How did the assembled tech industry hordes at the Internet World trade show manage to give the impression that service-oriented computing is nothing to do with services? The Washington Post's technology reporter spent the whole day there on Wednesday, and yet still ended up writing that web services are "not about services at all." Once again, the industry's self-obsession is sending the wrong message to outsiders. It is so fixated on infrastructure standards between technology components that it doesn't give a second thought to what the end result of all its efforts is supposed to be.
Right at the top of the web services stack, up there above the application layer, sit users and businesses: real people doing real jobs. The role of IT is to provide automated services that enable them to do those jobs better and faster. It is precisely all about services provided to people; it doesn't stop with machines.
Of course we need all the infrastructure standards so that everything performs more seamlessly, reliably and speedily, but the exchange of services between machines is not an end in itself. It's just a stepping-stone on the way to providing great services to users and businesses. The finest achievement a technologist can aim for is to create technology so good, people take it for granted.
Therefore, when the industry speaks to the outside world of customers and users, it shouldn't boast about the amazing progress it's making on web services standardization. Impressive though that is, it's frankly boring to industry outsiders, something we should quietly keep to ourselves as part of the behind-the-scenes work the industry has to do to build great infrastructure. Instead, the industry needs to start focussing on how that technology infrastructure will help users and businesses do the things they want to do in their own environment, and help them do it faster, better, cheaper.
On that note, it's good to see the industry starting to talk about automating business processes, which Charles Fitzgerald, Microsoft's general manager of platform strategies, took as the theme of his Internet World keynote. What's not good though is to talk as if this is an idea the tech industry has just invented, with phrases like "The business process is becoming the new unit of work." The concept actually has more than a century of management science behind it, and so while the tech industry has done well to discover that it's important, it still has to do quite a lot more work before its message will ring true with the business world.
posted by Phil Wainewright 3:13 AM (GMT)
Thursday, October 03, 2002
Distributing web services
Reliably delivering web services to partners and customers depends on a more robust shared infrastructure than the Internet currently offers. But the next-generation infrastructure may be closer than we think. Last week, I cited Jeremy Allaire's observation that "Akamai has built an operating platform that exists inside the Internet." A few days later, I noticed McAfee.com's CIO Doug Cavit being quoted in an InfoWorld article about plans to use a .Net-enhanced version of Akamai's network to distribute updates to McAfee's remotely managed desktop anti-virus software. Here's an excerpt:
Cavit says he envisions eventually hooking his system into a third-party application that takes payment transactions, all processed at the edge. Using Web services "really is a big paradigm shift," Cavit says. "It opens up a whole new interesting set of ways of going about building the Web and it opens the door on the concept of utility computing and things like that ... that operate via CDNs or overlay networks."
When Cavit uses the phrase 'utility computing' we come full circle back to the same concepts that Jeremy was writing about in his article last week. But this is a different kind of utility computing than some people have in mind. Doug Kaye recently pointed to a pair of articles in Optimize Magazine, one of which dismayed me so much by its failure to understand the nature of utility computing as it's going to be enabled by web services, that I devoted my entire ASPnews column this week to putting the record straight. The Power of Utility Computing outlines a concept of incremental selective outsourcing to a shared grid of utility computing that is far removed from traditional notions of outsourcing.
posted by Phil Wainewright 3:44 PM (GMT)
Wednesday, October 02, 2002
Protecting digital title
The buzzword is digital identity, but the fundamental issue is digital title: who owns what in the digital world. The core objective of any system of digital identity is to connect people in the physical world to the digital assets to which they have title, or to which the owner has granted them rights. The more securely and reliably we can do that, the less we have to step outside of the digital space to complete transactions, and thus we can automate processes more completely, making them more convenient and productive.
Finding a way to automate the process of signing on to multiple online services is one of the most obvious ways of smoothing the flow of online commerce, and therefore single sign-on has been an important early objective of projects such as Microsoft Passport and the Liberty Alliance. But both have run into problems of security and privacy.
The security issue is a huge one because of the value of what is involved. If you use the same ID and password to log in to many different online merchants, you're concentrating a large amount of potential spending power into a single digital identity. If that same ID and password pair also gives access to your bank and credit card accounts, government agencies, utility billing accounts and personnel records at your employer, you are assigning almost total control of your personal assets to that single digital identity. This becomes a very attractive entity to steal. Concentrate hundreds of thousands (potentially millions, as Passport aimed to do) into a single, centralized system, and you are creating a treasure trove so attractive to hackers that its security is almost certain to be breached sooner or later.
The privacy issue is a side-effect of consolidating so much information in one place, particularly if it is done in such a way that enables the provider to track and analyze individuals' online purchasing and usage patterns at the various sites they sign into using this centralized system. At its most sinister, this could be used to uncover patterns of behavior that could compromise their rights to employment, insurance or medical care. More benign (but equally unwelcome) abuses might be the sale of customer details to direct marketers based on their matching specific purchasing or spending profiles. Oddly enough, people seem to get more worked up about this idea of big companies snooping into their private lives than they do about the risk of having their entire online identity hijacked by some miscreant. Neither is a palatable outcome.
