Anything-As-A-Service Paranoia

February 11, 2009

There is a lot of talk about how <insert letter(s) here>AAS, especially in BI, is going to dominate 2009, mainly due to low startup costs and the hope of expert analysis of any organization’s complex business model by outsiders.

This is all well and good, but as a cynic and a slightly paranoid one at that, I can see certain risks that others with a more sunny disposition may not entertain.

I’m not alone though, and in good company at that. For example, Larry Ellison (“It’s insane”), Richard Stallman (“It’s worse than stupidity”), Bill McDermott (“It just won’t work”). Admittedly they have their own agendas, but they give good quote.

5 nines?

The top tier providers do have a pretty good record here, but there is still the odd outage or two, even for Google Apps and Salesforce.  I know that it is fairly rare for internal IT to be more reliable, but you can be more granular.  For example, if you have a critical campaign or similar event, then you can step up the level of investment in disaster recovery with more hardware/software/staffing etc for the critical event and then ramp down again.  In addition, some of these stats don’t take into account an internal IT’s PLANNED downtime, which when done correctly should have very minimal impact on the business.  With SaaS, you’re in the pool with everyone else, no special treatment, no DEFCON 1 SLA on demand.  Same as disaster recovery – no 80/20 option of just getting something up and running or a small amount of data to be going on with while the whole thing is fixed, it’s all or nothing.

And what happens if you do suffer problems with business continuity? In most cases you can get your money back for a specific period (or a portion of it).  Some of the stories I have heard regarding downtime have ended up with much larger business impact costs than a month of SaaS payments, that’s for sure.

Who can you trust?

I started drafting this post even before the Satyam business (Yes, I know that’s a long time ago, but I’ve been busy).  The answer is you can’t really trust anyone, but you just have to make an informed decision and live with the compromise.

If you are in the UK, then Sage would certainly be a name you could trust, but their recent security faux-pas with their Sage Live beta would likely make any consumers of a future service from them think twice. 

A third party can certainly lose your data.

This is not so much about losing the data forever, in some kind of data disaster, where it cannot be retrieved by backups, it’s losing it outside the realms of who should be allowed to see it.  This happens all the time, as shown by the British Government’s suppliers, unknown small outfits like PA Consulting, EDS, Atos Origin, etc etc.  I could go on and on, but you can read about countless others here.

This can lead to it falling into the hands of those you don’t want to have the data, but in a passive way.  As we know, august organizations like SAP have allegedly filched data in a less passive way as well.

Another very recent one where they did actually lose it completely was magnolia.com, not really a business critical service, but certainly affected those users that had invested their IP for up to 3 years.

Your data can be easily converted into cash. For someone else.

For data that has been lost or stolen, there is almost certainly a ready market for that data if it is in the hands of a less ethical organization.  Of course, it requires an unethical organization to purchase and use the data, but I don’t think they are in short supply either, especially if the data can severely hurt a competitor or dramatically help the business.  In these lean times, it may be the case that the moral high bar is lowered even more.

This may be the unethical company itself, or far more likely, some disgruntled employee that wants to make a quick buck.

New territory in the Sarbox / Gramm-Leach-Bliley world.

Data bureaux are nothing new, industry has been outsourcing data processing for years, but this has been mainly in administrative areas such as payroll, or transactional such as SWIFT.  This stuff is pretty tedious and not easy to get any kind of edge on your competitors with.

Salesforce.com are the SAAS darlings, but they have already had their data loss moment.  And that’s only the one that was public. One might say that the information held on Salesforce.com is not that critical, but it certainly might be very useful to your competitors.  However, you’re not likely to get hauled over the coals in the court of Sarbox for a competitor poaching your deals.

Once you start handing over key financial data to a third party, then the CEO and CFO are signing off on their deeds too, since you are responsible for the data, not the third party.

You probably need to think about buying insurance for this eventuality.

Another consideration is where in the world, within the nebulous cloud, your data is stored, as not all geographic locations are equal as regards privacy.

Under new management.

To use Salesforce as an example, they have Cognos as a customer. I don’t know if that’s still true, but let’s say it is.  Now, our old friends SAP decide to buy Salesforce.com.  Allegedly no strangers to a bit of data voyeurism, it would not be beyond the realm of the imagination (hypothetically, of course) that they may let the Business Objects folks (sorry, SAP Business Objects) take a sly peek.

On the more mundane side, should a more high quality vendor divest a SAAS business to a smaller, less blue-chip organization, you have a review and possible migration on your hands.  See the Satyam debacle for the sort of ructions switching an outsourcer creates, especially in the context of a disastrous event.

Who pays the integration costs?

The fly in the ointment in the nirvana of throwing the problem over the side and getting the low capital outlay, useful BI within weeks etc etc is the dirty old job of integration.  It’s generally one of the most painful aspects of the BI stack even working within the organization, but then dealing with the issues of feeding an external provider makes it even hairier. 

In the case of Salesforce or other outsourced data, it’s far less of a problem, since theoretically, the outsourcer can just easily suck that data using clean, documented APIs.  However, there are costs involved in moving the data to two sites, the usual operational use of the customer and the BI use of the outsourcer. That could be bandwidth or other charges for data exporting etc, or when the SAAS fraternity wake up and start creating a new license and premium for providing your data to external entities.  Kind of like the oil companies keeping the price of diesel high (in the UK anyway), so those folks trying to save money by buying a car with better economy end up paying roughly the same anyway.

So what’s the mood?

I observed a very interesting straw poll at the 2009 Gartner BI Conference in the Hague.  At a large session, Donald Feinberg of Gartner asked the audience how many were considering SaaS BI.  The show of hands was either non-existent or maybe just one.  The reason, trust.  I imagine the attendees at this type of conference are more at the larger end of the enterprise spectrum, so there may be more interest in the lower leagues.
