HomeArchitecture

Bob vs the cloud

Like Tweet Pin it Share Share Email

Help! I’m desperate!

Not really. To be more accurate I’m minorly inconvenienced.

As mentioned a few months ago, I’m looking for an alternative to Quicken (“Plausibility rules,” 3/12/2018), because it deprecated a feature I rely on, presumably to force me to buy an upgrade.

Not to be bullied into an unwanted expenditure I’ve been on the hunt for an alternative. Thus far, with just one exception, every other personal finance package I’ve found is cloud-based.

Which leads to the question, WHAT????

Look, I’m an open-minded sort, so maybe I’m missing something. Yes, I realize my personal financial data is already in the cloud, assuming we’re all willing to redefine “cloud” to mean “on the web.”

But it’s scattered among a bunch of providers and accounts. If I use any of the non-Quicken personal finance management alternatives I’ve found so far, I’ll be putting it all in one place, just waiting for the next data breach to happen.

There is an exception — a package called GnuCash. I’d use it and be happy, except that the instructions for automatically downloading transactions into it are both impenetrable and, as far as I can tell, don’t … what’s the word I’m looking for? … work.

All of which puts me dead-center in the ongoing debate as to whether data stored behind your corporation’s firewalls are more secure than data stored in a SaaS provider’s data farms.

Now I’m far from an authority on the subject, but I do know what the correct answer to the question isn’t: Yes. I also know it isn’t No.

I know this because I know that in addition to all the well-known information-security basics, the accurate answer depends in part on whether you push your own information security failings onto your SaaS providers.

Here’s what I mean: If I decide to use a cloud-based personal financial management solution, and if I don’t change my password on a regular basis, properly protect myself from Trojans, phishing attacks, and keystroke loggers, and keep my OS properly patched and up to date, it won’t be the solution provider’s fault if someone borrows my data.

This all scales up to the enterprise: If you use, say, Salesforce.com and do a lousy job of key rotation, or your administrators share a super-user login, or you don’t conduct regular white-hat phishing attacks, or you don’t properly protect PCs from invasive keystroke loggers and all the other prevalent intrusion techniques, it really won’t matter what level of security excellence Salesforce.com has achieved.

Also, “secure” means more than “protected from intrusion and misuse. With Quicken (or GnuCash) I can easily backup my data to a backpack drive, knowing how I’d restore it if I need to.

With a cloud-based service provider I’m willing to take it on faith that they backup their customers’ data in case of some form of catastrophic failure. Recovering to the state just before my most recent transaction download, on the other hand, is something I strongly suspect isn’t part of the service.

For the enterprise equivalent, Salesforce.com is always the SaaS touchstone. It recommends customers make use of their own backup and recovery tools, or else rely on third-party services.

But of course, your own backup and recovery tools are exactly as vulnerable as anything else inside your firewall, while third-party alternatives add yet another potential point of security failure you can’t directly control.

KJR first mentioned the cloud more than ten years ago (“Carr-ied away,” 2/4/2008), and yet the cloud continues to perplex CIOs.

From business cases that are always either more nuanced than “the cloud saves money” or else are wrong … to an impact on application development that’s much more significant than “recompile your applications in the cloud and you’re done” … to COTS and SaaS-based application portfolios whose integration challenges put the lie to cloud nativity as the uniform goal of all IT architects … to the ever-harder-to-untangle questions surrounding cloud-level vs internal-firewall-based information security …

If you’re looking for simplicity inside all of this complexity, good luck with that. You’re unlikely to find it for the simplest of reasons: An organization’s applications portfolio and its integration are direct reflections of the complexity of the organization itself.

Modern businesses have a lot of moving parts, all of which interact with each other in complex ways. Inevitably this means the applications that support these moving parts are numerous and require significant integration.

Which in turn means it’s unlikely the underlying technology can be simple and uniform.

And yet, when I need an application that can automatically download transactions into a personal financial database, there’s a depressing uniformity of vision:

“Put it in the cloud.”

Sigh.

Comments (15)

  • I find myself in exactly the same quandary. I’ve used Quicken for years, and there is the every 3-year cycle of upgrades just because the vendor wants more income. The core product hasn’t changed significantly in some time (a point some might argue, but new features that do me no good don’t constitute a significant change). Yes, I could move to the cloud. But why? The only reason that concept is being pushed isn’t the benefit to the customer. I like an environment where I back up and can restore my data. I’m also not fond of the idea of putting all my financial data in a single vendor’s cloud-based offering. At some point it may be the cloud is the answer to every computing question. It isn’t today, but vendors are so entranced with the cash flow of subscription pricing that’s the primary model they’re pushing. And that includes easy downloading of financial transactions.

  • Very thoughtful article.

    Given the fact that we are currently actively being attacked by state sponsored hackers, especially Putin’s dual purpose thieves/spies in a military operation, I think the most secure solution for individuals is to keep everything on their personal computer and back up regularly.

    I don’t honestly know if there is a good corporate solutions, under current conditions, since the best approach is to probably to change security strategies every few months. This kind of frequent change is alien to most corporate cultures I know of.

  • Bob: I have high jacked your statement “The cloud moves data system costs from a capital cost to an expense cost.” Which people hate because now they have to discuss with their CPA/CFO.

    I have also used your discussions about complexity of systems, pointing out that 1) especially in large companies, there are numerous little hacks and tweaks (a setting here, a script there) that makes the whole mess work. Usually undocumented, and the people who developed it are dead or retired (or somebody, for some political reason owns a tiny, but essential piece).

    Which brings it all back to “Is the ‘cloud’ better or worse?” and the definitive answer is “It depends.”

    We can get the level of security we want. Even better. And backups. And redundancy. And everything else we want. For a price.

