Open-AudIT • View topic

View unanswered posts | View active topics

Board index » Open-AudIT » Discussion

All times are UTC + 10 hours

OAv2 SaaS

Page 1 of 1

[ 5 posts ]

Print view

Previous topic | Next topic

Author

Message

Mark

Post subject: OAv2 SaaS

Posted: Wed Aug 29, 2012 7:59 pm

Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia

So, lets assume a couple of things:
* Items such as "I forgot my password" on the homepage exist.
* The code base has been audited for security (it already has - it would be ongoing).
* All traffic occurs via HTTPS.
* A user guide has been written, including tutorials.
* You would have an audit host in your network that submits results back to the OAv2 SaaS.
* You would have your own separate database.
* You would have a common PHP code base.
* No customisations would be performed.
* Any reports created would be available to all users.
* Support would be provided via the forums, but would be more "dedicated" (ie, I would be checking the forums every hour or so). No dedicated support would be provided.
* Upgrades would occur and not be destructive, nor take the service offline for longer than 20minutes each time.
* The offering would be based on the open source version, but behind the bleeding edge - that's what the open source version is for. Testing and debugging. When something is stable it would be migrated to the SaaS offering.
* You would not need to worry about any upkeep of the server.
* Your data would be backed up every (day, week, month - some defined and acceptable period).
* This backed up data would be available for you at any time so you could move to your own "in house" code base.

Would you be willing to pay for OAv2 "online" - ie, Software as a Service?
Would a price of 5c / device / month be appropriate, too low, too high?

Would you pay extra for a completely separate PHP code base?
Would a price of 20c / device / month be appropriate, too low, too high?

Would you pay for extras such as Software License and CMDB?
Should they be included in a higher base price instead?

Would paying via PayPal be an issue?

What about a reduced price in exchange for advertising in the app (it's online, I'd use something like Adwords). Am just thinking out loud on that one :-)

I am attempting to gauge the viability of offering this service. Before I commit to it, I'd like some idea of whether people think it a valuable enough service to pay for.

In addition other services would be offered such as training, support, customisations, consulting on an as requested basis.

Any help, thoughts or guidance that people care to give would be most appreciated.

Thanks in advance.
Mark.

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.

Top

jonbendtsen

Post subject: Re: OAv2 SaaS

Posted: Mon Sep 03, 2012 11:33 pm

Helper

Joined: Thu Apr 15, 2010 12:28 am
Posts: 83

[quote="Mark"]So, lets assume a couple of things:
* Items such as "I forgot my password" on the homepage exist.
* The code base has been audited for security (it already has - it would be ongoing).
* All traffic occurs via HTTPS.
* A user guide has been written, including tutorials.
* You would have an audit host in your network that submits results back to the OAv2 SaaS.

It it could be done directly from the client, which has the advantage that if it runs automatically and someone powers it on while connected to the internet, then bingo, the latest audit IP address is revealed in OpenAudit. Might be useful after theft.

Further more, this means that road warriors will also be audited.

[quote="Mark"] * You would have your own separate database.
What do you mean by this? Would you reuse the same database management system, but have different databases inside that. Like MySQL and then show databases would reveal:
openaudit_mark
openaudit_jon
mysql

Or would you run it inside it's own special virtual machine which only has 1 client?

[quote="Mark"] * You would have a common PHP code base.
* No customisations would be performed.
Cost extra

[quote="Mark"] * Any reports created would be available to all users.
What do you mean by all users?

[quote="Mark"] * Support would be provided via the forums, but would be more "dedicated" (ie, I would be checking the forums every hour or so). No dedicated support would be provided.
* Upgrades would occur and not be destructive, nor take the service offline for longer than 20minutes each time.
* The offering would be based on the open source version, but behind the bleeding edge - that's what the open source version is for. Testing and debugging. When something is stable it would be migrated to the SaaS offering.
* You would not need to worry about any upkeep of the server.
* Your data would be backed up every (day, week, month - some defined and acceptable period).
* This backed up data would be available for you at any time so you could move to your own "in house" code base.
What if BSA asks for data if company XY is in compliance?

