Implications of Software + Services Consumption for Enterprise IT

The Architecture Journal

by Kevin Sangwell

Summary: Many articles in this issue use the term Software + Services (S+S) when referring to client (desktop, browser and device) and server based applications which consume one or more Internet (cloud) services. While this model shares some characteristics with Software as a Service (SaaS), the differences are significant for Enterprise IT.

This paper contrasts the challenges of adopting S+S versus SaaS; it will become clear that consumption of a well-defined external service is less challenging for enterprises than the consumption of a finished service.

Today, the majority of applications delivered as a service over the Internet (that is, SaaS) are aimed at the consumer and small business markets. The business monetization model used, whether subscription- or advertising-funded, is largely that of the Long Tail: selling a little of something to many, many customers through a scalable distribution channel, as described by Chris Anderson (see Resources).

However, enterprise demands are significantly different from the demands of these consumer and small business segments, so certain assumptions supporting Long Tail economics and service delivery (and consumption) just do not apply in an enterprise context. For example, consumers don’t have to worry about compliance, and Enterprise Application Integration (EAI), with all that it implies, is largely irrelevant to small businesses.

Thus, considering software services from an enterprise perspective raises a number of questions. Who owns the data? What is the Service Level Agreement (SLA)? Can internal identities be extended outside the firewall to access cloud services? Are there regulatory implications?

Contents

Background
Software Services: New Integration Challenges
Identity and Access Management
Data
Operations
Regulations and Legal Obligations
Conclusion
Resources
About the Author

Background

Roughly 70 percent of IT budgets go to maintaining existing systems, leaving around 30 percent for new solutions. While the cost of hardware and software is falling, the cost of management and support is growing. Businesses are expecting more from IT than ever before, partly due to recovering confidence following the dot-com bust, as well as growing demand for Web 2.0-style capabilities inside the firewall.

At the same time, corporate IT is suffering a crisis of perception, as evidenced by the feedback over Nicholas Carr’s 2003 essay, “IT Doesn’t Matter” (see Resources). Business leaders are often frustrated that internal IT projects take months and significant investment to provide benefits that appear readily available on the Internet. Users experience search, collaboration, and publishing capabilities on the Internet that are far superior to many enterprises’ internal capabilities. An increasing number of applications are being made available as services on the Internet, giving the business an alternative IT sourcing model.

In this paper I discuss the implications of consuming external software services on existing corporate IT infrastructure and operations, and compare the challenges of the SaaS model with the S+S model when consuming any line-of-business application that has broad adoption across the company. I use the term “software services” to refer to the services in both SaaS and S+S models because we can consider software delivery as a continuum, with traditional in-house hosted software, built or bought, at one extreme and finished services delivered over the Internet (that is, SaaS) at the other. The hybrid, in-house software plus cloud services, spans the middle of the continuum (that is, S+S). Figure 1 illustrates this software delivery continuum. In this paper:

· Traditional software refers to applications installed in the infrastructure and accessed exclusively by internal users.

· Building block services provide low-level capabilities that can be consumed by developers when building a composite application. These services exist in the cloud.

· Attached services provide a higher level of functionality compared with building block services. Applications leverage attached services to add functionality.

· Finished services are analogous to full-blown applications, delivered over the Internet using the SaaS model.

· S+S refers to the use of applications that consume attached services, or that are built with building block services.

Figure 1: Software delivery continuum and software services taxonomy

When considering an IT infrastructure or application sourcing model, it is important to understand the business objectives. For example, outsourcing is driven by the need for cost efficiency, transferring the cost and risk of delivery of an existing, mature application to another party in exchange for contracted payments. In contrast, adoption of a software service satisfies a business need, such as more effective customer management (in the case of CRM). From a business manager’s perspective, SaaS appears to be the best of both worlds: the business benefit is realized at a cost proportional to use (or even free), with no additional or up-front capital investment in IT resources. Although the business is best placed to determine how well the service solves the business problem, unless IT is included in the discussion, many of the wider implications for enterprise IT—the hidden costs of software services adoption—will be missed.

Software Services: New Integration Challenges

When adopting software services, one set of challenges becomes the responsibility of the provider — service delivery and service support. However, IT will face an additional, and therefore new, set of challenges in adopting the new model (Figure 2).

Figure 2: Software services consumption adds new challenges

Ignoring these new challenges is not an option. As we will see, there may be direct and indirect costs, resource implications, and compliance issues. In other words, the adoption of a software service means a hybrid procurement/integration project for internal IT. Integration needs to be considered in three broad areas:

· Identity and Access Management

· Data

· Operations

Regulations and legal obligations should also be considered.

Identity and Access Management

Identity and access management is a perennial problem that affects many aspects of IT, from help desk costs through user productivity to data security. It’s also one area where enterprise IT should provide a better user experience compared to the Internet—yet most enterprises have dozens of user directories. Analyst organizations frequently state that on average password resets account for 30 percent of help desk calls.

The addition of a finished service, with its corresponding external directory, requires extensions to the provisioning and deprovisioning process, even if this is a human process. For example, when an employee leaves, many organizations struggle to deprovision or disable internal accounts in a timely manner; the risk of exposure in the case of an external application or service is significant because there is no corporate firewall preventing the user from accessing the application and its data.

Neither Active Directory (AD) nor metadirectory products such as Microsoft Identity Lifecycle Manager solve this particular problem. AD is proprietary and its trust model is not sufficiently granular, and metadirectories are not widely deployed and don’t operate in real time. Something standards-based, such as Federation, offers a set of capabilities that make it a particularly good fit for integration with an external application or service. It is loosely coupled yet operates in real time rather than via a schedule, simplifying provisioning and deprovisioning. Federation trust relationships have a high level of granularity, allowing the consumer organization to expose only a subset of their directory (based on rules), and real-time mapping of attributes to “claims,” reducing the need for internal directory changes. (See Figure 3; for more on Federation and ADFS, see Resources.)

In contrast to SaaS, S+S applications may have a back-end service running inside the firewall, in which case a single enterprise or proxy identity could be passed to the service in the cloud. Identity integration is a common capability of many enterprise applications, so the back-end service may integrate with Active Directory or generic LDAP directories out of the box.

Figure 3: Federation providing identity integration

Access Control

Authorization and access management is another aspect that needs consideration. Many applications provide capabilities that differ according to the user. For example, an expenses application may allow a manager to authorize claims up to a value of $4,000; claims above $4,000 may need director approval. Today, many applications inside the corporate firewall set permissions against individual users; in effect, the application contains a mapping between the user and their authorization. However, numerous organizations have started to move away from user-based authorization to role-based authorization. The benefits are clear: lower administration costs, consistent authorization within a role, and transparent compliance.

When a finished service has multiple levels of authorization, there are two options: task someone inside your organization with manually mapping users to authorization levels, or extend the internal role-based model to the external application. The former often falls to the help desk, a hidden cost of adopting finished services. The latter, mapping an internal role to the external application, could be achieved through Federation; for example, membership of an Active Directory group could be mapped to a name/value pair in a cookie that is used by the external application.

Authorization in building block or attached services (the hybrid Software + Services) could follow the Federation model, and indeed there are advantages to doing so: integrity is tightly managed at the service provider, which may help achieve compliance. The more flexible model of S+S means that authorization could be carried out by a local server before the request is made to the external service. Having local control over and enforcement of policy means the organization can react to business changes more quickly. It also simplifies integration; the enterprise can make changes to the configuration of the on-premise part of the vendor application to suit its environment.
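The following Python sketch is an added illustration, not code from the article, from ADFS or from any product. It ties together the two ideas of this section: federation rules that expose only a subset of the directory as claims (and give real-time deprovisioning, since a disabled account gets no token), and the external expenses application authorizing from the role claim alone using the $4,000 manager limit from the example above. The directory records, group names, claim names, token format and trust key are all constructed assumptions.

```python
"""Federation-style claims issuance and role-based authorization.

Added illustration (not from the article, ADFS or any product): a
constructed in-memory dictionary stands in for the corporate directory,
mapping rules decide which groups and attributes become claims, and the
external expenses application authorizes from the role claim alone.
"""
import hashlib
import hmac
import json
import time

# Constructed sample directory records (what an on-premise directory might hold).
DIRECTORY = {
    "alice": {"enabled": True, "department": "Finance",
              "groups": ["Managers", "Staff"], "salary": 90000},
    "bob":   {"enabled": True, "department": "Sales",
              "groups": ["Directors", "Staff"], "salary": 150000},
    "carol": {"enabled": False, "department": "HR",          # has left the company
              "groups": ["Managers", "Staff"], "salary": 80000},
}

# Mapping rules: only listed groups/attributes leave the organization.
# Anything not listed here (salary, the Staff group) is never exposed.
ATTRIBUTE_CLAIMS = {"department": "dept"}
GROUP_CLAIMS = {"Managers": ("role", "manager"),
                "Directors": ("role", "director")}

SHARED_SECRET = b"constructed-demo-trust-key"  # stands in for the trust material


def issue_claims(username, directory=DIRECTORY):
    """Return the claim set for a user, or None if the account is disabled.

    Consulting the directory at sign-in time is what gives federation its
    real-time deprovisioning: a disabled account simply gets no token.
    """
    user = directory.get(username)
    if user is None or not user["enabled"]:
        return None
    claims = {"sub": username}
    for attr, claim_name in ATTRIBUTE_CLAIMS.items():
        if attr in user:
            claims[claim_name] = user[attr]
    for group in user["groups"]:
        if group in GROUP_CLAIMS:
            name, value = GROUP_CLAIMS[group]
            claims[name] = value
    return claims


def sign_token(claims, secret=SHARED_SECRET, ttl=300, now=None):
    """Serialise claims with an expiry and an HMAC over the payload."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps(dict(claims, exp=issued + ttl), sort_keys=True)
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def verify_token(token, secret=SHARED_SECRET, now=None):
    """Provider side: reject a bad MAC or an expired token, else return claims."""
    payload, _, mac = token.rpartition(".")   # the hex MAC never contains a dot
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= int(now if now is not None else time.time()):
        return None
    return claims


# Role-based policy at the external expenses application: no per-user table.
APPROVAL_LIMITS = {"manager": 4000, "director": float("inf")}


def can_approve(claims, amount):
    """Authorize an expense approval purely from the role claim."""
    role = claims.get("role") if claims else None
    return role in APPROVAL_LIMITS and amount <= APPROVAL_LIMITS[role]
```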

Summary of Identity and Access Management Implications

· If the external service depends on user identity (highly likely for SaaS, possible for S+S), your provisioning and deprovisioning processes need to be extended. Integration could be via technology or a manual process, both of which have cost implications.

· Service provider user account policies need to be evaluated against your internal policies (for example, password complexity, lock-outs, and so on).

Data

A line-of-business application is unlikely to exist as an island, even when it is externally sourced. A good example is payroll. The payroll service provider needs raw data (employee name, pay amount and so on) to process payroll monthly. In this example, the data could be supplied via a simple extract of the relevant information from the internal HR system. Clearly, e-mailing an XLS or CSV file to the payroll provider is unlikely to provide the level of security/confidentiality needed, so another form of data exchange is required, and IT will be expected to provide this. In other words, IT faces an Enterprise Application Integration (EAI) project.

From an EAI perspective, building block and attached services should be straightforward to integrate; after all, they’re designed to be consumed by developers as extensions of a local application. One example of an attached service is Exchange Hosted Services for Filtering (for more information on Exchange Hosted Services, see Resources). Integration in this situation is twofold:

1. DNS: MX record changed to point at the service provider (Microsoft in this case)

2. Firewall rules changed to allow inbound SMTP from only the service provider (which increases security).
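As an added example (not from the article or from Exchange Hosted Services), the following Python check audits both steps above against constructed zone data, firewall rules and provider address ranges. It catches the usual failure mode of this migration: a leftover MX record or an any-source SMTP rule that lets mail reach the internal server without passing through the filter. The provider domain and networks are placeholders, not real values.

```python
"""Audit the two integration steps for a hosted mail-filtering service.

Added example, not from the article or from Exchange Hosted Services.
The MX records, firewall rules and provider address ranges below are
constructed sample data; real values come from the provider's
documentation and your own zone and firewall configuration.
"""
import ipaddress

# Constructed placeholders for the filtering provider's relay hosts and ranges.
PROVIDER_DOMAIN = "filter.example-provider.invalid"
PROVIDER_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed zone data: (priority, target host).
MX_RECORDS = [
    (10, "mx1.filter.example-provider.invalid"),
    (20, "mx2.filter.example-provider.invalid"),
    (30, "mail.corp.example"),            # legacy direct MX left behind
]

# Constructed firewall policy: (action, source CIDR, destination port).
FIREWALL_RULES = [
    ("allow", "203.0.113.0/24", 25),
    ("allow", "198.51.100.0/25", 25),
    ("allow", "0.0.0.0/0", 25),           # pre-migration rule not yet removed
    ("allow", "0.0.0.0/0", 443),
]


def audit_mx(records, provider_domain=PROVIDER_DOMAIN):
    """Return MX targets that are not hosts under the provider's domain.

    Any such target lets senders deliver around the filter, since the
    lowest-priority record still resolves to an internal server.
    """
    suffix = "." + provider_domain
    return [host for _, host in records
            if not host.rstrip(".").lower().endswith(suffix)]


def audit_smtp_ingress(rules, provider_networks=PROVIDER_NETWORKS):
    """Return allow rules on port 25 whose source lies outside every provider range."""
    findings = []
    for action, src, port in rules:
        if action != "allow" or port != 25:
            continue
        net = ipaddress.ip_network(src)
        inside = any(p.version == net.version and net.subnet_of(p)
                     for p in provider_networks)
        if not inside:
            findings.append(src)
    return findings


def mail_path_is_filtered(records=MX_RECORDS, rules=FIREWALL_RULES):
    """True only when both integration steps are complete and nothing bypasses the filter."""
    return not audit_mx(records) and not audit_smtp_ingress(rules)
```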

As infrastructure is the focus of this article, I won’t delve into further detail with respect to EAI. However, we will look at the infrastructure implications for data from a few other perspectives:

· Firewall rules and filters

· Encryption and signing

· User view

Firewall

To understand the firewall implications of consuming finished services, we need to investigate which internal applications will integrate with the software service and the form of integration. Is it one internal application that needs to be integrated, or several? What firewall rules need to be created to allow publishing and traffic flow? If the applications are exchanging XML, does this need to be validated at the firewall, and can the firewall provide this capability? Does the data need to integrate with some form of workflow, and if so, how does this workflow span the internal/external infrastructure? If the integration occurs over HTTP (SOAP, for example), there may be few implications for the firewall beyond the creation of rules.

With building block and attached services, there’s likely to be some local back-end infrastructure, which naturally becomes the focal point for data integration and security. Indeed, some SaaS vendors are realizing that enterprises will be more willing to subscribe when their data is stored inside the corporate firewall—so they’re evolving their finished services to the S+S model by installing an appliance inside customer data centers.

Encryption and signing

The most effective way of exchanging encrypted data across the Internet is to adopt certificates from a public certificate authority. If the certificates get installed on clients, a Public Key Infrastructure (PKI) project is required, with all its implications, such as certificate life cycle management and publishing the certificate revocation list. This is not a trivial undertaking, but once completed, it will enable other capabilities within the infrastructure, such as signed e-mail and smart card authentication.

Of course, with a local back-end infrastructure in S+S implementations, encryption and signing is likely to be far simpler (fewer end points).

User view

Another perspective on data is the view of the user. Rightly or wrongly, many business people want to continue working with the tools they are familiar with—the Microsoft Office applications. Consider the number of times a new application fails to reach its full potential because the business users insist on extracting the data and using Excel for day-to-day management. Rarely does this data get back into the application. A number of independent software vendors have started to build their application clients as Office Business Applications, essentially using Office as the application platform. This generally results in faster adoption and lower training overhead, but it does present IT with deployment and maintenance issues. Points to consider: Does the software service provide all of the capabilities needed by the business, or will users need to extract the data to perform manipulation/analysis in a local tool/system? Will the adoption of the software service result in yet more departmental applications built in Access and Excel?

Summary of Data Implications

· Analysis will be needed to determine data integration and ETL needs.

· Firewall rules may be needed to allow integration.

· The firewall may need updating to provide filtering for application data (for example, XML Schema validation).

· Purchase of certificates or implementation of PKI may be needed to support authentication, encryption and signing requirements.

Operations

The problem of operational integration when sourcing an application or service externally is somewhat incongruous: after all, a key benefit of being a consumer is that operations are the responsibility of the provider, yet internal operations and processes will be impacted by the external application or service in several areas, the most significant being help desk and user training.

Help desk

Many consumers have been frustrated by inefficient and confusing call centers. To avoid similar problems, internal help desk teams should be aware of new applications and services being integrated into IT operations. Enterprise users depend on numerous internal IT systems to access an external application: the network, DNS, proxy servers. It’s the responsibility of the corporate help desk to support these, not the service provider. Many organizations now realize the importance of simplifying the support process for the business, providing, for example, a single phone number and intranet site which connects them to the appropriate first-line team.

Training

User training is an important aspect of introducing any new application, irrespective of where it is hosted. An advantage of finished services is that the provider typically makes on-demand training available. However, the enterprise has little control over the quality of such training, and poor training increases the cost of support and reduces business productivity. The introduction of upgrades as part of the service, one of the benefits of subscribing to finished services, is another potential problem: if the enterprise does not have the ability to delay the implementation of the upgrade until all staff have received training, the internal help desk may have to handle a spike in support calls. A related issue is whether individual features of the finished service can be selectively disabled: if the capability is already provided in-house, IT needs to ensure that users are all using the internal capability.

Deployment

If the finished service uses the browser as its client, the normal compatibility concerns apply: browser version and security settings, plus installed plug-ins and their versions. With a traditional application, the enterprise can determine when to upgrade to the new version, which is critically important if the new version requires the latest browser. When the application is external, this option may not be available.

If the service’s client is not browser-based, internal IT will be responsible for deployment and its implications (compatibility testing, deployment planning, rollout, and so on).

If the service is an attached or building block service, there will be a need for deployment of either the back-end infrastructure in the enterprise data center or the client, or both. For back-end deployment, there are common nonfunctional challenges: What server, network, and storage capacity is needed to meet the load? Can shared services, such as existing SQL Server or web server farms, be used? How are resilience and disaster recovery provided? Can it run in multiple data centers? The answers will be more dependent on the local components of the application than on the attached service in the cloud: in other words, it can be approached largely like a normal back-end deployment.

Provider operations / business continuity

It is tempting to focus purely on the contents of the SLA when it comes to selecting, monitoring, and evaluating a service provider. How the SLA will be achieved is an important consideration: an SLA which states that service will be restored within 24 hours of a disaster seems good on the surface; however, the definition of a disaster and the form of restoration are critically important. To the service consumer, a disaster may be the accidental deletion of records from the application, but the service provider will likely have a different view. Taking this example further, restoring application data is a complicated process for many business applications. For instance, restoring a single Exchange mailbox or message, or a single SharePoint site or document, was a significant challenge until those applications matured. Now apply that challenge to a multitenant SaaS application—even if granular restoration is possible, the provider will be reluctant to do it due to operational costs.

Another concern several architects have expressed to me is the risk of the service provider going out of business, or withholding data to prevent migration to a competitor. Placing the application code in escrow is a step in the right direction, but isn’t really sufficient. Assuming an enterprise consumer could get its data, rebuilding the application in their data center without install instructions or access to the developers may not be feasible. There is no solution to this yet; it’s a question of trust that the provider will do the right thing if the worst happens, and confidence that they have good business and management skills.

Reporting

As with any SLA, business and IT groups should review reports on performance and investigate where SLAs have not been met.

Summary of Operations Implications

· Help desk procedures need to be updated to perform first-line troubleshooting for the new application, and escalation processes need to be defined with the service provider.

· Review internal help desk SLAs to ensure they can still be met when depending on the service provider for escalated support.

Regulations and Legal Obligations

Proving compliance with regulations and legal obligations will have an impact on the infrastructure, and ensuring compliance for a business process that spans internal systems and external services can be especially challenging. It also presents a potential solution with respect to compliance: if the application or service is industry-aligned, there is a good chance it will be compliant with the relevant regulations in major markets; this may not be the case where the service is generic. Even in situations where compliance is a selling point of the service, an enterprise’s internal security policies or region-specific laws, such as the European Parliament Data Protection Laws, may be incompatible with the service provider’s policies.

Data ownership

Clearly, an enterprise wants to retain ownership of its business data at all times; the contract should state this explicitly. Furthermore, it may be prudent to verify that data can be extracted on demand.

Privacy

Enterprises should carefully evaluate a provider’s privacy policies and terms of use to ensure that its data will be kept private and not used for marketing or sold to other parties; this is especially important where the finished service is supported by advertising. Privacy seal programs can be helpful in determining the trustworthiness of a provider; providers who are TRUSTe licensees, for example, will have a published policy and have been independently audited to ensure compliance with a set of privacy principles.

Summary of Legal Implications

· Compliance may extend to the service provider; how do you still prove compliance?

· Compliance reports may have a cost associated with them.

Table 1: Summary of recommendations

Conclusion

The SaaS market is currently dominated by offerings aimed at consumers and small businesses, as this market segment benefits from the delivery model without the need for integration. Consuming a line-of-business application from these providers is risky for any enterprise, as many of the integration points discussed in this paper will not be addressed.

The greater the importance of the application to the business, the more implications you need to consider. A line-of-business application delivered as a finished service is a significant integration undertaking compared to the low effort associated with a tactical application where the primary concern is contractual issues such as data ownership. This relationship is represented in the heat map shown in Figure 4.

Figure 4: Considerations heat map

Today, enterprise IT departments are far more experienced and confident in consuming building block or attached services than full applications. Be it a data feed for a rich application like Reuters 3000, or an infrastructure service such as spam filtering, this model is well understood.

As the SaaS delivery model matures and gains more widespread adoption, it is natural for more enterprise demands such as integration to be catered for, and the range of capabilities enterprises are prepared to source as services will increase. The result will be software plus services applications: a natural balance of on-premise software and cloud services.

As Gianpaolo Carraro and Fred Chong state in their article “SaaS: An Enterprise Perspective,” SaaS and S+S are additional tools that savvy CIOs can use to provide better value to the business. Rather than feel threatened, IT managers should view SaaS and S+S for what they are: alternative sourcing models for business benefit, and a different architectural approach to building solutions.

Handled correctly, software services will help change the business’ perception of IT.

Resources

· European Parliament Data Protection Laws http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm

· Exchange Hosted Services http://www.microsoft.com/exchange/services/default.mspx

· “IT Doesn’t Matter,” Nicholas G. Carr, Harvard Business Review, May 2003 http://harvardbusinessonline.hbsp.harvard.edu/b01/en/common/item_detail.jhtml?id=R0305B

· The Long Tail: Why the Future of Business Is Selling Less of More, Chris Anderson (Hyperion, 2006)

· Microsoft Privacy Guidelines for Developing Software Products and Services http://www.microsoft.com/downloads/details.aspx?FamilyID=c48cf80f-6e87-48f5-83ec-a18d1ad2fc1f&displaylang=en

· Microsoft Regulatory Compliance Planning Guide (although this guide is focused on internal IT, it can also be useful when evaluating an external provider) http://www.microsoft.com/technet/security/guidance/complianceandpolicies/compliance/rcguide/default.mspx?mfr=true

WS-Federation is a draft OASIS standard that has been adopted by several vendors including Microsoft, IBM, RSA, BEA, and VeriSign. Microsoft’s WS-Federation support takes the form of Active Directory Federation Services (ADFS), a component of Windows Server 2003 R2.

· OASIS http://www.oasis-open.org/committees/documents.php?wg_abbrev=wsfed

· Active Directory Federation Services (ADFS) http://www.microsoft.com/WindowsServer2003/R2/Identity_Management/ADFSwhitepaper.mspx

About the Author

Kevin Sangwell is an infrastructure architect in the Microsoft Developer and Platform Group. He has held a number of technical and leadership roles in the IT industry for more than 16 years, including five years as a principal consultant in Microsoft Consulting Services. Kevin has led the architecture and design for Enterprise and eCommerce infrastructures in the U.K. public and private sectors, including the distributed Microsoft infrastructure for a 120,000 user organization and an extranet application platform for 1.2 million educational users. As infrastructure architect, he provides advice and consulting to enterprise customers and presents at international events.

This article was published in the Architecture Journal, a print and online publication produced by Microsoft. For more articles from this publication, please visit the Architecture Journal Web site.