Month: February 2016

Three questions you should ask your cloud-based software provider

Back in the day, if you were a software company pitching to investors, the first questions they asked you were much the ones you might expect: your turnover, margins, how many customers you have and so on. Smarter investors asked about things like retention rates and cost of customer acquisition. Around 2005 or so, all that changed: the question at the top of the list became “What’s your SaaS strategy?” A couple of years later, that morphed into “What’s your Cloud strategy?”

A few years later, I run a business which is small (9 employees) but complex (multi-currency, multi-lingual, multi-country). And indeed, pretty much everything that isn’t on our own server is run in the cloud: I finally moved our accounting system from Intuit’s Quickbooks desktop to Quickbooks Online eighteen months ago.

The move to Online has resulted in some small wins. The main one is that I don’t have to run a Windows Virtual Machine any more (I run Macs because I develop software and the tools require a Unix-family operating system). And it’s occasionally but infrequently useful to be able to get some of the accounts done at home in the evening. But the truth is that most of the product works very similarly and, broadly speaking, going cloud hasn’t affected things much either way.

Except that I’m now terrified. For three reasons.

What happens, it’s fair to ask,  if I do something really stupid with a transaction – of the sort that can’t be reversed. I’m accident-prone, after all, like anyone else. On the desktop product, it was easy to deal with: I would simply have reverted to the previous night’s or previous month’s backup and re-input a bunch of transactions. On the online product, backup and restore isn’t an option that’s provided. This isn’t unique to Intuit, by the way – the norm seems to be that most cloud vendors simply don’t offer this.

Lest you think this is unlikely to happen, I can tell you that when you advance payroll a month, there’s a large warning saying “This cannot be undone”: any mistakes and you’re toast. And when I have needed to work around bugs or omissions in Quickbooks, their technical support people have recommended with gay abandon that I do things that affect transactions in now-closed periods (i.e. would potentially make my VAT return illegal).

The next question for your vendor concerns their attitude to bugs. Not “technical support issues,” not “stray transactions that can be corrected,” but bugs – the real thing, where the system isn’t working. Perhaps intermittently, and perhaps just on your database. In desktop days, you had the option to simply not upgrade. Or to roll back an upgrade if it all went pear-shaped. In cloud days, you don’t. You really, really want your vendor to be completely committed to doing whatever it takes to bring you back on-line and running. And the truth is, these vendors are not. A missing feature deep in the multi-currency handling of Quickbooks Online kept my ledgers out of balance for most of a year until someone clever in Intuit figured out a workaround. Problems with my online banking interface are approaching their second birthday: the software worked fine when I evaluated it; two months in, Intuit deployed a rewrite which broke it. And there is no sign of them showing any commitment to getting it fixed: they work on it for a bit, and then give up. Fortunately, it’s only a time waster rather than a complete showstopper: because remember, I don’t have data portability of any viable sort. I have no easy way of exporting my data such that I could rapidly start again with another vendor.

The scariest problem (albeit the least frequent) is what happens if you or a vendor messes up your login credentials. You can all imagine the situation: you try to log in one morning and you get told that one of your passwords is wrong, or the software asks you to re-authenticate using one of your “memorable phrases,” and your phrase turns out to be less memorable than you thought.

With one of my cloud service vendors, that’s just what happened: I got locked out of certain areas of my account, and the vendor refused point blank to take the required steps to re-authenticate me. I was unable to satisfy them with the data they required in their online form, most probably because I couldn’t remember the month and year in which I originally joined the service, around a decade earlier, or which of my many email addresses I used at the time – but I can’t be sure.

And no, this wasn’t a small, fly-by-night operator: this was Microsoft. I actually had to stop using my old account (which still exists, by the way: they are unable/unwilling to delete it) and open a new one. Now losing a Skype account wasn’t the end of the world. I shudder to think how I would deal with the situation if this happened to my accounting system, or web host, or Gmail.

And that, by the way, is without considering the possibility of criminal malice: although, thank goodness, I’ve never personally had my identity stolen, I’ve watched it happen to one of my employees (who had a common first name and whose surname was Smith, which didn’t help) and I can assure you that it was a truly horrific experience.

So before you dive into the Cloud, here are three questions you should ask:

  1. What strategy do you support for me to back up and restore my data? (And while we’re on the subject, if I wish to move my data to another provider, how is that supported).
  2. If I hit a bug in my installation, what guarantees and timescales can you provide me that you will (a) provide a fix to get me up and running, and (b) fix the problem permanently?
  3. What, if any, data do you require me to hold to guarantee that, in the event of my being denied access to the system (whether because of identity theft or just my own forgetfulness), you will accept or replace my user credentials ?

The chances are that the answers to these will be something along the lines of (1) you don’t need to back up your data because we guarantee you 99.999% uptime; (2) our technical support team is available to help you 24/7 but we don’t provide specific guarantees and (3) we don’t publish security-sensitive information of this sort.  If they are and you’re a large organisation, you will need to write a set of large, ugly items into your corporate risk register.