Microsoft is repackaging Passport as a distributed platform after the original concept of a centralized service fell foul of both the above problems. The Liberty Alliance avoids a centralized system by adopting the notion of federated identity, in which users are free to register different IDs with different providers, but can then explicitly link their separate identities from one provider to another. Unfortunately, this still leaves the system open to abuse, as Doug Kaye pointed out in a recent essay, On Liberty and the Case for Anonymous Federation of Identity.
In two short sentences in that essay, Doug succinctly nails the fundamental flaw in all of these systems: "Who says consumers want a network identity? Why is that a good thing? I suggest it's unwanted, unnecessary and dangerous." By encouraging individuals to concentrate all their digital title into a single digital identity, we're asking them to commit one of the cardinal sins of secure systems. Single sign-on is a massive single point of failure.
This week, Doug has published a new essay that seems to outline a viable and elegant solution, and the key to it is a very simple switch in emphasis. Instead of automating the sign-on process by having a single sign-on that machines pass around to each other, you give individual users a tool that automates the process of managing multiple secure sign-ons. In fact, his system of Consumer-Centric Form-Fill and Sign-On also automates the process of filling the registration forms for each new service that the user signs up for, adding a great deal more convenience and time-saving than single sign-on ever offered.
You may well ask yourself how it is that one individual writing in his weblog can come up with a smarter idea than the assorted best minds of the industry working together in the Liberty Alliance (or indeed than all those other best minds at Microsoft). Well, there are three answers, all of which make a lot of sense, and the third of which is the clincher. To start with, Doug knows his subject. In 1999, he worked as the CEO for a proposed startup, backed by a consumer-credit information business and an online ad provider, that planned to link consumers' online and offline identities. He's currently writing a book about web services. He knows the territory. Secondly, nobody writing in their weblog is just one individual. Doug had a pile of feedback on his first essay from some of the top thinkers in security and digital identity.
The clincher is that Doug is approaching this topic with no particular interests to protect except those of the individual. I'm not saying that the members of the Liberty Alliance aren't also concerned with the interests of the individual. But here we have a body that brings together two groups who are most comfortable with a "big systems" approach to solving problems. We have huge corporations like American Express, Citigroup, United Airlines and Vodafone, who want digital identity systems that will help them protect and grow their market share, and we have IT vendors like HP and Sun, who want to be able to sign lucrative contracts to supply digital identity systems. Neither of these groups is eager to promote a low-cost, distributed solution that puts large and small online providers on an even competitive basis. As long as there's a possibility they can protect the interests of individual consumers by using capital-intensive methods that act as a barrier to competitive entry into their established markets, they have a duty to shareholders to continue to explore those alternatives.
Of course, it's entirely possible there are flaws in Doug's suggestion, too. Its reliance on a single automated form tool creates an exposure to hacking of that tool. It would be better if there were a range of tools available to reduce that risk. Each individual still stores all their profile data in a single database, which makes an attractive point of attack. There would need to be a way of certifying the trustworthiness of profile database storage providers without imposing too high a cost of entry to becoming a provider, thus ensuring a plentiful supply of reliable competitors. The main reason I'm attracted to it is that it matches the key ingredients of a security system as outlined recently in a profile of security guru Bruce Schneier in The Atlantic Monthly, where he argues that effective security systems are distributed (i.e. they rely on many small, autonomous components) while minimizing their reliance on keeping secrets.
It will be interesting to see what response there is to Doug's proposition, especially in the run-up to next week's Digital ID World conference. If any of the VCs come away from Denver without identifying a suitable investment prospect, maybe they should give Doug a call. It sounds to me like a project that's worth pursuing.
posted by Phil Wainewright 4:31 AM (GMT)
Monday, September 30, 2002
Web services foundations
Uche Ogbuji has written a remarkable essay on The Past, Present and Future of Web Services. It positions web services firmly in the context of their legacy, starting with distributed computing among mainframes and minicomputers, acknowledging the contributions of early pioneers such as HP's development of eSpeak and Dave Winer's stewardship of XML-RPC, explaining how ebXML fits into the picture, and recounting the birth of SOAP, WSDL and UDDI.
This is an invaluable document for understanding the true origins of web services, even without part two, which WebServices.Org will publish later this week, and which promises to review developments during 2002 and then take a look at what the future will hold.
While on the subject of excellent overviews, ZapThink in its email newsletter earlier this month published a superb summary of Web Services' Idées Fortes. In it, Jason Bloomberg does a very clear job of demonstrating why the three core principles of coarse granularity, loose coupling and asynchrony are the key to web services, and why it's essential to incorporate them when designing systems with web services:
Coarse granularity is ... the key to business process automation. For companies to automate their processes, they must be able to work with business concepts from a business perspective. Business managers couldn't care less about API calls; they want to work with coarse-grained business concepts like customers and orders. Web services are the key to making this coarse granularity possible. Many current web services implementations are missing this point entirely by performing direct one-to-one translations of existing APIs into web services interfaces. Companies will realize a much greater ROI and business benefit by not only implementing web services, but by making them coarse grained.
Jason goes on to note that "coarse granularity requires loose coupling, and is also an asynchronous process," thus bringing the three concepts together. "Web services take these common-sense notions of how people and businesses interact and put them into software."
posted by Phil Wainewright 8:15 AM (GMT)
Assembling on-demand services to automate business, commerce, and the sharing of knowledge