Decision makers often have difficulty selecting appropriate software

Transcription

1 InSide Gartner This Week Vol. XIX, No. 23, 4 June 2003 Management Update: CRM Vendor Evaluations in a Volatile Market Decision makers often have difficulty selecting appropriate software packages for customer relationship management (CRM) initiatives. Complicated and protracted evaluations are frequent, caused by oversights made by project teams, internal politics, and unfamiliarity with technologies and vendors. Gartner provides a blueprint for success. Assessment of CRM Initiatives With the end of the technology boom and increasing conservatism in IT investments, enterprises are less tolerant of inefficient product selection processes. In today s uncertain economic environment, it is more critical than ever that buyers better manage risk in their CRM application procurements through the use of a disciplined selection process. (continued on page 2) CIO Update: Web Services Provider Platforms and Delivering Functionality as a Service The ability to deliver functionality as a Web service is rapidly becoming an intrinsic capability across a wide range of software platforms. Gartner provides guidance on what a Web services provider platform is, how to find one, how it will fit into an overall service-oriented architecture (SOA) and what best practices to follow to ensure a successful strategy. Obtaining a Web Services Provider Platform Enterprises using standardized application servers are likely to already have the provider platform capability in-house. And increasingly, other types of platforms and applications are being imbued with this capability. Thus, many enterprises will not have to purchase a provider platform In This Issue... 1 Management Update: CRM Vendor Evaluations in a Volatile Market Decision makers often have difficulty in selecting software for customer relationship management (CRM) initiatives. Gartner provides a blueprint for success. 1 CIO Update: Web Services Provider Platforms and Delivering Functionality as a Service Gartner provides guidance on what a Web services provider platform is, how to find one, how it will fit into an overall serviceoriented architecture and what best practices to follow to ensure a successful strategy. 14 CIO Update: Enterprise Security Moves Toward Intrusion Prevention As targeted hacker attacks increase, intrusion prevention is gaining importance while intrusion detection is fading away. Gartner has defined three key criteria for true network-based and host-based intrusion prevention. 17 Management Update: The Real Payoff From IT Outsourcing Is Quality, Not Cost Reduction It is critical that an enterprise understands the proper way to evaluate its outsourcing strategy. The long-term view should always be taken. Cost reductions aren t always possible, so enterprises must focus on other benefits. 19 At Random (continued on page 8)

2 Management Update: CRM Vendor Evaluations in a Volatile Market (continued from page 1) To help ensure the success of CRM initiatives, the application evaluation process must include a thorough assessment of the potential pitfalls and the tactical and strategic consequences of an application acquisition. Buyers must be able to accurately determine their functional and technical requirements to enable meaningful comparisons to what is available in the software market. Keys to a Successful Assessment Process Key Issue: What methods should be employed to ensure a comprehensive assessment of competing CRM vendors, service providers and technologies? Tactical Guidelines: A CRM application evaluation can take four to 12 months and require the participation of as many as 20 people. Enterprises must establish a disciplined evaluation process to manage time and resources effectively, and to avoid rash actions and unnecessary delays. Devoting sufficient time and focus to the early phases of the evaluation process will help avoid future difficulties in documenting milestones, building consensus, explaining analyses and justifying final conclusions. Throughout the evaluation process, it is critical to remain focused on three key activities: Identifying Requirements. A comprehensive review of the enterprise s requirements and of the potential tradeoffs that can be made in meeting those requirements is the critical first step. This review will lead to the identification of selection criteria that will be used as the basis for measuring the appeal of prospective vendors. Developing the Evaluation Framework. Disparate criteria must be consolidated into a framework and prioritized to reflect the enterprise s concerns, and to ensure consistency when evaluating vendors, products and services. This is a significant issue, for the selection of CRM applications often involves multiple constituencies with competing agendas and perspectives that must be reconciled. Evaluating Vendors Capabilities. Finally, project teams must collect, compile and score information on vendors and their products. The team may have too little information on certain issues and may have to do more research, or it may have too much information from numerous sources and struggle to consolidate it. Mismanagement or insufficient focus in any of these three key areas can derail a product selection project. The potential consequences of such oversights include major delays in the completion of the procurements, the loss of money through poor use of resources or investments, and a poor product selection or no selection at all, if the process breaks down to the point that no decision can be reached. Avoiding this fate requires that these activities be conducted within the framework of a disciplined and comprehensive application evaluation and selection process. This process should be segmented into three major phases: internal needs assessment; research and analysis; and negotiation and selection (see Figure 1). The internal needs assessment should be closely aligned with the enterprise s CRM business strategy, and should include efforts to identify opportunities for automation. The objective of this review is to determine which processes the new purchases must automate. The efforts in this phase include preparing the vehicles for collecting data in the subsequent research and analysis phase. These vehicles include: Request for information surveys for vendors 2003 Gartner, Inc. and/or its Affiliates. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. Additional subscriptions may be ordered for an annual fee ($500 in the United States for 50 issues per year; higher pricing may apply elsewhere). Multiple reprint prices are available on request; contact Gartner at Comments can be ed to: inside@gartner.com. 2 Inside Gartner This Week

