A recent conversation on a nonprofit technology mailing list got me thinking about what people know about where they want to put their data, and what the risks are of having data in one place or another. Particularly, what are the pros and cons and risks and benefits of
software as a service , and
cloud computing when it comes to the control and security of your data.
You can think about this on three axes:
security, access, and control. First,
security; to get it out of the way, I'm going to assume, for the purposes of this post, that the person administering the application and/or the company hosting your data have done everything right to secure the data. If this is true, the security difference boils down to a somewhat increased risk due to increased exposure of your data outside of the firewall, vs. a somewhat decreased risk inside the firewall. These are important considerations, and, really pretty straightforward.
Second:
access. What do I mean by access? On one level, it means physical access - can you physically access the data? Ultimately, it really means the ability for you to look at, manipulate, download, remix, integrate, back up, or in any way handle your data as you please. The spectrum goes from the most access in an open source application hosted locally in a box physically in your sight at the moment, to the least access in proprietary applications hosted offsite. Why does the location as well as the license of the software matter? As many of you have noticed with many proprietary applications, it can be very hard to get your data out of them. Open source applications are generally based on open standards, and since the source code is available, it is
always possible to get your data out. Of course, it is critical to make sure that any application you choose gives you the level of access that you need at a cost that you can afford. However, there are some interesting examples inside those extremes. If you compare many on-site proprietary fundrasing packages to externally hosted Salesforce.com, Salesforce.com will come out way ahead on data access, because most proprietary fundraising packages make it hard to easily access your data (and many times, you have to pay for APIs and the like,) and Salesforce's basic strategy is to be a completely open platform. As well, some open source applications don't have as mature APIs as some proprietary applications.
Lots of software services don't really give you easy ways to, for instance, create a backup of all of the data that is recreatable in a useful manner. For instance, there is no easy way to backup your google apps data - you need to use third party tools to back up a lot of it, and some of it requires a fair bit of manual labor. If your google account is suspended or deleted by accident (yes,
it happens ) you are out of luck unless you've taken those precautions.
The third axis is
control. By
control I mean, to what extent do you actually have control over exactly how your data is used. Again, this ranges from the most control in open source applications in servers hosted physically in your presence, and the least is proprietary applications hosted elsewhere.
There are several aspects to
control. One is simply: can the service/company use my data as it pleases? Read the Terms of Service. You'd be surprised how many online services (especially Web 2.0 services) basically say that by using the service, you agree to give them license to use
your content as they please.
Another aspect of control has to do with what a service can do with your data under certain situations. You know if the activities of your organization might raise suspicions, or might risk skirting the line of the terms of service (this is true of many activist and human rights organizations.) Companies care way more about their bottom lines than they do about any one particular client's data. Be sure that they will happily close your account, or hand your data over to the authorities if it looks to be in their best interest to do so. And you will be out of luck if that happens.
Another aspect of control is what might happen to the company holding your data. Is it a startup? How's the financial situation? Has the hosting company been around a while? In the current climate, where startups are bleeding staff left and right, and venture capital is drying up, it's even more important than ever to make sure that the company hosting your data is going to be around for a while.
There are lots of benefits to software-as-a-service and "cloud computing." But they are not without risks. Think about
security, access and control of your data when you are evaluating your options.
