I read a piece at CloudAve that stunned me to the point where I had to read it several times, rub my eyes, swig a cup of tea and then lie down. This is what CloudAve is saying:
The other day Duane Jackson from KashFlow pinged me and explained that user permissions is a feature that KashFlow is quite light weight – at the moment one can have multiple users logged in but their access is “all or nothing”. He explained that it’s a huge amount of work to set up and outside of their current focus (and, one assumes, sufficiently enough of an edge case as to not be seen as core functionality). He did tell me however that a third party had created an application that leveraged the openness and breadth of the KashFlow API to provide user permissions as an add-on.
For £2 per user per month businesses can sign up to KashGuard and set granular permission for different users – allowing, for example, an accounts clerk to create invoices but not create customers. The granularity of permission options is detailed in the image below;
In other words – Kashflow has no security once you get past the login front door and has exposed the ability to refine that to a third party. They’ve created a security hole that renders their existing security model useless. I’ll get to what it means in a moment.
I called up FOUR developer organizations involved with saas just to check that what I thought was correct. Two laughed out loud, one said ‘weird’ another said ‘bizarre’ and one said: ‘Wow, this is freaking insane.’
I called up Duane and asked him point blank: “Have you gone out of your f*@$ing mind? You’ve effectively handed over the keys to the kingdom to someone your users have to assume is trusted and then pay for the pleasure. That’s nuts.” Over the course of the next hour, I tried to explain the importance of this issue but Duane would only say that while he understood my point, he wasn’t seeing enough people asking for this level of security to make it commercially viable given restricted resources and that in any event, he is only appealing to mom and pop shops. The ‘not asked for it’ piece is the worst excuse anyone could mention. It’s up to developers to imagine what will be required and offer to the market but some things – like security – are not optional, they’re essential. It gets worse. Again from CloudAve:
Simon Swords, manager of Atlas Computer Systems who created KashGuard is looking at this application as the beginning of a series of add-on applications for KashFlow, ones which can leverage KashFlow’s existing customer base, offer them useful features, and dribble in some revenue in the process.
Paraphrased: Atlas owns Kashflow’s ass. And it doesn’t stop there. According to Duane, two people can edit the same record simultaneously. There is NO record locking so who knows which is the right record at any point in time?
Here are a few scenarios:
- I am your accountant, you use Kashflow. I have full access to your stuff as I need to make adjustments. What if I want a clerk to manage the checking process? Would I necessarily want them to be able to change things? I now need KashGuard but why would I pay for it? What happens when staff leave?
- I am a Kashflow customer. I am also a KashGuard customer. KashGuard develops something but there’s a problem. To whom do I point the finger?
- As above but now I am also an intern. I have access to invoices. What’s to prevent me from changing bank details, issuing genuine invoices and then changing those details back the following day? Who would notice?
- I have a sniffer application – how easy will it be for me to break the API and effectively get between Kashflow and KashGuard and so gain control of the application at the detailed level? The suggestion is that if security is already weak, then the API is unlikely to be much better.
There is a reason why CODA developed against the Force.com platform. Salesforce.com handles security as part of the infrastructure. As a developer, I must maintain my application in compliance with Salesforce.com security code and policies. When we were developing ESME last year, one of the key attractions of doing so against the SAP environment was because we could leverage the SAP NetWeaver security model. It was a highly welcomed feature and meant that we could confidently say that communications within ESME shared SAP’s security. That allows customers to seamlessly control who has access to what – vitally important in a business environment. According to David Terrar, “Twinfield has 12 levels of security and even that’s not enough for some customers.” I know of a free application that has four levels of security in case it is able to monetize. I’ve never heard of a business app developer effectively outsourcing security. It doesn’t make sense.
I pointed out to Duane that he is limiting his market because larger firms that might otherwise wish to recommend Kashflow will find that the current method of having two parties involved is unacceptable. It also means that Kashflow customers cannot reasonably extend access to customers and business partners without KashGuard because without it, anyone has access to everything. Granting customer access for say: account detail checking would be a valuable service but if I see everything once I am past the front door then who knows what might happen?
While there is nothing to stop Kashflow from building its own version of KashGuard, that will almost certainly require significant engineering effort. The best scenario would be if Kashflow acquired KashGuard and then embedded it within the existing security model, tweaking it so that Kashflow absolutely controls security. Right now however, Kashflow has a problem on its hands – a major one because KashGuard owns the detailed securuty model. CloudAve doesn’t see it that way:
As I mentioned earlier – being this tied to one particular application is a little risky but given the size of the market for SaaS accounting applications, it makes more sense for vendors like KashFlow to broaden their customer base rather than trying to cannibalize their ecosystem partners.
I think that in this one announcement, Kashflow doesn’t have to cannibalize the ecosystem. It’s just put a bullet through its brain.