3 Figure 1 Phases in the Evaluation and Selection Process Phase 1: Needs Assessment (5 to 8 weeks) Confirm opportunity for automation Create project team Define detailed requirements Prioritize criteria Establish long list Generate RFI/RFP Prepare demo scripts, reference interview surveys and user evaluation forms Source: Gartner Research Phase 2: Research and Analysis (4 to 8 weeks) Compile responses Conduct due diligence Establish short list Perform in-depth vendor analysis Solicit presentations and proof-of-concept pilots Select finalists Phase 3: Negotiation and Selection (3 to 6 weeks) Submit conclusions Select winner Craft negotiating strategy Negotiate contract Initiate relationship RFI request for information RFP request for proposal Action Items: Before considering solutions, enterprises must reach a consensus on the scope of the evaluation, establish processes and milestones for qualifying or disqualifying prospective candidates, and determine what information they will use to validate vendor claims. Enterprises should select products using six high-level criteria: functionality, technical architecture, cost, services, vendor viability and vision. The latter three should represent close to half the weight of the purchase decision. Setting Up the Process and Examining Criteria in Detail User evaluation forms for product demonstrations Reference interview questionnaires and vendor performance scorecards Once the needs assessment is complete, the capabilities of the competing vendors and their products are mapped to the defined requirements. Analysis of this data should result in negotiations with a selection of finalists that have the greatest potential to meet expectations. 4 June 2003 Gartner recommends that a topdown, hierarchical approach be used to identify, organize and weight the issues affecting the success of a product acquisition (see Figure 2). The first step is to determine which enterprise business goals the application implementation must accomplish. Next, decision makers should examine six highlevel criteria to evaluate vendors: functionality, technical architecture, costs, services, viability and vision. Members of the project team should prioritize each criterion s importance to the enterprise. The process of defining and weighting these six criteria should be repeated until a satisfactory level of detail has been addressed. Gartner has developed a baseline weighting scheme to use as a starting point in prioritizing each of the six high-level criteria: Functionality: 24% Technical architecture: 16% Cost: 15% Services: 20% Viability: 18% Vendor vision: 7% Key Issue: What are the significant criteria to consider when analyzing CRM vendors, products and services? Tactical Guideline: When creating the evaluation framework, it is important to establish a rigorous, clearly defined scoring methodology for reviewing potentially disparate and conflicting sources of vendor performance information. During the requirements definition process, key criteria are identified and relative weighting are established. Eventually the analysis raises questions that are reasonable but not significant enough to require prioritization. For each of the most detailed and weighted criteria at the bottom of the evaluation framework, specific requirements will form the foundation of the enterprise s needs assessment. 3

4 Management Update: CRM Vendor Evaluations in a Volatile Market (continued) Figure 2 A Hierarchical Framework for CRM Application Evaluation Goal Confirm the objective Functionality Technical Architecture Cost Services Viability Vision Use six perspectives to perform due diligence SFA Marketing CSS Platform Support Distributed Computing Scalability Integration User Interfaces Initial Costs Ongoing Costs Professional Services Ongoing Support Financial Organization Market Product Service Corporate Explore the critical factors in each area that will affect success in achieving the defined objective Development Environment Source: Gartner Research CSS SFA customer service and support sales force automation Functionality Evaluation Criteria Tactical Guidelines: Enterprises with stable business models and technology infrastructures should consider broader suites, while those with evolving business models will be drawn to best-of-breed components. In prioritizing evaluation criteria, buyers must bear in mind that a vendor will have domain expertise only in a limited set of markets. They should be wary of vendors offering complete business solutions that really represent conglomerations based on acquisitions, in-house development and partnerships. Project teams typically refine their requirements analysis by first investigating their functional needs before assessing the field-deployable capabilities available from solution vendors. In this more-stringent fiscal environment, enterprises must also focus on solutions that address immediate business needs and offer the greatest potential for a positive return on investment. The scope of functionality of many CRM initiatives includes only sales force automation, marketing automation, customer service and support, and field service (see Figure 3). To provide this functionality, CRM suites and best-of-breed applications are available. Project teams should be aware, however, that no single vendor has developed a monolithic solution with best-of-breed functionality in every major category of customer-facing, front-office applications. Vendors still tend to focus on providing functionally strong products in areas where they initially experienced success, or in areas immediately complementary to their core expertise. Decision makers should consider how well these vendor core strengths map to the enterprise s needs. Action Item: Enterprises should favor vendors that have articulated clear visions for their domains, and use references, scripted product demonstrations and case studies to validate their claims. 4 Inside Gartner This Week

5 Technical Architecture Evaluation Criteria Tactical Guideline: Enterprises should investigate the potential impact that product rewrites, acquisitions or enhancements will have on prospective solutions ability to meet scalability, integration, usability and manageability requirements. The category of technical architecture addresses the overall design of CRM applications. It also examines how the components of the software integrate and interact with each other, and with third-party hardware and software systems. Decision makers must verify that the software products comply with enterprise technical standards that are in use or being considered for the future, and how easily these offerings can integrate with installed systems. This audit of the technological fit between the alternatives being evaluated and the enterprise s technical environment helps buyers anticipate additional purchases or customization that would be required to implement an overall CRM strategy. Action Item: Enterprises should carefully prioritize the importance of technological components, and ensure from the beginning that all the pieces work together. They should strive to implement open (as opposed to vendor-proprietary) solutions and standards wherever possible. Cost Evaluation Criteria Tactical Guideline: Enterprises must gain a comprehensive understanding of the initial and ongoing costs associated with a solution. They should be aware that vendors may seek maintenance agreements and other service fees to recoup revenue lost through aggressive software price discounting. Cost analyses should include all financial outlays for procuring and implementing a CRM application and managing the installation on an ongoing basis. Especially important is a thorough grasp of consulting fees for customization and integration, as well as initial training fees. Also of concern are ongoing postimplementation expenses, including Figure 3 CRM Application Core Functionality Sales Force Automation Marketing Automation Customer Service Opportunity tracking Sales configuration Sell-side e-commerce Order management Telesales Managing campaigns Web-based marketing Content management Telemarketing Call management E-services Knowledge bases Field services Contact Center Technologies: CTI, IVR, Predictive Dialers, Universal Queues Data Warehouse Technologies: Analytics, Reporting Tools, ETL Tools, Data Marts Source: Gartner Research CTI ETL IVR computer-telephony integration extraction, transformation and loading interactive voice response 4 June

