Hyland Software's Document Management Blog

Why Education Might be Your Most Vital Software Investment

// September 13th, 2011 // No Comments » // Document Management, Enterprise content management, Software as a Service // Tom Tennant

The value of “been there, done that” is rapidly becoming a conference mantra at OTTC 2011, Hyland Software’s annual training and technical conference. What that means, as we’ve related in previous posts, is harnessing the power of industry peers and technology experts – who have already experienced all the ups and downs anyone might encounter – to solve problems and create new ideas.

Nowhere is that more prevalent than in the training and education component of this conference. In fact, training and education might be the single most important software investment you can make.

Why so? Because education is a component many companies overlook, or assume comes “standard,” with any technology purchase. What they later discover is that education and training is often cloistered behind their vendor’s four walls, creating barriers to vital information.

Furthermore, access to industry peers post-implementation, if not discouraged, is at the very least neglected, leaving a company with limited choices. Create expensive-to-maintain custom-code? Increase or divert head count to tackle the problem? Abandon the software solution altogether? These are choices an organization shouldn’t have to make.

That’s why a robust training program, one that encourages customer involvement and customer connection, is vital to the longevity of any technology solution, says Mark Davis, VP, Technical Services. It also allows companies to become vendor independent – even promotes it – so that a company can attack a solution on its own with confidence and expertise.

“Adoption of any technology is a profound challenge,” says Davis. “That’s why technology companies should be actively promoting and participating in conversations with and between their end-users, so that organizations can implement technology faster and with more reliability.”

Before investing in any technology, companies should explore a vendor’s end-user community. And deeper than simply making sure the community exists. It should be easy to tap into that community, share ideas and experiences, good and bad. Then see how deep the training goes. Does the company hold regular training conferences? Offer 24/7 training online? Develop and host end-user groups?

“The very best technology vendors get this,” says Davis. “They understand that it’s all about sharing both best practices and challenges and connecting peers who can say, ‘You’re encountering this problem? This is how we overcame that.’ Or even ‘You’re finding it hard to get the budget for the implementation? Here’s how we proved ROI.’”

A-listers focus on building partnerships with their customers and helping organizations build confidence. Confidence in their investment, sure, but more than that, confidence in their ability to adopt and adapt their technology over the long-haul, and then transfer that knowledge to others in the organization.

“Great companies want rich partnerships with both sides able to contribute to the conversation, the innovation and the solution,” says Davis. “And they dedicate themselves to getting you there.”

What We Can Learn About the Enterprise Content Management Market from the Launch of iCloud

// June 6th, 2011 // 1 Comment » // Cloud Computing, Software as a Service // Justin Alexander

Today, Apple announced its new iCloud service, which follows on the heels of similar “media locker” service announcements from Amazon and Google. At first glance, this set of new hosted consumer services seems completely unrelated to enterprise content management. But, if we dig deeper, I think the reflection of three larger trends can be observed.

Mobile Media

The explosion of mobile devices has been well-documented. And now, this trend transcends consumer and business boundaries. We’ve become accustomed to having access to email and websites no matter where we are. I personally live on the coast of Maine. I can still remember feelings of astonishment the first time I responded to a work email while I was on one of the small islands in my community. Today, this kind of “anywhere computing” isn’t even noteworthy. It’s just expected.

As I’ve previously noted on this blog, the amount of data being generated and stored is also expanding rapidly. For consumers, the most significant source of data is media files. iTunes and NetFlix are probably the two most obvious examples.

Apple’s iCloud, Amazon’s Cloud Player, and Google Music are all attempting to capitalize on these trends by adding hosted services that complement their existing mobile and/or e-commerce platforms. Microsoft is rumored to be working on a similar strategy to more closely tie their Windows Phone 7 platform to their Zune marketplace.

Everywhere Computing

Within the enterprise, these same trends are pushing ECM beyond the corporate firewall and office building. Employees will increasingly be empowered to work “anywhere” by a new generation of software applications commonly known as “smart clients,” like Hyland’s client that was released in OnBase 10.0. These applications typically include “off-line” functionality that allows information to be retrieved, taken off-site, updated when network access is not practical and then synchronized with those changes once they are back in the office.

These feature-rich clients will be complimented by a variety of lighter-weight productivity tools. The simplicity of these mobile applications is currently being offset by the fractured smart phone and immature tablet markets. As a result, difficult decisions will need to be made by many organizations because their preferred ECM vendor may not support the mobile devices which their IT department has already standardized on.

