Google Apps Can Win in the Enterprise if they Leverage the Business Trust Fabric
Posted by Bob Warfield on September 10, 2007
Lots of chit chat in the blogosphere about the announcement that CapGemini will be distributing Google Apps in the Enterprise–an apparent threat to Microsoft’s Office.
The reasons to do this seem to focus around the improved ability for teams to collaborate with Google Apps, and because it lets people who don’t have PC’s gain access to these productivity apps.
These are weak advantages at best. The team collaboration thing has to do with not having to send files as attachments, big deal. People are used to it, and it works. Not a strong reason to change. As for folks not having access to PC’s, I have to wonder how valuable it can be to give them access if their employers didn’t see fit to do it in the first place.
Techcrunch says that Nick Carr said (yeah, I hate that too, but it’s what happened) the problem was Sarbanes Oxley and security. Companies can’t afford to have their data on Google’s servers because it goes against Sarbanes Oxley. Whoa! Nothing could be further from the truth! And nothing gets us closer to a real opportunity for web apps to show Enterprise Strength over the desktop. BTW, I saw none of that in the Nick Carr post they linked to, but whatever, we’re on to something, let’s run with it:
Sarbanes Oxley, commonly called SOX, is all about requiring companies to button down processes for key areas. The theory is that if you button down a process, you eliminate potential for corruption, fraud, and other misdoings. It was enacted in the wake of scandals such as Enron in an effort to make future scandals less likely. As the accounting folks say, it mandates a set of internal procedures designed to ensure accurate financial disclosure.
SOX is extremely costly for most companies to implement, yet it is a requirement for public companies. It shaves millions off the bottom line and requires a considerable amount of process automation to be brought into an organization. Often, this is best accomplished by installing new software. Is the light beginning to dawn? Pray, let me continue.
There is no requirement by SOX that data has to be on a company’s own servers, just that the data be carefully controlled and audited. It should be possible to control exactly who has the ability to change the data, how they can change it, and automatic audit trails need to be kept of what changes are being made. Given how much information is commonly kept in Office-style documents, this is the real opportunity for Google and other web apps to take advantage of. It is actually the opposite of collaboration. Rather, it is applying better governance, security, and controls. It is enabling the creation of a Business Trust Fabric around the requirements of Sarbanes Oxley. This is something that current desktop apps do relatively poorly. I was at a public Enterprise software company when SaaS came into being, and I can tell you we bought some SaaS applications to help automate internal processes.
Do you still think it’s better to keep your data on the desktop in a SOX world? Phil Wainewright thinks your data is safer with a SaaS vendor. I agree. Being able to better satisfy SOX and other governance requirements is a golden opportunity for the SaaS world to kick it up a notch competitively. My biggest concern is that companies like Google don’t necessarily get the Enterprise world yet. They’re still thinking Socially. They need to understand that Business Web 2.0 demands a different Trust Fabric than Social Web 2.0. Once they figure that out, they’ll realize that SaaS and SOX are highly compatible bedfellows.
Related Articles:
Rational Security wonders how to use Google Apps securely
Zimbra claims SaaS apps have SOX problems: Google must have scared them for that kind of FUD to be launched!
I can’t believe how many are just reprinting Zimbra’s bogus claim that SaaS fails SOX!
Submit to Digg | Submit to Del.icio.us | Submit to StumbleUpon
5 Responses to “Google Apps Can Win in the Enterprise if they Leverage the Business Trust Fabric”
You must log in to post a comment.
christoferhoff said
I just wanted to make sure that we’re in agreement with respect to SOX. Specifically, I agree that there’s nothing at all that suggests you cannot use outsourced storage of SaaS and still be in compliance; far from it. If this were a requirement, 90% of the Fortune 500 would be in a panic by this time.
I hope you didn’t read that into my post because I, too, cited that tangential Carr reference.
The reference I was making in my post was to the general approach to managing risk in any SaaS play; I’ve used quite a few in my time, and the level of
diligence we performed was substantial. It had to be. The reality is that an assessment is made to determine whether the compensating controls
satisfy what translates to an acceptable level of risk. This could mean “more” or “less” controls than one might put in place if one were managing the
data onesself. “Good enough,” in other words.
That being said, I’m not sure that you can generalize in saying that your data is “safer” with a SaaS vendor; I don’t think they are any less “safe” but
I’d like to empirically understand how one arrives at metrics substantiating this hypothesis. In fact, I asked this very question in a post a few weeks
ago.
…and by the way, satisfying SOX or any compliance initiative does not make you more “secure.” It simply means that you’ve done the bare minimum of
what is required to achieve a standard of due care and diligence. To risk managers (or security weenies,) security does not equal compliance. Perhaps
to auditors, though… 😉
Thanks for the ping.
/Hoff
smoothspan said
Don’t worry, Chris, I’m not at all trying to paint you into the “SaaS apps are insecure” corner any more than I want to paint you into the “only SaaS apps are secure” corner, LOL.
Take a look at my post on Business Trust Fabrics, Chris. You’ll see right away that a lot of what you worry may be open to question and requiring diligence is addressed when the SaaS vendor creates a Trust Fabric that is compatible with what Enterprise Governance and Security concerns want to see in place. In other words, I think we’re in violent agreement (always loved that term) that substantial diligence needs to be done, and that Google is perhaps not focusing on the right problem yet (i.e. having the right answers for that diligence).
As to establishing quantitative metrics on where the data is safer: good luck. There are no quantitative metrics for most of what the world takes for granted when it comes to security and governance. There are a lot of reasons for this, not the least of which is that neither the one breaking the security nor the one whose security has been broken have any special desire to publicize the statistics on it. Hence, most of the world’s security boils down to compliance with whatever initiatives the organization deems are appropriate.
Most organizations I’ve talked to have no illusions that SOX makes anything more secure. They simply see it as a painful cost of doing business that they’d like to minimize any way they can. Being able to apply a SOX-compatible Business Trust Fabric to ordinary office files like spreadsheets would hugely simplify and cheapen that undertaking. This is the opportunity that companies like Google and other SaaS vendors are uniquely positioned to seize upon.
Cheers!
BW
iAdvert.mobi » Zimbra: Google Apps Not Quite Ready For Enterprise said
[…] companies would face big Sarbanes-Oxley compliance issues if they deployed Google Apps. [Update: Bob Warfield points out that “there is no requirement by SOX that data has to be on a company’s own servers, just that […]
Zimbra: Google Apps Not Quite Ready For Enterprise « iBrian said
[…] companies would face big Sarbanes-Oxley compliance issues if they deployed Google Apps. [Update:Bob Warfield points out that “there is no requirement by SOX that data has to be on a company’s own servers, just that […]
It’s a Huge Week And We’re Just Getting Started! « SmoothSpan Blog said
[…] by Yahoo for $350M, which changes the complexion on the Desktop SaaS Wars. I wrote recently about Google, and now Yahoo is jumping in. I still think Microsoft can be beaten by leveraging the web to give […]