What’s the matter with people? It seems that every time there is some sort of discussion around SaaS accounting then some clown has to bring up security. This has been going on for several years and it is time to put this issue to bed. First a wee history lesson:
SaaS accounting has been around about 10 years. NetSuite is the grand-daddy in the days when it was called NetLedger. In all those years I do not know of a single recorded case of catastrophic data loss. Going back further in time, ADP has been running outsourced payroll globally for 30+ years. Successfully. What is more sensitive than payroll data?
Contrast that with utterly failed projects in the on-premise world. Again, from memory, I can recall SAP projects going pear shaped as far back as 1996. They are still happening. My colleague Mike Krigsman has a continuing blog on this topic. As far as I can tell he has a job for as long as on-premise exists.
To the specific point about security. We’ve had online banking for years. We have numerous other online services such as GMail. Does anyone think twice about using those? Maybe some but speaking from personal experience, I do not recall a single occasion where my data has gone missing, pear shaped or been compromised. Do not confuse this with people who are duped into providing details of their bank to only find their account has been hacked. That is a different issue. Do not confuse this with having your data mined. That’s another issue. I’m talking about the service I get from these providers. So what’s different about SaaS?
SaaS accounting HAS to be secure. Why? Almost all services currently on offer are on a pay as you go basis. If the provider screws up then they’re dead in the water. Why would a provider be stupid enough NOT to build enterprise grade (and better) security into their platform?
Now – does that mean all SaaS providers are equal? No. There are plenty of ways to compromise a system and some take the issue more seriously than others. As always, anyone considering entrusting their data to a SaaS provider MUST conduct sensible due diligence across multiple dimensions. It’s not enough for example for the provider to say they are SAS 70 Type II compliant. You MUST check for yourself what this means, who has audited it and what those audit reports have to say. My colleague David Dobrin talks about this albeit in a broader context.
Do not confuse security with uptime. This is a frequent source of confusion. Availability of service and security are NOT the same thing. All SaaS providers have unplanned downtime. Even so, if they’re doing their job, your data should be secure and should not be compromised.
Workbooks provides a technical checklist of the things it does to secure your data. It’s a good starting point and well worth the reading. At a more basic level, check to ensure your provider has a web page devoted to the topic. It is often dull but essential reading. If your provider doesn’t offer this facility then ask why.
For those that want more information on this topic, the realities, myths and legends then please feel free to contact me. But remember, if you’re flying solo without advice – caveat emptor.
Comments on this entry are closed.
Get into the conversation
I couldn’t agree more….
I’m sure Duane@Kashflow will point it out but nice to see you’ve come over to our side seeing previously it seemed you held another perspective –
http://accmanpro.com/2009/08/13/kashflows-security-nightmare/
So welcome back
I don’t understand what you mean about ‘coming over to our side.’ Whose side would that be? My position is entirely consistent with what I’ve said in the past. If you are referring to the API issue, I still hold that which I have previously discussed. It’s a matter for due diligence.
That’s really funny! Thanks for brightening my Sunday.
SAP BusinessByDesign – Looks like those SAP consultants will never be lost for work with the availability of SAP’s on-demand SaaS service!
With Netsuite consultants advertising “re-implementation” services, for reasons remarkably similar to the failure of on-premise software projects, it doesn’t look as if increased take-up of cloud services is going to do much to stop project disasters.
It may be more likely that people will be able to can a failing cloud project earlier, with lower cost and less embarrassment. But I wonder if people cut more corners with the cloud, and heighten the risk of failure.
Anyway, as to the relevance of failed SAP projects to loss of confidential data, can you run that past me again? Surely the latter is more about the quality of the cloud provider, as you mention later on?