[quote="Mark"]Would you be willing to pay for OAv2 "online" - ie, Software as a Service?
Yes, probably. I have thought about starting such a service myself, because I think it is missing.

[quote="Mark"]Would a price of 5c / device / month be appropriate, too low, too high?
What does the competition cost/offer?

[quote="Mark"]Would you pay extra for a completely separate PHP code base?
I dont know. What benefit does it provide? And the hazards?

[quote="Mark"]Would a price of 20c / device / month be appropriate, too low, too high?
What does the competition cost?

[quote="Mark"]Would you pay for extras such as Software License and CMDB?
It would have to have Software Licenses for me to be interested. What is CMDB?

[quote="Mark"]Should they be included in a higher base price instead?
I think so.

[quote="Mark"]Would paying via PayPal be an issue?
yes, but you could possibly start up with that. Let people use it for free for a month, and then let them prepay for a user chosen amount/timeframe.

But how do you handle if the amount of machines changes? How do you handle the difference between those that report in hourly, and those that does it daily/weekly. They will take up a different amount of space.

[quote="Mark"]What about a reduced price in exchange for advertising in the app (it's online, I'd use something like Adwords). Am just thinking out loud on that one :-)

No, hell no. That does just not signal that the service is valuable.

[quote="Mark"]I am attempting to gauge the viability of offering this service. Before I commit to it, I'd like some idea of whether people think it a valuable enough service to pay for.
It is worth paying for. I think there are competing services already.

[quote="Mark"]In addition other services would be offered such as training, support, customisations, consulting on an as requested basis.

Any help, thoughts or guidance that people care to give would be most appreciated.
I came for the license audit function. Look into what similar offerings costs elsewhere. If you are priced too cheaply, businesses will think that you are worthless and not buy your service.

Top

Mark

Post subject: Re: OAv2 SaaS

Posted: Fri Sep 14, 2012 11:15 am

Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia

Hey Jon,

Many thanks for the great feedback and thoughts. I really appreciated it. If any others have the time to put their thoughts down, please, please do. My replies are below. Hopefully they make some sense :lol:

[quote="jonbendtsen"]What do you mean by this? Would you reuse the same database management system, but have different databases inside that.

Yes, exactly. Same database server, different actual databases. Same PHP code files. The database you connect to would be determined by the URL, hence you could not connect to someone else's database because your URL will be different to theirs.

[quote="jonbendtsen"]Any reports created would be available to all users.What do you mean by all users?
My bad. Any created Reports would be specific to your database, hence only available to YOUR users.

[quote="jonbendtsen"]What if BSA asks for data if company XY is in compliance?
I've just been through a Microsoft audit being completed by KPMG. They were happy with the data provided by OAv2 across 7,000 systems. You can show them the source of the audit script and they should be happy (if they have any idea how this stuff works - which they should).

[quote="jonbendtsen"]What does the competition cost/offer?
There are other offerings out there, but in my opinion none are as thorough at auditing as OAv2. Most also offer it as part of a larger suite which tends to cost a significant amount.

[quote="jonbendtsen"]I dont know. What benefit does it provide? And the hazards?
The benefit of allowing custom reports (beyond simple reports - this actual PHP templates required). And also some "feel good" about your instance being separate to others (even though there's no real security benefit). Think warm & fuzzy for management types.

[quote="jonbendtsen"]What does the competition cost?
I know our current tool (which does not meet our requirement - hence we use OAv2) costs us something like $150 / server / year. Other devices are at no cost.

[quote="jonbendtsen"]It would have to have Software Licenses for me to be interested. What is CMDB?
Licensing - OK, fair enough. CMDB - think being able to say "this system called XYZ has a database over here called DB, a website on this server here called MyWeb and a file store over here that is shared as \\def\share". Being able to store that data, visualise it, report on it, estimate the impact of changes (if we change the disk on server X, which systems will be affected). Stuff like that. Google CMDB for some idea's of what can be accomplished. The raw data is already in OAv2, I now need to make the sections that allow you to join it all together and report on it, etc, etc.

