Oh What a Tangled Web

The Web can be a sticky place on your first fly by; with an ill-conceived plan you can get trapped

Gartner Group research director Gene Phifer had discussions with a CIO recently who was seriously considering giving each and every one of 16,000 employees a personal Web site. It seems the CIO was eager to exploit the World Wide Web's potential to empower staff. Fair enough, some might say. But this CIO was also talking about giving every one of those employees his or her own Web server.

"He was going to crank out Windows 95 Web servers and let individuals populate their own Web server and have their personal Web site on their desktop," Phifer told CIO magazine incredulously on a recent Australian visit.

"And I said: 'God, do you know the support burden you're about to sign up for? I mean, at any point in time about half of those servers are probably going to be broken, because these people aren't programmers. These aren't developers, these are standard end users that don't know how to operate a Web server; and you shouldn't ask them to. If you want to have 16,000 Web sites, have a big central server that's got 16,000 directories and let them populate their own directory'."

The ill-conceived plan highlights the dangers of rushing too quickly into Web technology deployment, and also nicely illustrates the confusion bedevilling some corporate efforts to implement competitive Web-enabled business strategies.

Phifer believes Gartner Group research into how companies are using Web technologies around the world provides a meaningful starting point for the move into Web deployment. He was visiting Australia to present at the seminar, "Network Computing: Using Web Technologies for Competitive Advantage" held earlier this year. He says that before companies can make money out of the Web, they need to understand where the technologies are heading, how they are being used, where they can be leveraged, and the risks involved.

"It is vital to understand the risk factors that companies face in implementing and deploying a business solution, then weigh the risk against the potential benefit and see if the equation adds up before deciding what you should do," he says.

Mixed Blessings

As Phifer's discussion with the CIO demonstrates, most companies are looking to decentralise as they move to deploy Web-based technology, with end-user departments, workgroups and business units building their own Web sites and in many cases operating their own Web servers. And in that trend, Phifer says, there's good news and there's bad news.

"On the plus side, this allows end-user empowerment. If the end users need to do something to further their business, to make money for their enterprise, it gives them the ability to do that. On the other hand, if it's not coordinated at a higher level, they'll all do their own thing in a thousand different ways, and it will turn into the American Wild West."

Consider the corporate culture before deciding on a model for deployment. In companies with a highly centralised culture it probably makes little sense to have decentralised Web sites all over the shop. But if the culture allows it, nudge things as far as is reasonable towards decentralisation in the interests of empowering users, Phifer says.

If you're unfortunate enough to work in an enterprise where IT is seen more as a barrier to success than an enabler, end users will find every possible way to go it alone, even if it means breaking the rules. In such organisations, IT should show leadership by establishing an overall coordination role for itself and act as a facilitator rather than a barrier, according to Phifer.

That decision made, decide how far you want to go, and how fast. While most companies already have some flavour of intranet, very few -- even among those Gartner calls Type A organisations -- have yet gone into high-scale, mission-critical application development in an intranet setting. And that is surprising, because in Gartner's taxonomy, Type A organisations are the early adopters: quick to see the competitive benefits of adopting technology and to leverage it ahead of the competition.

Certainly Type As are doing application development in the Internet space: developing self-service applications and other middle-tier, middle-complexity applications; but they are moving cautiously, recognising the technology simply hasn't matured sufficiently to support high-volume, mission-critical applications. All that is about to change. By next year the tools will be there to provide an infrastructure capable of running enterprise-class applications.

Meanwhile even Type Cs, the ones that see IT as a cost centre and a necessary evil, are moving into Web technology, realising they have little choice in the face of a host of new competitive pressures.

Organisations in the same boat as the Type Cs, Phifer says -- that is, organisations that are so far from running mission-critical applications that they've barely got their feet wet -- should start by considering what they want to do with their intranet. Do they want to publish via the Web? Do they want to do collaboration? Do they want to do document management? Do they want to write applications -- low-end, high-end or mission-critical?

