Showing posts with label Cloud Computing. Show all posts

Saturday, December 1, 2012

Adidas Heads to the Cloud to Control IT Spending


Adidas Latin America decided to implement cloud-based procurement software to improve internal compliance and consolidate spending management. The company is a regional subsidiary of the Adidas Group sporting goods empire, which includes brands such as Adidas, Reebok and Rockport.
Procurement at $1.4 billion Adidas Latin America was complex--involving different currencies and languages--and disjointed. Some countries had developed homegrown procurement solutions; others had paper-based processes.
"If we were a small organization, that might have continued to work," says Adidas Latin America's head of IT Christian Bader. "But we were growing fast, and we weren't getting the visibility we needed."
Seeking to improve internal audit compliance and streamline spending, Bader evaluated several spending-management solutions and decided on Coupa for its multinational support, total cost of ownership, integration with the ERP system, and capacity for customization.
By opting for a hosted system, Bader was able to fully implement Coupa in Panama--where the company's Latin American operations are based--in six weeks earlier this year. Bader started with the country that had the most advanced procurement processes already in place and adopted an 80-20 attitude. "You will never cover all the cases you need to handle in one system," Bader says.
"We wanted to address the most common processes and keep it simple." Cash advances for travel, for example, will not be done in Coupa. "I'd rather leave it out than blow up the whole system to get it in," Bader says. Next up is Chile, where there was no software in place, so the implementation will take longer, one department at a time, starting with human resources. Later this year will come Argentina, Peru, Brazil and finally Mexico--simply because they were already deep into a massive warehouse management system implementation. IT is managing the introduction of the cloud-based system remotely from Panama City, keeping the cost of the project low. Bader opted to add on Coupa's business intelligence tool, the Spend Optimizer, so employees can see on their own how much they're spending and on what.
"We shifted the ownership and workload [associated with that] from finance, which should not have to do it, to the people actually doing the procurement," Bader says. Soon, Adidas Latin America will centralize its spending management and consolidate its business with certain vendors, leading to lower costs.
Adidas Latin America's complex account structure made integration between Coupa and SAP difficult. "It created a lot of stress, but we solved it," says Bader. "We should have addressed it before we started the project, but we were moving too fast."
But change management was the biggest challenge. "Our experience, especially in Latin America, is that you have to get the buy-in of the full organization, from the warehouses to marketing to HR to IT," says Bader, a German who joined the Latin American subsidiary in 2004. Bader held town meetings to address doubts and concerns.
"You can't just go out there and force it," he says. "Especially in Brazil--forget it! You have to do this with them and take the time to convince them, or you will fail."
Stephanie Overby is a regular contributor to CIO.com's IT Outsourcing section.


Thursday, November 15, 2012

Nine security controls to look for in cloud contracts


To help ease concerns about cloud security, which Gartner says is still a chief inhibitor to enterprise public cloud adoption, buyers are looking to contracts and service-level agreements to mitigate their risks.
But Gartner cloud security analyst Jay Heiser says SLAs are still "weak" and "unsatisfying" in terms of addressing security, business continuity and assessment of security controls.
"A lot of these things are getting a lot of attention, but we're seeing little consistency in the contracts," he says, especially in the infrastructure-as-a-service (IaaS) market. Software-as-a-service (SaaS) controls are "primitive, but improving."
Below are some of the common and recommended security provisions in cloud contracts and how common and effective they are.
Customer audits on demand
These clauses allow customers to audit vendors.
Effectiveness: Partial, depending on how much the vendor allows the customer to inspect
How common? Sometimes
Data deletion certificate
Proof that data is deleted when service expires.
Effectiveness: High, legally defensible
How common? Never
Disaster Recovery
Many vendors claim cloud services, by their nature, equate to disaster recovery, but that cannot always be the case. If, for example, data is only stored in a single location of a cloud provider without an offline backup, that creates a single point of failure.
Effectiveness: High, but difficult to verify. While vendors may claim they have robust systems, they are often reticent to provide evidence, citing security concerns.
How common? Not typically in contract clauses.
Downtime credits
These provide the user credits or some sort of reimbursement in case of downtime.
Effectiveness: Partial. While a credit may be helpful, it is a post-facto remedy and does not prevent an outage from happening in the first place.
How common? Often found in contracts
Encryption
Effectiveness: Varies. There are multiple encryption methods. If the vendor encrypts the data when it reaches the provider's cloud, that is less expensive but less secure than the user encrypting the data before sending it to the cloud. An important factor is who stores and has access to the encryption keys. The more copies of the keys, the less secure it is. Beware of vulnerabilities related to losing keys.
How common? Varies by provider. Third-party tools can also be used to provide encryption as a service
Evaluations
Many buyers use third-party security services to verify their providers' security controls, such as ISO27001 or SOC1 and SOC2 audits. But, a vendor simply reporting that it complies with these audits in many cases does not provide end users with the information they need to evaluate the provider's system for their specific security needs.
Effectiveness: Believed insufficient
How common? Common
Full indemnification for security failure impact
In this situation, a contract would state that if there is a security breach, the provider would be responsible for the customer's losses.
Effectiveness: Theoretically high
How common? Never
Hacking insurance
Insurance by a third party or by the vendor could help offset costs resulting from a security or data loss issue.
Effectiveness: Potentially helpful, but like the downtime credits, does not necessarily create an incentive for the provider to avoid a breach
How common? Rare, but growing
Negotiate security clauses
These allow customers to negotiate higher levels of security for certain programs or data.
Effectiveness: Potentially high
How common? Mostly for large customers only
Network World staff writer Brandon Butler covers cloud computing and social collaboration. He can be reached at BButler@nww.com and found on Twitter at @BButlerNWW.