[quote="jonbendtsen"]But how do you handle if the amount of machines changes?
It's easy to track the number of PCs seen each month/quarter/etc. I do this no for work. We need to bill our clients based on how many machines they have on our networks... I've created some reports that show the number and types of computers seen each month.

[quote="jonbendtsen"]But how do you handle if the amount of machines changes? How do you handle the difference between those that report in hourly, and those that does it daily/weekly. They will take up a different amount of space.
Remember only "changes" are stored, not the full machine audit every time. I have ~7,000 machines in my DB at work and the DB is about 600MB. That's for around 10 months of auditing. DB size should not be an issue. I also have some "clean up" style script I can run if/when needed.

[quote="jonbendtsen"]If you are priced too cheaply, businesses will think that you are worthless and not buy your service.
Agree 100%. My problem is that I want to price it so cheap that you would not consider hosting it yourself. But if I do that, it may (as you have stated) undervalue that application. I guess you're right - find something comparable that's out there already and base my price on that (cheaper, obviously). The other issue is that I have to find something comparable...

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.

Top

jonbendtsen

Post subject: Re: OAv2 SaaS

Posted: Fri Sep 14, 2012 9:08 pm

Helper

Joined: Thu Apr 15, 2010 12:28 am
Posts: 83

[quote="Mark"]Hey Jon,

Many thanks for the great feedback and thoughts. I really appreciated it. If any others have the time to put their thoughts down, please, please do. My replies are below. Hopefully they make some sense :lol:

Looks like it is only you and me. Maybe we should do it together?

[quote="Mark"][quote="jonbendtsen"]What do you mean by this? Would you reuse the same database management system, but have different databases inside that.
Yes, exactly. Same database server, different actual databases. Same PHP code files. The database you connect to would be determined by the URL, hence you could not connect to someone else's database because your URL will be different to theirs.
Good, and naturally not only because the URL would be different, also because the database user and password would be individually different? Even though it creates extra hassle.

[quote="Mark"][quote="jonbendtsen"]Any reports created would be available to all users.What do you mean by all users?
My bad. Any created Reports would be specific to your database, hence only available to YOUR users.
I was just shown the first page after login on a commercial vendor system, that looked like it quickly gave the overview that a systemadministrator should use. However, it is still a manual login process. I would rather have something that emails out a report to the systemadministrator, maybe escalates it and something that could be automatically monitored (if the client wants it). (think valued added extra).

[quote="Mark"][quote="jonbendtsen"]What if BSA asks for data if company XY is in compliance?
I've just been through a Microsoft audit being completed by KPMG. They were happy with the data provided by OAv2 across 7,000 systems. You can show them the source of the audit script and they should be happy (if they have any idea how this stuff works - which they should).
I am sorry, but my question was not clear enough, think this situation:
BSA: "Hey Mark, rat out on your clients which is not in compliance or we will sue you into oblivion for aiding and bedding a criminal."

And for question 3 BSA could offer to "hire" you as a consultant, and then they get their data.

We just had a case sort of like that in Denmark where the lowest court ruled that a 3. party had to turn off the DNS entry for the one being sued. A higher court later reversed that saying: "since the 3. party was not being sued in this case, then we can not make a ruling that forces them to do something." hinting that if they were sued directly, then they could be instructed to remove the DNS entry. The 3. part was the free DNS server vendor gratisdns.dk, and he is pretty good for sticking to his principles even though it cost him money. It is now twice he's been to court for providing a DNS service.

[quote="Mark"][quote="jonbendtsen"]What does the competition cost/offer?
There are other offerings out there, but in my opinion none are as thorough at auditing as OAv2. Most also offer it as part of a larger suite which tends to cost a significant amount.
thorough is good. And I also like that one can freely extend it if one wants to. I've done that myself because I missed some features.

[quote="Mark"][quote="jonbendtsen"]I dont know. What benefit does it provide? And the hazards?
The benefit of allowing custom reports (beyond simple reports - this actual PHP templates required). And also some "feel good" about your instance being separate to others (even though there's no real security benefit). Think warm & fuzzy for management types.
I think that could be a value added service.

