
openerp-community team mailing list archive

Re: Fwd: OpenERP CMS: How is server separation implemented?


On Sat, Jan 18, 2014 at 12:51 AM, Ray Carnes <rcarnes@xxxxxxxxxxxxxxxxxxx> wrote:

> To back this up, the first two things that became 'commonly' hosted by
> third parties on publicly accessible (though locked down via
> authentication methods) were:
>
> (In the US at least)
>
> 1) Payroll (as suggested by Fabrice - it doesn't get more 'private' than
> this).
> 2) CRM (there can be no other kind of data more sensitive to a company
> than a customer list)
>
> ADP and Salesforce.com (and competitors) have convinced the market that
> this is secure and have so far been able to protect the data.



Still, there is another point that is missed:

IMHO one of the top selling points of OpenERP is that, because it's open
source and quite productive, and because there is a dynamic community, you
can customize it to make it do what no proprietary ERP can do.

Most OpenERP users are people who don't use a SaaS solution, by far.

As I said, it's credible that on a very limited set of modules and with
extreme care you could secure the entire surface of OpenERP on some SaaS
offering, probably the one of OpenERP SA. Just like maybe Salesforce can
secure its data.

But what can be achieved at this scale is quite different from what can be
achieved in the average SMB.

For instance, OpenERP leaves the passwords in clear text in the res_users
table by default. What % of OpenERP users do you think deploy with these
settings? I would bet 90% or more...

So for the vast majority of OpenERP users, securing the surface of a whole
ERP with customizations won't be that trivial.
And it's not only about securing it against someone stealing your company
data, it's also about securing it against DoS, which is quite a bit harder.

So all in all, I think that it will fit a given market share well for DIY
SaaS, and it's probably great for OpenERP SA's primary offer.
But probably some people will want alternatives, and it's cool that they
will exist.

Also, it's not that binary:
it's not just a choice between:
1) full data duplication like OpenERP + Magento
2) or putting all your company data within reach of any breach inside a
complete ERP API

I will demonstrate with Ooor that there is a middle way where you can
expose exactly what you want, without data duplication wherever it makes
sense, and still avoid offering the attack surface of a whole ERP.

Regards.

-- 
Raphaël Valyi
Founder and consultant
http://twitter.com/rvalyi
+55 21 2516 2954
www.akretion.com
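The clear-text password point above is easy to verify on your own instance. The script below is an added example, not code from the thread, from Ooor or from OpenERP: it audits a dump of the res_users table and reports which logins still have a clear-text value in the `password` column. It assumes the rows come from a query such as `SELECT login, password, password_crypt FROM res_users;` and that the `password_crypt` column holds a passlib-style modular crypt string once the auth_crypt module is installed (an assumption about the 7.0 schema; adjust the column names for your version). The sample rows are constructed for the example.

```python
"""Audit a dump of OpenERP's res_users table for clear-text passwords.

Added example, not OpenERP's own code. Assumes rows shaped like
    SELECT login, password, password_crypt FROM res_users;
where `password_crypt` only exists once auth_crypt is installed
(assumption about the 7.0 schema). Sample rows below are constructed.
"""

# Modular-crypt prefixes we accept as "hashed". Anything else that is
# non-empty is treated as clear text, which is the conservative choice
# for an audit: an unknown format gets flagged rather than trusted.
HASH_PREFIXES = (
    "$pbkdf2-sha512$", "$pbkdf2-sha256$",   # passlib pbkdf2 (auth_crypt)
    "$6$", "$5$", "$1$",                    # sha512/sha256/md5 crypt
    "$2a$", "$2b$", "$2y$",                 # bcrypt
)


def classify_password(value):
    """Return 'empty', 'hashed' or 'plaintext' for one stored value."""
    if value is None or value == "":
        return "empty"
    if value.startswith(HASH_PREFIXES):
        return "hashed"
    return "plaintext"


def classify_user(row):
    """row = (login, password, password_crypt) -> overall state of the account.

    A clear-text value in `password` is reported even when a hash is also
    present: the migration to auth_crypt is supposed to blank that column,
    so a leftover copy is exactly what an attacker reading the table wants.
    """
    _login, password, password_crypt = row
    if classify_password(password) == "plaintext":
        return "plaintext"
    if classify_password(password_crypt) == "hashed":
        return "hashed"
    return "no-password"   # e.g. a deactivated or never-provisioned login


def audit(rows):
    """Count accounts per state and list the logins stored in clear text."""
    counts = {"plaintext": 0, "hashed": 0, "no-password": 0}
    offenders = []
    for row in rows:
        state = classify_user(row)
        counts[state] += 1
        if state == "plaintext":
            offenders.append(row[0])
    return counts, offenders


# Constructed sample dump (not real data).
SAMPLE_ROWS = [
    ("admin", "admin", None),                               # stock default: clear text
    ("alice", "", "$pbkdf2-sha512$12000$c2FsdA$aGFzaA"),      # auth_crypt in use, column blanked
    ("bob", "s3cret", "$pbkdf2-sha512$12000$c2FsdA$aGFzaA"),  # hashed, but clear-text copy left behind
    ("portal", None, None),                                 # no password set at all
]

if __name__ == "__main__":
    counts, offenders = audit(SAMPLE_ROWS)
    print("summary:", counts)
    for login in offenders:
        print("clear-text password for login:", login)
```

Run it against a real dump by replacing `SAMPLE_ROWS` with the query result (psycopg2's `cursor.fetchall()` returns tuples in the same shape). Any login in the offenders list is readable by anyone with SELECT on res_users, which in practice means any database backup, any `pg_dump` left on a shared host, and any SQL-level compromise of the ERP.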
