Xenakis on Technology: Are Accounting ASPs your Friend or Foe?

(continued)

That's not to say that pricing is not a factor. It is. Keep in mind that these systems are all priced by the number of users who can access the system. So end users will need to be alert to every user linked to their system.

Intacct costs $49.95 per user per month, while NetLedger is priced at $4.95 per user per month, with an additional $9.95 per month to use the payroll module.

ManagedOps.com provides Great Plains for $450 per month per user, for users that enter data into the system. There's a second level, users who only need to display or print reports, and for them, the charge is $50 per month.

The difference in price reflects the complexity and functionality of the products.

In addition, Great Plains and other classical accounting systems can be customized for your business, provided that you're willing to pay some stiff consulting rates to the ASP.

However, Internet-only accounting systems use an entirely different, mass-audience business model in which no code customizations are permitted.

Of course, both kinds of systems allow you to customize forms, displays and reports.

Misgivings
As I was preparing this column, several misgivings arose. You can decide for yourself whether my misgivings are important to you, or whether you feel I'm being overly anxious.

First, NetLedger was the only software company willing to even estimate how many paying customers it has -- 2,000 paying customers, and 35,000 that have tried the free online demo. I commend Stephen Wolfe, VP of product management at NetLedger, for his openness about this figure, which is very important for getting a sense of a vendor's credibility.

Intacct and ManagedOps.com were unwilling to give me any clue as to how many paying users they have, but since they're priced quite a bit higher than NetLedger, my (unproven) assumption is that they have far fewer users.

However, I did speak to a ManagedOps competitor, Genesis Innovations (www.genesisinnovations.com) of St. Paul, Minn., who tells me that they have nine paying customers using their Great Plains ASP service, and over 1,300 trying out their full-featured demo.

Now all of these vendors have 100-200 employees, and so have $5 million to $15 million going out each year just for payroll and related expenses. How many paying customers do the ASPs need to continue to meet their payroll after the investors start demanding to see some profits? Do the math yourself, and you'll see why I'm concerned.

There are millions of small businesses in the U.S., so there's no doubt that any of these vendors could survive, if only it can get even a tiny market share. But that hasn't happened yet, and no one appears to be even close.

What about free demos? Intacct and NetLedger let you try out their online accounting systems for free for a few weeks, with a demo account, as does Genesis Innovations. ManagedOps.com appeared to be shocked! shocked! that I even suggested such a thing as a free online demo of their systems, and refused to even consider it. So it appears that some ASPs are willing to permit demos, and some aren't.

I believe that online demo versions are going to be increasingly important marketing tools for all ASP vendors.

In fact, online demos can alleviate the risk of switching to a new accounting package sight unseen. One of a financial officer's worst nightmares is that a new system simply won't work.

According to Charles Chewning of Solutions Inc., a Richmond, Va.-based consultant who evaluates accounting software products, failure of an accounting system happens pretty often. "I just talked to someone who got [a major vendor's product], spent $80,000, and got rid of the system because they didn't like it," says Chewning. "The cost of a failure is quite substantial -- much more than the cost of just the software."

What this means to me is that vendors have an obligation to users to become increasingly generous in providing as much information online about their products as possible, including extensive online demo capabilities, in order to give users the opportunity to "live with" the system before making a full commitment to it.

Gartner Group's Security Test
The Gartner Group has provided a test that your technical staff should apply to any ASP that you're thinking of using. A "no" answer to any of these questions represents a serious vulnerability that will put applications and data at risk.

  • With regard to the ASP's network layer, does the ASP require the use of two-factor authentication for administrative control of all routers and firewalls?
    Support 128-bit encryption and two-factor authentication for the connection from the customer's local area network to the ASP production backbone?
    Provide redundancy and load-balancing services for firewalls and other security-critical elements?
    Perform (or have an experienced consulting company perform) external penetration tests on at least a quarterly basis and internal network security audits at least annually?
    Show documented requirements for customer network security (with audit functions) to ensure that other ASP customers will not compromise the ASP backbone?
  • With regard to the ASP's operating system (OS) platform (usually Windows NT or Unix), can the ASP provide a documented policy for hardening the OS on its Web and other servers? (Hardening an OS entails: eliminating any unnecessary OS services (e.g., Telnet or FTP), disabling all communications paths that are not needed (e.g., TCP/IP ports), installing all required security patches and minimizing system administration accounts and access to system logging/auditing.)
  • If the ASP co-locates customer applications on physical servers, does it have a documented set of controls that it uses to ensure separation of data and security information between customer applications?
  • With regard to the actual accounting application software, does the ASP review the security of scripts and integration code that are added to the commercial applications it provides? How is it done?
    Provide application or transaction-based intrusion-detection services?
    Document the security standards and processes used for creating interfaces to other systems on the ASP's systems?
  • With regard to operations, does the ASP perform background checks on personnel who will have administrative access to servers and applications?
    Show a documented process for evaluating OS and application vendor security alerts and installing security patches and service packs?
    Use write-once technology for storing audit trails and security logs?
    Show documented procedures for intrusion detection, incident response and incident escalation/investigation?
    Have membership in the Forum for Incident Response and Security Teams (FIRST) (www.first.org/about/first-description.html), or use a security service provider that is?
    Use "hot site" failover services that have the same security operations and procedures?
    Provide authentication services for system users?
    Have documented processes for adding, removing and validating security keys for all users?
  • When using outsourced authentication services, does the outsource agent have a documented process for managing and validating member security keys?
  • With regard to end user services, does the ASP security staff average more than three years of experience in information/network security?
  • Do more than 75 percent of the ASP's security staff have CISSP (see www.isc2.org/isc2faq.html) or other security industry certification?
  • Can the ASP show documented help desk procedures for authenticating callers and resetting access controls?

(Send John Xenakis your questions and comments for Xenakis on Technology (XOT) to xot@jxenakis.com.)

