Thursday, September 13, 2007
Notification of Potential Data Breach
Dear ... Employee,
We recently became aware of an incident involving information that may affect you. A laptop belonging to an ... director was lost during a business trip to Atlanta in late July. The laptop contained personal information on some employees, including you...The laptop was secured by a user name/password combination...
I received the letter above a few days ago from one of my former employers. It made me wonder what other sensitive data were on a laptop used by a director of a large publicly traded company. And could this possibly happen if they used a Software as a Service HR application?
SaaS will not make data on notebooks safer, but the chances are that this person would not need to download my personal information to his or her notebook. It is clear to me that incidents like this one prove that the SaaS model is not inherently less secure...
Posted by Roman Stanek at 12:28 PM (1 comment)
Monday, September 10, 2007
Facebook Elastic Compute Cloud
I was never a big fan of Amazon Elastic Compute Cloud (Amazon EC2). I did not see a real need for it and it doesn't even fit into a retailer's business model. Amazon EC2 "enables users to increase or decrease capacity within minutes, not hours or days". But the growth of the majority of web applications can be handled by additional hardware and faster connectivity. And even though the occasional traffic spikes caused by Slashdot or Digg can make any site inaccessible for a day or two, I am not sure it can justify a paradigm shift in the hosting platform.
But after spending a few weeks on Facebook I've completely changed my mind. You don't need to build a user community on Facebook. Your users are already there, and if you are lucky or smart (or both) enough to catch their attention with a new application, you can see a dramatic increase in web traffic overnight. Being able to "obtain and configure capacity with minimal friction" may actually be your only option before the users go somewhere else.
Does it mean that Facebook should buy EC2 from Amazon.com and integrate it more tightly with the Facebook Platform? I believe so. It would make a lot of sense...
Posted by Roman Stanek at 1:37 AM (0 comments)
Labels: elastic compute cloud, SaaS, web 2.0
Saturday, September 1, 2007
You read it here first ...
It looks like someone at The Economist magazine is reading this blog! They took two of my recent posts: Can Google be trusted? and MaaS - Money as a Service and combined them into one article called: Who's afraid of Google?:
Google is often compared to Microsoft (another enemy, incidentally); but its evolution is actually closer to that of the banking industry. Just as financial institutions grew to become repositories of people's money, and thus guardians of private information about their finances, Google is now turning into a custodian of a far wider and more intimate range of information about individuals.
It is a good article and it fully supports my belief that SaaS can only be successful if SaaS providers behave more like banks and less like software companies...
Posted by Roman Stanek at 1:44 PM (5 comments)
Monday, August 20, 2007
MaaS - Money as a Service
Money as a Service (a.k.a. banks) has existed for more than a thousand years, but we still experience occasional hiccups like the current credit crunch. And so we should not expect SaaS to be perfect in the first few years of its existence. But I believe that it is the right model for software. And as nobody would keep their money at home stuffed in a mattress anymore, I don't expect users to go through the pains of installs, upgrades, re-installs and maintenance of complex software products. And possibly in the near future more companies will operate fully in a cloud. You can read more about the transition to SaaS in this article (free registration required).
Posted by Roman Stanek at 12:40 AM (1 comment)
Friday, August 3, 2007
Can Google be trusted?
Stefan asked the following question earlier today: "I couldn't imagine keeping my company's internal/confidential information on Google's servers. What are your reasons for not caring about this?"
I do care about the confidentiality of our internal information. On the other hand, I don't see a big difference between keeping the files securely on our internal servers or with a service provider. In the first case I trust our IT staff not to leave any doors open for hackers or any other intrusion, and in the second case I trust Google to deliver the service as specified in the Service Level Agreement. I also carefully read the Google Apps security whitepaper.
But even if our internal systems are completely secure, it doesn't prevent information leaks. Here are some Systinet examples:
- within five years of Systinet's existence we had more than six notebooks full of confidential information stolen
- most of our internal emails were exchanged at some point with partners, legal counsels and external consultants over an unsecured network
- we pitched our business plan and financial information to several VCs who ended up funding competing startups
- the first Systinet CTO came from a large computer company, and an even bigger software company claimed that our internal emails contained important information relevant to a lawsuit between these two giants. So we ended up printing most of our internal emails and delivering them on a silver plate to our biggest competitors...
PS. Stefan's comment is for some strange reason half blocked by Blogger/Google (see the link). Is it intentional? Can Google really be trusted?
Posted by Roman Stanek at 9:27 AM (1 comment)