Data Security – Europe vs USA

Thursday, 5 May 2011

My friends and colleagues will tell you that I can get really boring about the different cultural and ethical stances that Europe and the USA take on data protection – a free-for-all in the USA, regulated (or not) by market forces; and a heavily regulated legal environment in Europe. For once, both regions’ legal system reflect the mood of the people. In the USA people seem happy (or are just resigned to the fact) that their personal data will be collected, bought and sold by unscrupulous web sites. In Europe, people expect their data to be held in confidence and abusing that trust can be a criminal offence. At Really Simple Systems we occasionally get calls from US customers asking us if we will sell the data that they enter into their CRM system. We don’t say we don’t do this on our site because – well, it is simply unimaginable that we would. Over here, anyway.

But last week I came across another twist in the data protection saga. We had a customer checking that their data was not stored in the US, not because of data compliance issues (they were not in the EC) but because their own customers would be unhappy if their personal (and financial) details would be stored in the US. Every since the USA passed the Patriot Act any government agency can demand to see any data stored on a computer in the US, or any computer anywhere in the world owned by a US organisation, and they can demand this without the inconvenience of a court order.

It is a well known fact that any law intended to be used for one purpose ends up being used for many other purposes not intended when the law was passed. The UK’s Anti-Terrorist laws being one example, having been (ab)used to eject hecklers from political conferences (the Labour Party) and threaten friendly countries (Iceland) who might not compensate UK savers in their failed banks.

So it is with the Patriot Act, and the concern of this customer’s customers was that agencies like the IRS might use such data to try and extend their tax reach beyond the shores of the USA.

If you think they are paranoid, coincidentally ZDNet posted a blog on the same theme this very day.


SaaS Escrows – useful or pointless?

Friday, 26 November 2010

I keep getting called by traditional software escrow companies who are looking to move into providing such a service for vendors and customers of SaaS products. However, despite the glossy brochures I just don’t see how it can work.

With a traditional software escrow a trusted third party, such as lawyer or specialist escrow like the NCC, would hold a copy of the source code in trust for subscribing customers. If the escrow was triggered, by the vendor going out of business or even simply ceasing to support the product, the  customers could apply to the escrow company to release them the source code. All this made sense when the software product cost 100k or more, the escrow subscription cost the customer a few hundred and the customer had a large in-house team of programmers who could, in theory, maintain the inherited code. In practice I can’t think of a single example where an escrow was triggered, and I pity the poor programmer who would have had two million lines of COBOL dumped on him or her and told to update the system for a new tax rate.

But for SaaS the story is more complex. SaaS customers purchase a service, not a product, and what they would ideally like to know is that should the SaaS vendor go out of business then their application will keep running. To deliver the service you need the whole hardware & software stack: servers, firewalls, load balancers, operating system(s), web server, backend databases, plus a whole pile of add-ins for charting, pdf generation etc. And of  an up-to-date copy of the data, ideally sync’ed in real time. To make sure that all this would work in the event of an escrow being triggered the whole stack would have to built and tested, otherwise the chances of it working on the day are minimal. And, just to make life more interesting, whereas traditional software worked on a six month or yearly release cycle, SaaS systems get updated much more frequently, almost every day in our case. So what you end up with is a replicated datacentre that has to be tested every week to make sure that it still works. Which is basically what we at Really Simple Systems do, keeping a complete system on hot standby for instant switchover.

Doing all this is a lot more work than keeping a CD in a safe, and that cost would have to borne by either the SaaS vendor or their customers. As most customers are paying very little for their SaaS solution (because that’s the point!), paying the same again for an escrow protection doesn’t seem great value. And as customers aren’t clamouring for such a protection, it is hard to see why SaaS vendors would stump up a lot of money for something that their customers’ don’t see the value in.

A better solution is for SaaS vendors to put in their contracts that should their businesses fail, then the data legally belongs to the customer. After all, it is the data that is the most important asset in most systems – once you have the CRM data, then moving into another CRM system is not such a large task and could be done within a few days, even for the largest systems.

Which (he said smugly) is exactly what we do here at Really Simple Systems.

SaaS Attitudes Survey

Friday, 6 February 2009

Yesterday Really Simple Systems published the results of its attitudes survey on SaaS applications, and the results make interesting reading. Firstly, it’s nice to see that most people (60%) are confident in using a hosted CRM application. Readers of this blog may think there is nothing new in that, but there is a often huge disconnect between what we in the IT industry accept as a given, and what the man in the street actually believes.

What also came out of the survey though, and took me by surprise, was how uncomfortable people were with hosted Accounts, Payroll and HR applications. Only 35% were confident with the idea of Accounting/ERP solutions, and only 42% with hosted Payroll. Is this because they have more concerns about data security/availability, or because hosted CRM vendors have achieved greater visibility than have other SaaS application vendors?

It is not because accountants are more conservative than sales people, we asked the same people their opinions on both, and most of the people surveyed were CEOs, senior commercial managers and IT people, not accountants. If I had a choice between losing my accounting system for a day, or the CRM system, I’d opt for losing accounting – without CRM we’d have a lot of people twiddling their thumbs and no sales activity, and that would be more painful that no accounting activity. We can always catch up with that later if needed, while customers and prospects won’t wait. And as for confidentiality, losing the sales pipeline could do us more damage than somebody seeing our accounts, which (in the UK) are semi-public anyway.

Perhaps in another year when the likes of Kashflow and Aqilla have blazed the trail, people will be as comfortable with hosted ERP as with CRM.

Fog Computing

Sunday, 1 February 2009

I was interested in reading the controversy this week about Oracle offering their customers the ability to run their CRM On Demand product on their own servers (see Eric Krangle’s article in Silicon Valley Insider, and also Phil Wainewright’s blog). The comments have ranged across challenging Oracle’s claim that their product is really SaaS (if the product is installed on your own box, what’s the difference between this and conventional in-house software apart from the pricing model?), insinuating that one of Oracle’s motivations is so that that the press will never notice any downtime (if one customer’s server crashes for a day only one customer is affected, whereas if a large shared platform goes down for an hour everybody screams and the press pick it up), and picking up on Europe’s stricter data protection laws (legally, if you want to store the personal details of European citizens outside of the EU you need each and every one of them’s individual permission, not that many people seem to know or care about this).

As Cloud Computing becomes the must-have technology for this and the next decade we’ll see lots of more traditional vendors claiming that their offering is Software-as-a-Service, all with their own definition of what Cloud Computing is about: pure play vendors with browser based applications and no (or minimal) local software, shared tenancy and monthly pricing (, NetSuite, Kashflow, Really Simple Systems); browser based software offered on in-house or single servers (Oracle); local software and the data in-house or hosted (Microsoft); traditional software running on in-house servers but accessed through the like of Remote Desktop Connection. Only when the fog around Cloud Computing clears and customers work out what they want and at and what price will the terminology and offerings stabilise.