Once these questions are answered, then they should consider the numerous management and organisational tenets around deploying an intranet site. That typically opens up "about a thousand other questions", Phifer says.

"Is a TCP/IP network in place? If not, the first big step is to get the TCP/IP network deployed. What desktop environment is in place? Is the organisation running Microsoft or Unix or a combination? If the company wants a Web site, what will it do with it? Will it just be for simple publishing? Can you see the company doing high-end publishing on the Web? Will it run applications? Who is going to provide content to the Web site?"

The next step is to establish an IPG -- an integrated policy group -- that will formulate the policy and procedures concerning the Web site. Critical to the success of any Internet project, the IPG should include representatives from the business units as well as the IT department. In their deliberations certain policies should be very easy to identify, Phifer says.

"First of all, what's going to go on the Web site? What kind of information do you want to put on the Web site? Are you going to put up HR policy? Are you going to put up administrative policy? Are you going to put the phone book? What material is acceptable to be there? If you are going to have Web publishing, what kind of information is acceptable? Is it acceptable to publish highly proprietary and sensitive information? If so, how do you protect that? Is it acceptable to publish personal information? Do you want to have pictures of a guy and his dog up on the Web site?"

That level of policy is easy to establish and should be done on day one, Phifer says.

But it's also the job of the IPG to refine the policy down the track. That means it needs to meet on an ongoing basis to refine, tweak and enhance existing policies and develop new policies and procedures to encompass new functionality. Central IT should have a key role in the IPG, but not necessarily the leadership role. Any unit big enough to provide content into the site needs to be represented, as does the public relations/corporate communications group.


There are other issues to consider before you can hope to leverage Web technologies. Gartner Group has no doubt Internet technology is going to become the dominant infrastructure of enterprises. Within a few years, the vast majority of standards decisions are going to revolve around Internet technologies. But until that time, one of the big issues to consider is the kind of technology platforms you intend to write on, Phifer says.

"Are you a Microsoft shop? Are you Microsoft desktop? Microsoft server? And if so, are you going to tend to want to deploy the Microsoft version of things? There are lots of reasons why you might want to do that, but lots of other reasons why you might not. And if you deploy the Microsoft versions of things, the question is how you can develop applications in that space and minimise the cross-platform issues."

And have no doubt those cross-platform issues will arise. Even Microsoft-only shops are bound to want to establish extranets sooner or later. "If you don't go into it today facing that ultimate fact, you're going to be redesigning your systems and recoding your systems in the future," Phifer says. "I can't tell you how many of our clients, even recently, have been saying: 'We're Microsoft desktop or Microsoft server, so we're going to do DCOM everywhere. We're going to serve ActiveX components down to the desktop, we're going to leverage Active Server Pages, and we're going to do it all the Microsoft way'.

"And I say: 'Great: you're going to produce a wonderful set of robust applications for your employees. It's going to be great. However, when you plug your first extranet in, and you have a guy running Netscape on a Sun Solaris workstation, it ain't going to work. And you're going to have to recode that application. Think about that'."

In time vendors will adopt a more pervasive model of network computing, which will better protect developers from the vagaries of different clients. Until then, it is vital to future-proof all Web developments.

Similarly, virtual private networking (VPN) will enable an entirely new model of extranet computing. Phifer says that, as the next major leap forward in extranet connectivity, VPN offers the allure of new applications that many enterprises will find too strong to ignore, but it also raises serious security risks an organisation must manage. Adequate emphasis on access control, authentication and privacy will be essential for those wanting to exploit VPN. Enterprises considering a VPN in the next 18 months should be confident in their own or their service providers' ability to manage and maintain their firewall, authentication and intrusion detection, Phifer says.

"VPN is mature enough in some spaces: if you want to use VPN to enable remote access for your employees, to link up a company office, to link up a new acquisition, to allow for mobile users or telecommuters. Yes, VPN technology is very appropriate today [in these circumstances], because the people are totally trusted.

"When you start to look at enabling VPNs for semi-trusted people such as your customers, your trading partners -- and you trust them, but only so far; you trust them with this piece of your intranet but not the rest -- the question then becomes: how do you fence them in to that piece?