6 Management Update: CRM Vendor Evaluations in a Volatile Market (continued) maintenance fees, additional training, and additional consulting fees for upgrading or customizing software to support evolving technical and business requirements. Action Item: Do not accept standard, vendor-supplied software-licensing agreements. Seek to purchase only the licenses that are needed at a discount from list price, and be wary of spiraling costs caused by postimplementation expenses. Secure maintenance agreements that represent a percentage of discounted software license investments, and seek payment schedules that secure maximum leverage in any relationship with a prospective vendor. Service Evaluation Criteria Tactical Guidelines: Expect to weight services as the second-most-important criterion, following product functionality, in assessing the value of a vendor relationship. Users should carefully examine the maturity of vendors professional service organizations (PSOs), especially their experience with complex implementations involving multiple thirdparty products or major integration requirements. When procuring CRM systems, user organizations must ensure that they can efficiently incorporate and use these products to support their business objectives. Such efforts require consulting expertise, problem-resolution capabilities and knowledge transfer of skills that are critical to using the application. The evaluation team should assess the quality and availability of professional services dedicated to a solution, such as business consulting, implementation and training. The team should also address key ongoing support issues such as help desk support, documentation and maintenance services. The provision of these services is a critical factor that impacts customer satisfaction, product acceptance and successful long-term business relationships. Action Items: Focus the analysis of services on two perspectives: The professional services offered to maximize the product s value, and the ongoing support services needed to ensure reliable operation of the software. Identify vendors that have a strong network of service partners, and be wary of those forced to go it alone in providing professional services. Vendor Viability Evaluation Criteria Tactical Guideline: Enterprises must anticipate that restrained IT spending will slow the operations of most providers. Products may be sophisticated and have high levels of service, but can the vendor sustain these standards? It is critical that enterprises confirm the financial condition, organizational stability and market position of the vendors they are considering. This three-dimensional perspective will enable buying centers to better anticipate whether a vendor will become a leader, remain competitive, become a potential acquisition target, or fail and exit the market. The latter two outcomes could have far-reaching ramifications, placing significant burdens on user organizations. Such consequences may include: Substantially increased maintenance costs Loss of competitive advantage due to disrupted product innovation The need to revisit the entire procurement decision Action Item: In light of economic conditions, carefully weigh the tradeoffs between a vendor s viability and the technical attractiveness or cost competitiveness of its offerings. Vendor Vision Evaluation Criteria Tactical Guideline: A prospective vendor should have a plausible blueprint for continuing innovation, extending services (internally and externally) and ensuring its own survival in the marketplace. The high-level commitment of time, money and personnel required to implement and manage CRM applications mandates a review of the stated visions of the CRM 6 Inside Gartner This Week

7 vendors being considered. Users should determine the compatibility between a prospective vendor relationship and the long-term objectives of the enterprise. This analysis should measure a vendor s probability of: Carrying out future product plans Delivering consistent levels of service Maintaining or improving its market position Action Item: Evaluate each prospective vendor s strategic directions for product and business development, assess the attractiveness of that vision and its likelihood of being realized, and determine how well the vendor s priorities align with the enterprise s strategies and business requirements. Summary The quality of the evaluation and selection process is among the most critical factors that affect the success of a CRM implementation. The research and due diligence efforts undertaken during a well-planned and conducted evaluation and selection process will also help reduce and manage risks in the long term. Managing risk is paramount when considering the adoption of new technologies, especially those that affect front-office processes and interactions with customers and prospects. Special attention should be paid to the risk that an inappropriate product or vendor relationship could undermine a business objective. Buying centers must realize that the procurement of CRM products establishes relationships with vendors if not a series of relationships with the vendors product and service partners that are critical to obtaining the desired advantages. Decision makers must also realize that services are often the most difficult and expensive aspect of any CRM endeavor, and anticipate that the vendors organizations, services, product development plans and associated partnerships will all be subject to change based on changing market conditions. Properly setting expectations and using a systematic selection methodology will enable enterprises to more efficiently anticipate and accommodate these uncertainties by encouraging greater focus, discipline, oversight and consistency in decision making. Bottom Line Buyers should keep the following pointers in mind to better manage the risks associated with evaluating and purchasing CRM technology: Do your homework and follow the recommended method. Remember that you are buying not just products, but also relationships, and that no single vendor can do everything. Bear in mind that product and price make up only half of the decision, and software prices represent only a portion of total costs associated with procurement. Do not ignore vendor viability or service capabilities. Services represent the greatest risk and the most expensive part of the endeavor. Written by Edward Younker, Research Products Analytical source: Michael Dunne, Gartner Research This article is an excerpt of a chapter from a new report, Building Business Benefits From CRM: How to Design the Strategy, Processes and Architecture to Succeed. The 354-page report is the first offering of the Gartner Executive Report Series, a new business venture of Gartner Press that provides buyers with comprehensive guides to today s hottest IT topics. The CRM report features 26 fact- and advice-filled chapters, an appendix describing six CRM case studies, a glossary of terms and 128 figures. For information about buying the CRM report or others in the Executive Report Series, go to For related Inside Gartner articles, see: Management Update: The Real-Time Enterprise at the Customer Front Line, (IGG ) Management Update: Realizing the CRM Vision, From Strategy to Execution, (IGG ) Management Update: Large-Enterprise CRM Suites, Technology Outlook, Key Vendors, (IGG ) Management Update: CRM Suites Magic Quadrant for North American Midsize Businesses, (IGG ) 4 June

8 CIO Update: Web Services Provider Platforms and Delivering Functionality as a Service (continued from page 1) outright. Although there may be a nominal cost for the initial acquisition of a Web service provider platform, many enterprises will bear the burden of upgrading to get the desired technology. Those costs may be wasted investments in situations where the enterprise has not sufficiently planned for its use of Web services and is haphazardly acquiring infrastructure it thinks it needs. The end result will be a fully enabled infrastructure, at great cost, but with minimal utilization given constraints in business priorities, development resources and customer needs. Enterprise planners can avoid this fate by gaining a better understanding of the nature of Web services provider platforms and their infrastructural requirements. Gartner provides guidance on what a Web services provider platform is, how to find one, how it will fit into an overall serviceoriented architecture (SOA) and what best practices to follow to ensure a successful strategy. Building Blocks of the Web Services Provider Platform Key Issue: What are the key components of a successful Web services provider platform? Strategic Planning Assumptions: By 2007, enterprises will spend nearly $1 billion on software licenses for Web services provider platforms that were unnecessary because they lacked an overall Web services implementation strategy (0.7 probability). By 2007, unanticipated mismatches between Web services consumers and providers for example, delivering high-fidelity content to a mobile device will account for 25 percent of Web services project implementation failures (0.6 probability). As with all services, Web services are not complete applications; rather, they are building blocks. They require other software to invoke them. Some applications will expose their functionality as services, whereas other applications will only consume services. The Web services and SOA environment thus require two types of platforms: those exposing services (service providers) and those consuming services (service consumers). Enterprises getting started with Web services must commit at a minimum to a Web services provider platform and a Web services consumer platform. Gartner examines several building-block technologies for the Web services provider platform. Action Item: Take stock of the provider platform building-block technologies your enterprise may already have in-house, and what your vendors are planning to infuse into these products during the next 24 months. The Provider Platform: A Services Vending Machine Strategic Planning Assumption: Through 2007, more than 25 percent of exposed Web services will be unnecessary and unused, having consumed more than 10 percent of available development resources (0.7 probability). Adopting Web services will require new capabilities in nearly every piece of software infrastructure, but the degree of impact and rapidity of change will vary greatly depending on the enterprise s investment strategy and the vendor s technology road map. In the case of the Web services provider platform, a fair amount of planning will be required to identify: What functionality should be exposed as a Web service Where that functionality resides The other applications with which the Web service will interact A single Web service cannot exist in a vacuum. It must be constructed with a clearly articulated plan, including consideration of its potential consumers. Complicating things is that nearly any piece of software could act as a Web services provider. In some cases as when enterprise portal products fully implement some emerging standards a product may act as both a provider and a consumer. 8 Inside Gartner This Week

