Applications Service Providers May Change Your Life

HWeissfield writes "ZDNet has an interesting article by Jim Seymour concerning the recent advances by ASPs and how this new paradigm of software use could potentially change the way that productivity is created." (More below.)

HWeissfield continues "I saw this as an unsurprising evolution of the way that the Internet is influencing our society today, but I question whether we can really leave critical applications and reports to someone other than ourselves. It may be common to use the terminal paradigm on mainframes where computing power is grandeur and reliable connections can be made, but what about the chaotic and unpredictable mass that is the Internet? Where could Linux fit into this structure that may be prevalent in the future?"

For one thing, it may mean "instant" commercial accounting and tax software for Linux, BSD, BeOS etc. without begging companies that publish such things for ports to your favorite OS. For example, Intuit, publisher of Quicken, Quickbooks, and TurboTax, is reportedly ready to roll out cross-platform, Web-based apps big-time. If they do this - and if their competitors follow them - it'll save a lot of small businesses, from the need to maintain a Windows or Mac box in a corner to run financial software after they've switched to Linux, *BSD or BeOS as their primary OS.

This is a "must read it all the way through" article. It's deep and thoughtful and (as HWeissfield points out) it raises many questions. Care to take a crack at answering some of them?

Outstanding!

[Just+Some+Guy]

What a great article! It changed my life! It's a must-read!

Erm, where is it?

The URL?

[AdamT]

From the source: http://www.zdnet.com/pcmag/stories/reviews/0,6755, 2348942,00.html

Or maybe here...

[Dowser]

http://www.zdnet. com/pcmag/stories/reviews/0,6755,2344646,00.html

Interesting concept

[jd]

Web-based applications aren't "new" - Java was Sun's venture into this line - and they do move in the direction Sun have been anticipating (the "Networked Computer"), but that doesn't make them any less fascinating.

One problem, though - web-based applications are constrained by the limits of HTML as a presentation language. (Now, if web browsers also supported TeX, they'd be awesome! :) The fact is, whilst the web's presentation is inferior to that obtainable by a specialised, locally-running application, the local application will always be the program of choice for the majority of users.

Then, there's the degree of control you have. This affects "geeks" (read: computer hackers) more than "real users". Where's the benefit in supercooling, overclocking your 1GHz Alpha, running Journalled Reiserfs on your home-built RAID array, expanding up to 256 megs high-speed RAM, and running the very latest Enlightenment & Gnome on X11R6.4, if none of this gives you ANY benefit whatsoever? If the application is over the web, your computer is nothing more than a dumb terminal, no matter what you've done.

Lastly, there's a security issue, here. No ISP, AFAIK, is using IPSec, or ESN. No IPSec means no real security in any of your applications, or your data. No reliable authentication. Minimal encryption, if any. No ESN means that unstable applications or web-browsers can cause DoS. Automatic throttling of rogue processes is essential for something like this.

P.S. To those complaining about the lack of a link: If you're looking for a ZDNet article, you might find it best to start at ZDNet's web site, and use their search facility. It's not painful, I promise. And it means the rest of us can get on with discussing more important stuff.

This is...ehh....

[bconway]

I am completely opposed to this approach for a variety of reasons. First off, cpu power is cheap. Period. Secondly, by centralizing such mundane tasks as word processing and office products (as Sun plans to do), the chances of needing to do a simple task and having it unavailable increases exponentially. Even the best ISPs have some downtime on services. Why should I use a centralized (or heaven forbid, web) interface if I just want to type up a report when I can get it done easily and safely on my own? This is a grotesque idea, and one for which there is no need for. Just because something can be done, does it really mean it should?

