Walking the Web 2.0 Tightrope

By Howard Baldwin, CIO Leadership Forum

Trying to Bar the Enterprise to Web 2.0 Applications Is a Futile Effort—and a Mistake

If you're the parent of adolescents, you're probably oversaturated with references to MySpace, Facebook, Flickr, and other so-called Web 2.0 applications. If you're in IT, however, don't let that satiation spill over into your day job. Web 2.0 has its value in the enterprise—you just have to focus on it. You may feel like a gatekeeper, trying to keep what belongs in the enterprise separate from what belongs on your teenager's computer, but the fact is that the worlds do—and should—overlap.

Think about it: Flickr is a photo-sharing site, but some companies are working with their advertising agencies to store collateral graphics there. On eBay, the grandparent of Web 2.0 applications, you can bid on Sun Microsystems storage arrays—and see just how satisfied the buyers have been with the seller's service. How many other suppliers have that kind of transparency?

There is, admittedly, a lot of hype about Web 2.0. As Boston Consulting Group's David Ritter puts it, "Hype is far ahead of adoption." But Ritter, managing director of the firm's technology communications and IT practice, insists, "There is a there there." To derive value from Web 2.0 requires considering some basic issues of collaboration in the 21st century: trust, Web services, and security.

What Defines Web 2.0?
According to Ritter, two primary factors define Web 2.0. "There is the notion of community, in which users create content and interchange data. It encompasses a trust system or a notion of reciprocity." Wikipedia and eBay, he says, are solid examples.

Based on his work with clients, Ritter believes that IT hasn't begun to scratch the surface of what communities can do. Consider the typical process for developing a custom application: First someone in IT asks for user requirements, develops a document for distribution, and then solicits comments. A year later, the application is finished. But in the meantime, it has become irrelevant to the business unit's needs. "Now think about setting up a wiki, secure enough that no one from outside the firewall can access it, and using it as a requirements repository," Ritter suggests. "Anyone can contribute to the requisition, and you have a more open and iterative process for collecting feedback."

Even better, with multiple people contributing and expressing an opinion, it's easier to prioritize multiple options for features. "You can broaden the bandwidth of the communication that IT has with the business," says Ritter. "There still has to be a filtering process, but everyone can see the input transparently and can build on it." The biggest advantage: one person's ideas will frequently inspire others.

Looking at Web Services
The second defining feature of Web 2.0 is one that will be familiar to chief information officers (CIOs): the idea of a Web services-based architecture in which small pieces of code are loosely joined. "These are basically mashups on the Web," says Ritter. "You can take rental information from craigslist and combine it with Google Maps and you get housingmaps.com. It's easy to create, and it has some usefulness." It's a lightweight version of a service-oriented architecture (SOA), which achieves integration using standard protocols and formats. (Just make sure you have the licensing rights to the information.)

Underpinning that idea is the thought that "perfect isn't necessary, and an SOA does not need to be a big-bang, high-cost initiative," Ritter adds. "Simplicity is the primary design concern." Case in point: Google's search engine. Do you always find what you need when you search on Google? No—but it is easy to use and it is good enough. "That's a lot easier than dealing with 5000 commands in the programming interface of an enterprise resource planning application," he says.

Even so, there are larger architecture issues to deal with. Langdon White, director of global engineering for the consulting firm Keane, believes that Web services and Web 2.0 are a great way to offer data efficiently, but you have to think through the ramifications. "We understand a traditional Web site in which data goes back and forth to the browser," he says. "But Web 2.0 is a new paradigm that has to be thought through." He cites the example of a client whose vision of a collaborative business intelligence dashboard involved transmitting 20 gigabytes of data between client and server. White recommends experimenting with multiple tiers of data to avoid situations like this.

The Security Question
When you talk about applications that work best with collaborative input, the question of security ultimately comes up—even on the consumer side. White points out that Wikipedia, to avoid overzealous input, has had to lock down the definition of Jesus Christ.

Most Web 2.0 applications actually have a modicum of security built in, simply because contributions, to be valuable, must come from a trusted source. That means that participants in a Web 2.0 application must be known and identifiable, with passwords and user names.

That's from the outside looking in. From the inside looking out, down at the component level, developers of Web 2.0 applications have to be assiduous in their use of those identifiers. The best advice: follow basic logic to adhere to good security practices, such as validating for proper input and checking for malicious strings of data. "I've seen applications where you can call up an individual's financial reports, and just by clicking on a slice in a pie chart, you can generate data," explains Konstantinos Karagiannis, an ethical hacker for BT INS, a consulting firm based in Santa Clara, California. "When the application requests the information from the back end, it does it as part of that stream of data." He says that without proper security precautions, someone can intercept the transmission, input another user name, and get someone else's financial information.

For the same reason, Karagiannis says, "don't use as identifiers data that can be misused if intercepted, such as social security numbers." One last recommendation: keep the applications lean; don't add more code or data than necessary. That will improve both performance and security.
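A small illustration of Karagiannis's two points, written for this article rather than taken from any application he describes: a drill-down handler that trusts the user name carried in the request stream sits beside one that takes the identity from the authenticated session, validates the input, and uses opaque report ids instead of social security numbers. The report data, user names and ids are constructed.

```python
import re
import secrets

# Constructed sample data: financial reports keyed by an opaque, random id.
# Each record carries its owner so the server can decide authorization itself.
REPORTS = {
    "r-7f3a9c": {"owner": "alice", "slice": "Q1", "total": 1200},
    "r-c01e55": {"owner": "bob", "slice": "Q1", "total": 980},
}

REPORT_ID = re.compile(r"^r-[0-9a-f]{6}$")  # shape of ids issued by new_report_id()


def report_vulnerable(params):
    """The pattern the article warns about: the identity comes from the request
    stream, so whoever edits the parameter chooses whose reports are returned.
    Returns (status, payload) like an HTTP handler."""
    user = params.get("user")
    rows = [r for r in REPORTS.values() if r["owner"] == user]
    return 200, rows


def report_hardened(session_user, params):
    """Hardened drill-down: any identity claim in the request is ignored; the
    owner is the authenticated session user, the id is validated for shape, and
    the record is released only if that user owns it."""
    report_id = params.get("report")
    if not isinstance(report_id, str) or not REPORT_ID.match(report_id):
        return 400, None                    # malformed or hostile input, reject early
    report = REPORTS.get(report_id)
    if report is None or report["owner"] != session_user:
        return 403, None                    # same answer for missing and foreign ids
    return 200, report


def new_report_id():
    """Opaque identifier to hand to the chart: reveals nothing if intercepted,
    unlike a social security number or user name used as the key."""
    return "r-" + secrets.token_hex(3)
```

The hardened handler answers 403 for both a missing and a foreign id so that an intercepted request cannot be used to enumerate which ids exist.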

Whatever Happened To Personal Computing?
In the end, it's important to remember that many technologies that now seem indispensable to the enterprise actually started out as personal: everything from instant messaging to cell phones and on back to personal computers themselves. The key for CIOs is not to try and prevent the inevitable. Rather, think how you can usher in and guide the technologies to providing value to the enterprise. There exists a compromise state in which they're both controlled and collaborative.

"With infinite power comes infinite responsibility," says Keane's White. "You have to set up governance to support that environment."