9 The basic prerequisites to be a Web services provider are very simple. At a minimum, it requires only a Simple Object Access Protocol (SOAP) engine and listener. Beyond that, complexity grows significantly, commensurate with the complexity of the intended process. Action Item: Take an inventory of the capabilities within your enterprise s infrastructure, but don t expect to expose everything you can as a Web service. Look ahead to future integration complexity and plan appropriately. The Many Faces of Provider Platforms Tactical Guideline: As enterprises struggle to determine the most appropriate way and place to host a Web service, they may be confused by the many faces of provider platforms. These enterprises should look for native capability within the application first, as this approach will likely provide the greatest flexibility. The first provider platform that an enterprise will discover it has available will likely be an application server. However, many other technologies and applications can serve as Web services provider platforms, including: Integration brokers Application platform suites E-commerce platforms Enterprise application packages (such as enterprise resource planning, supply chain management and customer relationship management) Enterprise portals Business intelligence, mobile-andwireless and real-time-data applications Leading application servers from vendors such as IBM, BEA Systems and Oracle as well as Microsoft Windows servers have already been infused with Web services capabilities and are available within many enterprises. Although the capabilities are fundamental and required for new Web services application development, they specifically help with exposing services from standard business applications. Enter the application vendors. Many have spelled out road maps for how their applications will be able to function as Web services provider platforms, and expose a variety of Web services based on underlying functionality. Ultimately, any application could provide the capability potentially extending all the way to the consumer desktop. Consumer finance applications, for example, could use Web services to provide integration to host-based financial services, eliminating the need for cumbersome file transfers. Application Servers Strategic Planning Assumption: By 2005, all leading application servers will offer facilities specially designed for participation and coordination in the enterprise nervous system (ENS) infrastructure, but most business applications will still require some form of integration adapters (0.8 probability). An application server is a modern form of platform middleware. It is system software that resides between the operating system on one side; external resources, such as database management systems, communications and Internet services, on another side; and the enterprise s applications on the third side (see Figure 4). The application server acts as host or container of the business logic. It facilitates access and performance of the business application, despite the variable and competing traffic of client requests, hardware and software failures, the distributed nature of the larger-scale applications and the potential heterogeneity of data and processing resources required to fulfill the business requirements of the applications. A high-end, online-transactionprocessing-style application server delivers business applications with guaranteed levels of performance, availability and integrity. It also supports multiple application design patterns according to the nature of the business application, and the practices in the particular industry for which the application has been designed. 4 June

10 CIO Update: Web Services Provider Platforms and Delivering Functionality as a Service (continued) Figure 4 The Application Server A Form of Platform Middleware Source: Gartner Research Application servers typically support a variety of programming languages and deployment platforms, although most have a particular affinity to one or two. Some application servers implement standard application protocols such as J2EE (Java 2 Platform, Enterprise Edition), while others are entirely proprietary. The proprietary application servers are typically built into packaged applications and are not offered as stand-alone products. Action Item: Talk to your application server provider and learn about its road map for Web services. Integration Brokers User Applications Application Server Operating System Hardware Strategic Planning Assumption: By 2005, 80 percent of midsize and large enterprises will have deployed a External Resources (such as database management systems, communications and Internet services) commercial integration broker suite (0.8 probability), up from 40 percent in Integration brokers are a natural source of Web services, given their central location and access to a wide variety of data and functionality (see Figure 5). Integration brokers will be of particular interest to enterprises seeking to deliver composite Web services, in which data and functionality are aggregated from a variety of sources. Messages passing between applications are processed, converted, routed and tracked in the integration broker. In addition, the integration broker is where: The context of the multistep composite transaction is managed Information about the state and interface requirements of participating applications is kept Accounting and tracking of overall ENS traffic takes place Enterprisewide business activity monitoring is rooted Communication middleware and associated protocols are deployed by the integration broker as applicable to the particular application target. Adapters are invoked to complete the access to the target applications. The adapters may reside in the integration broker or in the target application environment. No ENS can exist without an integration broker. Integration broker vendors such as BEA, IBM, Iona Technologies, Mercator Software, Microsoft, Oracle, Sybase, SeeBeyond Technology, Tibco Software, Vitria Technology and webmethods are the primary suppliers of technology for the ENS. Action Item: Ask your integration broker vendor for its road map for Web services capabilities. Provider Platform Technology: Architecture and Infrastructure Best Practices Key Issue: What are the best practices for investing in Web services architecture and infrastructure? Evaluating Provider Platform Technologies Tactical Guideline: It is critical to evaluate all aspects of any technology being considered as a Web 10 Inside Gartner This Week

11 Figure 5 The Integration Broker At the Core of the Integration Puzzle SAP Visual Basic Natural CICS Source: Gartner Research services provider platform, because one or more factors may make it unsuitable for that role. Different Web services provider platforms have different characteristics, and the appropriateness of any given platform will vary depending on the situation. An enterprise should not assume that the place where the functionality that needs to be exposed sits is the most appropriate place to host their Web services. A variety of factors determine the suitability of a provider platform, including: Scope Does the platform address all of the functionality required to build a coherent Web service? Integration Suite Event Management BPM Transformation Intelligent Routing Metadata Adapters Communication Middleware BPM CICS CORBA PeopleSoft Java CORBA Tuxedo business process management Customer Information Control System Common Object Request Broker Architecture Management Can the platform be integrated into established application management processes, or does it provide its own capabilities? Standards What standards does the platform support, and how rapidly will it assimilate new ones? Tools What application development tools are available to support the platform? Reliability and Scalability What are the platform s reliability and scalability characteristics? Action Item: Prepare a comprehensive view of the capabilities of the provider platforms under consideration, taking into account all aspects of the platform implementation. Software Architecture Planning and the SOA Strategic Planning Assumptions: Through 2007, Web services will not always be deployed over the Web, but in all cases they will be based on SOA (0.8 probability). By 2007, SOA will be the mainstream software engineering practice, ending the 40-year domination of monolithic software architecture (0.7 probability). By 2007, 75 percent of new use of enterprise application servers will be as clientless service provider platforms, with the user-facing side of the application deployed on other platforms (0.7 probability). Through 2007, widely entrenched, monolithic software architecture will remain the largest technical obstacle to the broadly integrated real-time enterprise (0.8 probability). SOA enables applications to have greater flexibility, scalability and reusability, but it requires considerable design, insight and agreement in advance of development. SOA development has been a systemengineering best practice for more than a decade, but lacking standards and dedicated tools, it has largely been the province of leading-edge, technically advanced projects. Gartner believes that Web services architecture will push SOA to mainstream adoption. Web services can function as standards-based SOA services (see Figure 6). 4 June

