Horrors of Password Management

June 14th, 2012

I’ve seen plenty of commentary on the LinkedIn password hacking, but from a SaaS provider’s view there are a few areas where the bar for improvement seems really low. It’s made me step back and think about what we need to ensure for our systems. Here’s the first and most obvious one:

Password Change

I went through and changed all my passwords – LinkedIn, Facebook, Google etc. Finding where to change your password on LinkedIn and Facebook was horrendous. The most important thing security-wise wasn’t easy to do. I had to walk a couple of people through how to find where to reset their LinkedIn password.

Suggestion #1: Maybe we should have some standard for one- or two-click access to change your password. It should be the simplest thing to do for the most naive user. Most sites have standardized on having your name at the top right of the page, and clicking it gets to some sort of account/profile info. How about always having the password change option at the top of that page on your first click.

It also seems crazy that we spend so much time and effort on educating corporate users on the need to manage passwords, force regular changes etc., and none of this exists in the consumer space. There’s no reinforcing message between corporate and consumer spaces. LinkedIn can be excused to some extent, but Facebook is a de facto identity provider for multiple sites and applications. You could set your password on Facebook and never change it again.

Suggestion #2: If we don’t want to force password changes, at least have some prominent message display periodically if you haven’t changed your password in the last 6 months or a year.

Suggestion #3: If we want to educate users, we could have them self-select their security level, i.e. get the user to agree to password changes with a specific frequency. For example: choose your security level, from Low (remind me to change my password once a year) to High (force me to change my password every 3 months). Even just asking the question forces a bit of reflection on the part of the user.
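As an added illustration of suggestions #2 and #3 (this is example code written for this page, not code from LinkedIn, Facebook or the author’s own systems), here is the login-time check a site could run: each user picks a security level, the level maps to a reminder interval and, for the high level, a forced-change interval, and the password’s age decides whether to show nothing, a prominent reminder, or a forced change. The Low and High intervals come from the suggestion above; the 60-day reminder point for High, the level names and the function names are assumptions.

```python
from datetime import date, timedelta

# Hypothetical policy table. Low: remind once a year, never force.
# High: force a change every 3 months, with a reminder from day 60 (assumed).
POLICY = {
    "low":  {"remind_after": timedelta(days=365), "force_after": None},
    "high": {"remind_after": timedelta(days=60),  "force_after": timedelta(days=90)},
}


def password_status(level, last_changed, today):
    """Return 'ok', 'remind' or 'force' for one user's password.

    level        -- the security level the user self-selected (a key of POLICY)
    last_changed -- ISO date string of the last change, or None if the password
                    has never been changed since the account was created
    today        -- ISO date string to evaluate against (a parameter so the
                    check is deterministic and testable)
    """
    policy = POLICY[level]
    if last_changed is None:
        # Never changed: treat as maximally stale under the chosen level.
        return "force" if policy["force_after"] is not None else "remind"
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    if policy["force_after"] is not None and age >= policy["force_after"]:
        return "force"
    if age >= policy["remind_after"]:
        return "remind"
    return "ok"


def login_message(level, last_changed, today):
    """Text to display prominently after login; empty when nothing is due."""
    status = password_status(level, last_changed, today)
    if status == "remind":
        if last_changed is None:
            return "You have never changed your password. Change it now?"
        days = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
        return f"You last changed your password {days} days ago. Change it now?"
    if status == "force":
        return ("Your password has expired under your chosen security level; "
                "please change it to continue.")
    return ""


if __name__ == "__main__":
    # Constructed accounts evaluated on the date of this post.
    for level, changed in [("low", "2011-01-01"), ("high", "2012-01-01"), ("low", None)]:
        print(level, changed, "->", password_status(level, changed, "2012-06-14"))
```

Keeping the evaluation date as a parameter rather than reading the clock inside the function is what makes the policy unit-testable; the same applies to any age-based access rule.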

Categories: Uncategorized Tags:

Multi-tenancy Architecture

April 9th, 2010

This is a good opinion piece on why multi-tenancy matters as an architecture choice for SaaS providers.

http://www.informationweek.com/cloud-computing/blog/archives/2010/02/why_multitenanc.html

From the customer perspective, it’s really a long-term investment issue. If you’re going to invest time and energy in effectively using a piece of SaaS software, you want to know that there’s going to be future functionality updates and competitive pricing that will keep pace with your business.

In some cases, this isn’t a concern – the selected SaaS solution might just be for the short term, though anyone in IT knows the big gap between how long something is expected to be in service, and how long you actually use it for. Remember those Y2K app issues?

So the theory is that if you have a true multi-tenant solution you can manage your operations and service more effectively. I think that’s true, but usually, it’s more about the people and processes than technology, so I’m sure there will be examples that prove us wrong either way.


Paying for Usage

February 17th, 2010

From a paying-for-what-you-use perspective, paying for use of a feature or per minute of usage is much more appropriate. A big technical barrier to this, though, is the connectionless nature of the web. Many users log into an application, then leave their browser idle for hours. What’s the usage here? If they load a survey page, then it’s submitted an hour later – can you reasonably claim there was an hour of usage? Did they spend an hour reading the questions, thereby “using” the system, or did they just go for a coffee break and come back? This varies from page to page, so it would be impractical to instrument.

This can be determined approximately by a combination of usage statistics, walkthroughs with users and user feedback. It would be interesting to know if there is a dollar figure per minute that purchasers consider appropriate for different types of software.
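One way to get the approximation the previous paragraph talks about, as an added example (not the author’s metering code): sessionize the request log per user and only credit the time between requests when the gap is shorter than an idle threshold, so an hour-long gap before a survey submission is treated as a coffee break rather than an hour of use. The log lines are constructed, and the 10-minute idle limit, the one-minute minimum credit for a lone page load and the function names are assumptions.

```python
from datetime import datetime

# Constructed sample access log: (user, request timestamp) for each page hit.
SAMPLE_LOG = [
    ("alice", "2010-02-17 09:00:00"),
    ("alice", "2010-02-17 09:04:00"),
    ("alice", "2010-02-17 09:06:00"),
    ("alice", "2010-02-17 10:06:00"),  # survey submitted an hour later
    ("alice", "2010-02-17 10:08:00"),
    ("bob",   "2010-02-17 14:00:00"),  # single page load, then nothing
]

IDLE_LIMIT_SECONDS = 10 * 60   # assumed: a longer gap means the user walked away
MIN_ACTIVE_SECONDS = 60        # assumed: credit a lone request with one minute


def active_seconds(log, idle_limit=IDLE_LIMIT_SECONDS, min_active=MIN_ACTIVE_SECONDS):
    """Return {user: credited active seconds} from (user, timestamp) pairs.

    Consecutive requests by the same user closer together than idle_limit are
    treated as continuous use. A longer gap ends the active period and the
    request after it starts a new one. Each period is credited at least
    min_active seconds so a single page load is not billed as zero.
    """
    per_user = {}
    for user, ts in log:
        per_user.setdefault(user, []).append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))

    credited = {}
    for user, times in per_user.items():
        times.sort()
        total = 0.0
        period_start = last = times[0]
        for t in times[1:]:
            if (t - last).total_seconds() > idle_limit:
                # Close the current period; the idle gap itself is not credited.
                total += max((last - period_start).total_seconds(), min_active)
                period_start = t
            last = t
        total += max((last - period_start).total_seconds(), min_active)
        credited[user] = int(total)
    return credited


def charge(seconds, rate_per_minute):
    """Bill at a per-minute rate, rounding up to the next whole minute."""
    minutes = -(-seconds // 60)
    return minutes * rate_per_minute


if __name__ == "__main__":
    for user, secs in active_seconds(SAMPLE_LOG).items():
        print(user, secs, "s", "->", charge(secs, 1.0), "at $1/min")
```

The idle limit is the knob the post says varies from page to page; a per-page-type threshold (long for a reading-heavy survey page, short for a dashboard) can be passed in as `idle_limit` without changing the algorithm.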

By my (very) rough guesstimate, a dollar a minute seems to be in the ballpark for general purpose employee applications. Tools such as Salesforce.com, hosted MS Project/Sharepoint and related apps are around $60/month/user, and users probably spend around an hour a month on them. For a 360 survey, there may be 10 raters spending 20 mins each, which is $200, which is in the ballpark for a high end 360 tool. For a performance management system, a user might spend 30 mins completing appraisals once each year, which would be a cost of about $30/seat/year, again in the ballpark for this type of system. Let me know if there’s any research on this.


SaaS Pricing Strategies

December 4th, 2009

Clear pricing models seem to be developing for infrastructure as a service, with price competition based on CPU usage, storage and data transfer. However, pricing models for software are more complex for a variety of reasons.

Software is not a utility service – the value of different software applications varies widely, based on the ROI of its use. For applications that are not focused on people-related processes there can be clear benefits – e.g. a new inventory management system may clearly reduce warehouse space requirements, and the software vendor can tout the financial benefits as an offset against the software cost.

For HR and people processes the picture is less clear. There is an ROI, and it should be measurable. But measurement, and linking process improvement to top-line revenue for an organization, is a big issue in general, and in particular for the HR profession. Also, benefits vary widely from company to company, so it’s not something a software provider is likely to be able to come up with a good estimate of.

Service pricing is generally based on a unit price, then a multiplier for the number of units used. A unit could be the number of users, usage time, or whatever is the primary thing that is being managed by the software.

From a purchaser’s perspective, the user as the unit is the main problem with this licensing model. The “traditional” software licensing model has a lot of the revenue being made by software sitting on computers and never being used. The touted benefit of SaaS is paying for what you use. So to get the value from SaaS, this pricing method surely can’t remain over the long term unless the per-user cost is clearly shown to relate to actual usage. I don’t see much evidence of pricing that is based on actual usage rather than a per user/month model at present.


SQL Azure Security

September 11th, 2009

The Community Technology Preview (CTP) of SQL Azure is out, but I’m looking for good information on how the data will be appropriately secured. The CTP allows you to provision a database, set a SQL username and password, and you’re all set. To access the database all you need is the URL, username and password.

That’s great for easy access, but being a single username/password combination away from system administrator access to the entire database isn’t exactly a recipe for secure data. To get to my corporate data, I need to get past security, have an access pass, log into a computer on the corporate network with a restricted access account, and only then do I get to use my SQL login credentials.

Without additional protection, someone just needs to look over your shoulder as you log in when you’re in the office; then they can go home, log in from their own computer and have access to everything. Your only protection is rigorous access auditing.

Hopefully Microsoft have thought this all out, and there are some layered security options – or maybe that’s due after the CTP. I would think that some sort of two-factor solution needs to be available – something you have and something you know. A simple solution like issuing a time-limited key file that needs to be physically on the computer where you’re running SQL Management Studio would provide that kind of protection. On with my research…
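To make the time-limited key file idea concrete, here is an added sketch of how the issuing and checking side could work; it is example code written for this page, not a SQL Azure feature or anything Microsoft ships. The issuer signs a small record (user, issue time, expiry, nonce) with an HMAC under a secret only the server side holds; at login the server checks the password (something you know) and then that the presented key file is intact, unexpired and issued to the same user (something you have). The `ISSUER_SECRET`, the record layout, the function names and the `check_password` callback are all assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical issuer secret. In a deployment this lives only on the server side
# and never in the key file, so a copied file cannot be re-signed or extended.
ISSUER_SECRET = secrets.token_bytes(32)


def issue_key_record(username, lifetime_seconds, now=None):
    """Build a signed, time-limited key record for username."""
    now = int(time.time() if now is None else now)
    body = {
        "user": username,
        "issued": now,
        "expires": now + lifetime_seconds,
        "nonce": secrets.token_hex(16),   # makes every issued file unique
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(ISSUER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def write_key_file(path, record):
    """Save the record as the key file the user keeps on their machine."""
    with open(path, "w") as fh:
        json.dump(record, fh)


def load_key_file(path):
    """Read a key file back; returns None if missing or unreadable."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return None


def verify_key_record(record, username, now=None):
    """Return (ok, reason). ok only if the signature, user and expiry all check out."""
    now = time.time() if now is None else now
    if not isinstance(record, dict) or "payload" not in record or "tag" not in record:
        return False, "key file missing or unreadable"
    expected = hmac.new(ISSUER_SECRET, record["payload"].encode(), hashlib.sha256).hexdigest()
    # Signature first: nothing inside the payload is trusted before this passes.
    if not hmac.compare_digest(expected, str(record["tag"])):
        return False, "key file signature invalid"
    body = json.loads(record["payload"])
    if body.get("user") != username:
        return False, "key file issued to a different user"
    if now >= body["expires"]:
        return False, "key file expired"
    return True, "ok"


def login(username, password, record, check_password, now=None):
    """Both factors must pass: the password and the key file on this machine."""
    if not check_password(username, password):
        return False, "bad password"
    return verify_key_record(record, username, now=now)


if __name__ == "__main__":
    rec = issue_key_record("dba_alice", lifetime_seconds=8 * 3600)
    write_key_file("dba_alice.key", rec)
    passwords = {"dba_alice": "correct horse"}   # constructed; never store plaintext
    ok, why = login("dba_alice", "correct horse", load_key_file("dba_alice.key"),
                    lambda u, p: passwords.get(u) == p)
    print(ok, why)
```

The design choice worth noting: the file is bound to a user and a short lifetime, so the shoulder-surfing scenario above now also requires obtaining a current file, and a stolen one stops working at expiry. A plain file can still be copied, so tying it to the machine (an OS-protected store or a hardware token) is what turns it into a genuine “something you have”; the password check itself should of course compare against a salted hash rather than the plaintext dictionary used in the demo.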


Security Accountability in the Cloud

August 28th, 2009

Microsoft Azure has the potential to be a great long-term infrastructure bet for my company. But I have to ask the question – will my clients sign on for having their applications, and particularly their data, in the Microsoft cloud? We service a lot of financial services clients. I spend a significant part of my time responding to current and future client requests for information about our security and infrastructure. This runs the gamut from a one-page summary to a 20-page document, to on-site visits and penetration testing.

I will be interested to see how much detail Microsoft is willing to provide, and to whom, about its datacenters, physical and data security and where my data would actually reside. It’s a bit of a Catch-22. A situation we run up against is a client wanting to see a copy of the SAS 70 Type II audit of the datacenter, but depending on the datacenter security policy, they may consider it a security breach to show the report to another third party.

They will provide documented evidence of their general security practices and audit confirmation but not the details. In reality, distribution is restricted, not eliminated, so if you’re a big volume client at an individual datacenter, then you can work something out. But when you go out to a large cloud, you become a much smaller fish in a bigger pond. The cloud provider can’t go around giving out a lot of information about its operations to anyone who asks – where do you draw the line (though the whole argument about security through secrecy vs. open peer reviewed information probably applies as much to physical security as it does to code security).

So we’ll see how this develops. It will be interesting to see how successful providers are at luring different types of client companies, and how much information they will disseminate about their practices.


Financial Risk in the Cloud

July 27th, 2009

After seeing our entire financial industry fall apart at the seams, and the demise of the auto industry, one has to wonder what industry is going to be hit when the next major downturn comes.

Cloud computing seems to be a redistribution of risk. Companies that had to pony up for a fixed infrastructure investment can now scale up and down, thereby pushing the risk out to their service providers.

These service providers in turn are pushing their infrastructure capital costs onto cloud computing providers who are assuming all the aggregated capital risk. The likes of Amazon, Google, Microsoft and Rackspace are all vying for large market share.

This works well if these providers have diversified risk. At present, cloud infrastructure is a minor part of their product portfolio. But what happens when we get a few large providers with all the capital investment, and this becomes their main revenue stream? What happens when there is a “run on the bank” – a big downturn and everyone’s needs shrink, or a security scare that sends those who can running, and the company can’t sustain itself?

Will these providers be “too big to fail”? What happens to all their customers who don’t have the ability to switch quickly to another provider? Sure, this may be a worst case scenario. When capacity requirements go down you can just shut off the power and reduce a lot of your costs. We’ll have clear operability standards and you will be able to just switch seamlessly to another provider (OK, maybe not). But it does make you think…

There’s a lot of hype around Cloud Computing, but it is going to lead to some major business model changes; we’re just trying to peer into our crystal balls and work out what they are, and what the long-term consequences will be.


Azure Providers

July 16th, 2009

I thought Microsoft’s statement that Azure would only be available in its own data-centers would be a problem. It seemed like there would be a need for it to be hosted by other providers with different security/service levels for enterprises. On Tuesday, CSC announced it would be providing Azure services to its enterprise customers (ComputerWorld July 13, Eric Lai) (DataCenterKnowledge), and it looks like Rackspace might go that route too. I’m sure this list of providers will expand once Azure has got through its teething stage.


Infrastructure as a Service

July 13th, 2009

Infrastructure hosting is critically important to any SaaS provider. Hosting infrastructure is a major fixed cost. This is especially true for small and mid-size companies providing services to large multi-nationals. We provide solutions for a number of Fortune 500 companies, who have very stringent availability and security requirements. On the internet scale, the volumes are fairly low – most corporate applications are serving less than 100,000 users, but the standards imposed by the companies being served are very high. This results in a high cost of entry, and a lot of unused capacity. So the ability to seamlessly scale up and down with a pay-per-use model that matches incoming revenue is very attractive to a SaaS provider.

This type of capability is starting to become available. Amazon is well underway with its services providing infrastructure for those in the Java/Sun camp. Microsoft is playing catch-up with its Azure services platform, putting its Windows Server OS into the cloud. Our platform is .NET based, so I’ll be closely watching the evolution of Azure, with a view to whether and when our company might consider moving to an Azure platform. Microsoft is due to announce its pricing model this week – then we’ll see how attractive this solution is from a cost standpoint.


Welcome to “Hosting in the Cloud”

July 11th, 2009

Welcome to my blog on Hosting in the Cloud. I wanted to share some of the challenges, opportunities and technology associated with running a business developing and hosting applications. I hope this will prompt some discussion, and provide an opportunity for contact between individuals sharing the same challenges that I do on a day-to-day basis.