[quote="Mark"][quote="jonbendtsen"]What does the competition cost?
I know our current tool (which does not meet our requirement - hence we use OAv2) costs us something like $150 / server / year. Other devices are at no cost.
okay. I am not sure if people want pr. device pricing, or levels, or one size fits all?

[quote="Mark"][quote="jonbendtsen"]It would have to have Software Licenses for me to be interested. What is CMDB?
Licensing - OK, fair enough. CMDB - think being able to say "this system called XYZ has a database over here called DB, a website on this server here called MyWeb and a file store over here that is shared as \\def\share". Being able to store that data, visualise it, report on it, estimate the impact of changes (if we change the disk on server X, which systems will be affected). Stuff like that. Google CMDB for some idea's of what can be accomplished. The raw data is already in OAv2, I now need to make the sections that allow you to join it all together and report on it, etc, etc.
Aha, a Change Management Database. That is a cool feature, definately valueable. Maybe also a risk identifier tool, for unscheduled unplanned unwanted changes.

[quote="Mark"][quote="jonbendtsen"]But how do you handle if the amount of machines changes?
It's easy to track the number of PCs seen each month/quarter/etc. I do this no for work. We need to bill our clients based on how many machines they have on our networks... I've created some reports that show the number and types of computers seen each month.
okay

[quote="Mark"][quote="jonbendtsen"]But how do you handle if the amount of machines changes? How do you handle the difference between those that report in hourly, and those that does it daily/weekly. They will take up a different amount of space.
Remember only "changes" are stored, not the full machine audit every time. I have ~7,000 machines in my DB at work and the DB is about 600MB. That's for around 10 months of auditing. DB size should not be an issue. I also have some "clean up" style script I can run if/when needed.
Oh, I thought it stored every audit in full. I got that understanding from v1, when I looked in the database to see how easy it would be to group programs together into 1 license. Like Adobe CS# package which in my v1 installation shows up as:

+ many others, list is hand made. We have some which still havent upgraded to CS5 because they are busy. But I want to group every CS5 line into one segment saying:

Adobe CS5 package +
And when you press the + it unfolds and lists all the individual programs.

[quote="Mark"][quote="jonbendtsen"]If you are priced too cheaply, businesses will think that you are worthless and not buy your service.
Agree 100%. My problem is that I want to price it so cheap that you would not consider hosting it yourself. But if I do that, it may (as you have stated) undervalue that application. I guess you're right - find something comparable that's out there already and base my price on that (cheaper, obviously). The other issue is that I have to find something comparable...
If you "kill" the host-it-yourself segment you might loose a "food chain".

1. If people doesnt run it themselves, they have less chance to start providing patches to you, and you are just another vendor, so you might loose ideas and man power to extend Open Audit.

2. People might not like having you hosting information about them which can be used to sue them. Okay, so maybe you will not share the data with BSA, but once you get big enough you need employees, or the hosting provider employees will give BSA the data they want. Or BSA might simply pay some cracker for the data that shows that company XZY using your hosted software is not in compliance, has not been for a long and and knows it. As far as I remember, not many years ago the German tax department bought a DVD from an x-swiss bank employee about German citizens who committed tax fraud against Germany.

3. People that start out cheap by running it themselves, and later want to migrate to your online service to save their own time.

Top

snue

Post subject: Re: OAv2 SaaS

Posted: Tue Oct 02, 2012 10:17 pm

Newbie

Joined: Tue May 10, 2011 9:40 pm
Posts: 22

i like having stuff like OA on my own servers, but i guess there are some people which would love such a service. i don't think anyone would have a problem with paying for OAv2 in general (if its stable and reliable like v1 - haven't used it in real-world yet, but i'm sure it is - or will be.), as its imho the most useful and useable piece of inventory software i know.

maybe, like many other companies, you should make a "core" version of OAv2 without additional features (extended reporting, software auditing etc.) for free, a self-hosting package with additional features for, as you said, ~150$/year (maybe even more and only with forum support, training/consulting extra) per server and your own hosting for 5-20c/client.

Top

Page 1 of 1

[ 5 posts ]

Board index » Open-AudIT » Discussion

All times are UTC + 10 hours

Who is online

Users browsing this forum: No registered users and 2 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum