Trouble with clouds

Jul 25, 2015 10:32

I hate my server.  I hate it with a burning passion.  It is the source of 85% of the glitches that plague my business life.  I sit down to use one of my four critical applications and - nope - not today, sorry.  Just random shit all the time.  So I've been contemplating how to take my business to the cloud.  It's not easy: there are several components:

1.) Shared application files.  Where our data is kept.
2.) Being able to run those data files from our two Intuit applications, which both are assuming we have servers.  (We can host the servers, but it's a separate issue than just storing Excel documents on Dropbox or whatever.)
3.) Additional cloud-based needs including Client database / workflow or ticketing / scheduling and calendaring / document management and document sharing with clients over a portal / electronic signatures / website / data archiving (SEC requires that I archive social media) and backups.  Ideally some of the programs I use will do many of these functions and integrate well with the ones that it doesn't do.

I'm reviewing a ton of software.  Just tons.  I find all sorts of things that do one thing well, but I'm really looking for something that will combine document management with a customer-focused interface rather than an email-focused interface or a folder-focused interface.  Meaning, I want to look at John Smith and see his appointments, the status of his projects, emails to or about him and his files.  CRM/DMS/Calendaring/Email all in one place.  (We use Google Apps for business so calendaring and email are reasonably easy to integrate.)

I found an application that is just perfect.  I'm testing it and it's doing everything I want and the annual subscription price is half what I'd pay if I cobble together other products, but the company is SMALL.  Really small.  That's okay, I am too.  But I have procedures in place to protect my data, they must, too.  I'll just confirm these and check their references, make sure they're not a boiler-room fraud designed to get small accountants to hand them all of their clients' data.

So I start checking.

Who owns their website?  An accountant who has registered 90 other domains.  That's okay, I register domains for my clients, too.  And it's obvious an accountant is involved in this product, it's ideal for me.

Who owns the building that they call their address?  A corporation.  That's okay, my building is owned by a LLC, too.

What other corporations use that same address?  Dozens.  Um, okay.  Weird.  Is this a Mailboxes Etc dropbox?

What does the assessor say this address is?  A 1400 square foot single residence.  What does Zillow show?  Nothing.  Um, okay, I keep going.

What happens if I call the accountant who's on the whois?  I google that accountant, he has the same address as the software business, I call his number during normal business hours.  I hear the phone roll over to an answering service (the ring changed slightly, I recognized it.)  I ask the receptionist if she gets other calls for this number in the course of normal business, if she knows that accountant in person, how is this different than a faux-front operation?  She has no personal knowledge of him ever getting other business calls or of him being an actual person, he's just someone on her customer list with a script.  I leave a message saying I'm calling him as a reference for someone.

He calls back instantly from a cellphone. Where?  There's no discernible time delay so I'm not thinking China, but there's no particular reason to guess it's the location they list for the company. (Later I looked at Google Street View and saw that the building is a storefront with the accountant's name on it, but I didn't do this until after I got off the phone with him.)

I tell him I want to talk about his experience with this software and how it's helped his business, and what does he think about the data security element.  He gets offended that I called.  He says data security isn't that big a deal.  He says the business is a start-up but the product is good.  He says they use a server farm that's the same one that Wall Street financial firms use. He thinks I'm impugning their reputation to act like they're fraudsters.  (I'm feeling a bit weird here: you don't call references because you THINK people are fraudsters, you just avoid them in that case.  You call references to determine they're NOT.  How come this guy doesn't know that? He's supposed to be a CPA.  We're supposed to speak the same language.  I'm not feeling a "click" here.)  I look at the accountant's website (he has two with different names that I found) and it has pictures of his diplomas on his website.  Um, sure.  (Have you heard the Freakonomics podcast about diploma mills?)  I go to his list of clients and get a 404 website.  (Some of my clients allow me to link to them on my website as a form of reference for me.  Any client listed on my website would be willing to speak to someone about my services.  I update it at least annually.)  Also, all his pictures - on his website, on LinkedIn, in Google Images, in a newspaper article from 2008, are the same headshot.

I did not start out this search thinking that they were running a store-front fraud operation.  I really didn't.  I just needed to verify that they weren't, and that there were procedures in place that would prevent my clients' data from being stolen when at rest.  Now I'm not even sure if the guy posing as "CPA" on the website isn't a stolen identity.

I email the company back and tell them I'd like to speak to an existing customer, they can pick any one.

I also asked for the phone number or email of their rep at Equinix NY 4, figuring that a vendor relationship would show that it's a real operation and that they really use those servers in that secure location.  (I intend to verify that the number reaches Equinix, not the same boiler room.)

It still won't ensure that their employees can't harvest information from the SQL database on their servers, though.  Firewalls don't keep out bad actors ON STAFF. So I also asked them if they do background checks on their employees and/or are bonded and/or if my data is encrypted on their servers at all times so that their own staff can't see my data.

I got an email back saying they were outraged at the level of due diligence I was doing for a retail product, that they want me to sign an NDA before they'll proceed, that I should give my questions for their Equinix rep to them and they'll forward them and let me know what Equinix says, if anything.

These guys either do not grasp that I'm trying to get third-party confirmation that they're an operating business, do not grasp why a financial services firm would wish to have SEC-compliant data security, or are actually a front trying to steal data from accountants.

After hours of trying, I can't tell, which means, damn it, I need to keep looking for software.  Uggh, I really wanted this to work.  It was such a great combination of ticketing/workflow and document management and client database.

revamping business, those bastards!