12 CIO Update: Web Services Provider Platforms and Delivering Functionality as a Service (continued from page 1) SOA is a topology of applications in which the business logic of the application is organized in modules (services) with clear identity, purpose and programmatic-access interface. Services behave as black boxes : their internal design is independent of the nature and purpose of the requestor. In SOA, data and business logic are encapsulated in modular business components with documented interfaces. This clarifies design and facilitates incremental development and future extensions. An SOA application can also be integrated with heterogeneous, external legacy and purchased applications more easily than a monolithic, non-soa application can. With the emergence of Web services a ubiquitous technology with its roots in SOA the adoption of SOA will increase, and, more importantly, its benefits will become better understood. New tools will make development of SOA applications easier; new application styles will make SOA essential. The 40-year reign of monolithic architecture in mainstream software design will come to an end. With the ubiquity of basic Web services technology and the endorsement of Web services by Microsoft, IBM and other leading IT vendors, a large number of middleware and tools vendors have updated their products or offered new products to bring Web services architecture, and thus SOA, to Figure 6 Web Services Push Service-Oriented Architecture to the Mainstream Service Consumer Service Interfaces Service Provider All-New SOA SOA-Wrapped Legacy SOA-Wrapped B2B mainstream users. Some of the old problems remain, however. The design of Web-services-based applications still requires planning and agreement. The early Web services and SOA tools do not yet deliver the full ease of use and full power of SOA, yet they lay the foundation of the inevitable change. All middleware products and related development tools, including application servers, portal products and integration suites, will offer mainstream support of Web services and elements of SOA. Action Items: Develop an SOA strategy. Enterprises that ignore the potential of SOA, or decide to sit out its early stages, will find themselves outpaced by rivals that take advantage of services architecture to improve their agility and even transform themselves into new kinds of enterprises. Understand the distinction between services and service consumers, and deploy technology that best fits those roles. Standards for the Web Services Provider Platform Tactical Guideline: Look to software infrastructure vendors to implement standards in the technical, process and service layers of Web services provider and consumer platforms. Key: Source: Gartner Research Application Server or Other Platform Middleware Integration Middleware B2B business to business SOA service-oriented architecture Gartner has depicted a representative set of standards that should be considered when implementing Web services platforms (see Figure 7). Note that a provider platform may 12 Inside Gartner This Week

13 also be a consumer platform if the Web service being provided is built so that it accesses other Web services. Through 2006, at least 75 percent of Web services in operation will have been implemented through the integration of newly developed and established applications (0.7 probability). In appropriate cases, established application functionality will be incorporated through the use of business process management and integration broker functionality. Web services provider platforms face the same security challenges as consumer platforms. However, when implementing Web services that enable business-to-business transactions, the provider has a position similar to that of a channel master: It can dictate the security protocol used to communicate business transactions. Action Item: Enterprises establishing producer, provider and consumer platforms should: Monitor the progress of standards in the technical layer (especially security standards). Identify software infrastructure vendors and products that implement those specifications. Ensure the candidate software infrastructure products interoperate with the products likely to be deployed by the consumers of your Web service. Bottom Line No shortage of Web services provider platforms is likely. However, complexity and confusion will result from the duplicity of functionality, and vendor hype will be prevalent. Nevertheless, with a little planning and careful evaluation of available capabilities, most pitfalls can be avoided. Enterprises must be careful to avoid expecting too much from any single implementation, and should balance expectations against real capabilities. If enterprises ask for vendor references that match the level of complexity of the intended process, many potential problems may be Figure 7 Integrating Web Computing Standards Into Web Services Platforms Services UDDI, URI CPP/CPA Web Services Portal SOAP Messaging Management OLTP Platform Business Process Mgmt. Integration Broker Process Content BPEL4WS WS Transactions, etc. XML-based languages, CICA WSDL SOAP, LDAP Persistence Business Data Technical WS Reliability DSig XML Encryption SAML WS-Security XML, XSL, XQuery BPEL4WS Business Process Execution Language for Web Services CICA Context Inspired Component Architecture CPP/CPA Collaboration Protocol Profile/ Collaboration Protocol Agreement LDAP Lightweight Directory Access Protocol OLTP online transaction processing SAML Security Assertion Markup Language Source: Gartner Research SOAP Simple Object Access Protocol UDDI Universal Description, Discovery and Integration URI uniform resource identifier WS Web services WSDL Web Services Description Language XML Extensible Markup Language XSL Extensible Stylesheet Language 4 June

