From The Editor
A Model Solution
SaaS represents business power and flexibility.

I’ve been watching the software-as-a-service (SaaS) phenomenon for a while, and have found few issues like it that can cleave the CIO community. While some IT executives are extremely bullish about SaaS and see it as the next big thing, others are concerned that it will lead to a CIO losing control over technology deployment. That’s not all: they’re also divided over its relevance — is SaaS for mid-sized enterprises or can large organizations benefit from it as well? Whichever side of the fence you may be on, there’s undoubtedly a lot of buzz around SaaS.

The level of interest that enterprise-software makers are taking in SaaS is growing. In fact, research by the Software & Information Industry Association reveals that 67 percent of independent software vendors will be offering SaaS products in 2008. A CIO’s necessity to reduce the complexity of application deployment as well as keep maintenance hassles low also implies that SaaS is on the brink of greater adoption. CIOs who are keen on SaaS tell me that it allows for quicker rollouts, lower cost of ownership, and takes away the headaches of business disruption courtesy application and version upgrades and the consequent retraining required (not to forget, the server side of the equation).

This is not to suggest that SaaS is going to threaten traditional software in the short term. Large enterprises have been slow to adopt software-as-a-service, and its share of the enterprise application market is still small. Apart from this, there are quite a number of CIOs who question how reliable it is, given the fact that the best of SLAs cannot guarantee a 100 percent uptime.

Given this muddled state of affairs, I feel that in all this the critical issue is not SaaS technology or how it is delivered. The key factor in SaaS adoption has to be how open organizations, regardless of size, are to new business models and novel ways of deploying technology to attain business advantage.
I also think that organizations (and my finger’s pointing to the big guys here) which figure out how to exploit the business power and flexibility that a SaaS model represents are going to really be the enterprises of tomorrow. Do you agree with this? Either way, I look forward to knowing your thoughts on SaaS and related issues.
Vijay Ramachandran, Editor vijay_r@cio.in
DECEMBER 1, 2006 | REAL CIO WORLD
Vol/2 | ISSUE/02
CONTENTS | DECEMBER 1, 2006 | Vol/2 | ISSUE/02

Enterprise Applications
COVER STORY | SAAS RISING | 26
Software-as-a-Service, some say, is a true child of today’s Internet, resurrected from the failed application service provider model. It promises to grow up to deliver business services in much the way people have milk delivered at home — without having to see the cow. Feature by Harichandan Arakali

Executive Expectations
VIEW FROM THE TOP | 36
Jerry Rao, chairman of MphasiS, says companies will have to do two things to stay in the game: keep tabs on technology that can redefine business — and empower CIOs. Interviews by Harichandan Arakali

Cover: Illustration by Binesh Sreedharan

Total Leadership
HOW TO GET INSPIRED | 24
Inspiration triggers creativity — and that is often the first step toward innovation. Column by Mike Hugos

Compliance
THE COMPLYING GAME | 40
CIOs are struggling to comply with HIPAA’s medical privacy regulations. The smaller the healthcare organization, the harder the task. Feature by Susannah Patton

Contents (cont.)

Departments
Trendlines | 15
Media | Tuning in to Technology
Leadership | Virtualization Turns up Political Heat
Security | What Does 2007 Hold?
Book Review | John Naisbitt’s latest identifies five trends in Culture, Politics, Economics and IT.
Leadership | Managing the Use of IM
By The Numbers | Software Development Failures
e-Commerce | Preparing for Holiday Traffic

Essential Technology | 54
Federated Identity | Federation is the logical goal of identity infrastructures, but achieving it takes more than just technology. By Phillip J. Windley
Open Source | What you should know about GPL3. By Bernard Golden

From the Editor | 4
A Model Solution | SaaS represents business power and flexibility. By Vijay Ramachandran

Inbox | 14
NOW ONLINE For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in
Govern
G.I.S. MADE EASY | 46
A geomatics-based system to plan and monitor rural development is a novel approach. But the true novelty lies in users knowing how to apply it — which forms the basic objective of the e-Gram Suvidha project. Feature by Gunjan Trivedi

MAPPING THE LAST MILE | 50
As chief executive officer of the CSC project at IL&FS, Aruna Sundararajan is at the helm of one of the largest public-private partnerships in the country: an IT project to deploy 1 lakh common services centers that will offer services to citizens. Interview by Kunal N. Talgeri
Advertiser Index
Cisco | 60
Citrix | 33
Epson | 3
Freescale | 59
Honda | Reverse Gate Fold
HP | Insert
IBM | 5, 11, 16 & 17
Mercury | 9
Microsoft | 2
SAP | 13
Wipro | 6 & 7

Management
President N. Bringi Dev
COO Louis D’Mello

Editorial
Editor Vijay Ramachandran
Assistant Editor Harichandan Arakali
Special Correspondent Balaji Narasimhan
Senior Correspondent Gunjan Trivedi
Chief Copy Editor Kunal N. Talgeri
Copy Editor Sunil Shah
Editorial Director-Online R. Giridhar
www.CIO.IN

Design & Production
Creative Director Jayan K Narayanan
Designers Binesh Sreedharan, Vikas Kapoor, Anil V.K., Jinan K. Vijayan, Sani Mani, Unnikrishnan A.V., Sasi Bhaskar, Girish A.V., Vishwanath Vanjire, MM Shanith, Anil T, PC Anoop
Photography Srivatsa Shandilya
Production T.K. Karunakaran, T.K. Jayadeep

Marketing and Sales
General Manager, Sales Naveen Chand Singh
Brand Manager Alok Anand
Marketing Siddharth Singh
Bangalore Mahantesh Godi, Santosh Malleswara, Ashish Kumar, Kishore Venkat
Delhi Nitin Walia; Aveek Bhose; Neeraj Puri; Anandram B
Mumbai Parul Singh, Chetan T. Rai
Japan Tomoko Fujikawa
USA Larry Arthur; Jo Ben-Atar
Singapore Michael Mullaney
UK Shane Hannam
Events Mumbai Rupesh Sreedharan

Advisory Board
Anil Nadkarni, Head IT, Thomas Cook, a_nadkarni@cio.in
Arindam Bose, Head IT, LG Electronics India, a_bose@cio.in
Arun Gupta, Director – Philips Global Infrastructure Services
Arvind Tawde, VP & CIO, Mahindra & Mahindra, a_tawde@cio.in
Ashish Kumar Chauhan, President & CIO - IT Applications at Reliance Industries
M. D. Agarwal, Chief Manager – IT, BPCL, md_agarwal@cio.in
Mani Mulki, VP - IS, Godrej Consumer Products Ltd, m_mulki@cio.in
Manish Choksi, VP - IT, Asian Paints, m_choksi@cio.in
Neel Ratan, Executive Director – Business Solutions, PricewaterhouseCoopers, n_ratan@cio.in
Rajesh Uppal, General Manager – IT, Maruti Udyog, r_uppal@cio.in
Prof. R.T. Krishnan, Professor, IIM-Bangalore, r_krishnan@cio.in
S. B. Patankar, Director - IS, Bombay Stock Exchange, sb_patankar@cio.in
S. Gopalakrishnan, COO & Head Technology, Infosys Technologies, s_gopalakrishnan@cio.in
S. R. Balasubramanian, Sr. VP, ISG Novasoft, sr_balasubramanian@cio.in
Prof. S Sadagopan, Director, IIIT - Bangalore, s_sadagopan@cio.in
Sanjay Sharma, Corporate Head Technology Officer, IDBI, s_sharma@cio.in
Dr. Sridhar Mitta, Managing Director & CTO, e4e Labs, s_mitta@cio.in
Sunil Gujral, Former VP - Technologies, Wipro Spectramind, s_gujral@cio.in
Unni Krishnan T.M, CTO, Shopper’s Stop Ltd, u_krishnan@cio.in
V. Balakrishnan, CIO, Polaris Software Ltd., v_balakrishnan@cio.in

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: Vijay Ramachandran. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India
Reader Feedback
Focus on Technology
The CIO 100 Awards & Symposium special issue was simply fantastic, especially the unique way in which you profiled India’s CIOs. CIO India is doing a good job and is on the right path to be on par with its US edition. Still, content-wise, I feel you must focus more on one aspect: please have more articles on future technology roadmaps. I miss that kind of content in the Indian edition. You could talk about new technologies, new findings and research happening across the technology domain. Articles on future roadmaps will be highly informative for the readers, and I am sure CIOs will find them to be an interesting read.
Ishwar Jha, VP-Business Technology, Zee Telefilms
Tread New Terrains
Here is a thought that came to mind when I was reading CIO recently: why don’t you look at a special edition on one dedicated topic, and cover some CIOs in India and abroad to take their views? The topics could be:
1. What can the CIO do to move into the boardroom — not to just give a status update but to actively participate in moving the business forward?
2. Is it time that CIOs move away from reporting to CFOs to CEOs?
3. If India is as great an outsourcing hub now as it is made to be, why aren’t most companies in India outsourcing to the partners/vendors here?
4. What do we mean by IT being a business enabler? Does providing PC, email and other applications translate to enablement of business, or...?
5. Telecom and IT are coming together so fast. So, which is the endangered species here — the telecom guy or the IT guy?
Personally, I would like to see one of these topics being picked and ripped apart through interviews, locally or abroad, and case studies too.
Tamal Chakravorthy, CIO, Ericsson India
The CIO Resource(s)
Congratulations for the grand CIO 100 Awards & Symposium ceremony. It was a great event and I was pleased with the manner in which some of India’s biggest companies were recognized and rewarded. The event was spectacular and memorable. Thanks for inviting me to be part of the event. Each association with CIO India — be it through your magazine or the Focus events — has benefited the learning path of CIOs. The role of the CIO has transformed over the years from a technology leader to a business IT leader. He is now expected to collaborate with business, bring innovation into its processes and systems, and fulfill the objective of driving IT to shape business. I eagerly wait for CIO magazine every fortnight. It is a vast resource, and I continue to be impressed with the quality of articles. The insights in the case studies will be of interest to most CIOs — both to read, share the knowledge, and apply the learnings. I wish CIO India a great year ahead and a happy, prosperous and peaceful New Year.
V. Subramaniam, CIO, Otis Elevators (India)

What Do You Think? We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to editor@cio.in. Letters may be edited for length or clarity.

Corrigenda
• Bharti Airtel’s director (innovation) & group CIO Mr Jai Menon’s name was misspelled in the photo caption of ‘Dial IT for Integration’ (CIO, November 15, 2006). The company’s market capitalization was also stated incorrectly in the article. Bharti Airtel’s market capitalization stands at Rs 1,031 billion.
• The lead letter of InBox (‘Benchmark Aid’, CIO, November 15, 2006) was incorrectly attributed to Mr Ravi Uppal, vice chairman and MD of ABB India. The letter was written by Mr Rajesh Uppal, general manager-IT of Maruti Udyog.
The errors are regretted.
TRENDLINES | new * hot * unexpected

MEDIA
Tuning in to Technology

In recent times, a booming FM radio industry has become a standard feature of the media & entertainment sector in fast-growing Indian cities. Bangalore is no different, with listeners having as many as six dedicated FM radio stations to choose from. And technology is at the epicenter of the FM players’ best-laid plans for competitive advantage. Adlabs Radio is among the first to tune in on this front — having deployed an IP technology using a real-time protocol called Livewire in its studio facilities, including BIG 92.7 FM in Bangalore. Adlabs’ FM studios are fully digitized from the point of delivery to the transmitter.

“From broadcasting consoles to routing of signals to studios, the way we handle audio across the station is different compared to the conventional TDM (time-division multiplexing) technology that has been in use in radio broadcasting,” says Soumen Ghosh Choudhary, CTO of BIG 92.7 FM. “The technology can produce 24-bit, 48 kHz audio, which travels across the studio facility through a standard Ethernet switch such as the one normally used for data (mail/internet) in offices,” he adds. In other words, the technology uses one CAT 6 cable that can carry multiple audio signals simultaneously, as opposed to the erstwhile single wire for a stereo audio signal.

Imaging by PC Anoop; Photo by Srivatsa Shandilya

(Continued on Page 18)
LEADERSHIP
Virtualization Turns Up Political Heat

One of the hot topics at VMworld 2006 was how virtualization software can unsettle the balance of power within companies and their IT departments. Virtualization can cause business users to lose ownership of servers that are consolidated into shared systems, making it difficult for IT managers to sell the technology internally. There also may be resistance among IT staffers if the idea is championed by business or a deployment affects storage and networking teams in addition to server managers.

Control of server resources is a touchy issue for business units that have had their own systems, said Larry Speights, a technical adviser on a VMware project at a petroleum company that he asked not be identified. “The owners of these systems say, ‘It’s my system, but if it’s virtualized, it’s not my system anymore. It’s running shared with everyone else,’” he said.

IT staffers may feel threatened if the push for virtualization comes from the business side and “is not going through their approval process,” said Brad Wagner, a technical lead for platform services at Georgia Pacific Corp. “It’s a bad thing when the executives agree to a technology and the technical people didn’t invent it there.”

Wagner and Gary Tierney, senior manager of technical services at Fair Isaac, have each been running systems equipped with VMware’s software for about three years. Tierney said he prepared a presentation about the technology for employees at Fair Isaac. However, he learned that IT workers from different functional areas needed to be more tightly integrated because of virtualization’s far-reaching effects.

What sells business on virtualization is the promise of reduced IT costs through hardware and systems management savings. Tierney, though, recommended that IT managers shouldn’t make any distinctions between their physical and virtual servers with end users. “In the beginning, we had issues with people accepting virtualization,” Tierney said. Now, he said, IT staffers find it easier to just provide a server when users need one, without specifying whether it’s an actual or virtual system.
— By Patrick Thibodeau
SECURITY
Focus for 2007: Defending Data

Regulatory requirements and increasing consumer concerns about information security breaches are making data-level security controls a top priority for 2007, according to IT managers at the Computer Security Institute trade show in Orlando. After years of implementing technologies such as firewalls and intrusion detection systems, companies now must move similar controls down to the data level, they said.

“The data now matters above everything else,” said John Ceraolo, director of IS for JM Family Enterprises, a Rs 42,300-crore auto distribution and financing company. Non-public information needs to be protected, whether it is at rest or in transit, he said. That requires an increasing focus on measures such as data classification and encryption, stronger user access and authentication, and usage monitoring and auditing, Ceraolo said.

Most of the work to handle network threats has, to a large extent, already been accomplished via firewalls, etcetera, said Mark Burnett, director of IT security and compliance at Gaylord Entertainment. The goal now is to put multi-layered defenses around the data as well, he said. “We are layering technology controls to ensure we can identify where information is passing across our network.” Driving the focus are regulations that Gaylord is required to comply with, such as the Payment Card Industry (PCI) data security standard mandated by the major credit card companies and SOX, he said.

“We have a strong network firewall, intrusion detection system and intrusion prevention system,” said Ann Garrett, CISO at the North Carolina state office of IT in Raleigh. What’s lacking are controls for mitigating user errors at the end point, she said. As a result, there’s an increased focus on data encryption — and on ways to log and audit user transactions. “We have to add accountability and auditability at the end point,” she said.

Patrick Howard, chief information security officer at the US Department of Housing and Urban Development (HUD), said that earlier this year his agency disclosed that it had lost a back-up disk containing sensitive data on 757 current and former HUD employees. HUD plans to have an implementation plan in place by the end of the year to address issues identified so far, he said. Among the planned measures are data encryption, two-factor authentication of users and the ability to more closely monitor user activity.
— Jaikumar Vijayan
Radio Ga-Ga (From Page 15)

Apart from providing audio quality, the benefits of the deployment include a faster gestation period and interoperability. It is thus easily deployable even in remote cities and towns. “It is ready for existing and tomorrow’s data-centric studios, and uses the latest developments from the world of computer networking. An entire facility can be wired in days, instead of months,” says Choudhary.

At the level of the studio, a radio jockey (RJ) now works on a more sophisticated and digital console. Says Kiran Sridhar, an RJ at BIG 92.7 FM: “You can have different, preconfigured settings for different jocks. Also, the music can be scheduled from anywhere outside the studio because it is fully configurable using a regular Web browser.”

The latter feature, cited by RJ Kiran, is critical, and Choudhary concurs: “The system is based on interactive, Web-based remote management applications. Any equipment can be configured remotely and browsed. The easiest part of the system is that anyone connected to the network can access the system through the Web and configure, install, troubleshoot and monitor the system and equipment in the network.”

He points out another related benefit of the fully-automated technology: “We have our main broadcasting studio, which we call the ‘ON AIR’ studio. For some reason, if the same fails, the software in the station can automatically switch on the ‘Backup Studio’, which then acts as the ‘ON AIR’ studio.”

Though Choudhary is tight-lipped about the cost of the technology, he says it is less than the ‘conventional studio build cost’. The Livewire deployment also means that Adlabs Radio will now need trained IT manpower who have to be developed into broadcasting engineers, he notes. Adlabs Radio is believed to have invested Rs 400 crore on transmission equipment, infrastructure and licensing.
— Kunal N. Talgeri
BOOK REVIEW
From the Mind Behind Megatrends
Five emerging trends in culture, politics, economics and technology.

Mind Set! By John Naisbitt. HarperCollins, 2006. Rs 1,125

Every few years, futurist John Naisbitt collects his observations into a book of emerging trends. Mind Set! is the latest in the series that began with the 1982 bestseller Megatrends. Continuing the franchise, Naisbitt’s new book identifies five trends in culture, politics, economics and technology. This time, Naisbitt also outlines his process for reaching his conclusions. As one would expect, he reads a lot and travels widely. (He currently lives in Vienna and is a faculty member at Nanjing University in China.)

The key to making predictions, however, is to filter all the information he gathers through 11 ‘mind-sets’ that guide his thinking. For example, to formulate his prediction that the world economy will be defined in terms of industry-centered domains — like the automotive and pharmaceutical industries — that do business globally, he relies in part on the dictum, “See the future as a big picture puzzle.” After observing that because of globalization, traditional indicators like gross domestic product provide an incomplete picture of a country’s economic activity, Naisbitt identifies cross-border, industry-based economic domains as the key elements in the evolving world economy. How those pieces are arranged will determine how growth gets measured, he says. By reshuffling the relevant data, the picture of the world economy will emerge, he predicts.

Naisbitt’s principles have a pop-psych feel to them. Mindset No. 4, “Understanding how powerful it is not to be right,” reminds us of the chestnut that we must let go of old ways to achieve (pick one) personal, professional or corporate growth. (Naisbitt applies this principle to dogmatic European Union politics that, he predicts, are a recipe for the continent’s economic decline.) However, argues Naisbitt, simplifying how one thinks about the world is the best way to make sense of it.
— By Elana Varon
INSTANT MESSAGING
Managing Use of IM

The tempest surrounding former US Congressman Mark Foley’s sexually explicit instant message (IM) conversations with minors has turned into a political scandal, while offering a warning for corporate IT groups. The episode underscores how IM conversations can be just as damaging as e-mail, says Shawna Swanson, a partner with San Francisco-based law firm Fenwick & West’s Employment Practices group. “The big difference is people know how to monitor email better than IMs,” Swanson says. According to a 2006 survey by the American Management Association and the ePolicy Institute, workplace IM is “a recipe for legal, regulatory and security disaster.”

The ePolicy Institute has some tips on how to rein in IM:
• Assume employees are using IM. Only 47 percent of employees using free IM tools reported that their companies knew about its use.
• Survey employees and test your network to see if employees are using IM clients. There are management tools to detect and monitor IM traffic.
• When you find IM clients on the network, don’t rush to ban them. Employees who see IM as critical to their jobs might revolt.
• Set an IM policy that reflects any regulatory compliance requirements and acceptable use rules. Make it clear that instant messages belong to the employer.
• Make sure your IM policy is being met. IM management tools can help log and report on IM traffic and enforce company policy.
— By Robert McMillan

Illustration by Unnikrishnan AV
BY THE NUMBERS
Software Development Failures: Who’s to Blame?
Senior managers. Here’s how they can improve.
By Diann Daniel

Excessive pressure and unrealistic, often arbitrary, deadlines from IT senior management rank as the top reasons software projects fail — and senior managers know it, according to a recent Cutter Consortium survey. So how can senior managers break the cycle? To avoid making bad decisions, they must learn more about the software development process and get involved with project development reviews, Cutter concluded after surveying senior managers and their employees at 100 development organizations.

Just 39 percent of senior managers consider themselves “very knowledgeable” about software development, and just 28 percent of non-senior managers give their senior managers that rating. Too few senior managers understand the development process, like estimating project costs and creating realistic schedules, according to Cutter. In fact, 35 percent of respondents named impossible deadlines, excessive project scope or a limited budget as the main reason for software project failures.

Lack of senior management involvement — especially at the right times — fuels unrealistic expectations, Cutter analysts say. In 38 percent of companies responding to Cutter’s survey, senior managers just occasionally involve themselves in projects, checking in only for major problems. And just 27 percent take part in project development reviews — a crucial point where problems can be proactively addressed to head off failures, says Cutter Consortium Senior Consultant E.M. Bennatan. “The whole idea of project management review is creation of opportunity for senior managers to be able to get involved,” he says.

Best Practices
• Educate senior management. Create (at minimum) a half-day software development course, to be held every quarter. Get buy-in from the business side by emphasizing costs of failed projects and by making software development education a corporate goal.
• Communicate appropriately. Oversimplifying software development puts you in danger of giving an oversimplified solution. Understand your senior managers’ learning and listening styles, and examine how much information is appropriate at each stage.
• Create a project disaster plan. Every project should have an early warning system, and danger signs should be communicated to all. When a project goes off track, don’t be afraid to stop the project, define minimum goals, rebuild the team and revise the plan.

Software Project Killers

Unrealistic Deadlines — Poorly conceived project time-frames top the reasons why development efforts fail.
• Our senior management pressures the project manager and/or the development team to agree to impossible deadlines, excessive project scope, or a limited budget: 35%
• Our customers or marketing department request too many changes during project development: 17%
• Our developers do not follow an organized development process: 13%

Absentee Oversight — Too few senior managers get actively involved at the crucial project development review stage. Most participate in:
• Resolution of major problems: 69%
• Project budgets (establishing and expending): 67%
• Project planning (scheduling, budgeting, staffing, etcetera): 41%
• Project development reviews: 27%

Source: Cutter Consortium
E-COMMERCE
Ready for Holiday Traffic?

Online retailers in the U.S. have to choose between panicking over a possible overload of website traffic, or seizing a share of the Rs 20,565-billion worth of retail sales up for grabs this Christmas holiday season, according to the National Retail Federation. The stakes are high. According to a recent Harris Interactive survey, 40 percent of online consumers will abandon transactions entirely or turn to competitors upon experiencing problems.

So, what must online retailers do? First, they should prepare their systems for a 25 percent increase in traffic over last year’s, according to Rajib Das, vice president of business development for SkillNet, a retail industry technology consultancy. SkillNet recommends that online retailers conduct a website performance audit to see if the site can handle going from, say, 1 lakh visitors a day to 1.35 lakh, to see if the e-commerce applications and back-end interfaces (CRM, inventory, order management) hold on through the spike.

Next up: Das says that while many of the better e-tailers measure conversion rates (what percentage of consumers who come to a site actually become a customer), as a practice, it has not reached the vast majority of them. More retailers need to focus on improving their conversion rates, he says. Because the “act of getting people to your site is a costly affair,” Das says, “even if you can do it a little better, it can make a humongous change [in increased revenue].”

Another wrinkle is that while newer customer service technologies are enabling more flexible customer experiences, the pressure on the back-end IT systems to get this right is even higher. “The website is a faceless operation, so customer service is even more of an important factor,” Das says.
— By Thomas Wailgum

Illustration by Unnikrishnan AV

WEB EXCLUSIVE

Features
Meet Your New Host | Supply chain software has been considered too risky and important to be hosted by outsiders. That is, until you consider the risks and expense of installing and supporting it yourself.
Blogs Help Win the IT Talent Search | The benefits of using the Web to gauge candidates’ current work and interests.
Read more of such web exclusive features at www.cio.in/features

Columns
Everyone Gets to Play | Good IT governance is not about committees, processes, forms and procedures. It’s about involving as many people as possible. And then it’s IT’s job to support them.
Who’s Your Boss? | Whom a CIO reports to is directly related to IT’s impact in an organization.
Read more of such web exclusive columns at www.cio.in/columns

Resources
Podcasts from CIO Live | Atul Kumar, the CIO of Syndicate Bank, discusses the challenges of holding on to the talented people within your organization. S Sridhar, CIO, Hutchison Essar, talks about the innovative uses of VoIP.
Download more web exclusive podcasts from www.cio.in/resource

Log In Now! CIO.in
REAL WORLD | Michael Schrage | It’s All About the Execution

Digital Subversives
Are employees compromising security by bringing consumer tech into the enterprise? Perhaps, but if you use too heavy a hand to stop them, you’ll be fighting a losing battle.

Power users can be demanding pains in the butt. And tech-savvy managers may be relentless thorns in your side. But the employees with the greatest potential to make your enterprise life a seething hell of killer viruses, data loss, network disruptions, compromised security and contempt for your professional competence are the ‘ordinary’ folk who think their technologies belong on your network. They care not that Skype is a terrific vector for viruses or that a MySpace account will prove to be an information sieve or that making the company’s uber-customized sales-force automation system run on their BlackBerrys will take months of programming. They don’t think twice about using 1-gig memory sticks to back up customer data and then lose the sticks on a trip. Maybe, in the interests of good supplier or customer relationships, they’ll put a behind-the-firewall link on del.icio.us to help answer a question or two — and then call your people screaming that you’ve made them look bad because it’s inaccessible.

Employees just suck, don’t they? It’s bad enough that they don’t read the documentation, follow the rules or make even a minimal effort to get the most they can out of internal IT systems. Now, they’re bringing every consumer electronics gizmo they’ve purchased, website they’ve accessed and IM account they’ve set up into the enterprise, and they expect you to support them. Just what do they think they’re doing? The answer to that question is the reason the surging challenge of consumer technologies will get worse before it gets better and why the problem can — at best — be managed and not solved.
An emerging majority of employees honestly believe that the technology they use outside the organization is superior to the technology they use inside the enterprise. They feel they’re getting a swifter and more valuable user experience interacting with eBay than with your supply chain software; Google’s better than your DBMS; Skype beats your phone system; and AOL wins because you don’t allow IM or buddy lists. What’s more, the savvier employees with teenagers look at MySpace and Facebook, and wonder why IT isn’t adapting those kinds of social networking genres for project management and hiring systems. They wonder why they get better, faster, cheaper or free software services outside the firewall. They think you’re too slow, cautious, unmotivated. They think you suck. If they like you, they simply think you’re too busy. So that’s their excuse for bringing external technologies and services into the enterprise: you can’t and/or you won’t. Further complicating this dynamic is the reality that most of your better employees now take their work home and on the road. Companies have (successfully) used IT to both blur and dissolve the lines between the office and the home. Well, two can play at that game. Employees once dependent on enterprise software to finish a project over the weekend now want to be able to integrate software and services from websites you might not like or trust. Too bad for you. Historically, IT’s response to technical insubordination is prohibition: employees are forbidden from using Skype, IM, personal e-mail accounts and so on. I remember that in the 1980s, more than a few Fortune 500 IT shops didn’t allow personal computers. In the 1990s, corporate IT tried to stamp out unauthorized local networks that various workgroups had set up for themselves because IT hadn’t gotten around to supporting them. No wonder IT got a reputation as ‘user hostile’. Guess what? 
Last millennium’s authoritarian/totalitarian IT enterprise culture approach to innovation imports can’t work. Declaring war on external technologies turns your employees into innovation insurgents and ‘Google guerrillas’. You are defining them as enemies, and enemies have little interest in cooperation and collaboration. No — they’re interested in figuring out work-arounds and counter-measures. They’re not doing this out of spite; they’re doing it because using these tools and technologies makes their work lives easier, better and more productive. Do employees occasionally and — yes — inappropriately use these sites and technologies for personal use like booking travel, buying products, sending personal messages? Of course. Then again, they’re also doing work at home and during personal time while on the road. Does IT really want to be Big Brother, Supernanny and Techno-enforcer all in one? As the CIO, is that the ‘employee empowerment’ brand you want for IT?
Enormous reservoirs of time, money, resources and hostility are consumed in this losing battle to define what employees cannot or should not use. Don’t do it. People will use IM whether you like it or not. People will use their cell phones to access proprietary databases. The core concern is that some of these behaviors are far riskier than others. IT’s traditional role of identifying such risks in order to eliminate them is no longer sustainable — not when the quality of external options is so often superior to the quality of internal service.
There is no cost-effective ‘solution’ to this challenge; there is, however, a constructive approach. Don’t compete; don’t combat; co-opt. Organize advisory groups of employees who flout your rules on external innovation and relentlessly get their input on how helpful you should be. The purpose is not to cater to their whims or get them to like you better. It’s to exchange ideas and insights around risk. It is not your job to eliminate risk; it’s your job to manage it. You and your folks (should) know way more about the technical risks of these technologies than your employees. How well do you communicate and explain risk scenarios? To what extent do your employees appreciate that there are often very simple, easy things they can do to dramatically reduce their individual and your institutional exposure to risk? It’s foolish and counter-productive to let IT’s and Legal’s ‘eliminationist’ policies get in the way of good risk management. And it undermines relations with employees when you introduce new systems and services. How well CIOs and IT should leverage external innovation to amplify core IT processes deserves future discussion. But for now, CIOs need to turn their shops away from declaring war on their digital subversives and instead invite them to better understand the nature of enterprise risk. These people are using these technologies because they’re smart, not because they’re stupid. They’re smart enough to understand the difference between risk elimination and risk management too.
Michael Schrage is codirector of the MIT Media Lab’s eMarkets Initiative. Send feedback on this column to editor@cio.in
Mike Hugos
TOTAL LEADERSHIP
How to Get Inspired Inspiration triggers creativity. And, very often, that is the first step to innovation — even in IT.
As leaders, we are charged with marshaling the innovative energy in our organizations. And we work hard at it. It’s too bad innovation doesn’t happen from hard work alone; if it did, we’d have all we need. But innovation calls for more than diligence. At the center of every innovation, there is the proverbial ‘aha’ moment: that moment of inspiration when you see something about a particular problem that you haven’t seen before. I have learned about this moment of inspiration from watching my wife, who is a dancer and choreographer, go through the process of looking for inspiration. Sometimes, it seems to come out of nowhere; sometimes from a piece of music; and sometimes, to my surprise, from something I say or do. Getting inspiration and then crafting it into a stage production is what a performing artist does. Getting inspiration and crafting it into an IT system is what a CIO does. Perhaps no one would call us artists, but in order to foster innovation, we CIOs need to learn from artists.
How Artists Work
When seeking innovation, we typically ask: how do we get ideas? But that’s the wrong question. I don’t think we get ideas; I think the ideas get us. Artists routinely say their best ideas seem to come from outside of themselves; what they do is give form to those ideas through whatever medium they are working in, be it painting, sculpture, dance, music, film or literature. The better question to ask is: how do we put ourselves in a frame of mind where we can receive inspiration when it comes to us? Artists have been wrestling with this question for millennia. Here are some things I see artists do when they work:
They immerse themselves in their subjects. Actors immerse themselves in the personalities and histories of their characters, painters do sketch after sketch of an image, and musicians experiment with many different sequences of notes and tempos.
They collaborate. Many forms of art require effective collaboration between groups of people with complementary skills. My wife works closely with the dancers in her company, lighting designers, costume designers and musicians. She combines their different ideas to give form to her dance.
They play with different ideas. They don’t dismiss an idea just because it seems strange at first. My wife and her collaborators try out different combinations of movement, light, costumes and music to see what happens.
Inspiration occurs when a certain combination of ideas suddenly reveals a simple underlying pattern that ties the work together and expresses what the artistic work is about. Artists say they know the inspiration is authentic if they have an intellectual, emotional and physical response to it. Once that happens, there’s a flurry of activity as people flesh out their inspiration and give it shape. During this period, artists work long hours; they become single-minded about bringing their ideas into tangible form and presenting them to the world. And once a big project is finished or a big show is done, artists leave town. Being creative is emotionally and physically taxing. Artists feel drained after they’ve done good work. They take time off to recharge.
Finding Your Muse
Extrapolating from my experience with artists, I see four basic skills that the innovative CIO needs to cultivate in order to excel at innovation:
Immerse yourself in the business. It almost goes without saying that you should have a good grasp of the concepts and rules that guide the business operations of your company. This means a good working understanding of how each business activity fits into the overall business, how the work in each activity is performed, and what the cost and profit factors are.
Collaborate frequently. CIOs need to innovate in the face of high levels of complexity in both business processes and technology. Complexity can be handled more easily if groups of people from IT and business units work together, bringing their complementary skills to bear on a problem. The innovative CIO orchestrates this process.
Tolerate uncertainty. It is an act of discipline and sometimes of courage to immerse oneself in the details of a problem and resist the temptation to rush to judgment about what should be done. Because of the complexity inherent in most business problems, it is unlikely that the first few ideas will be truly innovative. Don’t dismiss ideas just because they defy pre-conceived notions, and don’t give in to pressure to start building something before you get the inspiration you need.
Look for simple patterns. As you investigate ideas and combine them in different ways to create system designs, look for designs where all the elements fit together in a simple, logical and complementary fashion. Remember that complex system designs usually signify that solutions have not been completely explored. When you find a simple combination of workflow processes and technology that can satisfy a wide variety of business requirements, then you have an innovative design. Simplicity is important to artists because audiences can understand simple patterns of expression more easily, and so these are an effective way to communicate ideas. Simplicity in system design works well for a CIO because system designs that are uncomplicated are more likely to be built successfully and more likely to perform as expected.
As you and your team develop these four skills, you will see a remarkable increase in the innovation that happens in your organization. We CIOs are already good at working long and hard to get things done. When we combine that ability with an ability to discover inspirational ideas, then we unleash a powerful process for giving our companies the tools they need to compete and succeed. Finally, remember that innovation is an art more than a science. As you become an innovator, you become an artist. So do as the artists do when you finish that big project — get out of town. Don’t bring your BlackBerry. Have fun. All work and no play makes a dull CIO, and no dull CIO has a chance as an innovator.
Michael Hugos is a partner in AgiLinks, a software company specializing in agile supply chains. He is former CIO of Network Services and author of Essentials of Supply Chain Management. Send feedback on this column to editor@cio.in
Cover Story | Enterprise Applications
Reader ROI:
The value of reducing in-house IT dependencies
How to build an eco-system for the SaaS model
Software-as-a-Service, some say, is a true child of today’s Internet, resurrected from the failed application service provider model. It promises to grow up to deliver business services in much the way people have milk delivered at home — without having to see the cow.
By Harichandan Arakali
Illustration by PC Anoop
Imaging by Unnikrishnan AV
Photo by Alpesh
Yogesh Jagga is the CIO of a successful mortgage brokering company in California, which has its IT as well as its sales staff in India. Parsec Loans, the company, sells loans from some 20 American banks to retail customers in America. Faced with enabling his company’s sales with IT that would bring Parsec cost-effectiveness and few headaches, setting up the IT shop in India was a no-brainer. But Jagga took it a step further by not investing in any stand-alone customer relationship management software. He bought seats on Salesforce.com’s enterprise edition to enable a sales team that operates from a call center in Gurgaon. This allowed him to exploit a simple yet powerful idea. Salesforce.com hosts the customer relationship management (CRM) software for Parsec and gives the company’s sales people all the access to the software and the related infrastructure they need to function effectively. “Using the Internet and the telemarketing agents, it takes up to 45 days from initial queries to the loan being disbursed,” says Jagga. “This is laborious, requires tasks such as appraisals, multiple partners — the lending banks — are involved, and we need to work together. This is more of a relationship management effort,” he explains. Buying a subscription to the CRM then made a lot more sense than the higher initial investment involved in the conventional route of buying software, hardware and hiring people to put it all together. “I don’t have to worry about initial expenditure. There isn’t any down time, and if there are any upgrades or maintenance to be done, we know in advance.” The power of the idea comes from a host of other companies simultaneously being able to do exactly the same thing as Parsec. It’s called ‘Software-as-a-Service’. Software-as-a-service (SaaS) is being touted as different things to different users by different vendors. The consensus, however, is that it could make life more exciting — and profitable — for businesses by allowing them to configure their own computer applications. They can do so only when they need to, with a little help from the CIO organization. For the users, this might represent a reduction in upfront investments in computers and software — money saved, which might then be employed more directly in the business. For the CIO, SaaS can take away the pressure of having to quickly deliver an application that the business users are hounding him to build yesterday — the CIO can then ask his men to focus on building better rules for integrating IT with business and, down the line, on integrating the applications that come as a service with existing standalone applications. For the vendors, the business model involves hiring out software applications for a subscription-fee, with upgrades and support thrown in.
The challenges before SaaS include integration with existing customized software applications, and legal as well as security measures of allowing the vendor to host data for businesses — usually a requirement for SaaS. Yet, a growing number of companies, from Parsec Loans to multinational network equipment maker Cisco, are embracing SaaS. Vendors too are coming together to help build an eco-system of SaaS delivery.
SaaS arrangements can reduce the pressure of initial investments, down times, upgrades and maintenance, says Yogesh Jagga, CIO, Parsec Loans
The opportunities are undeniable, and it’s a matter of time before the challenges will be surmounted.
Reborn in the internet
The concept isn’t new. Even before computers, it was common enough — it is like the shift that happened from actually owning a cow to getting milk delivered in packets. Having your own data center with all the necessary software installed is the IT-equivalent of owning a cow. SaaS allows businesses to subscribe to the service without having to own the product. Earlier, the business model was: you go to an independent software vendor, buy a software product, pay a license fee, pay an implementation fee perhaps to a systems integrator, and work out a deal for the maintenance of the software and hardware. It would also be the end user’s headache to invest in the necessary hardware and other software. All this meant large investments of money and time and effort upfront. Then, there was the worry of connecting IT with business processes. The application service provider (ASP) offered to take away much of this pain with a different business model — the provider would host the software and companies could purchase the use of that software on a per-user and per-unit-of-time basis. ASP didn’t succeed because the number of users and the cost of using it in that business model didn’t work out. That was the failure of the dotcom era, says Dr. Sridhar Mitta, founder of e4e, which taps SaaS-ready software to sell business services to clients. In a sense, SaaS is the promise of ASP realized. It takes the business model one step further by making the same software simultaneously usable by several users, each with their own customizations, and secure from the other — a concept called multi-tenancy. The changing marketplace is also helping: now, the cost of software has come down because a lot of open source components are being used, outsourcing has helped reduce the development costs in some cases, bandwidth is more easily available with broadband becoming popular, hardware is becoming more commoditized with each passing day, and the number of users is growing fast.
Meanwhile, independent software vendors are building applications ground-up to be multi-tenant and modular. Service-oriented architecture is being used, so that different modules can come from different sources, and integration is easy. Further, everything will be delivered using the Web, which means they can be hosted anywhere and accessed anywhere. It was precisely this idea of anytime, anywhere with minimum upfront investment that Amit Verma found attractive. A marketing manager at Informatics India, Verma also doubles as the IT administrator for the econtent distributor. His 18 salesmen use Salesforce.com’s CRM software to work from virtual offices across India to sell subscriptions to Informatics’ services and two products — an aggregation of business content hired out to organizations such as Reuters and Factiva, apart from a search-engine-based portal to scientific research content. Informatics India’s customers include Dr. Reddy’s Laboratories and Apollo Hospitals, and it services some 1,200 customers today, mostly institutional buyers. “We had an inherent need for the SaaS model,” says Verma. At Parsec Loans, Jagga says he plans to double the number of seats subscribed to a 100. “And this is at the division for which I am CIO. There are two other divisions that also have another 20 seats,” he says.
Photo by Srivatsa Shandilya
It was the idea of anytime, anywhere and minimum upfront investment that Amit Verma, IT administrator of Informatics India, found attractive.
For Large Users too
Both Jagga and Verma fall in the category of small- and medium-sized businesses (SMB), where IT, at best, entails some excel sheets. So, the move to SaaS is easy — little or no integration of the new applications is required with existing ones. A Global 500 logistics company decided to buy a subscription of Pivot Path, a ‘service delivery platform’ built by Jamcracker, which has most of its development and operational team working from a center off the grid-locked road to Electronics City in Bangalore. Manish Jain, head of Jamcracker’s India Operations, says, “The logistics company grew by acquisitions, and has some 175 internal software applications.” The company has 2 lakh users, each of whom uses five applications doing tasks like helping customers track a package or answering a query. “This number increases by several thousands during Christmas and then reduces by thousands” as large numbers of temp staff come on board and leave. Pivot Path automates the process of creating accounts for each new addition of staff, telling the logistics company’s complex computer systems what applications a staff member can access and so on. The automation reduces the time required to give a user access to that average number of five applications from two weeks to a few minutes, once a corresponding supervisor or team leader submits a user profile, says Jain. That SaaS is not a technology in itself but a way of making technology available to businesses is what makes it attractive. If the problems of integration with existing software — which large corporate companies have a lot of — and security of data, which in SaaS resides with the vendor, are addressed effectively, corporate adoption will take off. Ray Wang, a senior analyst at research firm Forrester Research, says, “At its essence, SaaS is a deployment option and is a way of allowing enterprises, their customers, partners and employees to take advantage of technology, without dealing directly with the management and administration of that technology.” Wang says: “In our latest ‘Business Technographic Survey’, we found that the large enterprises are even more interested in adopting SaaS than SMBs. For instance, Cisco has used Salesforce.com as their default CRM system.” Cisco Systems announced in November that they have doubled the number of users (for the sales force automation software they subscribe to at SalesForce.com) to 15,000. Jeremy Cooper, a vice president of marketing at Salesforce.com, says clients in the financial services domain are now validating the SaaS model. So, concerns about scalability, reliability and security are being mitigated because the large enterprises are now embracing the model, he adds.
SaaS versus the Rest
Category | Software as a Service | Software as a Service | Software as a Service | ASP | Application Outsourcing
Examples | salesforce.com, NetSuite, Siebel CRM On Demand | RightNow Technologies | SAP CRM OnDemand | US Internetworking providing Oracle on an on-demand basis | Accenture managing SAP, Oracle on demand
All customers run the same application code from software publisher? | Yes | Yes | Yes | No | No
Code modification possible? | No | No | No | Yes | Yes
Multi-tenant architecture? | Yes | Yes | No | No | No
How do you pay for the software? | Subscription | Subscription | Subscription | Subscription | License
Originally designed to be SaaS? | Yes | Yes | Yes | No | No
Customer owns license? | No | No | No | No | Yes
Who has the responsibility for operating, maintaining application? | Software publisher | Software publisher | Software publisher | Service provider | Service provider
Who has the responsibility for operating, maintaining infrastructure? | Software publisher | Software publisher | Software publisher | Service provider | Service provider
Who controls upgrade timing? | Vendor | Customer | Vendor | Customer | Customer
Source: Forrester Research
Building the Eco-system
As corporate customers take more interest in SaaS, established players such as Salesforce.com and up-and-coming ones are building an eco-system that will encourage large-scale adoption of SaaS. Joining them are independent software vendors, building SaaS-ready applications ground-up, and system integrators that see opportunities in helping large companies customize and integrate SaaS software for the user companies. Apart from providing online directories of SaaS-ready applications, the players have now gone a step ahead by allowing open access to application program interfaces to developers, who can then build their applications to work in the corresponding SaaS environment. The ISVs also get to list their applications on these directories. At e4e, an interesting experiment is being tried out, which combines the power of SaaS with the power of offshoring. Consider Jagga’s operations in Gurgaon, which is a small call center. Anand Talwai, president of e4e, says his company bundles the SaaS capability of sales force automation with the actual business service of doing what that sales force would do. “We have 500 small and medium mortgage brokers in the US as customers for whom e4e starts with generating leads and hands over at the point the loan can be closed,” says Talwai. Each of these 500 brokers is a tenant of an underlying software that e4e runs in a multi-tenant environment. This also means each of them has their proprietary data residing with e4e. “It’s like Gmail,” explains Mitta, “where your mail sits on Google’s servers, but you get access to it.” In e4e’s case, of course, the money comes in the form of a fee that the brokers pay per-loan-closed. “Today, we are doing about a 100 loans a week,” Talwai says. Wang says the ease of use and the Google-like reliability is what makes SaaS revolutionary in practice. “Like Web 2.0 applications, we are expecting business applications to function almost like Google — with that level of reliability, ease of use and simplicity; and yet handle the complexity of transactions that business applications bring,” he says.
Implications for the CIO
Verma is a telling comment on the way things are going, even if his is a small company — he is a business person also taking on the CIO’s role in his company. Anuradha Acharya, chief executive of Ocimum Bio Solutions, a biotech services company in Hyderabad, is another example. She is the company’s technology head as well, and pretty hands on about it. Acharya switched from ‘Datatracker’, a CRM product she had built in-house, to Salesforce.com two years ago. It “makes my life simple as I generate reports myself and am not dependent on the sales folks.” Please note, this is the CIO talking. The switch also helped in planning and getting trends instantly across geographies and products, which is very useful for planning and sales and marketing, she says. Wang says this reduced dependency on IT support is one of three big opportunities for users. The second is the straightforward one of quick deployment and capital deferment, apart from the less-obvious opportunity to derive benefits beyond software features and upgrades. The challenges Wang lists include regulations that may require data to be on-site. It will pose difficulties for enterprises that rely on heavy real-time data integration, and for users used to heavy customization of software. CIOs, says Mitta, get advantages and disadvantages: urgent headaches are taken away, such as the pressure to build that application that business users need yesterday. But in return, the CIO loses control over that application, which is now subscribed to off the Web. This situation, however, will evolve as the business guys start needing more integration with existing applications. The CIO of one large Indian subsidiary of a multinational giant headquartered in Europe says, “SaaS will mean losing control. It makes sense for small and medium businesses which may need the money elsewhere. But if you are cash-rich, then building an in-house IT department is the way to go.” SaaS also does not mean SLAs will go away to be replaced by something that makes everyone happy. The CIO’s department will continue to monitor SLAs. But, in theory, pulling out will not be nearly as painful as in the case of traditional applications outsourcing. Yet, Don Best, vice president of marketing at Jamcracker, points out that a recent McKinsey survey found that 70 per cent of the respondents wanted a “single throat to choke.” What this also means is, if a CIO is buying bandwidth for his company from a telecom utility, for instance, he may get a discount on the bandwidth only if he buys a bouquet of services from that telco. Service delivery platforms do the job of helping the telco deliver these services, such as the same CRM software, a human resource management software, and even an enterprise resource planning package to the CIO and his executive bosses. In the SaaS model, none of these services has to be built by the telco. They can come from whichever independent software vendor built them. The rest of the story in the McKinsey survey, Best says, was that the more services the CIO buys from the telco, the greater will be his stickiness to the telco as a customer. This brings one back to the single most important trend that every CIO agrees on today — technology heads must exploit their knowledge of technology to help their bosses make sound business decisions.
Photo by Suresh
The switch to SaaS helped Ocimum Bio Solutions capture trends instantly across geographies and products, says its chief executive, Anuradha Acharya.
Key Characteristics of Software-as-a-Service
Tenancy: In a multi-tenant architecture, customers share some or all layers of the stack. Multi-tenancy can apply to: 1) the application layer only, 2) the application and server/processing layers, or 3) the application, server/processing, and database tiers. Since customers sharing the same codebase can’t modify the code, customizations to the application (including custom tabs, custom objects, etcetera) must be done through sophisticated configuration tools and stored in the metadata layer.
Payment Model: SaaS is typically pay-as-you-go, on a per-user, per-unit-time basis. In contrast, on-premise, licensed applications typically require a large upfront license fee followed by a smaller monthly maintenance fee (usually around 18-22 percent of the license fee). Application outsourcing usually involves a large upfront license fee and monthly maintenance fee like on-premise software plus a monthly outsourcing fee paid to the vendor that is managing the infrastructure and application (which is sometimes the same vendor that published the software).
Responsibility: SaaS vendors take responsibility for managing the application, including performance, uptime, security, reliability, and scalability. In on-premise software, customers either manage these aspects in their own IT department or pay a hosting company or application outsourcer to do it for them.
Control of Upgrade Timing: SaaS vendors typically release two to four major upgrades and several smaller updates each year. Customers receive these upgrades seamlessly and automatically and have little or no control over when they occur. In contrast, licensed vendors typically release upgrades every 12 to 18 months and allow customers to decide when to apply an upgrade. Because licensed upgrades often require significant time and cost, firms running traditional licensed software frequently skip upgrades, missing out on the benefits of the latest functionality.
Source: Forrester Research
Assistant editor Harichandan Arakali can be contacted at hari_a@cio.in
December 1, 2006 | REAL CIO WORLD
Vol/2 | Issue/02
Top 10 SaaS Traps
By Thomas Hoffman
In theory, software-as-a-service (SaaS) should be a cost-effective option for IT executives who don’t want to deal with the hassle and expense of installing and supporting software for users. By tying into a Web-based software service that users can access with a browser, IT departments can avoid the costs of adding servers, powering servers or even setting aside space for them in a data center. And since the software is supported by a managed service provider, IT managers don’t need dedicated staffers to deal with helpdesk-related issues. So SaaS is cheaper than installing your own software, right? Don’t count on it. “If you go into a SaaS agreement believing it’s going to be less expensive under all circumstances, you should reorient your thinking,” says Rob DeSisto, an analyst at Gartner. There are all kinds of extraneous expenses that SaaS customers need to be aware of, according to DeSisto. Those include setup costs, training fees, storage limits and the costs of integrating with other applications. Here are the top 10 'gotchas' in SaaS agreements that corporate customers should watch out for:
1. 'I agree' to what? SaaS providers typically send electronic contract notifications to customers with an 'I agree' button for them to click, says Pat Cicala, president and CEO of Cicala & Associates, a consulting firm in New Jersey. “People usually get sick of reading these agreements online and end up clicking ‘I agree’,” says Cicala. IT organizations that are poorly governed or don’t have a centralized Web licensing strategy run a significant risk of having business leaders agreeing to software terms they’re not familiar with. “You’ve got business buyers making a lot of the contractual decisions, and they’re not savvy in a lot of the contractual issues,” says DeSisto. For instance, most business leaders don’t know enough to ask if the vendor’s data center is staffed by people with proper security certifications or if the vendor is ready to comply with the SAS 70 auditing standard.
2. Easy installment plans. For customers, one attractive characteristic of SaaS agreements is that they don’t require a huge upfront financial commitment to start a service. But even though there are advantages to paying for the service on a monthly or quarterly basis, few customers realize that they can pare their yearly costs by 5 percent to 15 percent if they pay for an annual SaaS agreement all at once, says Michael Mankowski, senior vice president of Tier 1 Research in Minneapolis. Customers should also obtain the rollout plan for the software in writing, says Mankowski. Find out what the vendor’s rollout capacity is, he says. Will it add 100 of your users per week? Per month?
3. Missing SLAs. Service-level agreements, such as those guaranteeing vendor response time, are a critical component of SaaS contracts, says Mankowski. Some vendors provide SLAs with the contract, while others charge extra fees for SLAs or don’t provide them at all, he says. “If it’s a business-critical application and you need five 9s uptime, you need to make sure that’s covered in the agreement with your SaaS provider,” Mankowski says. Also, contracts should stipulate penalties such as credits or givebacks if service levels aren’t met, says Jeff Kaplan, managing director at ThinkStrategies Inc., a consulting firm in Massachusetts.
4. Performance levels. Customers should clearly define software uptime and availability levels with SaaS providers in writing. Before entering into an agreement with a SaaS provider, customers should ask the vendor for a record of past performance levels, says Kaplan. It’s also wise to ask about business plans and investments that the provider is planning to make over the next three to 12 months, including enhancements to service-delivery capabilities, says Kaplan. Customers should also ask how they will be contacted if there’s a service disruption, and they should find out how much time the vendor has to fix the problem under the contract, says Mankowski.
5. Defining uptime. SaaS customers need to carefully define guarantees around system uptime, says DeSisto. Most contracts call for 99.5 percent uptime or part of your money back for a month. “But what does that mean?” asks DeSisto. “Is that 99.5 percent of planned uptime? Does the vendor plan to be down eight hours a month? If so, which hours?”
6. Add-on costs. SaaS customers should scour the fine print for hidden expenses. Sometimes vendors charge to configure the software or implement the database or workflow processes, says DeSisto. In some cases, vendors charge an additional Rs 800 to Rs 1,125 per user per month to stage and test the software, he says. And if you want to add support for handhelds and other mobile devices, those costs can escalate to Rs 2,000 per user per month. Vendors also may try to predetermine the amount of storage that’s available for each end user in your organization and bill for overage charges. “So many people are buying SaaS based on price. They need to understand what the base product is and how much all the add-ons cost,” says Rob Scott, managing partner at Scott & Scott, a Dallas-based law firm. Customers should also ask whether training is “baked into” the cost of the service or if there are additional costs for training or support, says Mankowski.
7. Integration intangibles. If SaaS software has to be integrated with other customer systems, buyers need to determine who’s responsible for handling the systems integration and at what cost, Scott says. An “ecosystem” of third-party firms can typically handle this work for less than what SaaS providers charge, says Kaplan.
8. Data rights. Before entering into SaaS agreements, customers should determine where their proprietary data will reside and what rights they have to access that data, says Cicala. “If the deal goes south, you need to know where your data is and what kind of shape it’s in,” says Mankowski. Customers should also ask for guarantees in writing as to how the data will be protected from both a privacy and disaster recovery standpoint, says Kaplan. Moreover, customers should determine whether they’re entitled to back up the data on their own systems should they choose to, Mankowski says.
9. Non-negotiable? One of the biggest misconceptions about SaaS agreements is that they’re simple “click-wrap” contracts that aren’t open to negotiation, says Cicala. Customers figure they’re already saving money, so they don’t press the issue. “But the licensing costs are going to catch up to you,” says Cicala. The vendor essentially bundles maintenance and support costs into the contract, so it makes sense to try to negotiate the deal down. And just as with other types of software licenses, big customers can obtain volume discounts. “If you’re talking 50 seats, there might not be a lot of discounting,” Mankowski says. “If you’re talking 5,000 seats, then the vendor might be inclined to talk a discount.”
10. Exit charges. Let’s say an organization has signed a one-year contract for CRM services for 1,000 seats but wants out of the deal after nine months. In some cases, providers will hit customers with exit charges before giving them their proprietary data back, says DeSisto. He points to one vendor that has enforced a 10 percent penalty against the total value of a contract if a customer wants to cancel the deal after six months. Or let’s say a customer has a service agreement for 200 users and wants to scale back to 100 users after six months. In some cases, the vendor will try to continue charging for 200 users or force the customer to pay a penalty for scaling down to 100 users, says DeSisto. Either way, he says, it flies in the face of the so-called on-demand software model. CIO
Reprinted with permission. Copyright 2006, ComputerWorld.
Share Your Opinion: Do you believe software-as-a-service has come of age as a business model? How feasible do you think it is for large enterprises to adopt the SaaS model? And how easy would it be to convince your management to do so? Share your thoughts (or reservations) on SaaS with your peers. Write in to editor@cio.in
I.T. Calls the Shots
View from the top is a series of interviews with CEOs and other C-level executives about the role of IT in their companies and what they expect from their CIOs.
By Harichandan Arakali
In this interview to CIO, Jaithirth (Jerry) Rao, chairman of MphasiS, looks at the future of domestic outsourcing and warns companies of inevitable death if they don’t give their CIOs a voice in the boardroom. His certainty seems to spring from the conviction that IT has a defining role in creating and sustaining business, and he wants CIOs off the benches.
Jaithirth (Jerry) Rao, chairman, MphasiS, is convinced that companies, which want to stay in the game, must do two things: keep tabs on technology that can redefine business — and empower CIOs.
Jerry Rao expects I.T. to: play a central role in redefining business; integrate internal systems.
CIO: Forrester is pitching for the idea of ‘business technology’ to replace IT. What’s your take on this? Jerry Rao: Whether technology is a means to an end in business or whether technology itself can define the contours of business is a fairly important debate that we’ve been having for at least two decades. Till now, we have seen technology define the constraints of a business. In the last few years, we’ve been looking at technology in its role in defining the opportunities of a business. Companies such as Amazon and Google have shown that. We tend to underestimate what some traditional industries have done. Airlines, for instance, now allow customers to print their own boarding passes. I don’t see business and technology as two separate yet intersecting circles, but as one complex ellipse in and of itself.
How should other CXOs look at this? I think it varies from industry to industry and from company to company. But if you aren’t even asking the question in your boardroom, then it's likely that you are missing out on something — and one day somebody will redefine your business in such a way that technology will no longer be a tool but a central piece itself. When that happens, you’re not going to be ready. So, there's no one macro prescription for all CXOs, but there's certainly a need to engage and grapple with this.
Can you illustrate how technology will take such a defining role? Think of the music industry and the whole idea of what intellectual property is. If every single song — from Beethoven to The Beatles — costs 99 cents, it's not technology but business that's been redefined. The nature of IP in music has been redefined. And so has the value of a label, a group and a singer. Turn to our own industry — IT services — for instance. We should pay more attention to the possibility that objects are being created, which, like building blocks, are mass manufactured, thereby reducing the need for customized software, which is our bread and butter. Closing in on the other side, programming is becoming simpler. So maybe, customers who give us programming jobs today may want to do it themselves. This may still be five years away, but it’s something that changes the nature of business itself and we need to keep tabs on it. No longer is technology a lever; technology is something that redefines the whole constraint and opportunity matrix.
Given these changes, what should CIOs tell their managements? CIOs should do an honest job of stating where things are, particularly in an existing company. If you have a whole set of legacy platforms and technologies, be very clear about what it costs to run and why it doesn’t make sense to change all of it. You can’t get off one horse mid-course and get on another. This is not to say that you shouldn’t invest in changing legacy technologies over a three-year period — that would be a mistake. CIOs have to get that across to management. What you need is a parallel process, a two-track process for new deployments and fixing legacy systems. You need a sinking fund with a program on how hardware and software will be exited. The sinking fund cannot come from an annual budget, or it could lead to budget cuts that, in two years, will make a company even more rigid. Every quarter, CIOs must present how many apps they've closed down and how many new releases and functionalities they’ve added. One of our customers, a large investment bank, has such a system of reviews. Essentially, you will have organizations that will die. I don’t know how many CIOs in India are directors on boards, but they should be.
“No longer is technology a lever; technology is something that redefines the whole constraint and opportunity matrix.” — Jerry Rao
Very few, in our experience. Well, companies that don’t have CIOs in top management — not necessarily as directors — are going to run into trouble sooner or later. With growth and competition, they are going to face problems.
But there’s a perception that CIOs are twice removed from end customers… They aren’t anymore. They have a lot of interaction with customers and their systems are interacting with customers all the time. So, they should be out there helping make business decisions. Today, at most financial companies, the largest channel for acquisition of customers is the Web, and the CIO runs the company’s Internet site.
So, the CIO has a strategic role, more than support? This isn’t necessarily in the context of outsourcing? No, this has nothing to do with outsourcing. We are talking about deployments. Just like good CFOs increasingly share how the street is looking at their companies and how analysts view them, good CIOs need to share what others think of a company. I haven’t seen many people do serious inventory of the current landscapes to figure out what they have, what they need, where the constraints are, and where opportunities lie.
That clout comes from being on the board. Should CIOs be part of top management? That’s a non-question. If you don’t have CIOs as a part of top management in this day and age, you will have backward organizations.
The individual defines his job. There isn’t a simple formula. Many CIOs voluntarily say, ‘Hey I am not a business person.’
That contradicts a need for CIOs to have a strategic role. Companies that don’t encourage their CIOs to be business-savvy and take strategic decisions will not do well in the long run. They will lose market share.
What's the business case for Indian companies to outsource? The business case in India is actually stronger than it is in the US because companies here find it hard to attract and retain talent. If you were a talented software engineer, why would you work at a manufacturing firm, when an IT company could give you better pay, bonuses and a better career plan? CIOs of Indian companies will only get second-rate talent. It seems to me like it's a case for talent rather than cost.
How should Indian CIOs view outsourcing? They should leverage outsourcing from a talent stand and not cost. Many Indian companies also have the advantage of not having legacy problems that their American counterparts face, so they can actually have very dynamic IT. In the financial services sector, for instance, there are areas where India is ahead of the US. We have T+1 settlement. From what I hear, ICICI Direct has one of the busiest sites in the sector anywhere in the world.
Do you pursue contracts with Indian companies? We have started. In the last two years, we have had a small measure of success: an airline, a bank and a telecom firm.
But aren’t margins lower? Gross margins are definitely lower, but selling expenses are also lower, so operational margins — while being definitely lower than with the American customers — aren’t that far off. Return on capital is roughly the same to slightly lower if you take away tax arbitrage because, with Indian businesses, we don’t need to invest in capital intensive telecom, etcetera.
So, why haven’t Indian IT services made inroads at home? Indian IT spend as a percentage of GDP is small. India is still backward in this; we leverage our IT talent to boost other people’s productivity and not our own. But this will change. If the fastest growing cell phone company in the world is in India today, change is coming.
Will the West account for the bulk of revenues in the next decade? Yes. Growth and the sheer dollar volumes there are higher.
SNAPSHOT: MphasiS
Turnover (2005-06): Rs 940.11 crore
Total Employees: 11,414 (31 March '06)
CIO: Abnash Singh
Source: company
What do you think of software as a service? It’s fascinating. If you look at the models of companies like Salesforce.com, you turn on a switch and you expect the lights to come on. Can we do on-demand software of that variety for inventory control and so on? It's early days, but it's a major business opportunity. We are doing something in the area of tax return. We've built software, which our US customers use to prepare their tax returns. The software belongs to us and we charge them per return. We have started doing something, but still haven’t got very far.
How do you view your CIO’s role in expanding EDS’s business in India? It's a tremendous role. Unless he gets our actions vis-à-vis the domestic market right, and gets us reliable and consistent systems and comes up with new ideas, we aren’t going to be able to crack the domestic market. Re-treading what we did in the US won’t work.
Give us two examples of ideas he’s given you. Abnash Singh, MphasiS’s CIO, has come up with clever ways of keeping control of costs, while ensuring an archival and retrieval ability we need while recording calls in our BPO business. He's also brought in real-time monitoring technologies and processes into our network operation centers, which will be very useful as we grow the remote infrastructure management business.
What’s your interaction with the group CIO of EDS? First, I am a vendor to him. When he's creating a new generation of infrastructure management software, which is the bread and butter business of EDS, I am trying to be a vendor to him. Two, we've begun giving him ideas of new technologies, platforms and an open system he could use. I read about the number of patents Microsoft files from India in a newspaper. I want to send EDS’s CIO that clipping and tell him that in the next three to five years, India must play a prominent role in EDS’s IP creation. That's the kind of dialogue I want with him.
Isn't this a threat to offshoring? Of course, self-help is a threat to offshoring! But there's so much work now that it’s not an immediate threat. In five years, who knows?
What would you like improved at MphasiS? Our biggest problem: we are a Rs 900-crore top-line company. But we still operate with the non-integrated systems of a company half that size. Our challenge is to migrate our internal billing and time management systems and dashboards, so that they are integrated and run in real-time. CIO
Assistant editor Harichandan Arakali can be reached at hari_a@cio.in
Compliance
The Complying Game
By Susannah Patton
CIOs are still struggling to comply with HIPAA’s 10-year-old medical privacy regulations. And the smaller the healthcare organization, the harder the task.
Reader ROI:
Why compliance is not taking off
How you can prune the cost of complying
In 2001, Ron Uno, manager of information management at Kuakini Health Systems, made the decision to move his hospital’s medical records system from paper to computers. The main motivation for the costly, multi-year project? The Health Insurance Portability and Accountability Act, or HIPAA, the then five-year-old federal law that sets standards for protecting the security and privacy of American medical records. If the hospital had an electronic medical records (EMR) system, Uno reasoned, it would be easier to monitor who was accessing sensitive patient information and to comply with the law’s privacy and security regulations.
Five years later, Uno is halfway through implementing an EMR system. He estimates that Kuakini, a nonprofit with Rs 1,237 crore in revenue, which operates a 250-bed hospital and a 200-bed long-term care facility in Honolulu, has spent between Rs 45 crore to Rs 67.5 crore on implementing the system and other technologies to help it comply with HIPAA. “Even though we’re a small hospital, we’re trying to comply as much as we can,” says Uno, who is closing in on full HIPAA compliance, though he’s not there yet.
The Long, Hard Road to Compliance
A decade after HIPAA was signed into law, CIOs like Uno are still struggling to comply with its provisions. Some lack the resources to fully meet the requirements of this complex set of rules; others seem to feel little need to hurry since the federal government has not aggressively enforced the law. So, it comes as no surprise to learn that HIPAA compliance rates appear to be slipping. Fewer hospitals and healthcare facilities are fully complying with the law this year than in 2005, according to a recent survey by the American Health Information Management Association (AHIMA), a professional organization for health information executives. And more than one-quarter of US security executives whose organizations need to be HIPAA-compliant admit that they are not, according to 'The Global State of Information Security 2006', a study released by CIO and PricewaterhouseCoopers earlier this year. These findings stand in sharp contrast to the billions of dollars invested by healthcare CIOs in technologies to protect medical records, including EMRs, firewalls, remote monitoring systems, intrusion detection, auditing software and encryption programs. HIPAA compliance rates declined across institutions of all sizes, but specialists say the problem is most acute at small to midsize hospitals with their limited budgets. “Smaller hospitals with thinner margins and smaller IT budgets will have a more difficult time being compliant,” says Gartner analyst Robert Booz. There is no question that HIPAA has made patient information more secure. It has also accelerated adoption of healthcare IT systems nationwide, an evolution that is boosting efficiency while reducing medical errors. Getting there, however, hasn’t been easy. Asif Ahmad, CIO and VP of diagnostic services at Duke University Health System, says that HIPAA compliance has created extra burdens, even for large healthcare organizations such as his own. “I can’t imagine a community hospital coming up with all of these resources,” he says. Uno agrees that it is harder for smaller organizations to secure the resources and support to fully comply with HIPAA. But it can be done. Uno sold his senior management team on the importance of compliance by stressing that failure to meet HIPAA requirements could lead to privacy breaches. “No one wants to be the scapegoat for a privacy breach,” he says.
Rick Casteel, VP of MIS at Upper Chesapeake Health, says he looks at vendors who can show his enterprise how to use their tools to meet compliance requirements. One secret, he says, is to stay clear of vendors who say they are HIPAA compliant.
The Silent Crisis
HIPAA was introduced in 1996 as a broad measure designed to protect confidentiality and security of health data. It called on the Department of Health and Human Services to standardize electronic patient health and financial data, and to set security standards to protect ‘individually identifiable health information’. The law, which applies to all healthcare providers and health plans, as well as insurers, technology vendors and universities, put in place a series of mandates and deadlines. Perhaps the most important to healthcare CIOs were the privacy rules, which took effect in April 2003, and the security rule, which had an April 2005 deadline. While HIPAA offers a framework for how healthcare organizations need to safeguard data, it does not provide recommendations for specific technologies to do the job. This lack of detail meant that healthcare CIOs scrambled in the early years to get ready for the deadlines. They invested in hardware and software, in addition to training staff on safe ways to access and transmit personal health data. More recently, however, the focus has shifted away from compliance, say specialists. “The healthcare industry has spent billions on HIPAA compliance, and now what we’re seeing is HIPAA fatigue,” says Gartner’s Booz. Nearly 39 percent of hospitals and health systems reported full privacy compliance this year, according to AHIMA, which surveyed 1,117 healthcare privacy officers and others whose jobs relate to HIPAA privacy. That’s up from 23 percent in 2004. However, the number of those who believe they are more than 85 percent compliant dropped to 85 percent in 2006, down from 91 percent in 2005. “This is not a crisis, but more of a silent erosion of HIPAA compliance,” says Dan Rode, VP of policy and government relations at AHIMA. “It’s a wake-up call.” After the rush to implement privacy and security systems, he says, many institutions now report that support and resources from healthcare organizations are declining in the face of budget constraints. Also troubling to some privacy advocates is what they see as the federal government’s generally lax attitude toward HIPAA enforcement. According to the Health and Human Services Office of Civil Rights, which enforces the law, more than 22,000 grievances have been lodged since the HIPAA privacy rule took effect in 2003. Most have to do with personal medical information being wrongly revealed. The government has closed 75 percent of these cases, either ruling that there was no violation or no jurisdiction, or after ensuring that hospitals, health plans or doctors’ offices had fixed violations. To date, no fines have been assessed by the department. Out of 339 complaints referred to the Justice Department for possible criminal prosecutions since the privacy rule took effect, only two have been prosecuted fully under HIPAA.
Unlike those who have run afoul of Sarbanes-Oxley, HIPAA violators have not faced high-profile prosecutions that would encourage compliance. “There haven’t been any ‘perp walks’ before news and television cameras,” says Peter Cizik, CEO of consultancy HIPAA Solutions Rx. Although HIPAA violators are unlikely to get into trouble with the federal government right now, they should strive to comply in order to avoid running afoul of state and federal privacy laws or getting involved in costly class-action lawsuits, says Cizik. He notes that HIPAA provides a “floor” for minimum standards of privacy and security and that if state laws are more stringent, they will prevail. In California, for example, any organization doing business there must notify all individuals affected by a breach of personal information.
Technologies to Help Achieve Compliance
HIPAA compliance is a goal all healthcare CIOs need to reach. Experts say the technologies listed below are a key part of a successful compliance effort:
Technology: Vendors
E-mail encryption: PGP, Postini, PostX, ZixCorp
Electronic medical records: athenahealth, Cerner, eClinicalWorks, Epic, Misys, NextGen, Tripwire
Single sign-on and access control: Passlogix, Sentillion Vergence
Firewalls and intrusion detection: Check Point, Cisco PIX, SonicWall
Remote auditing and monitoring: ArcSight
— Compiled by Katherine Walsh
The widespread damage that a privacy breach can cause in the healthcare arena came to light this year when Providence Home Services, a division of Seattle-based Providence Health Systems, revealed that backup computer tapes and disks containing personal information and medical records on 365,000 patients were stolen from a parked car. In addition to suffering public embarrassment, the healthcare company paid to inform all its patients via mail and offered to pay for credit monitoring services. The data theft is under investigation by the Oregon attorney general’s office. “Health care is a ripe target for identity theft,” says Cizik, himself a victim of the Providence breach. He notes that the company spent millions to pay for ID theft protection services and to defend against a class-action lawsuit filed on behalf of former patients. “For some organizations, unless they think it can happen to them, they won’t take all the necessary steps to keep their information secure,” adds AHIMA’s Rode.
A Plan for Action
As a consultant for HIPAA Solutions Rx, Ross Leo travels the country to help hospitals and healthcare systems achieve compliance. Many small and midsize facilities he works with are struggling to pay for system upgrades; still others are moving slowly “in order to be seen as not ignoring HIPAA.” Leo feels their pain: he oversaw a HIPAA compliance program as CISO and director of IS for the managed care division at the University of Texas Medical Branch in Galveston. Some of his clients can’t afford the leading-edge technology to track access to patient information. Leo suggests that companies in this situation start their compliance efforts by drawing up a risk mitigation plan that outlines weaknesses in IT security and staff procedures for guarding data privacy. Such a plan can help the CIO pinpoint what needs to change and where to target investment. After a risk analysis assessment, Leo recommends the addition of, or upgrades to, security systems. These can range from basic firewalls to more sophisticated EMRs, depending on the hospital’s budget. Even when a hospital or clinic can’t afford large-scale technology investments, Leo says that changes to IT policies can help bring them toward HIPAA compliance. For example, Leo worked with IT and security staff to develop policies for safe use of the Internet at a midsize Chicago hospital that was starting to deploy PCs with online access at workstations. He recommended that the hospital ban access to patient data on these PCs except in certain cases. Leo also suggested barring remote access to the patient information database for doctors and other staff members who log in from personal computers or laptops. Leo says minor changes in procedure can make a big difference in protecting patient data. For example, a fax machine placed at a nurse’s station can reveal patient information to anyone walking by. “People usually think their processes are OK when they’re not,” he says.
Ron Uno, manager of information management at Kuakini Health Systems, pointed out to his senior management that failure to meet HIPAA requirements could lead to privacy breaches.
Taming Costs
Cost is a major stumbling block for CIOs determined to bring their organization in line with HIPAA. In fact, the AHIMA survey found that 55 percent of respondents identified resources as their most significant barrier to full privacy compliance. When Kuakini’s Uno started looking for an EMR system, he knew cost would play a key role in his decision. EMRs are not required under HIPAA, but they make it much easier to comply. Where other facilities in the Honolulu area have spent Rs 157.5 crore to Rs 180 crore implementing EMRs, Uno would have to get by on a much smaller budget — approximately Rs 67.5 crore. So when he chose Cerner to provide the EMR, he negotiated carefully with his longtime vendor to make sure he could complete the project on his limited budget. “We examined each contract line item with a fine-tooth comb to see if it was really needed or if we could find an alternative. There were items included that we didn’t need, such as a standalone [uninterruptible power supply],” says Uno. “[Eliminating] it saved us a lot of money. The bottom line? You need to know how each item fits in the project infrastructure.” To help implement the EMR system, a six-member in-house IT team works in concert with the Cerner consulting staff. Uno says this approach has helped Kuakini realize significant cost savings and monitor the project better. “Foremost in my mind during this process was the fact that we are not a rich hospital,” says Uno. “We formed a partnership with Cerner and keep constant tabs on the cost of the project.” The cost of compliance is also on the mind of Rick Casteel, VP of MIS at Upper Chesapeake Health, which has revenue of Rs 729 crore and operates two hospitals in Harford County, Maryland. Casteel started preparing for HIPAA six years ago. He considers HIPAA an essential foundation for assuring security and privacy of medical data, but one that is complex and demands constant attention and dollars. He wouldn’t specify how compliant Upper Chesapeake is with HIPAA, but says he is comfortable that “we have balanced electronic security well against the demand for data and the need for quality and safety.” Like Uno, he is always looking to contain his compliance costs. Casteel started his organization’s compliance effort with a complete inventory of existing tools such as firewalls and other security software programs. Upper Chesapeake undertook this assessment utilizing a Web-based tool from Xpediate. The tool provided a structure for an in-house inventory while allowing Casteel to use internal resources rather than bring on additional staff or hire expensive consulting assistance. After completing the inventory, Casteel went to his current vendors and worked with them to find different versions of software that would help the healthcare provider reach compliance. “We were looking for vendors who would show us how we could use their tools to meet compliance requirements,” Casteel says. For example, a partnership with Trigeo helped his team see how valuable systemwide log management could be in relation to HIPAA and how the vendor’s tool fit into the healthcare provider’s IT infrastructure. In that way, Casteel says, he has avoided excessive spending on all new HIPAA security and privacy systems. One key to success, he says, is to avoid hype from vendors looking to sell new products. “I would avoid vendors that bill themselves as HIPAA compliant,” he says, noting that HIPAA provides a framework and does not require specific vendors or products.
Looking Ahead

HIPAA has pushed IT executives like Uno and Casteel to move forward with EMRs and other technology initiatives that make it easier to audit access to sensitive patient data. However, such systems also create new risks and new demands on IT. "I'm required to give more people access to more data," says Casteel. This increased access provides more opportunity for data to escape. "Privacy breaches are what keeps an IT manager up at night," he adds.

Healthcare CIOs have another reason to focus on keeping their data private and secure. In 2004, President George Bush entrusted the IT and healthcare industries with the task of building a National Health Information Network (NHIN), a system to provide every citizen with an electronic medical record by 2014. He appointed Dr. David Brailer to coordinate the effort. Brailer resigned in April, but the Department of Health and Human Services is pressing ahead with NHIN.

Looking forward, Uno and Casteel agree that the most important HIPAA compliance deadlines are behind them, although several lesser provisions remain to be implemented. For example, the deadline for healthcare organizations to start using a 'national provider identifier' (NPI) is next May. The NPI is a unique health identification number that will be assigned to healthcare providers to simplify communication between providers and health plans and to cut the risk of fraud.
Compliant at Last

Uno intends to keep fine-tuning his systems to bring Kuakini in line with HIPAA. It's been a long road, but compliance appears to be just around the corner. By the first quarter of 2007, Uno says, doctors at his hospital will use an identity management system from Oracle. It will allow physicians to use a single sign-on to gain access to several hospital systems; it will also provide clearer auditing and tracking to see who has used the systems. The EMR and other in-process systems for computerized physician order entry and electronic medication administration records will come online later in the year. "We hope to be 100 percent HIPAA-compliant sometime in 2007," says Uno. Despite the financial burden of working to comply with HIPAA, he says, the alternative — exposure of patient data — could spell disaster. "With regards to healthcare privacy," he says, "no one wants to be in the spotlight." CIO

Susannah Patton is a California-based freelancer. Send feedback on this feature to editor@cio.in
Geomatics
A geomatics-based system to plan and monitor rural development is a novel approach, but the true novelty lies in users understanding its modus operandi. Enter e-Gram Suvidha.
By Gunjan Trivedi
Illustration by Anil T

Much against the spirit of Mahatma Gandhi's 'gram swaraj' (village self-governance) maxim, a large percentage of Indians continue to migrate from rural to urban areas. The cities are clocking fast growth rates, but the lack of infrastructure, facilities — and opportunities — in villages has fuelled the exodus. State governments have been taking measures in recent times to develop villages and arrest the migration. The onus is not just on executing rural development projects, but also on monitoring them. Can information and communication technology tools play a role in this process?

The Madhya Pradesh government took the technology path in 2003 with e-Gram Suvidha, a G2G project that gives users in government access to geomatics-based systems across five districts. The facility has tremendous promise, according to Vivek Chitale and V.V. Sreedhara Rao of the National Informatics Centre (NIC), in their paper on the e-Gram Suvidha project: "The features include built-in traverse-aid, distance computation, and optimized identification of a suitable location meeting a specified criterion." The electronic village facility has been designed for bureaucrat-users at levels ranging from zilla panchayats to the district collectorate, and can produce sector-wise thematic maps at the press of a key. In effect, the system presents block-wise thematic maps of villages, showing geographical boundaries with existing facilities, computed distances between them, and up-to-date village profiles. Users can thereby identify suitable locations for new infrastructure facilities in accordance with the norms of planning.

Reader ROI:
How to integrate and manage data at multiple levels
Why stakeholders' inputs are key to major projects
From MIS to GIS
As planning and management of facilities got more complex with increased emphasis on spatial dimensions, the NIC homed in on a geomatics-based system to add a new dimension to the method of data acquisition, organization, classification and analysis. The approach had the potential to enable efficient display and dissemination of data, and could help stakeholders arrive at appropriate solutions for decentralized planning of rural development. The geomatics-based system would deal with two kinds of data: spatial data, comprising digitized Survey of India maps of villages, blocks, districts, and road and rail networks; and non-spatial data from the findings of the monthly surveys under the 11-Point Program. The e-Gram Suvidha project was thus born.

Users at the district level downward can today query independent and offline systems that are replete with monthly data, and figure out the most economical and feasible solutions for infrastructure projects. For instance, if a bureaucrat wants to plan a school, he would like to know the number and location of existing schools in the village concerned before deciding where the school must be built.

"Without transparency and presentation of proper data, there can be political or bureaucratic factors influencing decisions to deploy new amenities," says M. Vinayak Rao, senior technical director and state informatics officer, NIC-Madhya Pradesh. "Now, since we have the geo-presentation software, we can fire a query. The findings help the administration take valid, rational and well-informed decisions so that the right infrastructure can be created at the right place to be used by the right people," he explains.

The presence of the system also increases the pressure on administrators to act promptly. "It enables faster response and corrective actions to the changing ground realities. It also helps in better management of facilities. And usage can aid in disaster management," says Rao.
The facility has currently been deployed in more than 20 centers covering ten distinct areas of planning like education, health, transport, communication and electrification, among others. The system is operational in five districts of the state: Chattarpur, Bhopal, Dhar, Mandla and Damoh.

The e-Gram Suvidha was deployed as a successful pilot at the zila panchayat in Chattarpur district three years ago. The concept has its roots in the NIC's 11-Point Program, which envisioned an MIS for monitoring departmental activities in rural habitations on the back of manual retrieval and analysis of data. The monthly data would be prepared on the basis of monthly surveys carried out by government officials. Further, the program stated that the monthly data would be transmitted to state authorities after its compilation and analysis.

Before the e-Gram Suvidha facility, the process of manually retrieving information and planning was time-consuming and had high margins of error because decision-makers had to deal with hordes of numbers and figures. The process required government-appointed agencies to survey the villages in Madhya Pradesh every month to collect data pertaining to amenities such as hand pumps, transformers, schools and primary health centers. The data would be entered in MIS systems at the block offices, then compiled at the district NIC centers and finally at the state center. This is the point at which the chief secretary of the state uses the data to take decisions relating to development. The data also reached district collectorates to enable them to take decisions relating to their jurisdiction.

"The findings of GIS-based systems help the administration in taking well-informed decisions"
— M. Vinayak Rao, Senior technical director & state informatics officer, NIC-Madhya Pradesh
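The school-planning query described above (find the existing schools, measure how far each village is from the nearest one, pick a site that satisfies the planning norm) is exactly the distance computation and criterion-based site identification that the NIC paper lists as features. What follows is an added example written for this page, not code from e-Gram Suvidha or the NIC, of how such a query runs over the two kinds of data the system integrates: a spatial layer of village points tagged with the block they fall in, and non-spatial census and survey attributes. All village names, coordinates, populations, facilities and the 1.5 km norm are constructed for illustration; a real deployment would read the digitized map layers and the monthly survey tables instead of the inline lists.

```python
"""Facility-gap analysis over combined spatial and non-spatial village data.

Added illustration of the kind of planning query e-Gram Suvidha answers: where
the existing facilities of one kind are, which villages lie beyond the planning
norm for that facility, and where one new facility would serve the most people.
Village names, coordinates, populations, facilities and the 1.5 km norm are
constructed sample values, not data from the NIC system.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Village:
    """A point in the village-locations layer plus its census attributes."""
    name: str
    block: str        # block-boundary layer the village falls in
    lat: float        # decimal degrees; all layers share one coordinate system
    lon: float
    population: int   # non-spatial attribute from the census table


@dataclass(frozen=True)
class Facility:
    """One row of the monthly amenities survey, sited at a village point."""
    kind: str         # "school", "phc", "hand_pump", ...
    village: str


# Constructed sample: one district, two blocks, six villages, three facilities.
VILLAGES = [
    Village("Alipura",  "Nowgong",  24.900, 79.500, 1200),
    Village("Barethi",  "Nowgong",  24.908, 79.505,  600),
    Village("Chandla",  "Nowgong",  24.930, 79.530,  900),
    Village("Dhamora",  "Rajnagar", 25.000, 79.600, 1500),
    Village("Eran",     "Rajnagar", 25.020, 79.600,  800),
    Village("Gaurihar", "Rajnagar", 25.028, 79.606,  400),
]
FACILITIES = [Facility("school", "Alipura"), Facility("school", "Dhamora"),
              Facility("phc", "Dhamora")]
BY_NAME = {v.name: v for v in VILLAGES}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def nearest_facility_km(village, kind, facilities=FACILITIES):
    """Distance to the nearest facility of `kind`, or None if there is none."""
    sites = [BY_NAME[f.village] for f in facilities if f.kind == kind]
    if not sites:
        return None
    return min(haversine_km(village.lat, village.lon, s.lat, s.lon) for s in sites)


def underserved(kind, norm_km, villages=VILLAGES, facilities=FACILITIES):
    """Block-wise list of (village, distance) beyond the planning norm.

    Grouping by block is the thematic-map view: an officer sees only the
    deficiencies inside his own block boundary.
    """
    gaps = defaultdict(list)
    for v in villages:
        d = nearest_facility_km(v, kind, facilities)
        if d is None or d > norm_km:
            gaps[v.block].append((v.name, None if d is None else round(d, 2)))
    return dict(gaps)


def best_new_site(kind, norm_km, villages=VILLAGES, facilities=FACILITIES):
    """Greedy single-site choice: the underserved village where a new facility
    brings the largest currently underserved population within the norm.
    Returns (village_name, population_newly_covered)."""
    flagged = {name for entries in underserved(kind, norm_km, villages, facilities).values()
               for name, _ in entries}
    best, best_key = None, (-1, -1)
    for cand in villages:
        if cand.name not in flagged:
            continue
        covered = sum(BY_NAME[n].population for n in flagged
                      if haversine_km(cand.lat, cand.lon, BY_NAME[n].lat, BY_NAME[n].lon) <= norm_km)
        key = (covered, cand.population)  # tie-break: more people served at zero distance
        if key > best_key:
            best, best_key = cand.name, key
    return best, best_key[0]


if __name__ == "__main__":
    for block, gaps in sorted(underserved("school", 1.5).items()):
        print(block, gaps)
    print("next school:", best_new_site("school", 1.5))
```

Run as a script, it lists Chandla (Nowgong block) and Eran and Gaurihar (Rajnagar block) as lying beyond 1.5 km of any school, and picks Eran for the next school because a school there also brings Gaurihar within the norm. The same two functions answer the question for any other facility kind in the survey table, which is the point of keeping the spatial layer and the attribute table separate and joining them only at query time.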
Building Blocks

The facility management information system has been developed on a Visual Basic platform and is based on SPANS (Spatial Analysis GIS Software) from PCI Geomatics, a geomatics software solution provider. It runs on a Windows-based Pentium IV desktop, using MS Access for non-spatial data. "Districts that deploy the e-Gram Suvidha need to incur expenditures of up to Rs 2 lakh on setting up the infrastructure, including Rs 45,000-worth software license for SPANS," says Rao.

The e-Gram Suvidha software essentially integrates spatial and non-spatial databases and creates visual representations of various planning scenarios. Its study area encompasses the geographical extent of the districts to create spatial data. For efficacy of the data, it uses the same coordinate system as the one used by Survey of India, the national survey and mapping organization of the country, in capturing spatial features on its toposheets (scale of 1:50,000). Other spatial data include revenue maps (scale of 1:1,25,000) and block road maps (scale ranging between 1:50,000 and 1:85,000). These maps are digitized and marked with shared points (ground control points) to enable integration of maps and sheet-by-sheet digitization.

The spatial data identifies eight base features as its main entities: block boundary, village boundary and locations, roads, railways, rivers, block headquarters, and urban areas. The features are superimposed with secondary spatial and non-spatial related information for analysis and generation of thematic maps for facility planning. This digitized map information is stored as layers in the GIS database. The non-spatial database consists of data from the 11-Point Program, population census and requirements of the district panchayat that delve into the status of the functioning of village amenities and accessibility to services such as post offices and telephones.

"The focus while developing the system was on two fundamental aspects: a user-friendly interface and open-ended design. Its user doesn't require any GIS expertise for its operation. With adequate training, even a new user can operate the system," says Rao.

The system currently supports 20 facilities, and can increase the number of services. One of the unique features about its implementation has been that it incorporated the inputs of its stakeholders across the five districts. During the initial phases, the NIC made several presentations to officials in rural local bodies. This helped in spreading awareness of the technology and also in gathering their inputs prior to the period when the project was approved. Subsequently, the users were involved in studying and analyzing the requirements, onsite training and supply of relevant documents, and project maintenance and support, apart from the implementation.

Roadmap to the Future

At present, data is manually collated and fed into the systems every month. Though the process of computing — and generating appropriate planning solutions — is automated, the method of sourcing the data is still manual. "The system is offline as data is being compiled at state headquarters, and subsequently used by various e-Gram Suvidha divisions," says Rao.

In order to further automate the decision-making process and enable a faster turnaround time, NIC's Madhya Pradesh chapter is in the process of Web-enabling the data dissemination process. A more refined version of data survey and collection format is being envisioned under an advanced program of basic amenities and services. The scope of the program is expected to increase substantially to include many more facilities and services, and increase the granularity of information being collected.

A state-of-the-art data center has been set up in Bhopal, where the data will be collated online from all the districts. With data soon readily available, Rao expects more and more districts in the state to adopt e-Gram Suvidha. "Aided with pictorial representation of current usage and situation of amenities and facilities and deficiencies and problems, users will be able to actually play an important role in not only developing infrastructure of certain areas but the entire state," Rao believes.

"Very soon, we will replace the SPANS with the Web-enabled application," he says. The non-spatial database will then be migrated to Oracle from MS Access, with various access controls duly built in to ensure security of the data once it is ported online. "The entire exercise to take e-Gram Suvidha online will take about six months," Rao says.

NIC Madhya Pradesh is also eyeing future integration with a national-level GIS-based facility management system, which is currently under development. The Government of India has identified 70 parameters to be incorporated into the national-level GIS-based system. "We have already covered a part of those parameters," says Rao, "and would want to include the rest of these into our system in the future before seamlessly integrating with the national system." CIO

SNAPSHOT: e-Gram Suvidha
State: Madhya Pradesh
Coverage: 5 districts
Cost of deployment: Rs 2 lakh per district
No. of facilities: 20
Sectors covered: 10
Scale of maps: > 1:50,000
Maps used: Revenue, Survey of India and Block road maps
Senior correspondent Gunjan Trivedi can be reached at gunjan_t@cio.in
Given the level of IT and communication penetration in India, the only way to bridge the digital divide is to create common access points, says Aruna Sundararajan, CEO (Common Services Center Scheme), IL&FS.

Interview | Aruna Sundararajan

Mapping the Last Mile

As chief executive officer of the CSC project at IL&FS, Aruna Sundararajan is at the helm of one of the largest IT public-private partnerships in the country: a project to deploy 1 lakh common services centers to deliver services to rural citizens. The scheme has the potential of taking e-governance to the next level — and generating employment. By Kunal N. Talgeri

Photo by Srivatsa Shandilya
Imaging by Anil VK

CIO: How far do you think governments in India have come in bridging the country's 'digital divide'?

Aruna Sundararajan: In recent years, there has been increasing focus on this issue. If you look at the first wave of information and communications technologies (ICTs) in India, the preoccupation was with technology, business process reengineering and so on. But in the last couple of years, people have begun to realize that they need to factor in issues like creating access for rural citizens: how do you make sure that technology is available at an affordable price and provides value to rural citizens? The common services centers (CSC) scheme, which I am associated with, is an effort to create 1 lakh rural ICT centers. These are points of access that will serve as mechanisms to deliver service, and are aimed precisely at bridging the digital divide.

Could you elaborate on the CSC scheme and your role in the project?

IL&FS (Infrastructure Leasing & Financial Services) has been designated as the project management agency for this Rs 5,742-crore project. The project is about creating a public-private platform — both in terms of investment and services to be delivered. I am currently with IL&FS, heading the CSC project, and work closely with the department of IT to develop the project and facilitate its implementation in tandem with state governments.

There is a deep emphasis on promoting rural entrepreneurship through the CSC scheme. What's your on-the-ground strategy?

Employment and enterprise creation in rural areas is an integral feature of the CSC scheme. In fact, I'd say that it's one of the top-two or -three objectives of it.
We envisage that common service centers will be set up by local entrepreneurs who will invest and identify the services to be provided to local communities. A network of about 200 such kiosks will be supported by a service center agency, which again will be a private sector agency. This whole concept is one of a multi-tier network. So, it should be capable of, first, providing services that are relevant to a local area. At the second level, it should be able to aggregate and service requirements that emerge in the region. And at the highest level, it should also be able to deliver national-level services. It's the first two tiers that are envisaged as being set up in an entrepreneurial mode. And at the top level, a public-private platform is being envisaged, in which both the government and the private sector will be involved in ensuring that e-governance services are delivered to rural citizens.

Can you throw more light on its business model?

The initial investment will have to come from the people setting up kiosks. They have to sign a service-level agreement with the government on the standards they will maintain. Any revenue support that entrepreneurs get is based on the performance after they've delivered services.

Given that the systems are highly IT-enabled, do you think rural entrepreneurs will come forward?

They will be entrepreneurs in the sense that they will set up businesses that don't have an existing business model or business precedent. But that's why this scheme does not leave the entire issue of sustainability on the village-level entrepreneur. In fact, if you look at the CSCs and rural kiosks that have already been set up in the country, they have not really found ways to be sustainable. The scheme has a calibrated kind of structure, in which government will provide at least a third of a kiosk's revenues via e-governance services. And if kiosks are not able to generate enough revenues, the government actually supports them financially. The scheme has already envisaged that a third of a kiosk's capital expenditure and operating expenditure for four years will be guaranteed by the state and central government. In other words, there is a strong element of financial support inherent in the scheme. In the first four years, entrepreneurs can draw on this support and after that — once the kiosks stabilize — they can be on their own.

What is the level of interest that the CSC project has generated so far?

The level of interest is very high because anything that entails employment opportunities creates interest. This scheme is looking at generating employment to the tune of 2 lakh to 3 lakh jobs. There is a huge amount of interest. At the same time, there are huge challenges to be met. Governments have to get ready to offer a bouquet of e-governance services. Mechanisms have to be put in place to enable service delivery at that level. The whole ecosystem of service provision has to be created. By any measure, this is an unprecedented project in terms of its scale.

At this point, what is crucial to the project?

The NeGP (National e-Governance Plan), which was approved a few months ago, has its core infrastructure components: connectivity, data centers and common service centers. The implementation of NeGP has started. Getting the core infrastructure in place is essential to go forward. The CSC is seen as the last mile delivery point under the NeGP. In a sense, it has also drawn from various existing kiosk projects. Given the current level of IT and communication penetration, the only way to bridge the digital divide is to create common access points, rather than hope that every villager has a PC and an Internet connection. This scheme is trying to replicate the STD/PCO revolution. The CSC model is an extension of it, but only more complex.

In recent times, which states have stood out for their e-governance initiatives?
We all know the early leaders: Andhra Pradesh, Karnataka and Tamil Nadu. Now, across the country, there are states — even among the Hindi heartland states that weren't really known for their use of technology — that have begun to tap IT tools. For example, Madhya Pradesh is using IT for education and Gujarat is using IT for delivering services. Uttaranchal, Punjab and Chhattisgarh, too, have taken strides ahead. Where the CSC project is concerned, Jharkhand is the first state that's done a world-class implementation.
What are the customization challenges that confront the CSC scheme?

The scheme itself is only meant to be a framework because in a country like India, it's impossible to have a one-size-fits-all approach. The scheme provides a lot of flexibility in the way a kiosk can come up, the infrastructure, the kind of services it would like to offer: whether it will provide services to farmers, or healthcare services or e-governance services. Still, there are enormous challenges because e-readiness varies from state to state. The level of infrastructure varies, people's ability to absorb IT varies, and readiness of content and service providers varies. Content is a huge challenge because e-governance services have to be provided in the local language. All these pose challenges for the scheme.

How are you meeting these challenges?

The network itself is a standard base — it is a platform-neutral network. It has to ensure that the broadest number of services can be delivered. Different service providers will work with different technologies. Where the CSC project is concerned, we are ensuring that it will be interoperable and that it can be completely standard-compliant. We are staying away from issues of technology exclusivity.

Won't a project of this size be affected by macro-economic trends such as banks' stand on lending?

The government is being extremely careful that only sustainable financial entities get into the scheme. There is a process of careful due diligence in selecting the service center agency and village-level entrepreneurs. They will have to pass the test of credit worthiness that banks have. At one level, this is not such a huge business, financially-speaking. On the other hand, banks and financial institutions are part of the process to make sure that the whole model is well thought-out and sustainable.

During your stint with Global e-Schools and Communities Initiative (GeSCI), how realistic did you think the ICT approach was in furthering education in India?

Education faces a huge set of challenges in India that need action on several fronts. It has to be oriented towards equipping people with a source of livelihood. It should give them useful skills, which they can leverage to get themselves jobs. It must expand the list of opportunities available. If you look at the objectives of modern education and its needs, technology has a big role to play. The exact role of technology will vary depending on the context. And it is also possible to provide quality education without technology. But, it is becoming increasingly important for people to equip themselves with modern tools. World over, it is difficult to conclusively pinpoint the value addition that technology has for education. But, there is enough feedback to say that you need modern technology in education. It helps overcome challenges.

Does teaching pose challenges in an ICT-enabled approach to education, and of what kind?

Yes, teaching does pose a challenge to this approach. Very often, teachers feel far more uncomfortable with technology than students. A lot of them are unwilling to make the necessary effort to change, learn something new and move to a new paradigm. Also, a lot of the teachers in many states hardly get the necessary training to make the change. If you suddenly introduce them to a new technology, the process of change is not the most optimal one. Training teachers and changing mindsets is a huge challenge. Infrastructure is also a huge challenge in a country like India: water supply, toilets in schools, etcetera. These are choices to be made (at the policy-making level). Do you go with new technology there? So, all these are difficult choices to be made. In many cases, there are no perfect solutions. ICT itself is so new in this area that it's going to take time to develop a model. The education departments, on the whole, are fairly progressive. But again, in a country where you have 10 lakh schools, the number of schools with any kind of IT infrastructure would be very small. CIO

SNAPSHOT: CSC Scheme
Total outlay: Rs 5,742 crore
Distribution of outlay: Centre Rs 856 crore; State Rs 793 crore; Private sector Rs 4,093 crore
No. of CSCs: 1 lakh
CSC-Village Ratio: 1:6
Cost per CSC: Rs 70,000-Rs 3 lakh
Source: Dept of IT, GoI

Chief copy editor Kunal N. Talgeri can be reached at kunal_t@cio.in
Essential Technology
From Inception to Implementation — I.T. That Matters

The Hidden Challenges of Federated Identity
By Phillip J. Windley

Federation is the logical goal of identity infrastructures, but achieving it takes more than just technology.

Illustration by MM Shanith
For years, companies have kept stores of identity information about employees, customers and partners. These databases and directories are critical components of a company's identity infrastructure. But as businesses push to create new products and increase productivity, they have discovered that they often must cooperate to provide the services their customers and employees demand. Centralized systems just aren't possible in these cases. Instead, organizations must turn to a decentralized approach, termed 'federated identity management'.

Federated identity systems bring together two or more separately managed identity systems to perform mutual authentication and authorization tasks and to share identity attributes. To users, federated identity systems present a way for a single identity to be used across multiple systems and services. But behind the scenes, it's more complicated than that. Not surprisingly, the hard part isn't usually the technology. Rather, the hard part is governing the processes and business relationships to ensure that the federation is reliable, secure, and affords appropriate privacy protections. "There are no commonly accepted best practices, no commonly accepted agreements," says John Jackson, director of software technology at General Motors. "Chances are, one of the parties is doing [federation] for the first time, and the legal implications are not always straightforward."
Complicating Your Life

Some federations are relatively simple and, as a consequence, easy to govern. For example, if you offer an online service, federating with the identity system of your largest client offers real benefits. The fact that you already have a business relationship with the client makes structuring the federation easy, and such an arrangement rarely involves financial or privacy risks. Delegating the administration of identities to your client means you no longer have to respond to customer calls over lost passwords. In addition, federation creates value for your corporate clients by increasing convenience and reducing security concerns. These kinds of win-win scenarios drive federation.

When a user who has been authenticated by one party takes an action on another site that has real financial consequences, however, the situation becomes more complicated. The problems come down to turf, regulatory requirements and liability. For example, federating systems for employee portals raises questions about who owns the data associated with various identities and who has the final say when data doesn't agree. Ownership issues aren't limited to external partners; federations between the HR and finance divisions of a single company can sometimes be the most acrimonious. What's more, the regulatory burden can be immense when you're dealing with financial or health data, both likely scenarios in an employee portal. Global companies have an even bigger problem, given the overlapping and sometimes contradictory requirements of privacy laws around the world.
Employee portals also raise the issue of shared financial responsibility. When a company authenticates an employee for its 401(k) provider (employers sometimes sponsor retirement plans), it is saying, in effect, "We vouch for this person." But if something goes wrong and there's a loss, who's responsible? While disentangling a company from the responsibility of providing the outside service is an important benefit of outsourcing, federation requires that employers take back some of that responsibility in exchange for a better user experience and more accurate data.

One of the lessons GM's Jackson has learned in the process of federating third-party services in an employee portal is that legal staff must be educated on the ramifications of federation. On the other side, the service provider must strike a balance. "You can't be too loose, so as to expose yourself to breaches of fiduciary responsibility," says Roger Sullivan, vice president of business development at Oracle. "But, on the other hand, you can't make it so restrictive that it's more difficult to trade using this automated model than it would be using paper."
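The "we vouch for this person" step, and the checks the party being vouched to must make before it acts, can be shown concretely. The following is an added example written for this page, not code from the article, from GM or from Oracle. It uses a simplified HMAC-signed JSON assertion where a real federation would use SAML or a comparable standard, and the issuer names, audience names, attribute names and shared key are assumptions. The identity provider releases only the attributes the federation agreement allows for a given audience, which is where the privacy concern above becomes enforceable rather than contractual. The relying party verifies the partner's signature with the key from its own partner registry, insists the assertion was issued for it (so an assertion meant for a low-risk travel application cannot be presented to the 401(k) provider), rejects stale and replayed assertions, and honours a revocation list for the subject.

```python
"""Minimal federated assertion exchange: an identity provider (IdP) vouches
for a user, a relying party (RP) decides whether to trust the assertion.
Added example, not code from the article, GM or Oracle. The HMAC-signed JSON
token, field names, partner registry and revocation list are assumptions for
illustration; real federations use SAML or a comparable standard, but the RP
has to make the same checks."""
import base64
import hashlib
import hmac
import json
import secrets
import time

REQUIRED = {"iss", "aud", "sub", "iat", "exp", "jti", "attrs"}


class FederationError(Exception):
    """Carries the reason an assertion was refused."""


def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def unb64(enc):
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


class IdentityProvider:
    """Authenticates the user and says 'we vouch for this person'."""

    def __init__(self, issuer, key, release_policy):
        self.issuer, self.key = issuer, key
        self.release_policy = release_policy  # audience -> attributes agreed for it

    def issue(self, subject, audience, attributes, ttl=300, now=None):
        now = int(time.time()) if now is None else now
        allowed = self.release_policy.get(audience, set())
        claims = {
            "iss": self.issuer,
            "aud": audience,              # bound to one relying party
            "sub": subject,
            "iat": now,
            "exp": now + ttl,             # short-lived
            "jti": secrets.token_hex(8),  # unique id so the RP can spot replays
            # privacy: release only the attributes this audience is entitled to
            "attrs": {k: v for k, v in attributes.items() if k in allowed},
        }
        body = b64(json.dumps(claims, sort_keys=True).encode())
        return body + b"." + b64(hmac.new(self.key, body, hashlib.sha256).digest())


class RelyingParty:
    """Decides whether to act on a partner's assertion."""

    def __init__(self, audience, partner_keys, skew=30):
        self.audience, self.skew = audience, skew
        self.partner_keys = partner_keys  # issuer -> key: the federation agreement
        self.seen_ids, self.revoked = set(), set()  # replay cache; (issuer, subject)

    def revoke(self, issuer, subject):
        self.revoked.add((issuer, subject))

    def verify(self, token, now=None):
        now = int(time.time()) if now is None else now
        try:
            body, sig = token.split(b".")
            sig_raw, claims = unb64(sig), json.loads(unb64(body))
        except (ValueError, UnicodeDecodeError):
            raise FederationError("malformed assertion")
        if not isinstance(claims, dict) or not REQUIRED.issubset(claims):
            raise FederationError("malformed assertion")
        # Before the signature check, read only the issuer name, and only to
        # pick a key from the registry of partners we have an agreement with.
        key = self.partner_keys.get(claims["iss"])
        if key is None:
            raise FederationError("unknown issuer")
        if not hmac.compare_digest(sig_raw, hmac.new(key, body, hashlib.sha256).digest()):
            raise FederationError("bad signature")
        if claims["aud"] != self.audience:
            raise FederationError("wrong audience")
        if claims["iat"] > now + self.skew or claims["exp"] < now - self.skew:
            raise FederationError("expired or not yet valid")
        if claims["jti"] in self.seen_ids:
            raise FederationError("replayed assertion")
        if (claims["iss"], claims["sub"]) in self.revoked:
            raise FederationError("subject revoked")
        self.seen_ids.add(claims["jti"])
        return claims


def decode_claims(token):
    """Parse without verifying: fine for a log line, never for an access decision."""
    return json.loads(unb64(token.split(b".")[0]))


def outcome(rp, token, now=None):
    """'accepted' or the refusal reason, as you would write it to the audit log."""
    try:
        rp.verify(token, now)
        return "accepted"
    except FederationError as err:
        return str(err)
```

To exercise it, create an IdentityProvider for the employer with a release policy that grants the retirement plan only an employee id and a name, a RelyingParty for the plan holding the same key, and issue an assertion carrying a salary attribute as well: decode_claims shows the salary was never released, outcome returns "accepted" once and "replayed assertion" on the second presentation, a RelyingParty for a travel application returns "wrong audience", a RelyingParty holding a different key returns "bad signature", and a subject added with revoke is refused even with a fresh assertion. The audit log that the article says can "convince skeptics" is exactly the stream of these outcomes, kept by the relying party against its own partner registry rather than trusted from the other side.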
Pain Points for Federation
With governance, there are four primary areas of focus: business issues, liability, privacy and security. The business issues can include details of who does what, who pays for what, and revenue-sharing agreements. Most of these are straightforward and are probably already outlined in existing business agreements. Liability is a tougher problem. Working through the liability issues “ultimately comes down to a common desire by both parties to use federation,” says GM’s Jackson. “Both organizations have to come to an understanding that it’s worth the risk and then work through the issues.” There are no set formulas for assigning risk. “It’s largely ad hoc and dependent on the nature of the application and how large the risk is,” Jackson says. “A travel application is smaller risk than someone’s 401(k).” Auditing can help mitigate liability concerns. Whether you perform your own due diligence or rely on an external auditor, an audit can convince skeptics that your partner can be trusted with your company’s data. Keep in mind, though, that your partner will want to hold you to the same standards. If you’re going to require an SAS70 audit (acronym for the American Institute of Certified Public Accountants Statement on Auditing Standards) of your partner, be prepared to submit your own organization to the same treatment. Privacy sometimes gets short-changed in IT projects, but you can’t ignore it in federation. Many federations include more than mere authentication. The identifying party may be providing personal data to the federation partner, including things like social security number, birth date, and even credit card information, depending on the application. In many cases, use of this data is governed by regulations, especially in Europe and for certain verticals in the United States, such as finance and health. In other cases, you may have promised to protect your customers’ data in specific ways; federation requires that these same protections be offered by your partners. “Revocation of identity credentials is also a key element of any federated scheme,” says Scott Blackmer, an attorney who specializes in IT and privacy law. “Otherwise, federation amplifies the threat of fraud, identity theft, and misattribution of content and opinions, as one party after another relies on bad credentials. Federation should include a system for verifying challenges to identity credentials and suspending or revoking them when they have expired or become suspect.”
REAL CIO WORLD | December 1, 2006
Federated Identity Checklist
Staying abreast of best practices can keep your company ahead of the game.
Start with internal projects.
Find an experienced partner for your first external federation.
Find win-win situations where both parties gain business benefits.
Pay attention to privacy.
Make sure any regulatory requirements are met.
Create a center of excellence in the CIO’s office.
Establish a federated identity council to get input from business users.
Educate the legal department about federation.
Get your policy creation process up to speed and build a set of identity policies.
Create an interoperability framework that outlines products and standards to use.
Ensure that the process for revoking credentials is clearly outlined.
— P.J.W
essential technology
Federation in Action
[Infographic (Vikas Kapoor)] By linking identity systems, partner companies can give users seamless access to one another’s network resources. WidgetCo is the source, RetireCo the destination.
1 Mary browses WidgetCo’s employee portal
2 WidgetCo returns a page with a link to RetireCo containing a unique token
3 Mary clicks the link for RetireCo
4 RetireCo sends a SAML request with the link token to WidgetCo
5 WidgetCo sends a SAML response to RetireCo with information about Mary
The Importance of Policy
The ultimate goal of federation is to enable decentralized and distributed identity systems to interoperate in a way that provides all the necessary features for supporting modern business practices. The Internet is the best example of an interoperable, distributed system; protocols and the policies that govern network interactions are the pixie dust that makes it all possible. Similarly, making federated identity work for your organization requires that you pay attention to protocol and policy. It’s important that you choose which of the competing federation standards you’ll use and which you won’t. Record your choices in a special policy called an IF (interoperability framework). An IF is nothing more than a list that explains what choices the organization has made. It categorizes standards, requiring some and encouraging others. It can also say which standards are sustained but shouldn’t be used in new deployments. Because federation will include outside partners who might have made different choices, an IF should have flexibility built in, including an easy way to get exceptions. A clear benefit of an IF is that it ensures that other policies don’t reference specific standards, which could cause them to get quickly out of date when the standards change. Beyond the technical standards that are critical for interoperability, other important policies govern how the business uses, controls and protects identity data. Your federation policies should cover how your organization establishes trust in partners, what reviews are necessary for what kinds of projects, and how data will be protected. How do you get business units to play along? Hewlett-Packard, one of the world’s largest companies, has succeeded in creating a federated identity system that contains more than 21 million separate identities and is used by more than 200 different applications that are managed by multiple business units. “We use carrots and sticks,” says Anjali Anagol-Subbarao, HP’s chief architect for identity management. “We’ve shown that using the federated identity management system is about one-third the cost of creating a new system for an application. Since each project has to justify itself on ROI, project managers want to use the federated system.” For those who don’t, policies from the CIO’s office provide the stick necessary to drive the desired behavior. Anagol-Subbarao also points out the value of outside consultants and analysts. “Getting outside help can validate the system and confirms that the approach is sound,” she says.
Where to Begin
Many of the companies seeing success in identity federation have one thing in common: they’ve created a COE (center of excellence) in the CIO’s office, a federated identity management council, or both. A COE can help disseminate information, make architectural choices, and educate projects about how federated identity is used in your company. The management council draws business units into the process — an important step, as most federation governance issues are rooted in the business. HP employs an architecture council to develop its federation methodology and strategy, according to Anagol-Subbarao. The council employs use cases to create companywide principles that answer questions like: how will users be linked? Is personalization important? How do we provide for auditability? “These questions have architectural ramifications. We’ve come up with a strategy for what is important to HP as a business,” says Anagol-Subbarao. Internal SSO (single sign-on) projects are great places to start because they provide a place to choose standards and projects without the pressure from outside partners. Plus, they’re likely to show good short-term ROI. The trick is to make sure your SSO projects don’t become calls for centralized directories, but rather employ federation technologies to do the job. Many of the applications that you retrofit for SSO will be Web-enabled. “Start with simple browser-based access to applications inside the corporation,” says Timo Skytta, director of Web services at Nokia. Browser-based applications are the low-hanging fruit of federation because off-the-shelf identity products from vendors, including Oracle, RSA, Novell and others, can often be retrofitted into the server-side code with little fuss. Federation projects within your organization have another big advantage: they force you to clean up your infrastructure. GM’s Jackson says it’s the first step, and you can scale from there. “If you go back five years, we had an uncontrolled number of identity sources, user IDs, and passwords; we even had multiples in single environments,” Jackson says. “We had multiple directories in every flavor you can imagine. Over the last few years, we’ve consolidated directories and the way we do authentication. We felt we couldn’t move forward with more sophisticated identity projects until we did that.” After you’ve got a few internal federations under your belt, it’s time to move outside the firewall. Partnering with someone who’s already worked through complex federation problems is a great way to learn.
Putting the User in Charge of Identity
Federation doesn’t have to be a behind-the-scenes interaction between big companies. Lately, an idea called ‘user-centric identity’ has gained traction. It revolves around a few core principles, most notably the idea that users should be allowed to choose which identity credentials to present in response to an authentication or attribute request. A number of user-centric identity systems are available now, and more are in the works. These range from simple, URL-based systems such as OpenID and LID (Light-Weight Identity), to such commercial offerings as Sxip and Microsoft InfoCard. Harvard’s Berkman Center, IBM, and Novell jointly announced a new user-centric system, the Higgins Project, in February. The idea of choice appeals to most people, but what are the implications of this change? Suppose I work for WidgetCo, which has federated its employee portal with RetireCo, a provider of 401(k) investment services. Under a standard federation scenario, I would log in to the employee portal, and when I linked out to RetireCo, WidgetCo would send a SAML (Security Assertion Markup Language) token asserting my identity to RetireCo’s server. If RetireCo needed other data about me, it could request it from WidgetCo. In this scenario, my involvement is limited to logging in and clicking the link. In fact, the only things that tie those actions to the transfer of my identity data are the policies and security of the employee portal. There’s nothing in the structure of the federation that requires my involvement; WidgetCo and RetireCo could exchange information about me anytime they wanted, and I would be none the wiser. User-centric identity models solve this problem structurally by inserting the owner of the identity data into the transaction. In the user-centric model, when RetireCo needs identity information, the request comes to me.
I then choose which credential to present, much like you choose which credit card to present when asked to pay for a purchase. I might choose to use my WidgetCo identity, or possibly some other credential acceptable to RetireCo. I could set up defaults or rules to process the request automatically. But, in any case, I would choose who has access to my identity attributes and how that identity data is presented. This change doesn’t just benefit the user. There are real advantages for RetireCo and for WidgetCo as well. For instance, in the classic federation scenario we imagined earlier, if WidgetCo mistakenly sends my identity attributes to RetireCo, resulting in a financial loss, the former has to accept some of the responsibility. But in the user-centric scenario, any such request has been approved by me — significantly reducing the risk to both companies. — P.J.W.
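The classic WidgetCo-to-RetireCo exchange from the “Federation in Action” figure and the sidebar above, as a constructed Python model that is not the article’s, WidgetCo’s or any vendor’s code. It adds the two checks Blackmer’s remark on revocation calls for: the link token is single-use and time-limited, WidgetCo refuses to vouch for a suspended user, and RetireCo verifies the assertion’s signature and expiry before trusting it. The shared key, the token lifetime and the assertion layout are assumptions of this example, not details from the article.

```python
"""Toy model of the WidgetCo -> RetireCo flow from the "Federation in Action"
figure, with the expiry and revocation checks Blackmer calls for. Constructed
example for this page; not the article's, WidgetCo's, or any vendor's code."""
import hashlib
import hmac
import secrets
import time

# Constructed shared secret standing in for the signing key of a real SAML setup.
SHARED_KEY = b"constructed-widgetco-retireco-key"
TOKEN_TTL = 300  # seconds a link token, and the assertion built from it, stays valid


class WidgetCo:
    """The source (identity provider): authenticates Mary and vouches for her."""

    def __init__(self):
        self.link_tokens = {}  # token -> (user, issued_at); each token is single-use
        self.revoked = set()   # users whose credentials are suspended or revoked

    def issue_link_token(self, user):
        """Step 2: the portal page carries a link to RetireCo with a unique token."""
        token = secrets.token_urlsafe(16)
        self.link_tokens[token] = (user, time.time())
        return token

    def saml_response(self, token, now=None):
        """Step 5: answer RetireCo's request. None means 'we will not vouch'."""
        now = time.time() if now is None else now
        entry = self.link_tokens.pop(token, None)  # a replayed token finds nothing
        if entry is None:
            return None
        user, issued_at = entry
        if now - issued_at > TOKEN_TTL or user in self.revoked:
            return None  # stale link, or a credential that has become suspect
        body = f"{user}|{int(now)}|{int(now) + TOKEN_TTL}"  # subject|issued|expires
        sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
        return body, sig


class RetireCo:
    """The destination (service provider): relies on WidgetCo's assertion."""

    def __init__(self, idp):
        self.idp = idp

    def login_with_token(self, token, now=None):
        """Step 4: send the link token to WidgetCo; accept only a valid, unexpired answer."""
        now = time.time() if now is None else now
        resp = self.idp.saml_response(token, now)
        if resp is None:
            return None
        body, sig = resp
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or altered assertion
        user, _issued, expires = body.split("|")
        return user if now < int(expires) else None  # the relying party checks expiry too
```

Presenting the same link token twice, presenting it after TOKEN_TTL seconds, or presenting it after the user has been added to WidgetCo’s revoked set all yield None at RetireCo; only a fresh token for a user in good standing logs Mary in.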
Federating with an existing business partner is preferable because you can leverage agreements that you already have. Interestingly, one of the biggest challenges in federated identity governance is often getting companies to talk to one another. “It’s hard to get people to come out and document what they’ve done because it’s a business benefit for them — the second customer integration [is] much easier,” says Nokia’s Skytta. The irony is that federation requires sharing solutions. “There are plenty of questions, and no one has all the answers yet.” CIO
Reprinted with permission. Copyright 2006. InfoWorld.
Phillip J. Windley is a contributing editor at InfoWorld, an associate professor of computer science at Brigham Young University, and author of Digital Identity. Send feedback on this feature to editor@cio.in
Pundit
GPL3: The Gloves Come Off
Before you take sides, here’s what you should know about General Public License, version 3.
By Bernard Golden
A few months ago, there was a showdown in the open source world over GPL3. At one end of the dusty street, there were Linux kernel developers led by Linus Torvalds. And at the other end, the Free Software Foundation (FSF), led by Richard Stallman. The two gangs faced off. “There’s a new license in town,” said Stallman. “It’s going to clean things up, so that everyone can be free.” Torvalds retorted: “We’ve lived just fine with GPL2, and we’re going to keep it that way.”
It's likely that organizations will set a policy barring the use of GPL3-licensed products in their software infrastructures.
What followed wasn’t dramatic, though it made for serious discussion and some laughs. A group of Linux kernel developers published a paper, citing their concerns about GPL3. A train of comments, rejoinders and remarks followed in the kernel mailing list. Here are the key things you should know about what the paper states and, more importantly, what the import of GPL3 is. First of all, the fact that a number of kernel developers organized themselves enough to generate this paper should indicate the depth of concern about GPL3. Second, there was some talk that the Linux kernel will remain under GPL2. Torvalds makes that decision, and it’s clear he wants GPL2. As many have pointed out, Linux contains far more than the kernel, since distros usually have utilities and many other applications shipped in them. The question is: what license will those other things be distributed under? There was discussion that the conditions of GPL3 might cause the forking of some of those other parts of the distro into GPL2 and GPL3 versions, with a concomitant requirement for more engineering effort. This forking would be caused by users being unwilling to live with GPL3 conditions for the products and moving toward maintaining GPL2-based versions.
The third key aspect of the paper is that referring to the DRM conditions of GPL3 as ‘Tivoization’ trivializes the issue. It’s easy to sympathise with those wanting to tweak their Tivo to do more than what it delivers. However, the issue is the ability for a hardware manufacturer to block users from manipulating the software inside a machine. Sure, it’s easy to say that Tivo shouldn’t be able to do that, but other scenarios illustrate more serious implications of this ability. For example, should a medical device company be able to preclude end users from modifying how a device works? I don’t want to wonder whether a radiation-emitting machine pointed at my tumor has been ‘improved’ by the radiation tech team. This is an extreme example, but illustrates what precluding DRM could cause. In any case, no manufacturer subject to liability laws would deliver software-embedding products that were licensed under conditions by which they could not guarantee its operation. Fourth, Torvalds noted that the comment process surrounding GPL3 seems to be designed to let FSF say that they've entertained feedback on the license, while letting them ultimately publish the license as they see fit. In fact, the comment process has been scandalously opaque. It’s impossible to see all the comments that have been submitted, the various committees organized by the FSF to represent important end-user constituencies and their members. Fifth, one can expect the final version of GPL3 to resemble its two drafts. Once the license has been published and its implications recognized, most organizations are likely to set a policy precluding the use of GPL3-licensed products in their software infrastructures. This will cause some confusion in terms of open-source usage. It’s likely that there will be code forks of important products to ensure they continue to be available under GPL2; this is regrettable and will certainly cause more work. CIO
Bernard Golden is CEO of Navica, an open source consultancy, and the author of Succeeding With Open Source (Addison-Wesley, 2004). Send feedback on this column to editor@cio.in