Not quite there yet

[jalefkowit]

ASPs are a good idea, but they won't kill off local applications completely. There are a number of reasons why:

• Security. Would you entrust confidential corporate communications to a Hotmail account? OK, now ask yourself if you would entrust the spreadsheet with all the juicy details of your Top Secret business plan to MSExcel.com.
• Usability. Just about every web-based application suffers from having to use HTML as a front-end. HTML is great but it is NOT the One True User Interface to Everything -- it's optimized for browsing hypertext, not word-processing or spreadsheet navigation. See Jakob Neilsen's excellent Alertbox column on this subject for more detail.
• Performance. Most people are still accessing the Web through modem connections. This makes it difficult to supply data-intensive applications online, and it also adds the extra burden of having to log on to get to your application (which, unlike installing new software, is not a one-time annoyance).

The article claims that Microsoft is developing a version of Office that would work over the web. Suuuure. Microsoft always claims to have a version of its products in the pipeline that works with whatever the buzzword of the moment is (remember Windows for Pen Computing?). They do this to look like they're on top of developments in the industry and to scare off potential challengers, not to develop killer apps for new technologies. Besides, if all applications were Web-based, Microsoft's desktop monopoly would be meaningless, and we all know how seriously they take THAT.

So, maybe in a few years, when bandwidth improves and security improves and some other things improve, ASPs will be universal. But for now they're better for niche applications than they are for general use -- they're just not ready for prime time yet.

-- Jason A. Lefkowitz

Looking before I leap

[Just+Some+Guy]

There are a few issues I'd demand to see addressed before I'd willingly switch to a remote application server:

• Backup.
  Local: Oh, damn, I deleted September?!? Hey, Matt, could you pop the September end-of-month DAT in?
  Remote: [hold music while my credit card charge for "advanced services" clears]
• Security. What security model does the service use? Does one root user have access to every user's data? If so, I want that job. Screw insider trading!
• Bandwidth. I'm sorry, but this seems to be glossed over too often. Yeah, I know, we'll all have our own private T-1s next year, and xDSL in our country retreats... Sure. For now, I suspect that the vast majority of personal users are browsing over analog, and I don't know too many businesses ready to upgrade their dual-channel ISDN to a DS-3 so that the secretarial pool can run WordPerfect. I don't care if it does get cheaper - so will the local hardware it would be replacing.
• The Slashdot Effect. Services will make design decisions based on expected average load, not peaks. What happens when I've absolutely, positively, got to have this report finished by noon, but it's final report time at Schmuckitelly University (who's a paid user of the same service)? Can the service (for a premium, even) guarantee that my requests can get a higher priority?
• Liability. What happens when the service deletes September (see above)? You can bet that there will be limited liability clauses left and right, so how far are you willing to trust their assurances?
• Better than local servers? Related to the Bandwidth entry, hardware is getting cheaper just as quickly as bandwidth (except for that $#!(*(%! RAM!). How can a remote server expect to remain as cost-effective as a local one? And how will you feel the first time that a service decides to subsidize their rental income with banner adds across the top of your spreadsheet? And what about when you realize that those banner ads are specifically targeted to whatever spreadsheet you're currently working on?

Maybe I'm wrong; I certainly hope so. But part of my paycheck derives from a healthy sense of paranoia. I just couldn't, in good faith, encourage my employer to jump on this particular bandwagon.

Re:Looking before I leap

[Just+Some+Guy]

Backup / Security / Liability
Although your application runs remotely, your data can stay local.

I think perhaps that my morning coffee hasn't kicked in yet, but I don't see how that would work. Do you upload foo.txt to the server, run the app remotely, and download foo.txt when you're done?

The Slashdot Effect
Simple answer: more servers, with load balancing.

I have to admit that I don't particularly like that idea. See, if I run a local application server, and it's starting to bog, I can take the initiative to fix it right now. If I were renting remote apps, then I have to trust that the service is going to maintain their gear at a level that gives performance that I consider acceptable. I don't believe that every (or even most) vendors would slack in that arena, but it's still a potential problem. I mean, it's terribly annoying when a remote mailserver is overloaded and holding your mail too long. What if that mailserver was instead running your appointment scheduler?

I'm not going to claim that remote applications are a panacea for everyone, but it does make sense in many business applications.

