June 8th, 2009 by Duane Jackson
We offer a free trial of our online accounting software, and we tend to follow up with those who don’t go on to become paying subscribers to find out why they chose not to.
Typically we’re told that they love the software, it’s by far the easiest to use and easiest to understand application they’ve ever tried for managing their accounts for their small company or sole-trader business. But they just don’t like the idea of their data being held on the web.
There’s a perception, especially amongst non-technical users, that data held on their PC or Mac is more secure than it would be on our servers.
So let’s look at this for a moment:
Home/Office PC: Free copy of Zonealarm (software firewall) – probably not updated very often.
SaaS solution: Incredibly expensive hardware firewall with sophisticated intrusion prevention. Most SaaS providers, ourselves included, have to be what is called PCI compliant and are scanned regularly by a third party to check for security weaknesses.
Home/Office PC: No monitoring. Sometimes there might be a software product to alert you to attempted attacks – but this is of no use if you leave the computer on and connected to the internet whilst no one is using it.
SaaS solution: Monitored 24/7 by security specialists at the data center.
Home/Office PC: High risk. The computer is often in use, is used to visit websites and has other software installed.
SaaS solution: Virtually non-existent. The computer is only used to serve the application.
Home/Office PC: Backups may be taken once a month if at all. And that’s only if you remember to do them (honestly, when did you last backup your data?)
SaaS solution: We have real time live synchronisation to a remote location, so if London (where our main data center is) disappeared overnight, we’d be back up and running with zero data loss very quickly. We also take regular “snapshot” backups throughout the day.
Home/Office PC: Your computer is often located under the desk or in the spare room at home. Physical security is usually limited to a burglar alarm (which keeps going off accidentally, so now gets ignored by all).
SaaS solution: SaaS companies use secure data centers. Appointments are needed to visit hardware. Often biometric scans and photo identification are used to gain access.
Home/Office PC: Smoke alarm under the stairs (no battery)
SaaS solution: Sophisticated ‘dry’ fire suppression system, ensuring no damage to hardware
So a SaaS solution is by far more secure than your home/office system. Logically it’s very easy to prove this. Often though, when faced with the above arguments, people say it “just doesn’t feel right” and talk about “gut feelings”. As a programmer by trade I find it really hard to change someone’s mind when their opinion is based on emotions. So when someone says they’re just “not comfortable” with their data being online, we don’t try to change their minds (we don’t know how!)
Thankfully though, these objections are becoming less frequent. We hear it significantly less often than we did a couple of years back, or even 6 months ago. But I think this is by far the biggest hurdle SaaS companies have to overcome when selling.
Tags: SaaS, Security
Posted in Cloud Computing / SaaS, Technology | 7 Comments »
January 21st, 2009 by Duane Jackson
Seeing as my wife is spending most of the evening on Facebook complaining about being kicked from the inside by our unborn second daughter, I thought I’d spend the evening online poking around Sage’s new online offering, Sage Live. I’ve already had a play with the functionality and reported my thoughts on that. This time I was interested in the technology and security side of things.
A couple of years ago selling web-based software to SMEs was hard. Everyone was concerned about security. Over the years, it’s been accepted that us SaaS providers seem to know what we’re doing. We’ve built up a lot of trust.
Sage seems to be aware that security is important. They have a few pages about security that all say the right things. But in reality they fail on the most basic security measures. There’s no point in sticking your servers with Rackspace and shouting about how great the security is if the end-user’s password isn’t protected. After all, that’s all that is needed to get into a Sage Live account.
Defaults to “Remember me”
The default option on the Sage Live homepage is for it to remember your username and password. You can untick it if you like, but you’ll have to remember to untick it every time you log in. Otherwise, all someone needs to do is fire up your computer, put in the URL and click the Login button. Your password is already there!
Password shown in clear text
I really had to struggle to stop myself adding 3 exclamation marks to that sub-heading. Almost unbelievably, they show your password on-screen when you log in, in plain text.
It’s sent to their central “passport” service using a GET rather than a POST, so your password is actually in the requested URL, which is displayed in the status bar. See the circled red area in my screen grab below. (click to enlarge)
Make sure no one is looking at your screen when you log in.
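The two defects described above, a login form that submits the credentials with GET and a “remember me” box that is ticked by default, as an added Python example that is not part of the original post and is not Sage Live’s code. The form HTML, the passport.example.invalid host, the field names and the access-log lines are all constructed for illustration. The example audits a login page for both defects, shows where the credentials end up for a GET submission versus a POST one, and scans web-server log lines for credential parameters sitting in request URLs, which is the trace a leaking form leaves behind in status bars, browser history, proxy logs and server logs.

```python
"""Added example (not the post author's or Sage's code): why a login form
that submits with GET leaks the password, and how to spot both defects
(GET submission, pre-ticked 'remember me') in a login page and in logs."""
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, parse_qs
import re

# Constructed login page modelled on the defects described in the post.
# The action host and field names are assumptions, not Sage Live's own.
WEAK_LOGIN_HTML = """
<form action="https://passport.example.invalid/login" method="get">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="checkbox" name="remember" checked> Remember me
  <input type="submit" value="Login">
</form>
"""

# The same form with both defects corrected: POST submission, box unticked.
FIXED_LOGIN_HTML = """
<form action="https://passport.example.invalid/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
  <input type="checkbox" name="remember"> Remember me
  <input type="submit" value="Login">
</form>
"""


class LoginFormAudit(HTMLParser):
    """Collects the form method, action and the default state of checkboxes."""

    def __init__(self):
        super().__init__()
        self.method = "get"  # the HTML default when method is absent
        self.action = ""
        self.has_password_field = False
        self.prechecked = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes such as 'checked' map to None
        if tag == "form":
            self.method = (a.get("method") or "get").lower()
            self.action = a.get("action") or ""
        elif tag == "input":
            kind = (a.get("type") or "").lower()
            if kind == "password":
                self.has_password_field = True
            if kind == "checkbox" and "checked" in a:
                self.prechecked.append(a.get("name") or "")


def audit_login_form(html):
    """Return a list of findings for a login page; an empty list means clean."""
    p = LoginFormAudit()
    p.feed(html)
    findings = []
    if p.has_password_field and p.method != "post":
        findings.append("password submitted with GET: credentials land in the URL")
    for name in p.prechecked:
        if "remember" in name.lower():
            findings.append(f"'{name}' is ticked by default: credentials persist on shared machines")
    return findings


def submit_url(html, username, password):
    """Simulate what the browser sends. For GET the credentials are appended
    to the action URL (status bar, history, proxy and server logs); for POST
    they travel in the request body and the URL stays clean."""
    p = LoginFormAudit()
    p.feed(html)
    params = urlencode({"username": username, "password": password})
    if p.method == "get":
        return p.action + "?" + params, None
    return p.action, params


# Constructed combined-format access-log lines; addresses and values are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jan/2009:21:04:11 +0000] "GET /login?username=alice&password=Winter2009 HTTP/1.1" 302 0
10.0.0.6 - - [21/Jan/2009:21:05:02 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.7 - - [21/Jan/2009:21:06:40 +0000] "GET /reports?year=2008 HTTP/1.1" 200 8123
"""
CRED_PARAMS = {"password", "passwd", "pwd", "pass"}
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def find_credentials_in_log(log_text):
    """Return (line number, parameter names) for requests whose query string
    carries a credential field: evidence that a form is leaking passwords."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("target")).query)
        leaked = sorted(k for k in qs if k.lower() in CRED_PARAMS)
        if leaked:
            hits.append((n, leaked))
    return hits


if __name__ == "__main__":
    print(audit_login_form(WEAK_LOGIN_HTML))
    print(audit_login_form(FIXED_LOGIN_HTML))
    print(submit_url(WEAK_LOGIN_HTML, "alice", "s3cret"))
    print(find_credentials_in_log(SAMPLE_LOG))
```

Running the block prints two findings for the weak form and none for the fixed one, a URL with the password in its query string for the GET submission, and a single hit on line 1 of the sample log. The log scan is the useful operational check: even without seeing the form, a password parameter appearing in access logs proves that credentials are travelling in URLs and being written to disk on every hop.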
Obsolete technology
A little bit of poking around on the web site indicates that the whole thing is powered by a product called BEA AquaLogic. BEA were acquired by Oracle in April last year and the BEA AquaLogic range of products have been discontinued. So before the product even made it into public beta, the underlying technology was obsolete. This is why the pure-play SaaS companies develop their own stuff from the ground up.
[Edit: Whoops, factual error. As pointed out by a reader below; the link above doesn't actually say that this product is being discontinued]
Waiting for the Feds!
I’m allowing myself the luxury of an exclamation mark for this sub-heading. A little bit of prodding around the site and I found myself looking at these two pages (click to enlarge).
I know one of them says I only have read-only access. But these are undoubtedly pages that only authorised people should be seeing.
It’s at this point I realised that if I went any further then I could possibly fall foul of all sorts of laws about unauthorised access to remote computer systems. I started to worry that the FBI would be knocking on the door any minute (only half-joking – some of the Sage servers are in the US) and decided I’d better leave well alone.
The security blurb on their site says they have some sort of intrusion detection system that should have locked me out. I think someone might have forgotten to put the batteries in it.
Conclusion
Myself and the head honchos at other SaaS accounting firms have been waiting a while for Sage to make a play in the SaaS market. We were pleased when they did. Even the fact that their product was pants didn’t matter. By just getting involved in SaaS, Sage have added credibility to the whole concept.
Now I’m wondering if we’ve all been a bit short-sighted. A high-profile security cock-up could set us back years. By the looks of things, Sage are more likely to have a security problem than any of the proper SaaS players. That makes sense. Programming for the internet is a totally different thing to programming for the desktop. Whilst Sage undoubtedly have years of experience building robust desktop apps, how much experience do they have in building for the web?
UPDATE: Sage took Sage Live offline on 28th Jan ‘09 due to these security issues.
Tags: SaaS, Sage, SageLive, Security
Posted in Cloud Computing / SaaS, Technology, Uncategorized | 21 Comments »
