One of our featured DAM vendors, WebDAM Solutions, have written an article: The Battle Between Cloud & On-Premise: 5 Things to Consider. The 5 points raised are:
- How will the solution affect my company’s IT team and resources?
- What happens when we want to scale?
- How are updates handled?
- Which solution provides more security?
- Where and when can I access my DAM?
Given that WebDAM are a SaaS vendor, it’s no surprise that they come down in favour of Cloud based DAM systems. The article is not bad and contains some reasonably well argued points, but I have to take issue with a number of them.
This is from the security section:
“Gartner research, a leading information technology research company, states that cloud computing security is typically more secure than what you have today. Of course it depends on the cloud service provider, but if they’re a high esteemed company with a good list of enterprise clients, their security has probably been tested and approved time and time again.” [Read More]
Note the word ‘probably’ here, which is different to ‘definitely’.
The security question especially seems to be one that SaaS vendors are eager to wallpaper over while assuring end users that everything will be OK. In reality, you are at risk whether you host with a Cloud platform provider, internally on your own servers or in a third-party data centre that your vendor (or your own IT department) may recommend. If you have no access to the software, however, you also have no option to verify any claims yourself and must rely on compliance certification and third parties to do this for you.
Nick Brookes (who writes on DAM technical/implementation topics) and I have recently been working with a client who are moving their own marketing-oriented internal DAM to an external AWS (Amazon Web Services) server. The IT department require a SAS 70 compliance certificate. This involved no small amount of internal bureaucracy, as the client is a large corporation where doing anything takes days of effort and multiple levels of authorisation. Amazon also require an NDA before they will agree to hand these over. Ironically, here’s another Gartner article where they doubt the value of SAS 70 compliance anyway:
“Gartner analysts said SAS 70 is too often treated by vendors and their customers as a certification “proving” security and compliance with privacy or other regulations that require enterprises to monitor their exposure to vendor risks. “SAS 70 is basically an expensive auditing process to support compliance with financial reporting rules like the Sarbanes-Oxley Act (SOX),” said French Caldwell, research vice president at Gartner. “Chief information security officers (CISOs), compliance and risk managers, vendor managers, procurement professionals, and others involved in the purchase or sale of IT services and software need to recognize that SAS 70 is not a security, continuity or privacy compliance standard.” [Read More]
Granted, the first point from Gartner (in the WebDAM article) does not preclude the second being correct. But the implicit assumption that the platform is secure just because lots of other people have put their trust in it is reminiscent of the sub-prime loan crisis in financial services a few years ago, where there was a disconnect between all the different parties: everyone assumed the others had been carrying out all the necessary lender checks, then found out they had not when it was far too late for anything to be done. As recently as four months ago, Dropbox, which is still widely used by many as a ‘drive by DAM’ system, was being described as the problem child of cloud security because of the various security incidents which have affected it, not least of which was when they claimed to be encrypting data but were subsequently proved not to be.
So far, Amazon have not suffered the same fate, but they have had several outages in which design flaws in their EBS storage system were revealed (and which did cause actual data loss for cloud vendors who had not backed up adequately in multiple regions). All these incidents make buyers wonder whether they can take Cloud providers’ claims at face value (and those of their reseller vendor partners too).
I have to say, I’ve seen a number of Cloud or SaaS DAM applications (including WebDAM) and quite a few are reasonable products as examples of DAM software. But I have reservations about any product where you do not get a choice about whether to host it yourself or use the vendor, and where you can’t see the product to know how they have chosen to implement a given feature. It’s not sufficient to just take it on trust that a Cloud vendor meets all the security criteria required of them (and will continue to do so, even after launch). Software companies get bought and sold, with personnel changing constantly, so it’s hard to have any certainty that the people who have diligently maintained and prepared the virtual infrastructure one year are still in charge of the ship in another. I personally have more confidence about recommending a product where the end user has the option to cancel a hosting agreement and host the software themselves if they so wish.
Since mid-2011, I have noticed a trend where IT managers want to take on a DAM system but host it themselves using a Cloud provider like Amazon, gaining the advantages of on-premise along with the scalability of the Cloud (which is an undeniable benefit). Initially this seemed to be with open source products, but now I see it with all kinds of different licence options, with vendors being requested either to deploy the product to a Cloud hosting provider or to provide instructions so the IT people can do it themselves.
This ‘having their cake and eating it’ preference (as one disgruntled SaaS DAM vendor put it to me) seems quite likely to be a popular trend. While marketing departments have often bought DAM systems independently of their IT colleagues in the past, the increased popularity of DAM means it is no longer some ‘photo library system’ which IT are likely to just ignore, leaving marketing departments to get on with it. In part, this trend is being driven by security fears about Cloud hosting which the industry are not doing much to assuage. IT managers seem to mind less if they can actually get at the product and maintain it themselves. While their role also might well diminish, I predict a lot more demand for this ‘cherry picked’ approach to hosting, support and enhancement of DAM systems in the future.