Main

Sep 07 2011

Moving to the Cloud

For most organizations, maintaining servers is not a core competency, but there are concerns with moving hosting and other services to the cloud. One of the most common concerns we hear from small businesses is the reliability or security of cloud hosting services. Several high-profile outages have made it obvious that cloud services are not infallible.

However, it is a mistake to assess cloud services on an absolute scale. Small businesses should ask themselves whether cloud service providers can do a better job keeping the servers running than they can. Almost always, the answer is yes.

If it has ever taken you longer than 24 hours to recover from a server outage, it’s probably time to move to the cloud.

It is impossible for most small businesses to match the ability and experience in server management of providers like Amazon and Rackspace. Additionally, those providers have several advantages that come from the scale of their business. If hardware fails, they have a larger pool of backups to use as substitutes than do small businesses. They can make better use of resources by spreading the cost of features like diesel generator backup and redundant connectivity across many hosted solutions, enabling them to offer more resilient systems at a lower cost than their customers could achieve independently.

What are the telltale signs that an organization should move to the cloud?

A literal cloud Not all small organizations need to move to the cloud, and there are factors to consider other than reliability and cost. However, if it has ever taken you longer than 24 hours to recover from a server outage, it’s probably time to move to the cloud. If your server uptime is worse than 99.9%, it’s probably time to move to the cloud. If you don’t know what your uptime is, server hosting is probably not a high enough priority and should be outsourced, usually, by moving to the cloud.

In addition to increasing reliability and lowering costs, there are some operational advantages from moving to a cloud-hosted solution. The potential to scale capacity quickly is one such advantage, and is of particular value to startups and other organizations expecting rapid growth. The process of spinning up an additional cloud server is significantly faster than installing a new physical server of your own, and does not incur the fixed costs of purchasing new hardware. As a bonus, if that increase in usage turns out to be a spike instead of sustained growth, spinning down that cloud server is just as easy.

Photo by Horia Varlan

Aug 23 2011

The Biggest Mistake Entrepreneurs Make

The biggest mistake entrepreneurs make is building their product before finding out if people want it.

I was working on a company last year to develop a product to help small business owners start leveraging social media and the web without spending hours on them. We had the business plan and the feature list. We had plenty of people telling us it was a great idea.

Notecards galore About the time we were planning to start development, I attended Lean Startup Machine in Boston, a weekend-long competition where teams try to create a business, prove the market, and achieve revenue by the end of the weekend using Eric Ries’s lean startup method. The opportunity to practice lean startup hands-on crystallized a set of assumptions that had nagged me for months.

After the conference we started talking to people who weren’t social media experts or small business experts. We talked to people who could conceivably become our customers some day and asked them if they would pre-order the service. Over and over we got the same response: small business owners who needed web presence help didn’t want a tool that made creating and managing it easier; They wanted guidance from someone who could walk them through the process, and they wanted someone else to worry about all the technical details.

We had identified a valid problem, but our solution didn’t fit the market. So we pivoted.

We cancelled development of the product and migrated to a services model instead. We still help businesses create and handle their web presences, but instead of building tools that none of them wanted, we guide them through the process and take care of all the technology so our clients can focus on running their business.

Aug 22 2011

How To Test a Business Idea Without Spending a Fortune

The chasm between what people say they are willing to pay for and what they will actually pay for is wide.

Here at THG, we often works with startups on using the lean startup process to help determine whether there is demand for their product before they sink significant time and money into development.

The Chasm between What Customers Say and What Customers Do Customer development is a key part of this process. When doing customer development, the most common piece of advice we give is to make sure you are getting real commitments from potential customers. The chasm between what people say they are willing to pay for and what they will actually pay for is wide.

When testing an idea on the market, act as if you already have the product and try to complete a transaction. Get your customer to pull out their cash or credit card and pay you. You won’t necessarily keep the money they give you, but if your product is compelling enough to part customers from their cash, you may have found a problem worth solving.

Photo by celesteh on Flickr

Aug 11 2011

Secure Your Web App By Focusing on Users

Since reading Randall Munroe’s excellent commentary on password strength in modern web applications, I’ve noticed countless online services that limit the potential strength of a user’s password by limiting the length, while simultaneously increasing the difficulty of remembering that password by requiring that it include symbols, numbers, and mixed cases. Even a number of well-known financial institutions have fallen prey to this misconception. If your organization or company is thinking about how to structure password requirements, the comic provides a perfect illustration of how to reorient your approach to increasing security for your clients.

How to Pick a Secure Password

As the comic rightly points out, the different types of characters in a password based on a root uncommon word doesn’t increase security as much as a passphrase of several common words would. Thus, a password like bananasandwichspringhula would take more than 66,000 times as long for a brute force dictionary attack to guess than the seemingly more secure f1@tw0rm{5. That passphrase of 4 common English words is not only easier to remember, but is actually more secure. Even more secure (by a factor of about 1.66) is a truly random string of 8 characters – symbols, numbers, and letters – but that’s also much harder to remember.

The Business Case

Ensuring password strength is a common business problem. As a result, there are plenty of simple JavaScript fragments that will happily compute a password’s strength or let your application force users to pick a “secure” password. The problem? They’re doing it wrong. Each of these free algorithms perpetuates the misconceptions about what makes for a secure password. They mistake “hard for humans to remember” for “hard for computers to figure out.” The ideal solution would be a script that quickly calculates the entropy of a given password, enabling the user to select an easily remembered password that is also secure.

The Challenge

Quickly determining the difference between Oo9kX9^# and f1@tw0rm{5 might be easy for the human creating the password, but the fact that one is based on a root word is not as immediately clear to a computer. The computer must try common substitutions, subtle variations, and match the word against a dictionary list. Effectively, to determine the strength of the password, the computer must attempt to crack it in a more sophisticated way that simple brute force. Calculating a simple brute-force time-to-crack would yield the same result for each of these passwords. However, in an actual attack, the latter would fall much more quickly than the former. While a purely random password is easy for a computer to assess, the lack of randomness introduced by the user in trying to make the password memorable is what introduces vulnerabilities for savvy hackers.

The Solution

To achieve a balanced compromise, service providers should educate users about how to keep their information safe by creating a strong password that is also memorable. Don’t assume that simply requiring certain character types will make your users more secure. Many users will follow the letter of the law, not the spirit, in their attempt to create an easily memorable password. And please, please don’t limit the length of user’s passwords! Munroe’s compromise of a simple string of common words isn’t a perfect solution on security or memorability, but it is a realistic improvement that will help your users do what they want: protect their data online.

Photo by Marc Falardeau