    Which brings it back to the same discussions we were having many years ago. The customer/company wants a software package that “does it all.” We have the “.Com to Jesus” talk. The decision makers show up a month later with a software package that does it all for a fraction of the cost (their golfing buddy recommend it). Of course it does little, and the cost turns out to be many times what was anticipated.

    A different label, still the same old snake oil.

  • I think the real issue is trust and control of your own data. I do not explicitly trust that anyone besides me can be responsible for my data. I just feel better if I have a backup for all of this information that is VERY valuable to me.

  • I use GnuCash and have been using it for years. The .QFX file import works quite smoothly. .QIF imports also work, though I find the .QFX processing a little bit easier.

    The developers are also pretty responsive. I’m running Ubuntu. Your experience on Windows might be different. I have not paid attention to the other platforms.

  • While I can agree that having security updates are important, I don’t see why we have to pay for a new version of Quicken every year with very few new features that are noticeable. Seems like they always seem to have the connections to download from banks breaking about that time also as extra incentive to make you pay. I always feel that is a bit like a protection racket going on. We don’t have to pay for such security upgrades from most any other publisher – we only pay there when it is a significant improvement in features. I really, really miss Microsoft Money. It seemed to work better and had some features that Quicken is still missing.

  • I use GnuCash and have been using it for years. The .QFX file import works quite smoothly. .QIF imports also work, though I find the .QFX processing a little bit easier.

    The developers are also pretty responsive. I’m running Ubuntu. Your experience on Windows might be different. I have not paid attention to the other non-Linux platforms.

  • Same conundrum. I’m less concerned about my data being in the cloud than my financial account credentials, that allow the automatic downloads, being there.

    I do use Gnucash. I download manually and it works.. mostly.

  • I had the same complaint about Quicken years ago. I switched to Moneydance and it has it’s database on the computer that its running on.

  • I have been talking about this for quite some time and come to the same conclusions. While the cloud might be good for some things, it’s not a panacea and can actually be dangerous/harmful, depending on how the cloud provider of choice handles and secures the data with which it is entrusted.
    I will take the conservative approach and manage my own data.

  • One might argue that Bob has made the case for paying for the Quicken upgrade if he wants to control his own data.

  • Like you, Bob, I don’t want my data stored on someone else’s servers. I store all my personal data locally and encrypted. I even use the desktop versions of Turbotax and RoboForm. (Yes, I realize my info is already “out there”, but I don’t want to add to the problem).

    I do not download transactions from banks into Quicken! I enter each of my transactions from the paper receipts I have; credit cards, debit card, cash. I have experienced transactions that magically have changed somewhere between me getting a receipt and the info getting to my bank (or MasterCard). In one case, a waiter gave himself a bigger tip after I had left. So I enter my trx and then balance what I have vs what the bank (or MasterCard) says.

    I use a very old version of Quicken and I’m happy with it.

  • bob,

    i recall ibm made us change passwords monthly
    not only that they snailed us the new one that they made up

    in the lab our door had a lock
    code was 1234
    security came through and made us change it
    management chose 4321
    go figure

    the only reason to ever change is so the bad guys cant keep sneaking in easily once they got in the first time
    of course once they got in they added a back door so they can get in again no matter how often you change it
    and the first time they probably got in without knowing your password anyway

    my experience is that i HATE passwords
    all they ever do is keep me out of accessing my own data

    i have no lock screen on my laptop nor cell phone
    i have no passwords except to accounts that mandate i have one to access
    but none at all on anything that i control

    we are not protecting against state actors
    they will get in anyway
    you will never stop the cia kgb mossad mi5 nor even iran and NoKo equivalents if they want in
    we are protecting against the criminals who steal identity and inflict ransomware

    just how does a password stop ransomware anyway ?

    sorry but i have been effeddup too many times by bad patches
    if it aint broke then dont fix it
    no bleeping way i will use a patch that *I* dont need

    and i have lost data in the cloud too
    *my* data stays locally backed up
    and if it is that valuable another off site copy or two will also exist

    links can be faked
    most folks cant inspect them safely
    i cant see where your links go to without clicking on them
    although some cases they can be seen in a browser if not in the email client itself
    and some software launches the hidden ones when you merely open the email to start reading

    i was at raytheon and they got clobbered with scumware when a contractor opened an email
    offering pictures of a porno variety which turned out to be the ultimate phishing scam

    in your case spring for the 50usd and take it off your taxes
    it is a legitimate deduction
    and in your bracket you save 20usd so it really only costs 30usd
    for me i would still use excel even if i had to learn VB to do what i need
    i do my taxes on excel faster better easier cheaper than any of the many tax programs i have tried

    DE mag this month had a great article on software pricing. if its buy then they go out of biz when everybody has it.
    if its rent then its tough to get anyone to sign up. metered usage may be the future.

    security questions serve to cya your doctors office or whoever and are not related to security as you suspected

    what is best depends on the situation
    personal or business
    how big is the risk yada yada

    full disclosure: i was a security consultant for a number of years

    what we need is to ARCHITECT , systems engineer, design, and build
    a totally scumware proof PC which is not all that hard to do when you know how.
    too many people are stuck in a box or prefer the conventional whizdumb from the internet based on what HS seniors ‘know’

    it is easy to do but NSA wont let you
    assuming that anyone would buy it anyway

    i did it in the DOS days in 1980 time frame
    so did a company called CTA who did it on a USAF contract
    why didnt the govt use that design?
    did NSA kill it ?? do’H!
    NSA does prefer to be able to get into your PC more than they want to keep the other guys out of your PC

    w.

  • I find the idea that your data is backed up at home and you can restore it iffy.

    You need a backup in a form you can read with say excel or something like that. And then you need not only a backup of the data, but some way to restore the software. Most people don’t have this.

Comments are closed.