevitable for any business that’s running successfully. A system that grows with you as you expand saves you the time of looking for alternatives as you outgrow previous solutions.
Secure employee self-service
Are you still dependent upon paper for collecting reimbursement bills, IT declarations, and POI data? Have you ever missed a reimbursement bill submitted by an employee and messed up their payroll calculation as a result? A self-service portal with in-built payroll validation helps you skip the chaos.
Powerful administration tools
Payroll is a crucial part of your finance operations, but exposing your financial data to all your payroll staff is a strict no. Payroll software that comes with finely-grained administration privileges helps you assign the right permissions to each employee.
Increased collaboration with other apps
An integrated HRMS system brings in crucial HR data for processing payroll automatically. It saves payroll staff from sifting through leave and attendance records, employees submitted reimbursement bills and more.
Tallying accounts can require many hours. A payroll system with the ability to automate your accounting process keeps your accounts organized, and saves you having to struggle through the numbers after every pay run.
Decreased cost
Infrastructure procurement and maintenance make up a huge part of your organization’s bills. Cloud-based payroll software eliminates the need for specialized infrastructure, resulting in savings for your organization.
Decreased liability
As an employer, it’s your responsibility to get payroll right. By enlisting payroll software to ensure that your calculations are spot on, you can reduce both your workload and your risk of liability.
The way forward
Messy payroll processing is a thing of the past. We’ll leave you some valuable tips on what to look for when you go choosing payroll software to streamline your payroll operations.
Core payroll features
Automatic payroll and payslip distribution
Statutory compliance
Customizable salary components
Online salary payments
Employee self-service portal
Payroll reports
Leave and attendance handling
Full and final settlements
Spreadsheets data import
Security features
User roles and permissions
Cloud security
Data privacy standards
Usability features
User-experience
Accessibility
About Zoho Payroll: Refreshingly simple payroll software
As part of an extensive suite of 45+ products, with more than 50 million users worldwide, Zoho Payroll is our cloud-based payroll processing software designed to transform the way you’ve done payroll over the years. Tailored to fit the Indian statutory system with a refreshingly simple UI, Zoho Payroll is the de-facto choice for many businesses to streamline their payroll operations end-to-end.
We launched the new Gmail earlier this year and packed it with features to help you prioritize and accomplish things right from your inbox. And it’s a good thing too, because it’s estimated that we send and receive more than 100 emails a day.
With this volume, it can be tough to stay focused on what matters. Here are five ways the new Gmail can help you save time and get more done.
1. You can prioritize emails more easily.
How many times have you read an email and forgotten to respond? It’s easy to do. To help you remember, Gmail will “nudge” you to follow up or reply to messages by sharing a quick reminder next to the email. Powered by machine learning, it uses cues like frequent contacts and more to remind you to respond to stuff that’s higher priority.
Inbox by Gmail has been a great place to experiment with new ideas like snoozing emails to later, as well as try the latest AI-powered experiences like Smart Reply, Nudges and high-priority notifications to help you stay productive.
Four years after launching Inbox in 2014, we’ve learned a lot about how to make email better—and we’ve taken popular Inbox experiences and added them into Gmail to help more than a billion people get more done with their emails everyday. As we look to the future, we want to take a more focused approach that will help us bring the best email experience to everyone. As a result, we’re planning to focus solely on Gmail and say goodbye to Inbox by Gmail at the end of March 2019.
We introduced the new Gmail in April this year, incorporating many of the same features you’ve come to love about Inbox plus newer features like Smart Compose, which helps you draft emails faster. Read more about how these features in Gmail can help you manage your inbox better in this post.
We know change is hard, so we’ve created a transition guide to help you switch from Inbox to the new Gmail with ease. All your conversations are already waiting for you in Gmail. See you there.
The unprecedented global COVID-19 situation has cut off several physical links in the way businesses operate and has forced them to go entirely remote. As a result, millions of organizations, both big and small, have adopted a multitude of digital applications and online tools to keep their wheels running.
Zoho Sign, Zoho’s digital signature application, helps businesses collaborate and collect signatures on documents and manage the signed paperwork entirely online in a secure and convenient manner. However, given the present circumstances, we understand that there is a lot more to conducting business than just moving paperwork remotely. Therefore, we are also actively expanding the list of integrations supported by Zoho Sign to help businesses connect it with the other tools and software they use to run and monitor their operations.
