Comments on: Cloud-Based BPM Vendors: Geography Matters

By: Sandy Kemsley

Sandy Kemsley — Tue, 27 Apr 2010 20:27:09 +0000

JB, thanks for passing this on. I would love to be able turn this around, and ask how many US companies would allow their data to be stored in another country, especially one that allowed those records to be accessed without them being informed (much less giving consent). I would guess that the reaction would be much the same as Canadian companies are having to storing their data in the US.

By: JB

JB — Tue, 27 Apr 2010 20:08:05 +0000

I recently got a response to my Patriot Act inquiry form a vendor. I am sharing it here as a discussion point. I still don’t think it is valid but they made some good points. I did not take the time to point out my concerns in this post, like without a court order that you mentioned.

“Third, we appreciate your concerns about the U.S. government’s potential usage of the USA Patriot Act to access your customer’s information. However, existing treaties between the U.S. and the Canada that were in place before the USA Patriot Act already permits the U.S. and Canadian governments to share information when cooperating in law enforcement activities, and it is highly unlikely that the U.S. government would use the USA Patriot Act to obtain your customers’ records if they were stored with our solution in the U.S.

The Mutual Legal Assistance Treaty of 1985 governs the sharing of personal information between Canadian and U.S. government agencies for law enforcement purposes. The treaty states, that “[a] Party seeking to obtain documents, records, or other articles known to be located in the territory of the other Party shall request assistance pursuant to the provisions of this Treaty,” except when both countries otherwise agree. Pursuant to this treaty, for law enforcement purposes, the U.S. government may request Canada’s assistance to access information stored in Canada. Therefore, the ability of the U.S. government to legally access to Canadian records, even if such records are stored in Canada, already existed before the passage of the USA Patriot Act.

Also, it is highly unlikely that the U.S. government would use the USA Patriot Act to access your information. In a 2004 Submission to the Information and Privacy Commissioner of British Columbia concerning the risks of outsourcing the personal information of British Columbians to the U.S., British Columbia Attorney General Geoff Plant stated that the “risk of access to Canadian information under the Patriot Act” is “minimal.”"

By: Sandy Kemsley

Sandy Kemsley — Fri, 19 Feb 2010 21:40:31 +0000

Alex, I completely disagree — SaaS is worth the risk, but you just have to be aware of what those risks are, and manage the appropriately. On-premise systems have shown to be insecure for a number of reasons ranging from social engineering to firewall breaches, so nothing is absolutely safe, but most of us are protected by the fact that we don’t do anything interesting enough for anyone to want to hack into it.

By: Alex Neihaus

Alex Neihaus — Fri, 19 Feb 2010 21:27:09 +0000

I know that I am asking for the neo-Luddite label, but from Google transferring blame to China for what was a huge “cloud burst” with Gmail to the security issues Sandy raises here — all mixed liberally with ever declining hardware prices, SaaS just ain’t worth the risk.

By: Sandy Kemsley

Sandy Kemsley — Fri, 19 Feb 2010 19:26:10 +0000

Scott, I think that using a SaaS process modeling tool is a pretty low risk for privacy, since it shouldn’t contain any of your internal or customer data — it’s your process models, not the executing processes. The only thing that it likely to be gleaned from process models is intellectual property or trade secrets, which the US government is probably not interested in. If these were executing processes, as in Appian, then customer identification and financial data could be accessed, which is what both financial companies and governments are more concerned about.

By: Scott Francis

Scott Francis — Fri, 19 Feb 2010 18:58:58 +0000

Sandy -
I agree with the premise – that geography/location matters for your hosting locations. And that a lot of companies will care about it – and some of them care A LOT.

However, to be fair, there ARE canadian companies that use blueprint, and other hosted modeling tools (that, to my knowledge, don’t have hosting in Canada). Also, Blueprint is in use by customers in something north of 80 countries… and in particular, some big financial firms in Europe.

Also, not to delve to far into politics, but the Patriot act is much more of a concern for email hosting and other services that individual consumers use. You’re at more risk of having your privacy violated by placing a phone call to someone in the US than you are using a hosted BPM modeling tool. I’m not arguing the patriot act is right, I’m just pointing out that it actually gives much broader latitude on phone tapping than electronic surveillance.

Doesn’t change the fact that lots of companies would feel more comfortable having hosting in their home territory for all kinds of local-law issues/reasons, which is the core point you’re making

By: Sandy Kemsley

Sandy Kemsley — Fri, 19 Feb 2010 16:36:24 +0000

It’s a bit of a “if you build it, they will come” sort of thing: if you don’t have Canadian data centers (excuse me, “centres” ), then you won’t see a lot of growth in Canadian financial services and, apparently, federal government. The fact that you see growth in US and EU financial services is, in part, related to the fact that you’re hosting in the US and EU. Think about the inverse: how many US companies would select a SaaS product that is not hosted in the US?

Migration between SaaS and on-premise is important (although not at all the point of my post, so congrats for getting in a plug for something that Appian does well). With modeling, however, the risk of the SaaS platform disappearing is mitigated by the use of standards: if Blueprint goes away, then you just have to export all your models in BPMN 2.0 and import them to another modeling tool. You’d lose the collaboration, but not the models that you developed. I think that we’ll see Blueprint integrated into Blueworks in some way, rather than shut down, although it’s likely to be a bit of a painful transition.

By: Malcolm Ross

Malcolm Ross — Fri, 19 Feb 2010 13:08:58 +0000

SaaS is certainly still maturing and there are not consistent requirements between customers. Surprisingly, we have seen at Appian the largest growth of our SaaS customers coming from Financial Services in both the US and EU.

I believe the biggest requirement for SaaS vendors will be to offer the option to seamlessly transfer between an on-premise and SaaS environment to avoid Coghead type situations.

http://www.infoworld.com/t/platforms/coghead-customers-have-two-months-save-their-data-815

It’s a critical issue in vendors who only provide the SaaS option. For example, what would Blueprint customers have done if IBM decided to just turn off the Blueprint service and tell customers to switch to Blueworks. It seems implausible that a company would do such a thing to their customers, but SAP did just that with Coghead.

Malcolm

By: Sandy Kemsley

Sandy Kemsley — Fri, 19 Feb 2010 03:50:48 +0000

I stand corrected, I must have recalled something from a pre-release time of Appian Anywhere.

Although I agree that EU privacy laws satisfy many Canadian companies’ concerns, the person from the Canadian federal government who I spoke with yesterday said “only if hosted in Canada”, not “only if not hosted in the US”. I’ve had financial services clients with the same restriction. For me personally, EU is fine.

By: Malcolm Ross

Malcolm Ross — Fri, 19 Feb 2010 03:28:50 +0000

Hey Sandy,

We’ve never had a US-only hosting option. We have two separate hosting providers we work with who both have multiple international locations, including US and EU.

EU data privacy laws typically satisfies Canadian companies concerns on privacy.

We’ve always been aware of the data privacy concerns of customers and adherence to their national laws.

Malcolm