Thanks for your answer. I'm really not trying to be argumentative - honest! :) I would agree that app servers may be the answer for some companies. The niche I imagine, though, would be small/new companies who lack the capital to buy their own local equipment. There would be a definite benefit in borrowing a high-dollar database until you can afford your own.

Re:Looking before I leap

[mulan]

My company has outgrown Quickbooks. In light of that, we have been investigating several Application Service Providers for potential financial service candidacy. The big debate has been to use an ASP for accounting services or purchase a reputable software package, a server to run it on and keep it in-house. The final verdict: the latter, and here's why:

Small to mid-size biz
Several of the ASP's I researched and spoke with advertise that they specialize in solutions for the small to mid-size biz. Dell defines a small to mid-size business as a company with = 10 concurrent users. For a biz that cannot afford a $20,000USD accounting package, I can hardly see how that same biz can swing the cost for an ASP (see below)

Cost
For a 15 install/user-base (their minimum requirement) Corio charges approximately $13,000USD per month for software, hardware, bandwidth and technical support for financial services. PeopleSoft is used as the backend and I do understand that PS isn't exactly $15 shareware from Tucows, but $13K is a lot of money, regardless.

I realize that the Application Service Provider market, as it is defined these days, is a relatively new field of service. However, the cost is excessive, the requirements haven't been as accurate as they appear and all of this causes the people that could benefit the most, to be shut out.

It's an excellent idea, but the market needs more competition. Lower the prices and scale to what you advertise.

Re:Looking before I leap

[tweek]

The lab I network admin at recently did some testing for a big client that required a Winframe connection to the client to do the testing. Since I had to set up the machines, I got a chance to see exactly how well winframe worked. Going over a 28.8 (barely) connection to the clients dial in which serviced all of the company's sales force, the performance was amazing. Admitedly they load balanced the terminal server connections, but once you connect you are locked to that server. I thought it would be like vnc (horribly slow over some networks) but it was as if I were sitting at the machine itself. you see you local drives in the remote file manager. It is truly sad that Microsoft sucked up another comapnies great technology and claimed it as their own.
"We hope you find fun and laughter in the new millenium" - Top half of fastfood gamepiece

Different markets

[Kaa]

It is worth noting that there are very different markets for software. For example, I expect server-based applications to be quite successful within the intranets of large and medium-sized corporations. There is plenty of bandwidth and control, no problems with trust and security (at least, no more than they already have), tech support becomes noticeably easier, and collaborative work could become easier. Not to forget about the eagerness with which the IT departments will jump on the opportunity to wrest control back from those pesky and unruly users.

However for outsourcing applications the case is completely different. I doubt we'll see many individuals or companies relying on their applications for external entities. There might be exceptions (e.g. for stuff like payroll and accounting), but basic stuff like word processing and spreadsheets will remain local for a loooong time.

To summarize, if you work for a big corporation, prepare to see your PC morph into a semi-dumb terminal. If not, don't worry, be happy.

Kaa

Yeah, except...

[Greyfox]

All those apps will probably end up being IE-Only, using some proprietary Microsoft crap.

How you make money in the software business

[mr]

Microsoft (and others) have been trying to figure out a way to improve the revenue stream.

The way the shrink-wrapped world most of us life in goes like this:
The package is sold (cash for producer)
You use the package.

Barring some lame file format changes, or an OS change, if the software worked for you in 1980, and your needs haven't changed, why would you help the software developers bottom line by buying a new version? (And it is possible to run that 3.3 copy of CP/M WordStar :-) ) You can see why, to developers, Microsoft is the company they love to hate. Note too, how among the Macintosh faithful, how the Mac OS allowed older code to run un-modified worked to the Mac's advantage.

The model of a limited time license you need to re-up doesn't work well on the shrink-wrapped PC platform. (Although Microsoft has that as a 2 year site license for businesses using Office 97/98)

The model of charging a yearly maintenance fee is tried by many shrink-wrapped vendors. But, this is used more as a warranty program. In exchange for money, (and evening out our cash flow) we will send you the new software when we make it.