On that note, we are happy to announce that Zoho Sign is now available for use on Integromat, an advanced online platform that offers the functions of workflow automation software! This will help you connect Zoho Sign with 350+ other popular and powerful web applications by building business workflows that can automatically generate smart documents, collect signatures, track and manage your documents in real time, and much more.
This integration helps you combine the advantages of using electronic signatures, especially in times such as this, with the added benefits of automation by removing manual intervention in other business engagements that precede or follow the paperwork in your operations cycle. As a complete iPaaS solution, Integromat enables you to automatically set up payments, generate invoices, update your CRM records, send follow-up emails, assign tasks to your agents, and more with the help of customized scenarios built around e-sign workflows connecting your digital apps. Thus, this can vastly reduce not only your paper clutter and administrative costs but also the manual labor hours spent on others tasks, thereby boosting productivity.
What’s a Scenario?
A scenario is a workflow created on Integromat that automatically monitors one of your apps for changes or events and/or carries out one or more actions in the same app or other apps you use. Scenarios are built by adding and connecting blocks known as modules that help transfer data between apps. For example, imagine setting up an integration that monitors the status of documents on Zoho Sign and creates a new deal in your CRM when a document is signed.
To start building scenarios connecting your favorite apps to Zoho Sign, you simply need to add one of Zoho Sign’s offered modules in your scenario editor screen and create an authorized connection between your Integromat and Zoho Sign accounts.
What’s a module?
A module is a smaller block that represents an individual function or task carried out in the chosen app. For example, fetching the list of documents sent for signatures using Zoho Sign. Scenarios are built by adding one or more modules in a series and configuring how the data is transferred and the operation is performed.
Modules themselves can be categorized further into different types, of which Zoho Sign presently only supports trigger and action modules.
What’s a trigger?
A trigger is a conditional module that actively monitors your app for a specific event. When that event occurs, the trigger generates a bundle of data to be passed on to the next module in the scenario. Zoho Sign offers seven trigger modules on Integromat for interactions that take place with your documents: signed, completed, declined, recalled, expired, viewed, and re-assigned. You may use these to execute follow-up actions in your other apps when these events take place in Zoho Sign.
What’s an action?
An action is a functional module that executes a specific task in your app, either on its own or using the data passed on to it by a preceding module. Action modules also generate a bundle of data upon successfully executing their task that can be passed on to the next module in the scenario. Zoho Sign presently offers one action module on Integromat which performs a customized API call to a specific endpoint in the Zoho Sign app.
Do I need to learn coding to use Zoho Sign with Integromat?
Absolutely not! This integration simply requires you to build scenarios by choosing the applications you want to connect with Zoho Sign, adding the necessary modules, and configuring the flow of data, all done in just a few clicks and drag-and-drops. Once a scenario is set up, successfully tested, and enabled, all the associated tasks will be automatically taken care of by Integromat and you can divert your attention to other important business activities.
Where do I start?
This integration is readily available for all Zoho Sign users. Just visit our integration page on the Integromat website and take a look at some of our pre-made scenarios to get inspired and start using it. For more assistance, visit our help documentation.
So don’t wait! Explore this integration today and build scenarios with your favorite applications to automate your routine signing tasks. And, of course, let us know how it helps you transform the way you do business.
For alternate workflow automation options, feel free to check out Zoho Sign’s integration with Zoho Flow and Zapier.
If you’re not already a Zoho Sign customer, you can head over to zoho.com/sign and sign up for a free 14-day enterprise trial. For feedback, queries, and personalized demo requests, write to us at support(at)zohosign(dot)com.
I’m one of those people who always cuts it close at the airport—it’s a race through security, with just enough time to grab the airline essentials: water bottle, magazine, a soft pretzel if I’m lucky. But I just learned that I can whip out Google Maps to find my way around the airport (by searching the airport name and terminal number), so I no longer waste time running around looking for my snack of choice.
For two decades, Google has built products that make my life more useful. Eight of these products now have a billion users, and with all that extra time at the airport, I got to thinking—how many other unknown tips and tricks are out there? Since Google is celebrating its 20th birthday this month, I present a party favor: tips on Google’s most-used products, straight from the people who helped build them.
Search
For lovers of covers: Try searching for a song and then tapping “other recordings” for different renditions.
Don’t burn daylight: Make the most of your daylight hours by knowing when the sun will go down. Search [sunset] to get the time the sun will set today.
For content connoisseurs: If you’re a fan of bingeable TV shows or a movie buff, you can see all the places to stream any show or film by searching [watch] followed by the title. (Head’s up: this is available in the U.S., Great Britain, Australia, Germany and India).
