After a breach affecting thousands of institutions, Canvas's decision to reach an agreement with attackers highlights how ransom negotiations risk turning cybercrime into a predictable business model.
Damn, this is a big one. I’ve been watching since it started, and I hope it sends shockwaves through the SaaS model. Institutions learned overnight how, by trusting one single private company, they were all screwed over, and it probably made them an even bigger target. Hopefully they start re-evaluating.
Having worked in ed-tech for a while, I’m not surprised. Blackboard, Canvas, all hot garbage. There’s a real need there: if someone can do a simple self-hosted (by the university) version with OAuth/SSO to campus networks that lets them control their data, it’d be a no-brainer. I think most campus IT networks would prefer that.
I have no idea how those looked on the backend or from the IT admin perspective. But the regular user experience was completely awful. It wouldn’t surprise me if the whole thing was complete shit.
I was thinking about this exact problem, and I came up with a similar idea. There could be a parent company developing the core software and maybe even providing installation and setup services, but each campus ultimately maintains its own self-hosted, zero-trust instance. Each campus would be a downstream implementation of the parent software and would only update or talk to other instances as needed.
Given how campuses operate, it seems like they would be great candidates for an optionally federated platform like that.
Would you mind elaborating? I shouldn’t find it hard to follow but I don’t have a lot of natural intuition on that world of decision making and would like to improve.
Important to define risk, because a lot of software people here (me included) will immediately think “what do you mean their data was hacked”. However, from a legal standpoint they get to point the finger at Canvas.
So just traditional software?
So just, Software as a Product (SaaP)?
Ha, think you just discovered the standard model from the 2000s!
But I agree.
The problem is CapEx vs OpEx.
My university used to only self host. Now they’re ditching self-hosting for cloud-based SaaS. 🤷♂️
It’s because doing things on site requires CapEx, which then increases your tax liability.
By going SaaS, you offload the entirety of risk.
The problem is the morons who sign these contracts are fucking clueless about ensuring the liability is strong.