Or, if you’re a small business, just lose some sleep.

Semi-ethics and blowback

It was in my business software days that I first came across the concept of a “semi-ethical” policy. We were looking at companies who wrote software for lawyers, and I remember with complete clarity one of their product managers explaining to me that you could have a “fully ethical” timesheet system (where the system printed precisely the time recorded on each job), a “non-ethical” system (where the lawyer could write in whatever time they wanted) or a “semi-ethical” system, which defaulted to the actual time recorded but then allowed the lawyer to modify the results before sending them on to the client. My younger and more naive self was shocked, not so much by the fact that the systems (or indeed the lawyers) behaved in this way, but by the brazenness of the nomenclature.

The late Robin Cook caused some seriously raised eyebrows in diplomatic circles when, upon becoming foreign secretary in 1997, he appeared to suggest that our future foreign policy should be an ethical one. But Cook’s exact wording was more nuanced: he said that our foreign policy should “have an ethical dimension” – in a speech that explicitly placed security as the first goal of foreign policy and included a commitment to “resolutely defend British interests”. A semi-ethical policy, in other words.

A couple of decades later, it strikes me that a semi-ethical policy is precisely what we are pursuing in the Middle East, and that this is a major cause of our present levels of confusion and muddle. The problem is that we’re prepared to be ethical, but only in isolated compartments (and, one suspects, when it suits us for other reasons). For example:

  1. Saddam Hussein is an evil tyrant, so something must be done. For the sake of his people, we must overthrow him at all costs.
  2. Bashar al-Assad is an evil tyrant, so something must….(repeat above)
  3. The Soviet Union was an evil empire, so when we had an opportunity to damage it at little risk to ourselves (such as in Afghanistan), it had to be seized at all costs.

The point here is that regardless of the ethical choice that you’re making (if, by the way, you accept the principle of self-determination, you have to be pretty doubtful about both 1 and 2), such choices made in isolation have a nasty habit of leading to results that are at best unpredictable and at worst seriously counterproductive.

The term “blowback” was originally coined to refer to the effect of battlefield poison gas when the wind changed and brought the gas back onto one’s own soldiers. Semi-ethical policies – or, to be more precise, policies in which one’s reliance on one’s ethics are limited to a particular, narrowly drawn issue, are particularly vulnerable to blowback. Our support for the Mujahideen in Afghanistan created the conditions in which Osama bin-Laden founded Al Qaeda. It turned out that the undoubtedly evil Saddam Hussein had been effectively keeping the lid on an explosive sectarian conflict, and it’s easy to trace the rise of IS directly to his removal. Our insistence on the deposition of Assad as a primary policy goal has led to the current crisis in Syrian refugees.

The difficulty faced by policy-makers is that most fully ethical policies look just as unappealing as ever, whereas in 21st century democracies, policies which disregard ethics altogether are becoming almost as unviable.

A fully ethical policy with the ability to prevent the Syrian crisis would have required the prevention of the global warming that caused or at least exacerbated the multi-year drought that triggered the crisis in the first place (see this graphic); our direct involvement could probably have been avoided only by getting rid of our dependence on Middle East oil, enabling us to be genuinely disinterested brokers. Both of the these things required sacrifices in lifestyle that Western electorates have found and continue to find unacceptable.

In the 19th century, ethics would have played little part in anyone’s thinking: a British or US government would have achieved its ends by a combination of overwhelming military force and diplomatic deviousness (there’s a reason for the name “Perfidious Albion”), without batting an eyelid. But times are different: as Robin Cook pointed out in that 1997 speech, “We are instant witness in our sitting rooms through the medium of television to human tragedy in distant lands.” The results of total ruthlessness in foreign policy are visible with considerable ease both to other nations and to our own electorates. Tony Blair’s prime ministership was very much a success until the Iraq invasion: for many, the results of the invasion and particularly the shenanigans surrounding the “dodgy dossier” that was used to justify it have turned Blair into a figure of hate.

So the chances are that semi-ethics will win, and that the processes of media spin and intensive muddling through will continue. At any given crisis, the cries of “something must be done” will be heeded and something will be done – even in the Middle East. But there’s little indication that the something will be the foundation of fair and lasting peace: that’s going to take a lot of luck, a commodity that’s been in short supply in the region.


Hello, from Polything

I’m lucky enough that writing is part of my job description. But on Bachtrack, I get to write strictly about opera and classical music. This blog is for all the other stuff: politics, software, business, cooking, the general randomness of living in London and anything else that I presume to think someone might want to bother reading.

The title was as close as I could get to “other stuff”, which someone else has already registered. I hope you enjoy it.

For tech and design heads, this is my first go with WordPress. Bear with me.