FinancialForce: meeting security demands head-on
FinancialForce has jumped ahead of the pack in the level of security assurance it provides: is such a move necessary?
I recently caught up with Jeremy Roche, CEO of FinancialForce.com, at the company's San Francisco office.
Top of mind was a press release the company had put out about upgrades to its compliance measures, specifically a SOC 1 Type II report. Per the website:
FinancialForce.com provides our customers with a Service Organization Control 1 (SOC 1) Type II report prepared by an internationally recognized Big 4 auditing firm.
The SOC 1 report is in addition to the reports and certifications of the underlying platform provided by salesforce.com. The report is prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization.
These kinds of conversations run the risk of being somewhat dry, but on this occasion Roche and I had a spirited discussion about just how good (or otherwise) these kinds of 'assurance' really are, and we recorded a video about the certification debate.
During the conversation, Roche was keen to point out that FinancialForce.com was able to take advantage of the existing security and other assurance arrangements that Salesforce.com has built into the Force.com platform. More to the broader point about assurance, FinancialForce.com has done something that, as far as I am aware, is unique in the SaaS apps world: they have detailed the types of assurance, quality controls and methodology applied in the building of the application.
They also provide copious links to the various 'threat' reports that Salesforce.com makes publicly available. The company stopped short of providing a link to the report, which I am told can be made available to prospective customers, but my sense is they have put enough onto the website for this particular tick box to be completed in the pre-sales cycle.
Quality assurance and security are always talking points among businesses considering SaaS apps and especially those considering financial applications, which are often considered, erroneously in my view, to contain the most sensitive data.
I say erroneously because I cannot see how raw data from a general ledger can possibly be of value to anyone unless they are capable of reassembling it into something that makes sense to an accounting type. To the best of my knowledge, that has never happened, although I am sure security buffs will argue the possible, even though it might be improbable. Be that as it may, perception is often reality so to see FinancialForce.com take a strong position on this topic should provide a good level of comfort among potential buyers.
If recent discussions are anything to go by, the standards waters can at times be very murky and bedevilled by the ambition of European politicos eager to make their mark. Neelie Kroes, Vice President of the European Commission, Commissioner for the Digital Agenda and the person in charge of European cloud strategy, has for instance laid out a set of objectives to be completed by 2014, the year her term in office runs out. Per Phil Wainewright:
- European standards body ETSI to co-ordinate work on reviewing the "jungle" of existing cloud standards to identify those necessary to deliver interoperability, data portability and reversibility
- Work with ETSI, ENISA and others to support EU-wide certification schemes for "trustworthy" cloud providers
- Defining model contract terms and service level agreements for cloud computing
- Establishing a European Cloud Partnership designed to provide consistency in how the public sector purchases cloud services across Europe
This is a tall order, and no-one can be sure whether the work necessary to meet these goals will be completed either on time or to the necessary agreed level of detail. My guess is they won't, based on past performance and the fact that there are plenty of competing standards 'bodies', each with an axe to grind, that easily gum up the works.
In the meantime, vendors like FinancialForce.com have to plough their own furrow in the hope that their transparency is sufficient to satisfy customers both now and in whatever the future holds. The last thing anyone needs is pointless, or worse still toothless, regulation, or regulation that flies in the face of what has already been broadly accepted within the industry.
Most importantly, no-one needs the imposition of fresh standards that serve to ratchet up vendor costs at a time when many are still trying to reach break-even.
Disclosure: FinancialForce.com is a client but not on this topic.