What’s the matter with people? It seems that every time there is some sort of discussion around SaaS accounting, some clown has to bring up security. This has been going on for several years and it is time to put this issue to bed. First, a wee history lesson:
SaaS accounting has been around about 10 years. NetSuite is the grand-daddy, from the days when it was called NetLedger. In all those years I do not know of a single recorded case of catastrophic data loss. Going back further in time, ADP has been running outsourced payroll globally for 30+ years. Successfully. What is more sensitive than payroll data?
Contrast that with utterly failed projects in the on-premise world. Again, from memory, I can recall SAP projects going pear-shaped as far back as 1996. They are still happening. My colleague Mike Krigsman has a continuing blog on this topic. As far as I can tell he has a job for as long as on-premise exists.
To the specific point about security: we’ve had online banking for years. We have numerous other online services such as Gmail. Does anyone think twice about using those? Maybe some, but speaking from personal experience, I do not recall a single occasion where my data has gone missing, gone pear-shaped or been compromised. Do not confuse this with people who are duped into handing over their bank details, only to find their account has been hacked. That is a different issue. Do not confuse this with having your data mined. That’s another issue. I’m talking about the service I get from these providers. So what’s different about SaaS?
SaaS accounting HAS to be secure. Why? Almost all services currently on offer are on a pay-as-you-go basis. If the provider screws up then they’re dead in the water. Why would a provider be stupid enough NOT to build enterprise-grade (and better) security into their platform?
Now – does that mean all SaaS providers are equal? No. There are plenty of ways to compromise a system, and some providers take the issue more seriously than others. As always, anyone considering entrusting their data to a SaaS provider MUST conduct sensible due diligence across multiple dimensions. It’s not enough, for example, for the provider to say they are SAS 70 Type II compliant. You MUST check for yourself what this means, who audited it and what those audit reports have to say. My colleague David Dobrin talks about this, albeit in a broader context.
Do not confuse security with uptime. This is a frequent source of confusion. Availability of service and security are NOT the same thing. All SaaS providers have unplanned downtime. Even so, if they’re doing their job, your data should be secure and should not be compromised.
Workbooks provides a technical checklist of the things it does to secure your data. It’s a good starting point and well worth reading. At a more basic level, check that your provider has a web page devoted to the topic. It is often dull but essential reading. If your provider doesn’t offer this then ask why.
For those who want more information on this topic, the realities, myths and legends, please feel free to contact me. But remember, if you’re flying solo without advice – caveat emptor.