How web services became cloud magic, then turned real again

When businesses turn into a set of web APIs, decisions about trust, security, and risk management become more important than ever -- and many of these are board-level decisions.
Written by Stilgherrian, Contributor

"Servitization" is the ugly buzzword. It means turning your business into a suite of services that you provide, rather than a catalogue of products that you sell. In turn, you run your business by calling upon a set of services provided by other servitized businesses.

As more business activity moves online, this strategy increasingly means presenting your business' services as a set of web services or an application programming interface (API) through which those services are delivered -- or at least through which they're ordered, managed, and paid for, even if the actual delivery of the service to the end customer is still done by people and physical machines.

Opening up your business by exposing it to potential customers as an API is part of a "self-accelerating trend to openness", according to futurist and strategy advisor Ross Dawson. But this doesn't mean that every aspect of a business should be opened up. Indeed, the opposite is true.

"There are, crudely, three layers for information inside organisations," Dawson told the APIdays Sydney conference last month.

"There are some things which, for lots of reasons, will always be proprietary," he said. These include truly confidential things like trade secrets and other intellectual property, or data which must be kept confidential for regulatory reasons.

"At the other end of the spectrum, there's information you're quite happy to throw open to the world. And in the middle is the sharing of information with trusted partners... This starts to bring up some questions. What is a trusted partner? How do we know that they are trusted? What data does that mean that we share with them? How do we create our structures to be able to define what sorts of data, and in what formats, are shared with what kinds of trusted partners?"

All of that can be framed as one simply worded question: What information from inside the organisation should be available to which outsiders?

"Simple question, but answering that question is defining what the organisation will be. This is what the board of directors needs to consider... These are strategic decisions which shape what the organisation is," Dawson said.

Conceptualising the business as a set of APIs has potential benefits: Faster systems implementation times, reduced costs, more agile business structures, and a business focused on what makes it unique. But it also brings new risks.

"Clearly, there are security aspects. An ill-designed API can give access to internal systems, or be open to malware," Dawson said. "There are valid reasons you do need to worry."
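One way to give Dawson's three layers a concrete structure, and to answer his "what sorts of data, in what formats, to what kinds of trusted partners" question, is to classify every field of a record and make the partner-facing API a default-deny filter over those classifications. The example below is added here and is not code from the article or from any company it quotes; the field names, partner tiers, the `mask_email` transform and the sample order record are all hypothetical. It also shows why an unclassified field never leaks: anything missing from the classification table is treated as proprietary.

```python
"""Classification-driven field exposure for a partner-facing API.

Added example (not from the article or any vendor it quotes). Field
names, partner tiers and the sample record are hypothetical.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Any, Callable, Optional


class Level(IntEnum):
    PUBLIC = 0        # happy to throw open to the world
    PARTNER = 1       # shared only with an explicitly granted partner
    PROPRIETARY = 2   # never leaves through this API, whoever asks


# Classification of each field in the canonical order record.
# Any field NOT listed here is treated as PROPRIETARY (default deny).
FIELD_CLASS: dict[str, Level] = {
    "order_id": Level.PUBLIC,
    "status": Level.PUBLIC,
    "sku": Level.PUBLIC,
    "customer_email": Level.PARTNER,
    "ship_to_postcode": Level.PARTNER,
    "unit_cost_price": Level.PROPRIETARY,
    "margin_pct": Level.PROPRIETARY,
}


def mask_email(value: str) -> str:
    """A reduced 'format' for a partner that needs to match but not contact."""
    local, _, domain = value.partition("@")
    return (local[:1] + "***@" + domain) if domain else "***"


@dataclass(frozen=True)
class Partner:
    name: str
    level: Level
    # Allow-list of PARTNER-level fields this partner has been granted.
    # Value is an optional transform answering the "in what format" question;
    # None means the field is passed through unchanged.
    grants: dict[str, Optional[Callable[[Any], Any]]] = field(default_factory=dict)


def shape(record: dict[str, Any], caller: Partner) -> dict[str, Any]:
    """Return the subset of `record` this caller may see, in the granted format."""
    out: dict[str, Any] = {}
    for name, value in record.items():
        cls = FIELD_CLASS.get(name, Level.PROPRIETARY)   # unknown -> proprietary
        if cls == Level.PUBLIC:
            out[name] = value
        elif (cls == Level.PARTNER
              and caller.level >= Level.PARTNER
              and name in caller.grants):
            xform = caller.grants[name]
            out[name] = xform(value) if xform else value
        # PROPRIETARY fields, ungranted PARTNER fields and unclassified
        # fields are dropped; a grant cannot override a classification.
    return out


def unclassified_fields(record: dict[str, Any]) -> list[str]:
    """Fields silently denied because nobody classified them: review these."""
    return [name for name in record if name not in FIELD_CLASS]


# Constructed sample record; "internal_note" was never classified.
ORDER = {
    "order_id": "ORD-1001",
    "status": "shipped",
    "sku": "WIDGET-7",
    "customer_email": "alice@example.com",
    "ship_to_postcode": "2000",
    "unit_cost_price": 4.20,
    "margin_pct": 38.5,
    "internal_note": "chase supplier about lead time",
}

ANONYMOUS = Partner("anonymous", Level.PUBLIC)
COURIER = Partner("courier-co", Level.PARTNER, {"ship_to_postcode": None})
ERP = Partner("erp-vendor", Level.PARTNER,
              {"customer_email": mask_email, "ship_to_postcode": None})
# A partner "granted" a proprietary field still does not receive it.
GREEDY = Partner("greedy-co", Level.PARTNER, {"margin_pct": None})

if __name__ == "__main__":
    for caller in (ANONYMOUS, COURIER, ERP, GREEDY):
        print(caller.name, "->", shape(ORDER, caller))
    print("unclassified:", unclassified_fields(ORDER))
```

The point of the shape is that the board-level decision (which layer each field belongs to) lives in one table, while each partner agreement is a separate allow-list that can only narrow, never widen, what the classification permits; `unclassified_fields` is the review check that turns "we forgot to classify it" into a finding rather than a leak.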

It seems like we've come full circle.

A decade or two ago, before we started calling it "the cloud", it was just "the internet". Discussions about live data linkages between businesses were all about data standards, interoperability, reliability, and security.

Then we started calling it "the cloud", and the cloud would apparently solve everything with sparkly unicorn magic.

Now, as more business-critical applications are being delivered from the cloud as an API or web service, the conversation has come back to data standards, interoperability, reliability, and security.

"Our customers are far more educated than they probably were six or nine months ago, absolutely," Matt Goss, managing director of Concur Australia, told journalists at the Tech Leaders Forum last week.

"The business community is no longer [saying] 'It's in the cloud, it's OK'," he said. "They're asking software-as-a-service [SaaS] vendors serious questions about compliance standards, who their customers are, how long they've been operating, how they integrate with other SaaS vendors, and whether they support mobile users."

Concur's travel and expense-management software services were originally "somewhat on the fringes of what were called mission-critical systems", Goss said. "It was a great place for businesses to dip their toe in the water."

But now, partnerships with other vendors, such as cloud enterprise resource planning (ERP) vendor NetSuite, mean that Concur is directly integrating with core business systems.

"Cloud-based systems are creeping into the mission-critical components of businesses, and I think that is a big part of what's bringing the focus and attention for us," Goss said. "If you're using Concur, we touch every single one of your users within a business... Rather than being on the fringe, I would suggest that [cloud-based systems have] become more central to a business."

And when a system does become more central to a business, it needs to be trusted.

"The simplest way to get that financial data from Concur to NetSuite is via a web service or an API, so that's built very robustly," Goss said. "The other point I'd make is that it's only done by virtue of the customer saying, 'I want you to make this connection.' So the customer is the ultimate arbiter of whether that occurs."

But opening up your own business' core systems to those of another is a bit like needle sharing. You're injecting each other's data. For Daren Glenister, field chief technology officer with Intralinks, the answer to the trust question is to combine transparency with regular testing.

"There's a lot of vendors out there who will not allow you to perform security audits against their datacentres. Why? If you want to improve your security posture, have as many people do audits against you, so that you can actually find out if you've got weaknesses, and you can do something about it," Glenister told ZDNet.

"This isn't a plug for us, I'm just saying, we actually allow our customers contractually ... to come in and do a pentest [penetration test] whenever they want, and then we look at the findings, look for weaknesses, and fix them.

"But there's a lot of vendors out there -- large ones, as well -- who won't even allow you to do an audit against their datacentres. If you want to be a SaaS vendor, you've got to be interested in improving your [security] posture on a daily basis almost."

Intralinks provides secure inter-enterprise content management and collaboration tools for high-regulation industries, and it's already seeing increasing demand for proof that its systems are secure.

"More and more, we're being pushed, by the major banks especially," Glenister said. "Major compliance regulatory bodies are forcing people to audit... You're going to see more of it. We definitely are."

You only have to look at New York state's reaction to the massive data breach at JPMorgan to see where this is heading. The head of the state's Department of Financial Services is introducing tough new cybersecurity requirements for banks licensed in that state. While that doesn't include JPMorgan, which is chartered nationally, it does include Credit Suisse, BNP Paribas, and Santander, the Financial Times reported.

"It may come from New York, but that's coming to all of the major banks, which is then going to impact all of the international banks as well. SaaS vendors are going to have to be more open," Glenister said. Banks will be forced to hold their SaaS vendors more accountable. "The only way anybody can do that is if they do audits."

And as more organisations integrate payments directly into their systems, the banks will in turn get tougher on them.

Jeff Cotten, managing director of Rackspace's international business, agrees that vendors should be more transparent when it comes to their security practices -- and he also thinks we need more specific security standards.

"One of the challenges that we have is that there really is no defined standards around how we interface with each other, whether we're talking consumers to business, or business to business," he told ZDNet.

In the same way that businesses handling credit card data have to conform to the Payment Card Industry Data Security Standard (PCI DSS), Cotten would like to see a validation and certification process for personally identifiable information (PII) and other critical data.

"Having some type of more defined strategy around a business API ... gives us an opportunity to figure out how we create the right security mechanisms in that type of an interaction -- versus today, where it's a bit more open, and it relies on every business to protect themselves," he said.

"If you think about what's happened with Sony and others, we've all relied on them, and whatever practices they have, to actually deploy the right security mechanisms."

Rackspace requires its customers to encrypt all PII they hold, but apparently this sometimes requires convincing.

"It's amazing to me the debates that we get into with customers around are they willing to encrypt data or not. You would assume that in today's world, everyone would be doing everything they can to try and encrypt data," Cotten said.

"What we're all awakening to is that this is actually a problem that's existed for a long time, and it's now being exposed."

As far as Ross Dawson is concerned, the change is inevitable.

"There are massive risks to not taking action," he said. "If you say, 'Alright, this is all too hard. We're not going to expose any information,' you'll simply be left behind."

Disclosure: Stilgherrian attended Tech Leaders Forum as a guest of Media Connect. He has previously travelled to NetSuite's SuiteWorld conferences in San Francisco and San Jose as the company's guest.
