Who is in Charge of Cloud Security?

Cloud service providers believe their customers are responsible for security, and license accordingly. That is the message cited by David Rosenbaum in his article on security risk and liability in the cloud.

“Cloud,” says Bruce Lynne, managing partner of Financial Executives Consulting Group, “is just a fancy word for outsourcing.” And, as smart CFOs know, when a company outsources, it sheds work, not responsibility.

Anyone contemplating cloud computing should read this article to get at key licensing issues which tech industry hype glosses over. Rosenbaum identifies a key point about cloud – it is a financial decision and requires intense effort by the CFO and company lawyers to be successfully implemented. The big issue is security, the related liability from security failures, and what can be done about managing the business and financial risks of the cloud.

But while the policy may be familiar, the ramifications could be huge. That’s because the cloud — which enables companies to outsource everything from e-mail to ERP and then access it all through a browser — is inherently insecure. The same ease of access that makes it appealing also makes it vulnerable. Yet many non-tech-savvy buyers of cloud services are not adequately aware of the security issues, says James Reavis, director of the nonprofit Cloud Security Alliance.

The recommendations include negotiation advice, things to learn about your vendor, and encouragement to be bold about getting the security your firm needs. Security needs may trump some common cloud architectures. For example, the need to “find out who’s in the cloud with you. If the provider has an insecure customer, that makes you less secure” argues against common multi-tenant approaches to cloud applications. This advice also applies to “private cloud” offerings (anything delivered via a browser, even if it is implemented on premises). In short, by selecting a vendor that you can reliably partner with, you gain an opportunity to manage cloud security risks.


Implications of Changes in Investment

Charles Stewart dives into the numbers behind the economy to focus on gross private domestic investment. The outlook and policy options he presents are bleak – almost anything the government does will lead to reduced employment. However, he does offer a path to better outcomes for individual firms:

Total factor productivity has risen 3.2% in each of the last 2 years, the highest rate since the BLS started keeping tabs in 1987. The average long-term rate has been around 1%. We know that it is investment, not labor, that is mainly responsible, because labor productivity increased by only half, to 3.6%, while total factor productivity tripled. We can produce the same output today with 7% less labor than two years ago. Investment in equipment and software is reducing employment.

Stewart’s insight has several implications for domestic manufacturers looking to improve their chances in today’s economy. First is a hard lesson: if you are not getting the same output from 7% less labor, you are falling behind your competitors. This benchmark comes from national statistics, so half of all manufacturers have plenty of room for improved results. Even those getting by on a 7% labor reduction may be falling behind; that is the average, not the top performance.

To catch up to and potentially leap ahead of your competitors requires investment. This investment must be carefully targeted. Adding staff exposes manufacturers to uncertain regulatory costs. Adding inventory is trickier: unless it moves, it is dead weight on the balance sheet and prevents investments with real returns. The key is investment in equipment and software to increase total productivity of the firm. This is not an either/or investment; modern CNC machines and ERP software work together to generate greater returns than either alone. Work with vendors to fit these investments within your balance sheet.

When you set investment priorities, focus on the business value, and on enabling strategies that take advantage of opportunities in the current environment. Identify a business opportunity tied to a successful business strategy for today, then invest in a solution to that problem. A troubled economy is the wrong time to get misled by industry hype about technical nuances of competing products. If the vendor isn’t focused on direct business value, no value will be realized. Potential success strategies include processing faster and more flexibly than foreign competitors by combining lean production techniques with automated product configuration. Investments include better ERP plus modern factory equipment. Results include dramatically reduced order processing time, fewer production errors, reduced inventory, and reduced labor costs. If you can invest before your competitors do, you may achieve growth in spite of the poor economy.


ERP Lessons Learned

Frank Scavo posts an excellent review of the history of and lessons learned from ERP systems over the past 20 years. Both Frank’s post, and his keynote video are well worth your time. Some key points from the post:

ERP is not primarily a planning system, it’s a transaction processing system. Its benefits are primarily in standardizing and automating business processes.

In particular ERP automates the reconciliation of money, products, people, and time to provide a clear record of what is and has happened in your business, with the full audit capabilities required by regulations such as Sarbanes-Oxley. Without this foundation added systems like CRM, SCM, and BI are only marginally effective.

Today, I find that business leaders have a better understanding of best practices for successful ERP implementation. They realize that ERP means changing how the organization does business. They usually recognize that top management needs to be committed and that it will require participation by all affected functions. They often realize that it is best to pick a system that fits the business, and as much as possible to avoid customizing software code.

That ERP is about the business, and not about the technology, is a point that cannot be emphasized enough. Too often ERP decisions are driven by technology-based factors (cloud vs on-premises, .Net vs PHP) while the core business requirements remain unexplored.