The Cloud is Foggy

Finally, (in my opinion) the launch of iCloud confirms that the term “cloud computing” has lost almost all of its meaning. Apple isn’t the first company to re-categorize traditional “online services” as “cloud services.” They’re just the most recent and obvious example.

From a technical perspective, the Cloud has always been a nebulous concept. Now that it’s become mainstream, it’s even harder to pin down. In my personal opinion, John Gage’s original vision that “the network is the computer” has basically evolved into what we now refer to as “the cloud.”

Many have argued that “the cloud” refers to a specific business model. Indeed, usage-based pricing is one of the most consistent qualities shared by the major cloud vendors. The fact that iCloud appears to use a flat annual fee structure further supports the assertion that pricing is a key aspect of what the term “cloud” has come to embody. But, it’s just as easy to prove that usage based pricing has been around for decades. In my opinion, most of these concepts are part of larger business trends, like outsourcing and the mythical realignment of business and corporate IT.

In short, “the cloud” has devolved into a loosely defined marketing term, easily bent to serve the interest of entrenched technology companies. As a technology professional, this is disappointing. But, for technology buyers, this will almost certainly result in confusion, misunderstandings, and disappointment. Caution is warranted.

Over the coming weeks, I will attempt to highlight key concepts that (I hope) will empower companies to look beyond trendy marketing terminology and silver bullets in favor of clearly defined value propositions.

HIMSS Day 1, Part II: What About the Cloud?

// February 22nd, 2011 // 1 Comment » // Cloud Computing, Healthcare, Software as a Service // Kaitlin McCready

What’s my favorite part about HIMSS? You never know who you’re going to run into.

Waiting for the hotel shuttle yesterday, I ended up having a conversation about the future of healthcare IT with none other than the founder of Quality Systems Inc. and NextGen, Sheldon Razin. Sheldon is the classic entrepreneur – he knows so much about a field – healthcare IT – and wants to share it with anyone who’ll listen.

So, naturally, he lit up when I asked him, “What do you think is the future of healthcare IT?”

In short, he said, “the cloud.” We didn’t have a lot of time, but we did discuss how there are so many healthcare solutions needed to really impact patient care, and that at some point, it’ll make more sense for some healthcare organizations to outsource the management of the infrastructure and data management.

This brings up an interesting point. At the CIO Forum on Sunday, a major theme was how CIOs have to focus not on the cost of technology, but rather on how risky the investment is and how much value it’s going to provide long term.

The healthcare field is changing a lot now. With all the competition and big systems only getting bigger, the needs of the healthcare organization are continuing to change. So if a healthcare organization is looking to invest in technology now, wouldn’t it make sense for the long-term value of the solution to at least have the option of being SaaS-based? With larger systems purchasing home healthcare providers and smaller physician systems, the healthcare field needs to be ready to accommodate that kind of IT environment.

Something that Sheldon and I didn’t get into on the topic of SaaS was security. Many other industries have acknowledged that the risk isn’t really as high as was first perceived, but healthcare is still holding tight to that perception.

On that note, is cloud a viable option for healthcare? Or do the words “patient information security” inspire too much fear into even try it out?

IT strategy rapidly evolving as virtualization grows

// December 30th, 2010 // 1 Comment » // Cloud Computing, Enterprise content management, Government, Healthcare, Insurance, Software as a Service // Glenn Gibson

Just when you thought it was safe to get back to work, your IT world is changing again. Or at the very least evolving.

It’s been doing so since at least 2008, when Gartner, the well-known information technology research and analyst firm, spotlighted one trend, which it calls “the highest-impact issue, changing how organizations plan, buy, deploy and manage IT through 2012.”

And that’s virtualization.

It sounds a bit Matrix-y, and that’s okay, because it is in a way.  Virtualization refers to the virtual rendering of an actual thing, like an operating system, storage device, server and so forth. Your employees encounter it most often when they’re running virtual desktops from their computers at home.

If you’re avoiding it, you might want to rethink your approach. Agile businesses are moving quickly to adopt virtualization, allowing their employees to access information anywhere, anytime with any device. Powerful, powerful stuff, as workforces become more nimble, mobile and spread out. WiFi, 3G, 4G, smartphones and tablets connect workers to their work – and each other – like never before. And virtualization is letting it happen.