14 CIO Update: Web Services Provider Platforms and Delivering Functionality as a Service (continued) anticipated. Even so, some initial Web service implementations will likely fail to become useful due to functional mismatches, performance problems or other issues. Regardless, now is the time for enterprises to take stock of what is available or will be shortly and start to experiment with Web services, or risk being left behind. Gartner offers the following advice: Take inventory of the Web services platform technologies you may already have in-house today, and find out what you will need tomorrow. Don t expect to succeed with a single-provider strategy, or expect that everything will interoperate successfully with everything else. Don t expect to expose everything as a Web service. Written by Ned Frey, Research Products Analytical source: Larry Perlstein, Gartner Research This article is an excerpt of a chapter from a new report, Harnessing the Power of Web Services and Middleware: Building and Deploying Integrated Applications for the Agile Enterprise. The report is an offering of the Gartner Executive Report Series, a new business venture of Gartner Press that provides buyers with comprehensive guides to today s hottest IT topics. For information about buying the report or others in the Executive Report Series, go to For related Inside Gartner articles, see: Management Update: Security Strategies for Enterprises Using Web Services, (IGG ) Management Update: A Conceptual Evolution, From Process to Web Services, (IGG ) CIO Update: Gartner s Web Services Technology Influence Magic Quadrant, (IGG ) CIO Update: How Web Services Will Change Enterprise Architectures, (IGG ) Management Update: A Common Sense Definition of Web Services, (IGG ) CIO Update: Enterprise Security Moves Toward Intrusion Prevention Targeted hacker attacks on enterprises have been increasing, and are generally launched by more sophisticated and motivated attackers. Intrusion prevention is gaining importance while intrusion detection is fading away. Gartner has defined three key criteria for true network-based and host-based intrusion prevention. Intrusion Detection Has Problems As enterprises became disenchanted by the performance of intrusion detection products, security vendors stopped using the word detection and began relabeling their products as intrusion prevention or intrusion protection. However few products provide the features that Gartner believes are necessary for true intrusion prevention. In the post-internet boom, with the dawn of Web services and with the network becoming an integral part of business operations, security solutions such as intrusion prevention systems are being introduced that offer real protection for the enterprise. Similar to intrusion detection, intrusion prevention can be separated into two broad categories host-based and network-based. Mandatory Requirements for Intrusion Prevention An intrusion prevention system must meet three key criteria: It must not disrupt normal operations. When it is inserted online, a network-based intrusion prevention system must not introduce unacceptable or unpredictable latency into a network. A host-based intrusion prevention system must not use more than 10 percent of a system s resources. Normal network traffic and hostbased processes should operate identically, whether an intrusion prevention system is running or not. Blocking actions must occur in real time or near real time, with latencies in the range of tens of milliseconds (not seconds). It must block malicious actions using multiple algorithms. Intru- 14 Inside Gartner This Week

15 sion prevention systems must provide blocking capabilities that include signature-based blocking of known attacks. However, intrusion prevention systems must also move beyond simple signaturebased approaches such as those used by antivirus and intrusion detection systems to at least support policy, behavior and anomaly-based detection algorithms. These algorithms must operate at the application level in addition to standard, network-level firewall processing. It must have the wisdom to know the difference (between attack events and normal events). As intrusion prevention systems mature, they will be able to positively identify and block higher percentages of attacks than today s first-generation intrusion prevention systems (that is, firewalls) do. However, they will never be perfect, and it will always be necessary to flag suspicious activity for further human investigation. Thus, the intrusion detection market will be relegated to mere first-alert status. Host-Based Intrusion Prevention Host-based intrusion prevention is software that resides on a server and prevents cyberattacks against the operating system or applications. Products from Okena and Entercept Security Technologies have had early success in protecting servers, particularly against the Code Red and Nimda attacks. Host-based 4 June 2003 intrusion prevention is an immediate cure for vulnerabilities in servers, but because of the costly overhead of managing security software on many diverse platforms within the enterprise, host-based intrusion prevention systems will not see the same adoption rate as network-based intrusion prevention. Host-based intrusion prevention technology can apply policies based on predefined rules or learned behavior analysis to block malicious server or PC actions. Host-based intrusion prevention can stop attackers from implementing buffer overflow strikes, changing registry keys, overwriting Dynamic Link Libraries or engaging in other approaches to obtain control of the operating system. Host-based intrusion prevention can be implemented as software shims that intercept calls between applications and the underlying operating system, or as kernel modifications that apply more-stringent security controls than those built into commercial operating systems. Examples of software shims are: Network Associates/Entercept Security Technologies Cisco Systems/Okena Sana Security GreenBorder Technologies Examples of kernel modifications are: Argus Systems Group Sun Microsystems Trusted Solaris Operating System Hewlett-Packard s Virtual Vault Host-based software that simply locks down the host and only allows certain applications to execute does not meet Gartner s criteria for hostbased intrusion prevention, because it does not protect against flaws in permitted applications. Network-Based Intrusion Prevention The advantages of network-based intrusion prevention systems include the reduced importance of constant monitoring, and that an attack does not set off chimes and claxons that cause a chaotic scramble to react. Network administrators know that Code Red attacks have become part of the background radiation of the Internet. Therefore, the time spent logging and responding to such attacks is wasted. Once identified, the affected session should simply be dropped. Thus, not only are valuable resources conserved, but also a better overall security posture is achieved. The defining characteristics and benefits of network intrusion prevention are: Firewalls and gateway antivirus systems are examples of firstgeneration, network-based intrusion prevention systems. However, firewalls primarily operate at the network protocol level, and antivirus systems largely implement simple, reactive (that is, non-real-time), signature-based detection and blocking. A true network-based intrusion prevention system must: Operate as an in-line network device that runs at wire speeds. 15

16 CIO Update: Enterprise Security Moves Toward Intrusion Prevention (continued) Perform packet normalization, assembly and inspection. Apply rules based on several methodologies to packet streams, including (at a minimum) protocol anomaly analysis, signature analysis and behavior analysis. Drop malicious sessions don t simply reset connections. To do all that, network-based intrusion prevention must perform deep packet inspection of all traffic, and generally must use specialpurpose hardware to achieve gigabit throughput. Software-based approaches that run on generalpurpose servers may be sufficient for small enterprise use, and bladebased approaches may scale up to some large enterprises. However, for complex networks running at gigabit rates, Gartner believes that application-specific integrated circuits and dedicated network security processors will be required to perform deep packet inspection, and to support blocking at wire speeds. Vendors include: TippingPoint Technologies IntruVert Networks NetContinuum ipolicy Networks Fortinet Characteristics and Benefits of Network Intrusion Prevention The defining characteristics and benefits of network intrusion prevention are: Inline position: Rather than tapping into a data stream from the switch or other device, the products sit inline with the data stream. Inline systems can analyze and identify packets and sessions, verify which are malicious and drop the associated stream of packets. That is essential to the products protective abilities. Stateful signature: To efficiently handle multigigabit traffic streams, some form of stateful inspection must be used. The state of a particular communication going over a network includes the ability to have session knowledge about the packets being analyzed. Some awareness of state enables the engine to parse only the pieces of the session that are applicable to the attack signature. That provides high throughput and low latency, which are also required for enterprise applications. Combined algorithms: No single methodology can catch the maximum number of intrusion attempts while minimizing false positives. Intrusion prevention systems must use a combination of methodologies: Signature analysis is the most powerful method, but it must be augmented with protocol/ packet anomaly detection. Protocol/packet anomaly detection focuses on signatures within the protocol or packet that have been defined as hostile, malformed, out of sequence or potential zombies, which are some distributed denial-of-service (DDoS) relay kits that can serve as transmitters for floods of packets to be sent to DDoS targets servers. The relay kits use Internet Relay Chat channels to communicate back to controlling hackers, who can direct the relay kits to start attacking certain Web sites. By bombarding sites with bogus traffic, hackers can make it impossible for a site to respond to legitimate connections. Behavior-based statistics are less exact, but they can provide a valuable function. This technique involves analyzing baseline metrics of known traffic patterns, then setting the alert threshold when extreme traffic pattern changes occur, such as massive flooding that may indicate a denial-ofservice attack. (Flooding may also indicate a legitimate network traffic surge. Thus, notification can maintain or alert required infrastructure changes to meet valid traffic demand.) Dropping malicious traffic: Once a malicious session is identified, it is simply dropped, which protects the destination server or device. Logging and alerting are functions of these devices. Intrusion Prevention Summary Some facts about intrusion prevention are: 16 Inside Gartner This Week

