Cloud computing and SaaS: New data mining tools for the IRS?

A business can implement TIO and still protect its data

The dream of many CEOs has come true: corporate information systems with no IT staff to manage are now available. The concept of Total Information Outsourcing (TIO) – which consists of implementing the whole information system of an organization through Web based services using technologies such as Cloud Computing or Software as a Service (SaaS) – has become a tangible reality. TIO provides one of the lowest possible Total Cost of Ownership (TCO) for modern information systems in a company because it relies on economies of scale. It also helps companies without enough resources, such as Small and Medium Enterprises (SMEs), to implement Enterprise Resource Planning (ERP) or Customer Relationship Management (CRM) within a matter of minutes and often at a very low cost. TIO covers almost any aspect of business information systems, such as email, groupware, productivity, telephony, finance, project management, etc.
For most companies TIO is a great opportunity to quickly implement a more efficient information system and at the same time reduce their expenses. However, TIO introduces new risks which can evolve into new costs and eventually lead to dramatic situations, unless they are considered upfront. One risk is related to anti-competitive practices which prevent a company from migrating from an existing TIO supplier to a more efficient one. Another risk is related to new forms of data intrusion arising from government laws or from Service Level Agreements (SLA). Both risks can be reduced or even eliminated by adopting the “TIO Libre” recommendations, a set of guidelines created to protect enterprise freedom in an environment where all of a company’s information in electronic format resides outside it, provoking a sensation of loss of control.

The core technologies which are used to implement TIO – namely Cloud Computing and SaaS – consist of keeping corporate data and applications on servers located in remote data centers owned by third parties, which raises two questions. One, can I get back my corporate data? Two, can I get a copy of the software that processes my data? In the case of many suppliers, the answer to both questions is no. This implies that organizations that select those suppliers are copying, little by little, the heart of their business data – clients, orders, financial records, production processes, etc. – to a remote location to which they do not have enough access. A partial answer to this problem is the notion of Data Portability (http://www.dataportability.org), under which TIO suppliers must provide a way for clients to download corporate data stored on their servers in a standard format. However, this does not mean that all data can be downloaded, nor that the software to operate the data is provided. Therefore, important information would be lost in the process, preventing a sound migration to another TIO provider. Application logs, which are very useful in the case of lawsuits – to prove the dates of transactions entered into a business application – are also often absent from the standard formats of Data Portability. The same applies to the history of data input. Last, but not least, getting the data does not mean that any software application is available to operate this data. Many TIO providers keep their software applications secret and only install them on their own platform. The only way to operate the data downloaded from the TIO provider on another platform may consist of developing a similar application, which can incur a very high cost. In short, many TIO providers try to restrict the “freedom of movement” of their clients, either by keeping their data or by making sure there is no way to easily operate their data outside the supplier’s domains.

Most of the TIO’s risks can be identified by carefully reading the SLA, which defines what service is provided to a given client and how. Provisions related to “privacy”, or the lack of them, are essential parts to identify in an SLA. Clauses which guarantee that private business information can be processed for “developing new services” can be interpreted in different ways. What is the appropriate interpretation, for example, when a CRM SaaS company develops a new market research tool? Does this mean that private business information entered into the CRM can be provided to a competitor? Some privacy policies are based on the notion of “aggregates” which are supposed to be anonymous and protect privacy. However, if a company is the only one to sell a given product or has a leading position in a market segment, data aggregates may contain mostly the same values as those of that company and are no longer really anonymous. Data aggregates also create a risk of breaching trade secrets.

Even worse, certain provisions defined in SLAs can be overridden by federal laws. In many countries, suspicion of corruption or money laundering in the context of international trade can be used to force a TIO provider to disclose the private business data of certain clients without notifying them. For this reason, it is essential to make sure that the laws which apply to a given TIO provider do not create any risks of this nature. It is also essential to keep track of legal developments. The banking industry is a good example of how the notion of secrecy has evolved over time. Nowadays, tax administrations have become advanced users of data mining technology. Thanks to data warehouses fed from multiple sources, tax administrations are capable of cross-checking values and detecting tax fraud. Little by little, tax administrations have forced banks to disclose more and more information which used to be protected by banking secrecy. True banking secrecy can only be found nowadays in a few countries, such as Belgium or Luxembourg, and has become a kind of exception to the rule. The same legal evolution could apply to TIO. Let us imagine what would happen if the IRS (Internal Revenue Service) could collect in its own data warehouse a copy of the data which has been entered by users of a company into a SaaS CRM or ERP. This would definitely help the IRS to prove that certain fiscal optimizations are actually tax fraud, by getting a much broader view of the company’s activities at home and abroad.

These risks are major risks for a business. Yet, TIO is so convenient that it is here to stay and grow. Rather than fighting against TIO, Cloud Computing and SaaS, and rather than adopting a naïve attitude and ignoring the risks, the Foundation for a Free Information Infrastructure (http://www.ffii.org) has created a workgroup to explore ways to minimize the risks for companies wishing to adopt TIO. The initial recommendations were published on December 1st, 2008 at the Open World Forum held in Paris, France, with the presence of representatives from 50 countries, including major open source experts from the United States. The FFII TIO group has presented the concept of “TIO Libre,” which defines 3 freedoms that a company should look for from their TIO supplier. The first freedom, called “Data Freedom,” consists of making sure that all data, including logs, stored by a company on the servers of a TIO provider can later be retrieved and downloaded without any loss of information. The second freedom, called “Software Freedom,” consists of making sure that a TIO provider supplies, under an Open Source / Free Software license, all the software necessary to operate the data provided without any loss of application features. The third freedom, called “Competition Freedom,” calls for making sure that the TIO supplier is not using legal tricks, such as patents on business methods, as a way to block any possible competition. The FFII has started to create a list of providers which accept this “TIO Libre” vision and provide their services in a way which protects both their business and the business of their clients (tio.ffii.org). By adopting “TIO Libre,” companies are free to change from one TIO provider to another, from one country to another, reducing the risks related to the lack of loyalty, transparency or efficiency of a supplier. “TIO Libre” providers are now available for ERP, CRM, Voice over IP and Cloud Infrastructure.
We hope more suppliers will soon join the TIO Libre breakthrough and contribute to a world where trade secrets and free competition still thrive.

For more information about the TIO workgroup of the FFII, visit their web site at http://www.tiolibre.org.

-----------------------------
By Jean-Paul Smets-Solanes & Rogerio Atem Carvalho, members of the TIO workgroup of the FFII
Source: EMQ

Jean-Paul Smets-Solanes is the CEO of Nexedi and Rogerio Atem Carvalho is a Professor at the Instituto Federal Fluminense. They are both members of the TIO workgroup of the FFII (Foundation for a Free Information Infrastructure).

© 2009 Boston Hannah International.