As IT infrastructure and datacenter strategy moves toward this new reality ­­­– and we believe it is a reality that’s here to stay – more and more companies will rely on vendors who have the virtualization experience and understanding needed to support their long-term business goals.

We’re so sure this is one of the main avenues business IT is heading down, Hyland regularly updates its virtualization support statement to underscore our commitment to making OnBase run seamlessly on our customers’ virtual infrastructure. And it’s why we find maintaining our VMware ready and Citrix ready certifications so important.

And it’s not just talk. 

Hyland’s own Software as a Service solution, OnBase OnLine, runs almost entirely on virtualized servers hosted by VMware ESX Server.  Many of our customers also host their OnBase solution on virtualized servers. 

One customer runs 30 physical VMware ESX Servers which host ample virtualized servers, providing a server environment that can sustain some 22,000 users. 

So there you have it. Virtualization is the future. And the future is already here.

Part IV – The trouble with data center audits

// August 11th, 2010 // 1 Comment » // Cloud Computing, Software as a Service // Justin Alexander

So far, I’ve explored compliance issues pertaining to the world of cloud computing. Last time, I shared the trouble with SAS 70 audits. Now, in the final installment of this series, I’m going to look at data center audits.

If you’ve been paying close attention, you probably realize that there is actually a much deeper problem that needs to be addressed. Let’s go back to Joe’s sub shop for one last visit.

After a brief meeting with your accountant, you’ve finally had a chance to read Joe’s menu. You return to the shop feeling well prepared to enjoy the great dining experience all your friends keep telling you about.

“I’d like a roast beef sandwich, hold the onions and horseradish, please.”

The employee at the counter enters your order and hands you a ticket. You wait for them to call your number. As you’re waiting, it suddenly hits you… they’re not making the sandwich in front of me anymore. They’ve moved everything into the back kitchen! It’s taking a while for your order to come out of the kitchen, so you decide to express your displeasure with this change.

“Hey, you used to make the subs right out here where I could watch. I liked that! I could see everything that happened, which made me confident that my sandwich was being prepared the way I like it and that the ingredients were being handled in a sanitary fashion.”

The employee hardly acknowledges that you’re speaking. So, you press a little harder.

“So, now that the food is being prepared [pointing with an exaggerated motion] BACK THERE, how do I know the employees are taking appropriate safety precautions like washing their hands, wearing gloves and using hairnets?”

The employee responds quickly and confidently. Clearly, Joe has trained them on how to answer this question.

“Oh, that’s no problem! We have an audit report from the owner of the strip mall, Strip Malls of America, Inc.!”

Instantly, you start to feel that same strange sense of confusion you felt when you first asked to see the menu at this place. Hesitantly, you ask,

“So the audit report for Strip Malls of America says that YOUR employees wear gloves and hairnets when handling food?”

For the first time, the employee seems a little annoyed with your never-ending series of questions.

“Well,… no, not exactly. Our employees don’t actually work for Strip Malls of America, they work for Joe. But, it does say that every tenant in a Strip Malls of America owned property must mop the floor, wash the windows and sweep the sidewalk in front of the store. That’s pretty much the same thing!”

The problem should now be obvious. Having clean sidewalks, floors and windows is a good thing, but these environmental factors have a fairly remote relationship to your sandwich. The people and processes that are directly involved with handling your food are much more relevant. Yet, they are not addressed by the audit report provided by Joe’s Subs.

The same problem exists for customers when their cloud vendor relies exclusively on an audit report from their third-party data center provider. The data center provider isn’t provisioning and managing your data or applications… your cloud vendor is!

Demand what you need
So, the next time someone attempts to prove that their cloud hosting service is secure, available and private by citing some OTHER company’s audit report, my advice is to take your business elsewhere. If that’s not practical, then insist that the vendor extend the right for you to perform an independent audit of their operations. By doing so, you’ll protect your company’s interests and help to make the cloud computing marketplace more mature and responsive.

Part III – The trouble with SAS 70 audits

// August 4th, 2010 // 2 Comments » // Cloud Computing, Software as a Service // Justin Alexander

In my last post, I wrote a bit about Joe’s sub shop. Specifically, I used an analogy to show there are certain things you should expect and be able to see when it comes to safety, whether it’s gloves and hairnets for food preparation or an audit report like SysTrust for data center compliance. Now, I’m going to build on the same analogy to get into some of the specific shortfalls of the common SAS 70 audit.

