In my last blog I talked about some of the recent problems with the big, generic cloud companies and how they may provide some capabilities that can’t be matched in-house, but they also have some limitations to the specific ECM market. In some cases, the very flexibility and safety built into these massive cloud infrastructures has been the reason for some outages.
But what about the ECM-specific cloud market? Vendors like SpringCM, Box.net, and Dropbox offer a variety of ECM functionality in the cloud. These vendors understand the issues specific to ECM, but do they have the ability to match the robust environments that the generic cloud vendors such as Amazon, Google, and Microsoft provide? The answer is yes and no.
A few weeks ago, Dropbox confessed that a bug in their simple authentication had resulted in users being able to access any account without a correct password. As long as you had a valid user ID, any password would get you into that user’s account. With 25 million users, Dropbox has a very large population with billions of documents. The bug was relatively short-lived: just four hours on a Sunday. But the resulting fallout has been severe. Arash Ferdowsi, Dropbox CTO, wrote on his company blog that “this should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.” Dropbox indicated fewer than 100 accounts were even potentially compromised. That didn’t stop opportunistic lawyers from filing a class-action suit in the San Francisco District Court.
The Dropbox bug was in a basic authentication feature, something that every online system uses and that is pretty easy to implement. So how could this happen? One answer might be that vertical cloud vendors regularly roll out feature updates. Because the security is integrated into the ECM application instead of living in a separate security module, a simple bug may have been introduced in what would otherwise have been a standard minor update.
Dropbox and Box.net offer basic ECM services with relatively simple document storage capabilities. They are popular with traveling users or those who want to share documents with trusted users and be able to sync from computers and mobile devices. Box.net appears intent on moving even further upstream with some key recent hires and additional venture capital money, but it isn’t clear how they will take on vendors like SpringCM or SharePoint.
SpringCM was more critical of Dropbox. "Our customers don’t consider passwords a nice-to-have", said Christopher Junker, CEO of SpringCM. "More than anything else the Dropbox no-password issue highlights one of the differences between basic data syncing services like Dropbox and Box.net, and what the analysts call commercial-grade cloud ECM. Enterprise users want more control over security, as well as features like collaboration and workflow; functions you can’t get with basic data syncing services. They're ok for individuals who just need a place to put files, but if a company wants to drive business outcomes, they want something enterprise-ready."
Platforms like SpringCM sit somewhere between a Dropbox and an Amazon in terms of ECM functionality and generic infrastructure, meaning they might be subject to the issues that either of the others might see.
One final class of cloud vendors is the smaller shops that host either single-instance ECM solutions for customers or very vertical applications. These tend to be less cost-effective, but they also have very tight internal controls. They also tend to be smaller, so they can almost never offer the same scalability or performance as the bigger cloud players.
In the end, cloud is still almost always more cost-effective and robust than in-house software. But that doesn’t mean that careful thought and planning aren’t required. And as cloud inevitably becomes more popular, look for users to be even more critical of issues like security and uptime.