If you try to follow the model of buying the features you need, then the maintenance model doesn't work. And how does the vendor get more money out the users.

Ok, how about the model of a yearly licensing fee? This has not worked, other companies rush in and take your customers, by pointing out how they have a lower cost of ownership. (assuming an infinite ownership time)

Now, what if you charged a company or person every time they used a service (Really, the software)? This model is:
Recession resistant. (if the business cycle takes a downturn, you can't sit out an upgrade cycle, now can you?)
Evens out the cash flow
Simpler to control the licenses and therefore the revenue stream. (harder to pirate)


Remember the stink about how Microsoft was going to rent software? And no one really wanted it? The ASP is just another form of rental.
And a way to provide steady and increased cash flow.

Re:Priority #1 for ASPs - reduce costs

[Paul+Carver]

You seem to be under the impression that these ASP are subject to the kind of strict regulations that apply to banks and other financial institutions. I didn't see any evidence to support that belief.

Banks are generally not "fly-by-night" operations because there are fairly severe penalties for people who run their financial business in a casual anything goes manner. Since ASPs are so new, I doubt that there are any regulations. The individual ASPs will probably be making up their policies as they go along and doing whatever they can get away with.

Browser Compatibility, and Some Doubts

[Effugas]

Remember all the talk about how, if Linux loses the battle over browser compatibility, it loses the war for the desktop?

This, my friends, is a large reason why.

Only two things have prevented ASPs from becoming an integral part of the standard computing experience:

A) Lack of widespread high speed networking.
B) Immature tools for representing quality interfaces over HTML/Java/etc.

The judicious use of the extensions offered in Internet Explorer 5 arguably makes somewhat irrelevant the former(there's still the problem in that it's not particularly efficient or stable to have application functionality dependant upon a network connection; but then again it's arguable a server is much more likely to Autorecover much more reliably than a desktop OS) and almost totally obviates the latter.

The only thing preventing more applications from being designed in this manner is the fact that IE5 is nowhere near ubiquitous. Don't laugh--critical applications are already being designed according to Microsoft's master plan: Dialpad.Com, the surprisingly effective free Voice-Over-IP-To-Any-Landline-Telephone, is written in Java with some kind of Windows specific extensions.

Why? Two reasons: One, Sun has utterly bungled Java beyond belief when it comes to deploying new libraries, and two, Dialpad figures (witheringly reasonably) that the majority of their users can successfully *use* Windows specific extensions.

Of course, the fact that Dialpad apparently works successfully on Netscape for Windows hints at broken not-quite-cross-platform code somewhere in the pipeline. (Probably some native methods being used.) Either that, or the system's intentionally limited. I doubt that though--Dialpad actually added detailed Linux Masq instructions to their site. (Joy!)

Dialpad, incidentally, is a fascinating case study in how an ASP can operate. They are actually entirely standards-compliant, using H.323 to move their voicestreams around. However, they implemented a system they call Split-323(patent patending, which is slightly silly since the core concept is found all over the place) where most of the heavy H.323 lifting is done on the server side, with only the voice codec'ing remaining for the client to execute. Quite nifty, and is likely the general paradigm we're likely to see for systems that traditionally required binary application deployment--a small application, usually net-deployed, that executes whatever specifically requires a presence on the individual host(in this case, digital audio in, out, and compression) with the rest being left on some server out on the global Internet.

I said this is what we're likely to see. I didn't say it's the greatest idea known to man.

On the one hand, ASP style deployments work beautifully for applications that are inherently communication oriented. Dialpad is about connecting to other phone lines. MindTerm, the mind-bogglingly(sorry) cool Java deployed and amazingly full featured and GPL'd SSH client, brings high end communicative security in package that requires no installation beyond accessing a web page.

But do we really want non-communication based applications to require a network connection?

