Michelle Murrain's blog

Is SaaS more secure?

Peter Campbell and I have had an ongoing conversation/argument about whether or not Software-as-a-Service (hereafter SaaS) is more secure than in-house facilities for a small, IT-resource-poor organization. So we decided to "have it out", so to speak, on the Idealware blog.

First - we are talking here about small or medium-sized nonprofit organizations with no dedicated IT staff. And the question is, basically, "is it more secure for that organization to house their data and services 'in the cloud', instead of in-house?" My answer is "no." Don't get me wrong, I think SaaS is a great thing - my company implements it, and I've been thinking a lot about SaaS using open source tools. And it's not less secure, at all, either. But it is not a security panacea, and it shouldn't be thought of that way.

Why is this? I want to start by asking the questions "what is security?" and "what are they risking?" Security, in my mind, comes down to this: is their data safe from getting into the wrong hands? And the risks are not only stolen data, but also corrupted and lost data.

People who spend a lot of time thinking about security can get lost in the depths of encryption, blocking ports, protections against attacks, virus/worm protection and the like. And I think it is easy to imagine that if someone (a SaaS vendor) does security "right" and a nonprofit, which has little or no access to good IT expertise, will inevitably do it "wrong", then SaaS will be more secure for them.

But lack of access to good IT expertise means a few things:
  • Yes, it does mean that their in-house network is likely insecure
  • It also means that they might not know how to understand or choose SaaS products that are known to be stable and secure, with solid business models.
  • It means they likely won't know how to get their data out when they need to, for whatever reason
  • It means there is a lack of understanding of the risks of SaaS, especially in organizations, like human rights or activist organizations, with sensitive data.
  • And the human factor in security doesn't pay attention to where the data lives.
What do I mean by the "human factor"? I mean using "password" for passwords. I mean sharing passwords among staff, some of whom eventually leave the organization. I mean not doing backups (yes, having backups is important for SaaS, too).

So my opinion is that we can't say definitively which is more "secure," because there are too many factors at play. And the most important thing is education of organizations around security and risk.

How much should you spend on a CRM?

I get this question a lot: "is there a good, low-cost donation management software package for my nonprofit?" I have to admit, I cringe when I hear that, because it means that an organization hasn't thought about the value of a DMS/CRM to them. On the other hand, I also hear "we spent [insert large sum of money here] for our donor database, and have to spend [insert egregiously large sum] each year for maintenance." And I cringe at that, too.

Figuring out how much to spend on a donor management/CRM package seems like rocket science, sometimes. It's like figuring out how much you should spend on your website. I've heard various guidelines bandied about, from some percentage of your annual budget, to something related to how many development staff you have.

One thing is true: the adage "you get what you pay for" is both true and untrue in this realm. I know, not helpful. In general, the more expensive the software, the more features it has. But there are several reasons why more expensive doesn't mean better. For one, you can get very powerful software (such as Salesforce.com, CiviCRM, and OrangeLeap) for no cost of acquisition, and their features rival those of expensive packages. But you won't get an implementation of any of those packages in a way that will work for most organizations without significant investment in consultant expertise.

Also, the most expensive packages, even if they are considered the "gold standard", are overkill for many organizations. I know organizations that have paid an order of magnitude more for their DMS/CRM than they should have. And, frankly, sometimes they are just simply too expensive for what you get. But, on the other hand, some organizations have opted for the cheapest alternative they could find, and they are limping along with a package that doesn't suit their needs.

Different organizations are different in what they track, and their dependence upon donations. A very large nonprofit that is primarily funded by grants or government funds needs a very different package to manage their very small numbers of individual donors than a small or medium-sized organization that entirely depends on small donations. And you should think a lot about the value of a DMS/CRM to your organization. How much staff time will it save from the current system? How much easier will it be to follow up with donors? Will it help increase donations?

So, how much should you spend? You should spend what you need to get a DMS/CRM that fits your needs. Finding out how much that is will take some time and research. Sometimes that's going to be more than you think (or would like to spend) and sometimes that's actually going to be less.

The Importance of Benchmarking

You're about to launch your brand-spanking new website, and maybe you've even spent time (or money) getting your SEO ducks in a row. How will you know whether or not your efforts have paid off in terms of more people finding you? And sticking around longer? And perhaps even donating more?

The way you know is called "benchmarking". Benchmarking is the process of looking at current metrics, so that you have a way of knowing truly whether or not what you've done has made a difference.

I've been doing this kind of stuff for a while now, and part of it is fun, and some is grunt work. But it's worth it. Some of the benchmarking (like measuring how long people spend on your site, and how many pages they visit) is easy with good web metrics software like Google Analytics. But the most important thing is: don't wait until you've launched your new site to start measuring - start before, if you can. Install GA on your old site a month or two before launch, so you'll have a baseline of measurement to go from.

The kind of benchmarking that is grunt work is finding out where your site comes up on search engines for the keywords you want people to find you with. You should do searches with at least 10 important keywords or phrases, on at least two of the major search engines (one of which, of course, starts with "G"). You certainly can outsource this kind of work; it's pretty straightforward. But it is also important to do this task with a bit of knowledge about the organization: it's good to know where you show up in relation to organizations like yours. I've done a couple of projects where, for some keywords, organizations with less domain expertise than the one I was working with came up higher in the search results. It's good to know these things going into a new website launch and SEO process.

And then, the idea is to do the same benchmarking a month or so after site launch, see how your site rebuild and SEO efforts fared, and see what tweaks need to happen. And keep benchmarking and tweaking as time goes on.

Options for creating organizational social networks

I've heard it a number of times: "Our organization wants our own Facebook." After you've gone through the strategic planning, and made sure that, indeed, building your own social network is exactly what you want to do (instead of building on networks already there, which, I think is what should be done 80% of the time), how do you go about doing it? I've been working on this for a while, and here's what I've found.

You have several options:
  • Ning. This is, in fact, the option I'd almost never choose, unless this is a very short-term, or throw-away, project. Ning is a Web 2.0 startup in search of a sustainable business plan, and who knows when it will fold, or what will happen to it. The community and data are not your own, and there is some evidence that they might be using that data in social networks on their platform in ways that they shouldn't be.
  • Elgg. Elgg is an open source social networking platform that had a previous life as an e-learning platform. It's meant for developers - although it does provide an out-of-the-box social network, it takes a fair bit of work to get it looking and working like you'd want it to. And, it's a young project, so that adding custom functionality is going to be harder than with established projects like Drupal or Joomla. I've installed and played with it a fair bit, and there is a lot to like about it, but the lack of a solid developer ecosystem, and the dearth of add-on modules and themes makes it a hard choice.
  • Drupal. Drupal has a module called Organic Groups, which is incredibly popular, and there are lots of other modules that add functionality to it. Building a social network on Drupal will take more work, but since you are starting from a really solid grounding of Drupal, and can extend this site in all sorts of ways, this might be the best option. It's the option I've chosen for two ongoing projects that are creating social networks.
  • Joomla. Joomla has a number of components that provide social networking functionality, including Community Builder and Group Jive. I haven't had a chance to play with these yet, but they are worth a look, and there are some great Joomla web shops out there that can help with this.
  • Proprietary platforms. There are quite a number of proprietary platforms that can also provide a social network site for your organization. In general, these are going to be fairly pricey, and not as customizable as the open source platforms are.
Final word: look before you jump into creating a new social networking site. Careful planning and investment are necessary for success.

Why is it free?

Piggybacking a bit on Peter's recent post, I thought that it would be worth spending a little time talking from a different perspective about free (as in beer) software and services. After seeing umpteen requests for "free or cheap" things to do this or that, I thought that it was worth explaining a bit about why things are free, and what you should take into consideration when adopting free or cheap software or services for mission critical functions. Also, of course, I'm not talking about the cost of implementation. Software and services, no matter how cheap to obtain, cost something in time and/or consultant resources to implement.

Development and maintenance of software or services always costs somebody something. It might just be a bit of time, or it could be very significant resources (thousands or millions of dollars.) These are basically the reasons software is free (or really cheap):
  • It is free and open source.
  • It scratched a particular person's itch, and they want to give it to the world for free.
  • It is a loss leader for a company who is trying to upsell.
  • It is a "lite" version of a more expensive package or service.
  • It is in search of a business model, or is trying to be bought.
  • Revenue is driven primarily by advertising.
  • It is a donation from a software behemoth.
Drupal, Plone, CiviCRM, OpenOffice.org, Firefox, etc., are free and open source software packages, built and maintained by a combination of volunteer and corporate resources over the years. If they have a healthy community around them, you can be quite sure that they will be around for a while.

Services like Twitter are in search of a business model. Chances are they'll be around, but some of them might not be (like Magnolia).

Services, by nature, are more risky beasts than software, because they can go away in the blink of an eye, and you could lose everything, and people do. At least with software, if you've downloaded it, even if the company goes belly up, you still have use of the software.

Unless software is open source, and has a community around it, you can't really guarantee its future. A company can decide it's tired of the loss. It can decide not to give it away anymore. It can decide to change the feature set of the "lite" version.

All of this is to say, look carefully at why a particular software is free or cheap before you adopt it for a mission critical organizational function. It's likely to save you grief, later.

What I've learned

As you might have noticed, I haven't been blogging so much lately. It's because I've been very busy researching and helping to write the upcoming Open Source CMS review that Idealware is going to publish.

I've learned a lot about each of the four systems that we reviewed, and you'll hear all about that soon, but for now, I thought I'd share a little of the over all wisdom that has come from working on this report.
  • Maintaining a CMS is hard work. Way back when, I was the lead developer on a now-dead open source CMS, so I know intimately what hard work it takes to write one. But I didn't realize how much work it takes, by how many tens and hundreds and thousands of people, to maintain a world-class CMS.
  • Communities count. Piggy-backing on the above - it is the communities that make these four systems what they are.
  • Different people have different assumptions about what is the right way to do things. One of the big challenges of writing the review was figuring out how to review these based on equivalent criteria, when each system was actually trying to solve the CMS problem in their own, completely valid, but somewhat different, way.
  • We are lucky. We are really lucky (well, it probably isn't totally luck) that these open source systems (and others) have emerged, and are able to finally get nonprofits out of the "the executive director's nephew designed the site and we can't put up that event announcement because he went snowboarding" problem in a way that is cost-effective for them.

Should you move your email to "the cloud"?

A report from Forrester Research (outlined in this ReadWriteWeb post) suggests that for most enterprises, hosting email with Google is the cheapest option available. In general, outsourcing your email, and putting it into "the cloud" is most likely going to be more cost effective than hosting it yourself.

As nonprofit organizations look to trim budgets in this coming tough climate, is this the time to outsource email? Outsourcing email saves you from buying new servers, paying for Exchange seats, worrying about spam filtering, etc.

So what are the downsides? The downsides come from the basic fact that your email is not really in your total control anymore. If you are using something like GMail, you need to find a way to back it up. You can use a mail client like Outlook or Apple Mail, which loads a copy of the email locally. There are other ways to back up Gmail if you want to stick to using the web client.
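One way to keep your own copy of hosted mail, as an added example that is not from this post or from any provider: pull every message over IMAP (which Gmail offers) into a local mbox file, skip messages already stored so repeated runs stay incremental, and check afterwards that nothing is missing. Host name, credentials and folder name are assumptions, and the sample messages are constructed so the storage and verification part runs offline.

```python
import email
import hashlib
import imaplib
import mailbox
import os
import tempfile

SAMPLE_MESSAGES = [  # constructed sample mail (not real), standing in for an IMAP fetch result
    b"From: alice@example.org\nSubject: Grant report\nMessage-ID: <a1@example.org>\n\nDraft follows.\n",
    b"From: bob@example.org\nSubject: Board minutes\nMessage-ID: <b2@example.org>\n\nSee attached.\n",
    b"From: carol@example.org\nSubject: No id here\n\nThis message has no Message-ID header.\n",
]

def message_key(msg):
    """Stable identity for a message: its Message-ID, or a content hash if it has none."""
    mid = msg.get("Message-ID")
    if mid:
        return mid.strip()
    body = msg.get_payload(decode=True) or b""  # None for multipart, so hash headers only
    meta = f'{msg.get("From", "")}|{msg.get("Date", "")}|{msg.get("Subject", "")}'
    return "sha256:" + hashlib.sha256(meta.encode() + body.strip()).hexdigest()

def fetch_imap(host, user, password, folder="INBOX"):
    """Yield raw RFC 822 bytes for every message in `folder` (network step, not run offline)."""
    conn = imaplib.IMAP4_SSL(host)
    try:
        conn.login(user, password)
        conn.select(folder, readonly=True)  # read-only: flags on the server stay untouched
        for num in conn.search(None, "ALL")[1][0].split():
            yield conn.fetch(num, "(RFC822)")[1][0][1]
    finally:
        conn.logout()

def backup_messages(raw_messages, mbox_path):
    """Append messages not already stored in the mbox; returns (added, skipped)."""
    box = mailbox.mbox(mbox_path)
    box.lock()
    try:
        seen = {message_key(m) for m in box}  # index what an earlier run already saved
        added = skipped = 0
        for raw in raw_messages:
            key = message_key(email.message_from_bytes(raw))
            if key in seen:
                skipped += 1
                continue
            box.add(raw)
            seen.add(key)
            added += 1
        box.flush()
    finally:
        box.unlock()
        box.close()
    return added, skipped

def missing_from_backup(raw_messages, mbox_path):
    """Verify the backup: keys of messages that are not in the mbox (empty set = all present)."""
    box = mailbox.mbox(mbox_path)
    stored = {message_key(m) for m in box}
    box.close()
    return {message_key(email.message_from_bytes(r)) for r in raw_messages} - stored

def demo():  # two passes over the sample: the second must add nothing
    path = os.path.join(tempfile.mkdtemp(), "mail.mbox")
    first, second = backup_messages(SAMPLE_MESSAGES, path), backup_messages(SAMPLE_MESSAGES, path)
    return first, second, missing_from_backup(SAMPLE_MESSAGES, path)
```

For a live run, replace `SAMPLE_MESSAGES` with `fetch_imap("imap.gmail.com", user, password, "[Gmail]/All Mail")` (the folder name is an assumption and varies by account language) and keep the resulting mbox somewhere the provider cannot touch.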

For some organizations that do sensitive work (Chinese democracy activists for example, or anarchists and the like) using a service like GMail is a security risk - if Google or most providers are asked to hand over information, you can bet they will, since it is in their best interest to do so, not to fight a government. If your organization runs the risk of coming to the attention of the powers that be, GMail or a service like it is probably not a good option. Nor is it a good option if you need to share confidential client information.

However, there are good nonprofit-focused email/hosting providers, like May First/People Link, or Electric Embers, that can be much more secure places to keep sensitive data, since they are smaller, and work with a lot of activist groups.

If you make a careful choice, and make sure you've got backup plans, outsourcing email could be a good money saver during this time of trimming budgets.

Web2.0 won't be free for much longer

Free Web 2.0 services abound. From flickr to Twitter, from Gliffy to delicious. Many of us have come to completely depend on them for our daily workflow. But today, one of them, SproutBuilder, announced that it would no longer be free (or even have a free level of service.)

Of course, these web services cost money to run. They have servers to keep going, staff, developers, and the like. In this economy, raising money for a business with no revenue stream must be trying. Business credit has dried up. Venture capital isn't flowing. And hopes of acquisition in this kind of climate must be dimming.

So what does this mean for nonprofit organizations that depend on these services? Some of these services started monetizing a while ago. More will, like SproutBuilder. It means dropping free plans, or creating free plans that include fewer resources (accounts, storage space, etc.) than you need. It means advertising, and increasing intrusion of ads (or the need to pay for services without advertising). It also probably means that a lot of them are going to start going under.

So, have backup plans, and have backups!

The Dangers of Online Services

This week was a bad week for online blogging services. First the blogging service JournalSpace, with hundreds of users, just, well, died, because they didn't have a proper backup. Today, the blogging service SoapBlox, which was used by many progressive political bloggers, such as Pam's House Blend, was hacked, and it is currently unclear how many sites have survived, and what will happen to them.

These are two fairly small, fairly low-profile services (although SoapBlox is considered an extremely important part of the progressive blogosphere.) They hosted a small percentage of the blogs out there (in comparison to, say, TypePad or Blogger.) However, this is, of course, devastating to those who had their blogs there.

Lessons to learn:
  • Always have your own backup of your data/content
  • Remember when setting up a website or blog that if you use a service, the data is not in your hands, but in someone else's
  • Always have a disaster recovery plan

Can open source software save you money?

Next year, given what is likely to be a grim funding year, nonprofit organizations are going to be hunting for ways to save money on technology. There are, of course, arguments that IT budgets should be, at least, level funded during slim times, but the reality is that organizations are going to reduce budgets across the board. One question that will inevitably be asked: can free and open source software save organizations money?

The answer, of course, is a solid maybe, but also a resounding yes. Confusing, huh? Open source software is both free as in "beer" as well as free as in "kittens." There are no license fees, but it takes care and feeding.

The most important part of the equation is what you are implementing, and whether or not you need to factor in migration costs. Nonprofit organizations that did migrations to open source software from proprietary packages with large license fees during relatively fat economic times are reaping the benefits of that change now, and are in good shape to weather the storm. Organizations that haven't been able to do that migration might find those costs to be prohibitive at this time - which is unfortunate.

But if you have a migration planned anyway, now is absolutely the time to look at open source software. At this point in the maturity of most open source packages that nonprofits would want to use, the implementation cost is very much in line with the implementation costs of proprietary software. So that means that you are saving money - no cost to acquire, and no long term license or maintenance fees.

All of the above adds up to that solid maybe - implementing open source software in your organization might save you money depending on what you are implementing, and what the costs are for migration. Where does the resounding yes come from?

This, if any, is the time for organizations to reject the standard "every organization for themselves" mentality of software acquisition and development. Find a solid open source package (like CiviCRM, for instance) and, together with other organizations, help fund extensions to that software that make it what you need. Find 5 organizations that do similar work, and collaborate to build an open source application that can work for your part of the sector. Release it so a community can develop around it, and make it modular so that it can be easily extended. Make it full of APIs so you can hook other software to it. Build it with open standards so the data is readable in perpetuity. Doing this will mean you will get far more application for the money you spend. Of course, it all takes effort and work. But it's worth it, and the entire community benefits from an enriched software ecosystem.

It also ends up not just being about saving money. It also ends up being about building community - and community will be an incredibly important asset in the coming years. There is an appropriate popular culture reference: "live together, die alone."