Thanks, all, for your submissions thus far: it's good to know that 1) we have similar tastes to y'all, and 2) there are others out there for whom some of the "big names" don't do it all.

We have, in fact, auditioned (to varying degrees) SugarCRM, tinyERP, Basecamp, and dotproject, along with Project Open, OpenXChange, Scalix, Zimbra, and a host of others. To date, only Sugar and Project Open[1] remain in the running. (Zach is less weirded-out than I am at the fact that Project Open runs atop OpenACS[2] rather than LAMP.) I hadn't considered Salesforce.com, but it sounds interesting, and investigation might at least help us develop some more requirements we don't yet realize we have.

Bradley Holt wrote:

| Obviously the biggest problem is trusting them with your data. My
| opinion is that it's their job to keep your data secure and if they
| don't do their job, they're taking on a huge risk of losing customers
| - there's market pressure to keep your data safe and secure.
| [snip]
| I find it interesting that FOSS advocates tend to cringe at the idea
| of Software as a Service. What is it that people find offensive about
| the concept - that your data is stored by someone else, that it's a
| proprietary platform (what if standard protocols are used?), or is it
| something else?

I can't speak for all FOSS-types, of course, but I can tell you this: for me, it's not "software-as-a-service" that's worrisome, it's the "storage-as-a-service" model, as you've observed. While I agree that there's some market pressure to maintain data security (albeit not as much as there might be), the fact remains that very little in the realm of heartfelt apologies and financial remuneration can make up for the very fact of a security compromise. (Read: all the market pressure in the world can't make a breach "unhappen" once it's happened.) So what if the SAS provider's clients all leave them for greener pastures after someone's breached their defenses?
My stuff (and more to the point, my client's stuff) is still "out there".

At the risk of sounding the bitter curmudgeon, I'll trot out what really is just one recent such occurrence. Please note that I'm not trying to sow the seeds of FUD, and forgive the long-winded story: I promise there's a point. ;-)

Our payroll company (big national brand; you've certainly heard of them, even if they're not the ones cutting your paycheck this week) literally mailed a few pages of our year-end payroll summaries to another of their clients. These pages contained all our employees' SSNs. (My own included.) To their credit, Big National Payroll Corp® (BNPC, for short) immediately sprang into damage-control mode, granting us each a year of free credit reports (at whatever frequency we wish, IIRC) and securing a commitment from the unwitting recipient to forget that he ever saw them. (BNPC tells me that the recipient was the person who brought the error to light, primarily out of concern that I might be staring at all of HIS employees' SSNs.)

If I can read people at all, though, all of BNPC's efforts to restore goodwill only succeeded in reducing our staff's reactions to the point of "nonplussed". I'm not sure we've seen a return to "trusting those people who have access to our personal financial data" yet. Did I mention that BNPC drafts funds directly from one of our corporate bank accounts? Where have they sent the printouts of THAT information?

We could dump BNPC, of course. (There's your market pressure.) Knowing what I know of IT and breaches of corporate confidence, I'm sure they'll recover and they'll Improve Their Processes and Do Things Even Better Than Before. (Truth be told, they were very good before. This was an honest slip.) I doubt another such company would be any better, or even different, in this respect.
But the fact remains: somebody who has no business knowing a vital piece of my private data has had unsupervised access to it, and now I have to run credit reports more often than usual to ensure that they're not using that information to perpetrate fraud. And: who's to say that frequent credit checks will detect everything that someone could possibly do in my name? Who's to say they'll unleash their nefarious misdeeds this calendar year, while I have access to free, frequent reports?

Back to the point: I understand the lure of SAS as a model: ease of deployment, reduction in the costs of administration; the whole nine yards. It certainly has its place. But, as the custodian of private information about our customers' systems, networks, and operations, I have a hard time outsourcing the security of that data entirely*. Especially since, from the client's point of view, we're 100% accountable for such security. The other consultants out there are sharing a communal groan because of clients' near-universal ability to forget the 40% or so of the responsibility for security that rests with them; "security" is a social contract, but that's another discussion. ;-)

* (Yes, it'd go a long way if the service allowed the data to be encrypted prior to storage. If Salesforce.com is doing so using standards-based ciphers and methods, that's totally awesome and it deserves a look.)

Anyway, we could talk about the traditionally-security-conscious client base (financial institutions, school systems, etc.), sure, but they all have some manner of assurance against fallout from the disclosure of private data (mostly in the form of insurance policies and/or accountability to elected officials). In these cases, there's always a preordained scapegoat, and that person (or pool of underwriters) is compensated accordingly. The stick by which I measure security regimens, however, has for a long time been the domestic-violence-focused nonprofits with whom we've worked.
These are people with something real to lose (the personal safety of their own clients or staff), for whom there are scant few laws defining standards for information security (maybe none, depending upon jurisdiction), and for whom no amount of heartfelt apology or financial remuneration will adequately compensate for a truly catastrophic disclosure of certain private data. That sets a certain tone for us at ClearBearing, and we've found over time that it's just easier to architect our systems to that standard and apply it across the board. It's for this reason, primarily, that the idea of "someone else has our data" rings with all the resonance of a cardboard bell.

And you all thought I just ENJOY being paranoid. ;-)

Cheers,

- -sth

[1] http://www.project-open.com
[2] http://openacs.org

sam hooker|[EMAIL PROTECTED]|http://www.noiseplant.com
Yes, my television runs Linux, too. Yes, really. http://mythtv.org