According to our 2011 survey, 38% of ERP projects exceed their budgets for total cost of ownership. Furthermore, as I indicated in my keynote, the risks of ERP go beyond cost overruns: ERP is particularly subject to functionality risks (the project was within budget, but the system doesn’t satisfy key requirements), adoption risks (the project was within budget, but the organization is not fully using it), and benefit risks (the project was within budget, but the expected benefits are not realized).

That is, when technology is placed before business need, the ERP disasters we all fear come to pass. Learn the lessons Frank shared, focus on your business needs, and benefit from your ERP.


Head in the Clouds

ERP analyst Derek Singleton posted a paean to the SaaS variant of cloud computing. With his head firmly in the clouds looking for rainbows covering five points, Derek does trip over one salient feature of modern computing—the user experience should be the focus of vendor efforts (everyone has feature / function these days). For Derek, here is some ground level perspective on his key points.

First, he notes that cloud companies “have momentum and attract great talent.”

SaaS companies have an intangible that’s working to their benefit – they’re recruiting exceptionally bright, young talent.

The same could be said of the “Dot-Coms” of a decade ago; images of a bubble economy are hard to avoid here.

His second point is the wonder of multi-tenant architecture and “smoother scalability.” To the usual claim of overnight upgrades across an entire customer base, Derek adds a new one:

A further advantage of multi-tenancy is that company-specific customizations are left intact when the system is updated. This is because customizations are made in metadata. For the non-techies out there, metadata is data that defines the settings and customizations for each customer, but is maintained separately from the core application code.

Multi-tenant architecture is a mixed bag for ERP installations – one-swoop upgrades can cause problems for any firm covered by Sarbanes-Oxley (whether directly or through bank loan terms). The meta-data approach is indeed an appropriate development technique, but it preceded multi-tenant architecture and SaaS by at least a decade. Traditional ERP vendors have employed meta-data approaches for quite a while. For example, HarrisData restructured its applications to a meta-data base starting in 2000, while HarrisData’s RTI Software division began using meta-data in 1992.

The third point, that the “cloud is changing enterprise software consumption,” is a recycling of a three (four?) decade-old argument over how to license software for enterprise use. Many pricing models exist, from the enterprise-wide license, to the CPU license, to various user-based license schemes (including SaaS licensing). For each pricing model there is an equivalent array of payment options from upfront cash to lease terms. The arguments and distinctions between the pricing / payment options amount to deciding whose ox is being gored at any point in time.

The fourth point on the importance of user experience is a very strong point, “great user experience equals happy customers.”

Historically, enterprise software hasn’t been overwhelmingly friendly when it comes to the user interface (UI) or user experience (UX). It’s why a standing army of consultants and professional services firms exist to help buyers customize their systems and learn how to use the software.

Too few traditional vendors take this point seriously, focusing instead on capturing the monopoly rents derived from providing the standing army of consultants and professional service people. However, as with meta-data above, a focus on user experience is independent of cloud and SaaS deployment of applications. HarrisData emphasized the user experience beginning in the mid 90s, and has held training and services costs to less than 5% of revenues annually since 1996. Reducing training and services required to deploy our applications is still number one on HarrisData’s to-do list.

The final point is that since cloud and SaaS is on the web, and young people “get the web,” the cloud is youthful and innovative and magically better than sliced bread. Apparently young people want

web demos, trial versions of the system and user ratings of the product.

This is hard to argue with, as young (and old) people wanted these things in the 80s and 90s as well. Perhaps all people would be better off focusing on the business value of various ERP options rather than the hype and fluff of analysts.


PHP on IBM i – Adding new value to old applications fast

The IBM Systems Magazine PowerUp blog is talking about PHP on IBM i, a thread started by Laura Ubelhor with her post “There’s No Doubt PHP is an Awesome Fit on IBM i”.

For the average IBM i shop, PHP is a great way to extend existing applications to the web. Laura’s post highlights success in dramatically improving efficiency of AP – using a web application to deliver the details of the remittance advice when no paper check is used. Self-service applications delivered through the web offer significant savings in reduced paperwork, eliminated mail charges, and fewer inbound phone calls. PHP allows IBM i developers to quickly deliver self-service applications to new groups of users – such as vendors, customers, and suppliers.

One HarrisData manufacturing customer used vendor self-service applications over the web to share raw material requirements plans (from MRP) directly with suppliers. The results? Suppliers were able to better manage their own manufacturing capacity, improving efficiency and reducing costs at the supplier. Further, because the suppliers could see the forecast and any changes, they were able to substantially improve on-time delivery, giving manufacturing management the confidence to optimize processes and lower costs.

