Dreaming of PaaS

Dreamforce is the snazzy name for Saleforce.com’s annual show-and-tell extravaganza. It’s a pretty stylish event too: rock bands, parties, and big theatrical presentations. I didn’t go but if you’re working for an SFDC customer it’s difficult not to get caught up in the hype.

Force.com is the associated development platform. The functionality has now been extended and you can do everything from integrating Salesforce with Facebook to hosting your own websites on the platform itself.

It’s exciting stuff and there’s no doubt that the PaaS model has real benefits for businesses that more than ever need to be dynamic, flexible, and quick to market with new products. Where’s the catch? It’s right here: in all the rush to implement products on the platform you probably forgot some basics: namely the fact that utilising cloud-based servcies doesn’t dissolve your responsility from doing a proper job of upfront planning and ensuring that applications you’re developing for the new platform still follow the basic tenets of application security.

A respected figure within the security industry suggested to me a short while ago that he considers PaaS/SaaS products to still be some way short of being fully enterprise ready. I’m ready to disagree with that opinion. I think that you can begin to put more of your eggs into the PaaS basket but don’t get too drawn into thinking about the service providers security at the expense of forgetting to think of your own: are your Force.com developers trained in secure development practices, how resilient is your own connectivity to the remote servcies, in your haste to produce new products after drinking the conference cool-aid, did you do the right upfront planning?

You’ve got to get to know the platform first and that means learning much more than what you’re going to get from attending the conference.