"What mechanisms are there to keep them from moving around in other parts of the intranet and finding other information? And the questions don't have really good answers right now. That's the piece of VPN technology that needs a little more maturing," he says.

Overall, Phifer says, there are two kinds of risk to consider: the technology risk and the business risk. Technology risk is essentially the risk of adopting the technology early, or adopting technology that may provide some instability.

Perhaps it doesn't run the way you want it to; or it's not as secure as you need it to be; or then again, maybe operational staff are incapable of supporting it in the first instance.

Business risk has technology risk as a component, but also embraces other angles. For example, what is the risk of not doing something? If competitors get in first, might they not take customers away from you, because they can provide a service you don't?

"I use the example of the FedEx Web site," Phifer says. "They launched the FedEx Web site more than three years ago, to allow their customers to get in and track the status of package shipments. Was that a risky proposition when they launched it? Absolutely. The technology risk of what they did was extremely high. They had Web servers going through firewalls talking to mainframes. That was unheard of three years ago.

"But did it make sense from a business perspective? Absolutely. They had to be first on the block with that kind of capability. Otherwise their competitors would have been, and they would have lost customers."

In Phifer's book, the FedEx example proves how vital it is to consider the technology risk in the context of overall business risk, including the risk of not doing something. But there are ways of minimising the technology risk at least, he says. For one thing, be careful about using very immature technology.

Release 1.0 of anything is a no-no. "Inevitably there will be problems, there will be security holes. There always are," he says.

For another: "Make sure you understand all the security ramifications of what you're doing," Phifer says. Any vendor who says something like: "All you have to do is poke a hole in your firewall and this product will work," is one to avoid like the plague, Phifer cautions.

"Whenever I hear that phrase I cringe," he says. "And I think most of these guys have figured out not to say that anymore, but that's what they want you to do. So you have to be careful about poking holes in your firewall and making sure that if you want to let that guy's protocols through, nothing else is going to come flying through that you don't want there. Be very careful of those kinds of things."

Fully understand the cultural implications also, Phifer says. If users are going to be making a leap from a character screen 3270 interface to a Windows browser paradigm on their desktop, expect them to have to make some enormous adjustments. But even in less extreme cases, there will inevitably be cultural and training issues to consider. Make sure you consider them well ahead of time. Expect to have to spend time training staff in effective Web surfing techniques, and make sure they're all familiar with the "acceptable use" policies that the IPG established.

Another way to minimise risk, according to Phifer, is to ensure in advance that the infrastructure will support the planned enabling technologies. This involves such considerations as whether the network will be robust enough to handle videoconferencing, if that is part of the plan.

Make sure the IP protocols needed to support a Web presence are distributed throughout your network. Make sure the bandwidth out to your ISP is adequate to support the kind of access that is going to be required.

Finally, go back to considering centralisation versus decentralisation, Phifer advises. But this time do it within the perspective of asking yourself how you can push as much of the technology out to the end users as possible.

"Move down the scale towards decentralisation, because enabling your end users -- providing the tools and capabilities to do this -- is where many enterprises are headed. And even those that are highly centralised are looking at taking a step towards decentralisation, just because these technologies lend themselves to that kind of implementation," he says.

Getting Started

Jude O'Reilley, research analyst for enterprise networking strategies at Gartner Group, in Stamford, Connecticut, has developed basic guidelines for users getting ready to evaluate VPNs:

1. Security: Is the encryption provided by the VPN appropriate to the application? For example, extranet applications may require a higher level of encryption than Internet applications.

2. Scalability: Does the cost per node increase or decrease as more end points are protected? Can the network handle growth without becoming too slow or unreliable?

3. Manageability: Are there facilities for flexible configuration and remote auditing and monitoring?

4. Simplicity: Are administrators protected from underlying complexity or does the VPN require trained engineers to administer it?

5. Quality of Service: Can the application tolerate unpredictable delays? If the application relies on real-time information, delays of even the shortest duration may not be tolerable.
