Coupa’s VP Service Delivery, Ravi Thakur throws his hat into the opinion ring regarding security in the cloud

Posted on June 11, 2011


This week’s series on cloud computing has been one of the most interesting and one of the, if not the most popular series of posts since the Procurement Insights blog was launched in May 2007.

Besides your tremendous interest faithful readers, the feedback from industry experts as well as those from the vendor community has been insightful and to a certain extent surprising.  One of the great things about these types of series is that it actually gets those within the industry to expand beyond the common discussion themes such as spend management and SaaS models etc. to really tell us what they think about the space in which they have chosen to earn a living.

Cloud Security

This afternoon for example, I am happy to share with you the views of Coupa’s Ravi Thakur on the issue of security in the cloud, especially as it relates to protecting critical data from prying eyes including the US Government’s.

Concerns about security are real, but manageable. Not all cloud applications are created equal, so buyers need to treat each situation differently. While Coupa may not be storing social security numbers, we are storing customers’ spending data, which can be an indicator of company performance. So clearly, security is of critical importance to us and a top priority for our operations team. Our cloud hosting provider is Amazon, which is a true pioneer in cloud computing and has excellent security controls. In addition, Amazon has strong operational controls, including SAS 70 Type II and other independent audits. In addition, Coupa takes specific measures to ensure the security of our customers’ data. Those measures include robust monitoring, additional firewalls to prevent unauthorized access to our servers, and external security penetration tests. From an application development perspective, we are careful to adhere to development and web design best practices so we do not do anything that could introduce security risks. For example, you will not find cross-site scripting or SQL injection in our software because those techniques are known to pose security risks. We have also supplemented Amazon’s audits with our own SAS 70 Type II audits on our business operations for the past three years.
One mistake that too many SaaS companies make is to avoid the IT department. We do the opposite, and work very hard to make sure that the IT organization is supportive of the business unit’s desire to subscribe to Coupa. We sell to some of the largest companies on the planet, and often go through stringent security audits to prove their data is safe. We’ve passed security audits with firms as varied as one of the world’s largest fast food franchises, to publicly traded SaaS companies, to one of the most prominent technology brands in the world. Bottom line – security concerns in the cloud are real, but every bit as manageable as concerns a buyer might have about traditional on-premise software. Don’t take vendors at their word. Check references. Perform your own security audits. Just don’t be surprised when they pass with flying colors. 

Ravi also shared the following video:

Based on the popular response to our cloud series look for additional posts over the next week including further industry feedback on what is without a doubt, the new frontier for enterprise solutions.