Success stories like these are really based on delivering web-based applications that provide external users significant value, and only require the external users to have a web browser available. Well-designed self-service applications are available anywhere, anytime, with no training. IBM i shops can quickly and successfully extend applications to the web using PHP. The skills are easy to learn, and focused applications can be developed and deployed quickly – with the entire application stack (including the web server) on your IBM i.

At HarrisData, we made the choice years ago to move our user interface to a web paradigm, to take advantage of how quickly and easily users took to browser-based solutions. We’ve developed comprehensive ERP, CRM, and HRIS applications using PHP to drive browser-based interfaces to our traditional RPG applications, allowing us to deliver high-impact solutions without having to completely re-write the RPG business logic that has been tested and working for our customers for decades.


Is Enterprise Integration the Next Hurdle for the Cloud?

Stephanie Neil poses an interesting question on whether SaaS and Cloud solutions create as much work in enterprise integration as they solve in reduced hardware and storage management.

Enter software as a service (SaaS) applications, which might seem to be an IT manager’s dream: no server and storage systems to buy and maintain. But their emergence presents a whole new integration problem between on-premise legacy apps and those that live in the cloud.

According to the recent InformationWeek Analytics 2011 Enterprise Applications Survey, 43% of SaaS users are very happy with the ability to deploy the applications quickly, but are much less satisfied with the complexity of integrating hosted apps with on-premise systems and data sources.

To the extent that enterprise vendors (either cloud or on-premises) utilize Service Oriented Architectures and document required data structures, this may seem like a small problem. However, all it takes is one key application which is not SOA and the enterprise integration problem rears its ugly head. At that point, IT skills developed by integrating current applications are useful. Unfortunately, in many SaaS and cloud implementations, the IT staff does not have access to the application source code necessary for successful integration efforts.

An appropriate vendor offering in today’s environment should take advantage of what the cloud offers (no server and storage systems to buy and maintain) while providing the source code access IT still requires for successful implementation. HarrisData offers ERP through a Platform as a Service structure to directly address this problem. In addition to managed hardware and source code access, PaaS allows the customer to control application upgrade timing – an important consideration in the era of Sarbanes-Oxley.


Ultimate Justification for Cloud ERP

Chris Chappinelli identifies what may be the most important justification for moving your ERP to the cloud – cyber-security. Given the increasing complexity and frequency of attacks on customer and employee data, many IT departments are ill prepared to face the challenges. As Chappinelli notes, even the experts get hacked (RSA Security was a recent victim).

Against the advanced persistent threats that exist in today’s networked world, even paragons of cyber-security can become victims. Wouldn’t you want to shift that responsibility to another company if you could?

Your management and business insurer would both be pleased to offload such risk. The question is: how prepared are the cloud providers to accept and manage the risk? It may take time for an acceptable security standard to emerge, and even longer for security to find its way into cloud license / service agreements. However, anyone contemplating cloud computing should start thinking about security today.


Promise of the Cloud

What, exactly, is Cloud Computing?

Some degree of skepticism about cloud computing is understandable. The marketing hype surrounding it smacks of previous campaigns by consultants and technology companies to lure corporate investment. To wit: Y2K paranoia, dot.com hysteria and fiber optic mania.

The above quote is from an article by William J. Holstein wherein he focuses on practical business issues raised by the promise of Cloud Computing. His advice is to use the promise of cloud computing to dive in and understand the full costs and value of whatever information systems are in place in your organization today, then aggressively manage those resources to provide the greatest benefit at the least cost. When evaluating the Cloud, Holstein notes an important reality:

Defining “cloud” isn’t easy. The term does not refer to a pie-in-the-sky IT heaven open to all. The cloud is distinctly proprietary.

He follows with some cautionary advice:

Of course, CEOs must tread carefully in the cloud and not take wild plunges into unknown territory.

As with any business decision (information technology should be considered a business decision, not a technology decision), carefully evaluate and uncover any risks of the alternatives before committing. Holstein points out that in many cases a Cloud vendor may handle risks better than your in-house resources, but it is imperative that you confirm the risks are handled. He identifies security, privacy, and availability as key risks, so investigate a Cloud vendor’s approach to encryption, failover to a remote location, and backup before committing.

But smart CEOs are using it to strip out costs and give their businesses a competitive shot in the arm—and conducting tough analyses to make sure it delivers on its promise.

Excellent advice. Remember that everything Holstein discusses applies to selecting an on-premises solution as much as it applies to a Cloud solution. Dive in and understand the benefits and risks of each approach before making your decision.


