Monday, April 27, 2015

Want to host cloud apps for Legal? Get some documents together.

Read a post from Julian Buss the other day about what he has done recently and it reminded me of something I wanted to post.

First, business is going very well.  We just added more staff and more customers in what is typically our off-season and we're strengthening what we already felt was a strong offering.  Been an adventure so far.  Have a superb team and am looking forward to the future which seems very positive.

Still, we're a cautious bunch so "irrational exuberance" is not going to be the order of the day and there are always new challenges.

Second, I believe I can see the end of our XPages use on the distant horizon.  Distant=2-3 years.  I just renewed an SSL certificate in straight Domino over the weekend.  What a crock!  OpenSSL + KYR tool.  Really?  If you felt the old Domino way was cumbersome wait until you get into this.  We use a network device for SSL offloading for our application and the process is, uh, better.  Kudos to IBM for doing the whole POODLE, TLS1.0 to TLS1.2 thing but the whole situation impressed upon me that this platform may not really be getting the attention it deserves, or that we require, over the next few years.  Things could change but we've got a yacht to run now, not a dinghy, and skippering a yacht takes a lot more planning and forethought than a rowboat.

Finally, one of the things I do these days: Security Reviews.  A couple of weeks ago we successfully completed a couple of security reviews which are always required for each new customer.  Sometimes these reviews are conducted by the customer IT Security folk, sometimes an outside security firm on behalf of the potential customer and sometimes both.



Security reviews are a bit of a hassle, well, more than a bit since they can be very time consuming, and, as one can imagine, there is sometimes an adversarial tone that emanates from the reviewers.  Let's be frank, they are not here to be our friends.  They are here to make sure we can properly host their data and it is their job to vouch for their opinion on whether our security is up to the task.  Despite the resources needed to do these reviews on our end, I appreciate them because they keep us on our toes and our philosophy is that if there is an issue we want to know about it so we can address it.

The last review I completed asked for an unusually large number of items so I made lists of everything they requested to make sure I provided all of it.  Missing documents = grumpy security reviewers.

This ain't Facebook with an "I agree to do anything Facebook tells me to do" Terms of Service kind of offering.  There are contracts, insurance, attorneys and security reviews all before we get to do a single thing for any customer.  (I occasionally wistfully think of writing an application where we just do what we want and millions of folks just agree but then I think "Meh.  That's child's play for a Domino XPager.  Maybe when I get older and tired.")

I thought some might find it interesting to see some of what it takes to go through a single security review.  You know.  Just in case you're thinking about hosting applications for Legal.