17 Firewalls are intrusion prevention devices. As intrusion prevention begins to include application-level attack blocking, products must meet a minimum set of criteria before enterprises can take them into consideration. Intrusion detection will always be required to give warnings about activities that are suspicious but not necessarily hostile. Most enterprises will require hardware-based intrusion prevention products to protect highspeed networks. Bottom Line As processing power and security algorithm performance increase, intrusion prevention will grow in importance, while intrusion detection will shrink. However, through 2006, enterprises should deploy a combination of both capabilities to meet security best practices. Written by Edward Younker, Research Products Analytical source: John Pescatore and Richard Stiennon, Gartner Research This article is an excerpt of a chapter from a new report, Securing the Enterprise: The Latest Strategies and Technologies for Building a Safe Architecture. The report is an offering of the Gartner Executive Report Series, a new business venture of Gartner Press that provides buyers with comprehensive guides to today s hottest IT topics. For information about buying the report or others in the Executive Report Series, go to For related Inside Gartner articles, see: Management Update: Security Strategies for Enterprises Using Web Services, (IGG ) CIO Update: Gartner s IT Security Management Magic Quadrant Lacks a Leader, (IGG ) CIO Alert: Follow Gartner s Guidelines for Updating Security on Internet Servers, Reduce Risks, (IGG ) Management Update: The Real Payoff From IT Outsourcing Is Quality, Not Cost Reduction It is critical that an enterprise understands the proper way to evaluate its outsourcing strategy. Uncertainty will abound in a deal, and the long-term view should be taken. Cost reductions aren t always possible, so enterprises must focus on other benefits. Outsourcing Is Growing, but Satisfaction Isn t The IT services market declined for the first time in Outsourcing, however, was the only segment within the overall IT services market to experience positive growth. That growth reflects the significant and measurable bottom-line gains that can be made from a sound outsourcing strategy, but belies the growing number of problems blocking the emergence of a successful IT outsourcing model. Satisfaction levels with outsourcing contracts are often poor, a great deal of money is being wasted on poor relationship management, and deals are frequently signed to save money in the short term without structuring the contract to achieve long-term business goals. Enterprise executives often fail to see the business benefits they had hoped for from their sourcing strategies. Outsourcing is not a panacea. Doing it wrong can be worse than not doing it at all. Service Levels Are Met But Business Requirements Are Not Each year, Gartner conducts hundreds of benchmarking exercises on outsourcing deals. They show that many managers are convinced that service providers overcharge for a sometimes inadequate service. However, that is not the norm. Benchmarking results show that service providers usually meet the contracted service levels and often exceed them. Besides measuring performance, Gartner s benchmarking methodology includes interviews with business unit managers and executives to gain their views on the performance 4 June

18 Management Update: The Real Payoff from IT Outsourcing Is Quality, Not Cost Reduction (continued) and alignment of IT services relative to their business requirements. Analysis of those interviews, together with the performance data, reveals that although many service providers are successfully meeting their contractual obligations, the services delivered are not meeting business expectations. The results show a consistent misalignment between the long-term contracts signed with IT service providers, the in-house team managing the deal and the requirements of business units. The procedures and skills that exist to manage those complex relationships are often woefully inadequate. Outsourcing May Not Save Money in the Long Term Since the early 1990s, many longterm IT outsourcing deals have been constructed on the assumption that a steady state will be achieved after an initial period of transition and transformation. In short, the deals have been based on an assumed view of the future. The customer assumes that the higher costs incurred by the service provider during the transition period will be compensated for by lower (and continually decreasing) costs once the steady state is reached. That is a valid approach when there is a good chance of achieving the assumed steady state. However, in today s uncertain and changing business environment, the steady state is seldom achievable. Predefined variations in price, based on changes in transaction volumes and incorporating assumed technology upgrades, soon get out of date. Deals constructed on this basis have typical characteristics: Estimates of existing costs are often wrong. The assumed steady state is seldom reached. Bidders, under significant pressure to show initial cost reduction, construct their pricing knowing that the customer s environment is likely to change significantly before the supposed steady state is reached. Change mechanisms are seldom structured to cope with the uncertainty and dynamics of today s business environment. Many deal-negotiation teams (for both customer and service provider) are aware of those inevitable problems. However, they get the deal signed and move on to the next assignment before the difficulties surface. To determine if an IT outsourcing deal will reduce costs over the long term, Gartner examined the financial aspects of major deals that had been running for several years and have therefore moved beyond the turmoil of the initial transition. All had been signed initially to achieve cost reduction. The deals were with wellestablished national and international IT service providers. IT infrastructure deals with offshore service providers are still relatively rare, and were excluded from this study. The low end of Gartner s sample deals cost 95 percent of the average internal equivalent, with the high end exceeding 150 percent. If a company s current costs are lower than the average, then the total cost of outsourcing will almost certainly be higher than retaining the work in-house. Gartner s analysis also showed that all IT outsourcing is likely to cost more than the average in-house delivery if the deal is poorly structured and has inadequate relationship management. Bottom Line It is critical that an enterprise knows how to evaluate its outsourcing strategy. Gartner recommends prioritizing the following considerations when embarking on a longterm outsourcing deal: Take the long view: Your service provider will become part of your company. The only certainty is uncertainty: Build your deals for continuous change. You are probably the biggest problem: Invest in the skills, resources and processes to manage the complex relationships. A long-term deal with a major service provider is a potential business asset you can either use it or waste it. 18 Inside Gartner This Week