Reliability of Cloud vs On-Premises Software

Lauren Carlson at Software Advice makes the point that the cloud reliability problems we have seen lately should not be considered in isolation. That is a very helpful point. She holds up the service level agreement as guarantor of cloud reliability, along with a quoted observation that cloud vendors have the latest technology while on-premises deployments do not. Does her comparison hold water?

In her analysis, Lauren relies on a 2008 survey of email uptime comparing Gmail to Lotus and Exchange, where Gmail compares favorably. In this study, Gmail users experience less unscheduled downtime and no scheduled downtime, for about an hour more uptime per month. No explanation is provided, but assume the Gmail service makes better use of hot-site backup for scheduled/unscheduled maintenance than on-premises operations, and the results back the idea of cloud vendors using better technology than in-house data centers on average.

Uptime is not the full story of reliability. Lauren does note that the recent Google Blogger downtime event spanned 20 hours, but fails to note deeper problems beyond downtime in the Blogger event. Many Blogger users lost their blog content for several days, received poor support from Google during the outage, and permanently lost the blog comments — blogs are about conversations between the author and reader and the Blogger outage erased these. Data loss is a serious reliability problem, and one not captured by a focus on uptime/downtime.

More troubling was the cause of Google’s Blogger outage — it occurred because of a scheduled upgrade affecting all Blogger users. In effect Google’s use of the latest and greatest technology caused the downtime. Data Center Management 101 suggests testing all upgrades and holding a full backup in case of problems — Google failed to use good Data Center practices at the expense of every single Blogger user. The service level agreement was/is useless in such a circumstance.

Reliability has many factors. Uptime, data security / protection / restoration, customer service quality, new technology, and data center management practices are factors highlighted in one event. It may be that a service level agreement focuses attention on uptime over other factors, but that is no guarantee of reliability on the whole. How the user / customer and vendor work together to ensure reliability is what is important, not whether they choose to do so on-premises or in the cloud.


The Slippery Slope of Software Services (Part 2)

Don’t buy software from services-driven vendors

In Part 1, we looked at how to keep services from exploding out of control and blasting your project budget. In Part 2, we look at why a software vendor who depends too much on services is a bad choice.

Software vendors have viewed traditional revenue sources through three lenses:

  • Initial license fees

    The ‘up front’ costs of acquiring the right to use the software. These fees are frequently viewed as an offset to sales and marketing (customer acquisition) costs.

  • Recurring license fees

    These are typically maintenance fees paid periodically to gain access to fixes, upgrades, hot line services, and the like. These fees support research and development, customer support, and administration functions.

  • Services fees

    These are the fees paid for consulting and training services provided by the vendor, and are typically billed by man-hour.

The Software-as-a-Service (SaaS) or cloud models have changed the perspective only a bit – SaaS revenue models have essentially zero Initial License fees, and charge higher recurring fees for the right to use the software.

In each case, software vendors seeking revenue growth will frequently look to the services group. Services revenues can quickly dwarf initial license fees – for many years, the services revenue associated with ERP implementation projects was more than 4X the initial license fees. More recently, implementations of big ERP systems have been cut back to a little more than 1X initial license fees due to improved experience and customer push-back. Unfortunately, I’ve heard some healthcare enterprise implementations driving services revenue at 7X initial license fees or more. Even SaaS companies frequently look to services fees for revenue growth.

So what’s wrong with driving lots of services revenue? After all, IBM used growth in Global Services to meet ever higher revenue targets for much of the last decade or so. And if you look at the hourly rates typically charged for services, they must make money, right?

The problem

A services business makes money based on two key metrics: rates and utilization. The higher they can keep their rates, the more money they’ll make. But utilization is the tougher metric to manage. Consultants cost the same whether they are billing or not. And vendors can’t just fire consultants during lean times and hire them back during growth years – consultants take time to educate and gain experience. But having them ‘on the bench’ is a sure way to kill profitability.

There’s a slippery slope here. Vendors will staff up services to meet peak demand in order to grow revenue. They’ll avoid quick-hit high-value projects that can help you achieve a high ROI in favor of long-term engagements that improve utilization. Then, when demand is down, they’ll have consultants spending a long time ‘on the bench.’ Then the vendor will try to sell services – probably services you don’t need – to avoid under-utilization. While management’s attention is on resolving the services problem, the software suffers.

As a buyer, you may have been tempted to look for a vendor that has lots of consultants available for your project. Or, after reading this, you may be tempted to look for a vendor that has lots of consultants that are heavily utilized. Don’t give in to either temptation. Both are examples of vendors that have started down the slippery slope of services dependency. You’d be better off selecting a software solution that minimizes (or eliminates) the consulting services you need.