Emily Moxley, Director of Product Management
Maps
Beat the crowds: Use Google Maps to find out the estimated wait times and popular times to visit your favorite restaurants and businesses.
Don’t get lost in the parking lot: If you’ve ever spent way too long searching for your parked car, this tip’s for you. After navigating to your destination, tap on the blue dot and then “Set as parking location” so you can always find your way back to your parking spot.
Quickest route to the airport snacks: If you’re flying to a new place, you can use Google Maps to help you find your way around an airport. A quick search for an airport terminal name, say “SFO Terminal 1,” will show you the lay of the land, including nearby gates, lounges, restaurants and stores.
Dane Glasgow, VP of Product
YouTube
Just add popcorn: Developed to cut down on glare and give you that movie theater experience, Dark Theme turns your background dark while you’re watching YouTube. It’s available on desktop, iOS and now rolling out to Android.
Pick your pace: Speed up or slow down the playback of a video by tapping on the three dots at the bottom right of any video.
Take a shortcut: While watching a YouTube video, use the numbered keys to seek in a video. For example, hitting “2” will take you 20 percent into the video, “6” will take you to 60 percent into the video, “0” will restart the video.
Brian Marquardt, Director of Product Management
Gmail
The ultimate to-do list: Open Tasks in your side panel within Gmail, then drag and drop emails to turn your messages into action items.
Shhhh: Declutter your inbox with Gmail’s mute feature, which pushes the entire conversation to your archive and any future conversations on the thread bypass your inbox to be automatically archived as well.
Take it back: Don’t fret over embarrassing typos, unintentional reply-alls, or other email taboos. In your Gmail settings, just implement a 5-30 second cancellation period on your sent emails and once you’ve fired one off, you’ll receive a prompt to “Undo.”
Kevin Smilak, Engineering Director
Google Drive
Give your docs a gold star: Find your favorite Drive items by starring your most important docs within the Drive main menu, and then bookmarking your Starred page.
File_name_V2: Freeze moments in time by naming different versions of the docs you edit frequently. In a Doc, Sheet, or Slides go to File > Version History > Name current version. Name any version then access it easily from “Version history” by name.
Your search is our command: Google Drive makes the text within all of the images and PDFs you upload searchable. Try searching for a phrase that you know is inside a picture or PDF, which is especially helpful when you can’t remember your filename.
Alexander Vogenthaler, Director of Product Management
Android
Lost and found: If you’ve misplaced your Android phone, Find My Device lets you locate it by signing into your Google account. Or you can call it directly from a browser by typing “find my device” on Google. Lock your phone remotely or display a message on the lock screen, so if someone finds it they know who to contact. If you’re convinced it’s lost for good, you can erase all your data.
Always reachable: Don’t miss any urgent phone calls and messages from important contacts like close family members or your child’s school, even when you have Do Not Disturb turned on. Just add a star to people that matter to you, and then allow calls and messages from “starred contacts only” in Do Not Disturb settings.
Use your voice: You can ask your Google Assistant to handle tasks on your Android phone (running Android 6.0 Marshmallow or later). Start by saying “OK Google,” then try “take a screenshot,” “turn on flashlight,” or “open WiFi setting.” You can even ask to “take a selfie”—this will open the camera app and start a countdown. Cheeeeeeeese.
Sagar Kamdar, Director of Product Management
Google Play
When you’re good with faces, but not names: Just hit pause on your movie, tap the circle around the actor or actress’s face, and learn more about them and what other movies they’ve been in.
Read like a superhero: When you’re reading a comic on your phone, tap on a voice bubble and use your volume buttons to zoom in on the dialogue between two characters.
What you wish for: You can create a wishlist to keep track of items you want to install or purchase on Google Play.
Kara Bailey, Global Merchandising Director
Chrome
Access history across devices: Open Chrome and click on “History.” From the drop down menu, click “Full History” and “Tabs From Other Devices.” If you’re signed into the same Google account on both your phone and your computer, you’ll see the article you were just about to finish on your way into work.
Keeping tabs on your tabs: You can save eight days of time per year using keyboard shortcuts. Try this one in Chrome: jump between tabs at light speed by pressing Ctrl and the tab number you want to go to (i.e., Ctrl+1, Ctrl+2, Ctrl+3).
👀☝😀 = 🎉. Right-click in any text field for a shortcut to access emoji on any platform Chrome can be found.
Ellie Powers, Group Product Manager, and Chris Beckmann, Product Management Director
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy
Privacy Overview
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