19 Written by Edward Younker, Research Products Analytical source: Roger Arthur Cox, Gartner Research Roger A. Cox, a Gartner Research vice president, covers IT and business process outsourcing in Europe. His area ranges from covering major trends in the market to helping enterprises and service providers make long-term deals that will work for their businesses. Mr. Cox holds a bachelor s degree in civil and structural engineering, and is a Chartered Engineer, a Member of the Institution of Civil Engineers (MICE), and a Member of the Institute of Professional Sales. He resides in England, where he works in the Gartner Egham office. Visit gartner.com/outsourcing for additional outsourcing research and information from Gartner. For related Inside Gartner articles, see: Management Update: IBM Commits to the Business Process Outsourcing Market, (IGG ) Management Update: Application Outsourcing Trends for 2003 and 2004, (IGG ) Management Update: 2003 Predictions for Offshore Sourcing, (IGG ) At Random IBM s T-Rex Mainframe Sets a New Standard for Enterprise Computing. On 13 May 2003, IBM announced its latest generation of mainframe hardware, the zseries 990, code-named T-Rex. Delivery will occur in two stages, with uniprocessor through 16-way configurations available in June 2003 and configurations of up to 32 general-purpose engines shipping in October (The 16-way configuration remains the largest supported in a single image.) Although the underlying technology in the z990 will eventually form the basis of IBM s midsize mainframes, the initial systems will most interest the top 10 percent of IBM s customers. Engine performance reaches about 50 percent higher than in the top-of-the-line turbo z900. By the end of 2003, IBM will ship systems capable of nearly three times the capacity of today s largest mainframe, the z900 model 216. Moreover, IBM has made changes in its mainframe system design and architecture to break through barriers such as 256 channels, 15 logical partitions and, eventually, the 16-processor limit. IBM s traditional mainframe strengths continue to evolve and remain the industry s gold standard. Mainframes are central to IBM s on-demand computing utility vision. However, as a stand-alone product, the z990 likely won t generate the sustained revenue bump for IBM that the initial z900 delivery did in As one intriguing enhancement in the z990, an on/off on demand feature allows you to add temporary processor capacity (but not temporary memory capability) as needed and then turn it off later, with an additional charge for the time the engine is active. As with recent iseries and pseries announcements, how third-party software vendors price their products when this temporary capacity is activated will determine how widespread its use becomes. IBM has lowered the minimum workload size for its Workload License Charge (WLC) software pricing, which applies also on the established zseries. This move may make WLC useful to customers that previously saw no benefit from it. Hardware maintenance prices will run about 25 percent lower than for the z900. If you use z900s, consider upgrading within your family if hardware costs or capacity details matter to you, or if the use of fewer of the larger engines will affect workload performance. Early adopters of the z990 take note: some functions (such as the new cryptography feature, expanded channels and support for 30 logical partitions) will not ship until October Analytical sources: Mike Chuba and John Phelps, Gartner Research 4 June

20 At Random (continued) Marketers Must Work Harder to Show They re Legitimate. Recently, U.S. legislators introduced several bills to combat spam: Representative Zoe Lofgren s bill (the REDUCE Act) would require marketers to identify their messages in the subject line as advertisements. Senator Charles Schumer s bill would create a national list of consumers who do not want to receive spam. Senators Conrad Burns and Ron Wyden s bill (the CAN-SPAM bill) would require marketers to provide legitimate return addresses and remove recipients from mailing lists if they request it. Those bills will not stop spam. Spammers make money by disguising spam as legitimate messages. They send spam to as many valid addresses as possible, knowing that one-quarter of one percent of recipients will make a purchase. Spammers will not do anything to jeopardize their profit margin, such as removing recipients from mailing lists merely because they asked to be removed as stipulated by the CAN-SPAM bill. Despite antispam laws in 29 U.S. states and numerous countries, spammers that feel at legal risk can avoid the law by sending messages through offshore Internet service providers. Shutting down spammers will require international cooperation via public and commercial efforts, some of which have gotten under way: International bodies are starting to study the issue in March 2003, the Internet Research Task Force formed a new anti-spam research group ( CAUCE ( a U.S. volunteer organization, advocates legislative solutions to spam. It has sister organizations in Australia, Canada, the European Union and India. ISPs have realized they must cooperate to fight spam. AOL Time Warner, MSN and Yahoo announced initial steps in such an effort on 27 April Vendors, such as Habeas and IronPort, focus on protecting legitimate outbound , in part, by building relationships with ISPs. E-marketers should ensure their campaigns do not violate domestic laws and laws in countries to which they send . Marketers and enterprises sending bulk mailings must work aggressively to separate themselves from spammers for example, by weeding out low-value marketing messages. They should also understand the various filter techniques so as not to get caught in the spam traps. Analytical sources: Maurene Grey and Adam Sarner, Gartner Research Verizon Introduces Low-Priced DSL, Wi-Fi Services. On 13 May 2003, Verizon announced new pricing for digital subscriber line (DSL) service, along with expanded wireless fidelity (Wi-Fi) Internet access. Verizon will offer Wi-Fi access from its pay phones: It has wired 500 pay phones in Manhattan and activated 150 of them. Verizon plans to deploy 1,000 hot spots in New York City by year-end Subscribers to its Internet service can log on to the Wi-Fi hot spots at no additional cost. Those who buy its Veriations bundled packages, which include local or long-distance services, can get DSL starting at $29.95 per month. Verizon will offer DSL separately for $34.95 per month. Gartner views pay phones and the last-mile assets of incumbent local-exchange carriers as a hidden resource for Wi-Fi. Bell Canada has taken similar steps, and now Verizon has addressed this opportunity. The limited trial does not yet make this offering compelling for roaming Wi-Fi users, and using pay phones as hot spots entails significant restrictions, especially in-building. Nonetheless, Gartner believes Verizon will roll this capability out 20 Inside Gartner This Week