Let’s start by reevaluating what our visit to the sandwich shop might look like when using a vendor that only provides a SAS 70 audit from their data center provider. I think you’ll find that the experience would likely be very different and much less enjoyable.

Just as before, you pull into the parking lot, drive past the other stores, and then park in the back where Joe’s is located. But, when you walk up to the counter, there’s no menu.

You see, in a SAS 70 audit, the cloud vendor’s report can only be distributed to existing customers… and even then, it’s only intended to be read by other auditors. This is why most cloud vendors will only offer a letter from an executive affirming that they have completed a SAS 70 audit when a prospective customer asks for proof that they’ve completed an audit.

They’re not being intentionally difficult by withholding the full report. They’re just following the AICPA’s (American Institute of Certified Public Accountants) own guidance for how SAS 70 reports should be distributed.

After looking to the left, to the right, up at the ceiling, down at the floor, back behind you and under the stack of napkins (that menu has to be here somewhere!!), you shrug and ask the employee by the register:

“Do you sell roast beef sandwiches?”The employee responds: 

“Yes, that’s my favorite sub!”As you watch another customer exit the store with a sub sandwich that is packed with a variety of exotic ingredients, you realize you better not make any assumptions about what Joe puts on his roast beef sandwich.

“Can I see a menu so I know what’s in your roast beef sandwich and what options I have?”The employee responds:

“I can’t give you a copy of the menu until AFTER you’ve bought something. Sorry.”You sigh heavily, look to the heavens hoping for an explanation of why you have to endure such foolishness and reluctantly buy a soda.

The employee thanks you for your purchase and then hands you a letter from the owner of the store, Joe. It essentially states that the menu does in fact exist and then goes on to celebrate that their financial auditors have observed the sub shop over the course of several month and have concluded that the ingredients listed within the menu are accurate.

The employee clearly expects you to be impressed with this letter, but you instead feel disoriented… like everyone else is in on the joke except you.

“But I still don’t know if the roast beef sandwich contains onions?!?! I’m allergic to onions. My doctor says I shouldn’t eat them.”The employee gleefully responds that the full menu, including the ingredient list for their roast beef sandwich, is being sent to your accountant.

Hopefully, you get the point I’m making. Because the SAS 70 audit format was designed to support the need of financial audits, they can represent a serious challenge for customers attempting to use them as the primary means of ensuring a cloud vendor’s services meet their particular compliance needs.

ALL of the information is in the audit report but gaining access to that report involves jumping through a series of silly hoops or ignoring the AICPA’s own guidance for how SAS 70 audit reports should be distributed.

To be clear, I’m not saying that SAS 70 is a bad audit format. It just ill suited for this particular purpose. The SAS 70 audit format was originally designed to support financial audits. The self-defined objectives and limited report distribution portions of the standard are perfectly reasonable within that context. Problems arise only when a SAS 70 audit is used for a general purpose IT audit for services delivered at Internet scale.

Next time, in the final part of this series, my topic will be, “the trouble with data center audits.” Stay tuned, but in the meantime, please let me know if there are questions or concerns I can address.

Part II – Compliance: A cloud services pitfall disguised as the solution

// July 29th, 2010 // No Comments » // Cloud Computing, Software as a Service // Justin Alexander

I kicked off this series about compliance and the cloud with a piece about the false comfort of data center audits. In my next two posts, I’m going to drill down into the most common “solution” offered by today’s cloud vendors — a SAS 70 audit from the data center provider.

To start, it’s important to note that cloud vendors typically buy space within a data center that is owned by a third party. As part of the cost, the owner of the datacenter will often provide a “free” SAS 70 audit report. This allows them to lower their cost of entry into the cloud market, focus immediately on selling new business and lobby the for press coverage about their commitment to compliance, as evidenced by their SAS 70 designation.

Unfortunately, a SAS 70 audit that only covers the data center aligns quite poorly with the customer’s needs. It doesn’t fully address ANY of the three areas we defined in my last piece. As a result, my advice is to seek out cloud vendors that offer their own audit report. I also recommend giving strong preference to prescriptive audit standards that are explicitly targeted toward information technology systems and processes, such as SysTrust^® and ISO 27000.

Joe’s Sub Shop
I certainly don’t expect you to just take my word for it. I need to make my case. But, it can be difficult to explain the problems customers are typically confronted when selecting a cloud vendor that relies exclusively on a SAS 70 data center audit without devolving into an endless barrage of auditor jargon. So, let’s try using an analogy that we can all relate to… eating at the local sub sandwich shop.

You pull into the parking lot, passing several other storefronts within the strip mall. The best places are always tucked away in the back, and Joe’s Sub Shop is no exception.

You enter the store and walk up to the counter to place your order. The menu is huge, but easily read on the big chalkboard over the counter.

“I’ll take the roast beef sandwich. Ooh. I see that has onions on it. Yuck!! Hold the onions, please!”Your order is placed and your money is taken. You wait anxiously as a second employee prepares your sandwich right in front of you. He wears those plastic gloves, a hairnet and a hat to help ensure that the sandwich is safe to eat, which is reassuring.

In this scenario, the cloud vendor’s audit is sort of like those plastic gloves and hairnets. It ensures the people who are actively handling your data are doing so in a responsible manner based on a set of commonly accepted standards.

Similarly, a prescriptive IT audit standard like SysTrust is kind of like the menu at the sub shop. It allows you to know exactly what your company is receiving from the cloud vendor and allows you to customize your order if needed.

If you have any questions or concerns about what is or is not covered by the vendor’s compliance program, you can go read the audit criteria yourself, and it will tell you exactly what standards the vendor has demonstrated they conform to.

In part three of this series, I’ll expand on my analogy and get into the trouble with SAS 70.

PART I – Compliance: The false comfort of data center audits for cloud services

// July 22nd, 2010 // No Comments » // Cloud Computing, Software as a Service // Justin Alexander

Compliance and the cloud
Compliance is one of the most common sources of stress a company faces when moving solutions into the cloud. It’s a complex and arcane topic to begin with. When the inherent reduction in control that comes with outsourcing an IT service to the cloud is added, FUD (fear, uncertainty and doubt) can easily derail even the most carefully planned project.

Unfortunately, many of the cloud services vendors in the marketplace do more to add to the confusion than to address the very real compliance needs organizations face. My intent is to shed some light on this issue over the course of several posts. I’m also going to try to provide actionable advice that both IT and audit teams can benefit from when evaluating cloud-delivered solutions like SaaS, IaaS and PaaS (Software, Infrastructure, and Platform as a Service, respectively).

We all have needs
First, let’s define the needs of both parties. As outlined in part one and two of this series, these are the Wild West days of the cloud when thousands of vendors are driving a land grab for new business. Within this landscape, vendors both large and small are often motivated by:

• Mind share – The ability to gain consistent coverage by press and analysts. Cutting edge is sexy. When there are no clear leaders, the desire to create the perception of leadership is often considered an end unto itself.
• Market share – The ability to demonstrate growth, ideally at a rate higher than the competition. Within the land grab of an emerging market, capturing new business is often considered more important than profitability and customer retention.
• Cost Reduction – The ability to lower start-up costs. Although there is general consensus that the convergence of both technical and cultural trends we call “cloud computing” has huge potential, no one can guarantee that it will grow as rapidly as the analysts predict. Within an immature market, it’s often easier to lower costs than increase sales.

Today’s compliance landscape is very complex and constantly changing. Corporate initiatives could be driven by federal regulatory mandates, state laws, demands from business partners or even as a response to events on the nightly news. Yet, the compliance needs of a company that has chosen to outsource an IT solution to the cloud are deceptively straightforward. Stated broadly, they need to have transparent insight into:

• Scope – The ability to determine what business and technical objectives the vendor’s compliance program does and does not meet. Will the employees working with my data ensure that it remains private and secure as required by HIPAA? Do they have a password policy that addresses complexity, rotation and storage like our internal policy does?
• Quality – The ability to determine if the vendor’s policies and procedures adequately address each objective. Maybe they have a password policy, but it states that a password can be four alphanumeric characters, is only rotated on leap years, and advises employees to write their passwords on a post-it note to ensure they never forget it. The point is that a customer must have some assurance that a policy not only exists . . . but that it’s commonly accepted as an “adequate” or even strong policy.
• Execution – The ability to determine if work performed by the vendor’s employees and subcontractors complies with their policies and procedures. If the vendor has strong policies that no one follows, they’re not delivering much value to their customers.

In my next post, I’ll look at a pitfall disguised as a solution that goes by SAS70.

Please consider signing up – by e-mail or RSS – to get new posts from me and my fellow bloggers delivered automatically to your inbox. If you find our pieces intriguing and/or enlightening, please encourage your friends and colleagues to check us out. And if you have ideas for stories or ways to make this community better meet your needs, please let us know.