Pundits like to go on and on about how broadband is going to be all over the place in a few years. Bruce Schnier, author of Applied Cryptography and creator of the excellent Blowfish encryption algorithm, observed that while high end processing power will increase on and on ad infinitum, the low end never goes away--it just gets smaller, deployed for never-before imagined applications, etc. Smoothly scaling performance from the high end to the extremely low end is, therefore, a value. I posit that bandwidth is much the same way--maximum speeds will get higher and higher(indeed, in the course of the last 5 years I've gone from a 2400bit link to a 1,500,000bit link!), but there's always going to be something puttering along damn slowly and not entirely reliably. Look at the proliferation of wireless technologies proudly proclaiming speeds that are laughable in wired realm but are actually pretty cool once made wireless.

It's the wireless side, specifically laptops, that suffer the most from the ASP paradigm--wireless bandwidth is far more scarce, and many applications already deployed on them are intrinsically non-communication oriented. To force laptops to initiate connections whenever basic applications are to be used removes much of the freedom intrinsic in a battery powered, portable computing environment.

On the flip side, I'll be the first to admit that laptops have been made much less free by the degree to which communicative uses have taken over the actual applications people run. The concept that a laptop would become almost entirely useless, though, without Net.Mommy somehow being able to tunnel a link to it is rather bothersome nonetheless.

Security is a far more pressing concern. People fail to grasp the vast amount of security embedded in the simple fact that their files are located on their hard drives, in their homes, on a machine that is running no remote access services and is not permanently connected to the Internet. This security is eroded constantly by a disturbingly large number of intentional(in the RealNetworks fiasco) and unintentional(insert browser vulnerability here) ways, but literally moving the location of an application from onsite to a remote location introduces an incredible number of possible points of attack, from data corruption to privacy violation / industrial espionage.

A perfect example: GPS-Assisted Destination Routing. Take something like Mapquest.Com vs. a traditional CD-ROM based Street Atlas USA.

Mapquest requires no CD-ROM sale, would never have out of data information on the marketplace, could probably add a Dialpad-style applet to receive location data from a GPS receiver, and would probably require some form of wireless connectivity a la (the soon to be ridiculously oversubscribed) Ricochet service.

In comparison, Street Atlas USA does require a CD-ROM sale, would eventually suffer from stale data, would have GPS easily integratable with the core application, and would require no (expensive) wireless networking to function.

How easy it is to ignore that Mapquest would be receiving up-to-the-minute accurate positional and destination data for whoever's using their service. Combine the ridiculously pitiful privacy standards that Corporate America operates under with constant pressure from VC's to find sources of funding and the ease at which Net vendors can pass off security and privacy lapses as "accidental occurances which have already been fixed" and suddenly the ASP picture becomes much more dangerous for the end user.

The bottom line is, when it comes to security, trust, no matter how great, is no competition to a brick wall: Security Through Impossibility is simultaneously the simplest and most effective means by which sensitive data can be protected from malicious agents. ASP's demand much trust to be usable, and while benefits from ease of deployment and harms from reduced functionality and accessiblity are significant concerns for any business considering employing an ASP, one has to wonder at what times it is justified to remove the brick wall inherent in on-site deployed solutions.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

The Real Danger Here is data!

From a corporate perspective (hi boss!), the ASP model is extremely compelling for two reasons:

1. Recurring income. This was pointed out by a previous poster, but I mention it again because it's relevant.
2. Lock-in. This is where we need to get scared, kiddies. If you're using hosted, outsourced software, who really controls your data? Here's a hint: it's not you.

Once you've built up a backlog of data on your host, you're locked-in, forever. You'll never be able to migrate off their system, because THEY have all their data!

I come from the mainframe world, where this type of lock-in is standard practice. Once you get your system into a customer, you start turning all of their OWN data into your proprietary format. In the mainframe world, this mostly happened by accident, because people HAD to just invent file formats left and right. In the outsourced ASP model, it will happen ON PURPOSE.

So, let's assume that you're using XYZ Accounting, an ASP package. Maybe you decide that you want to use QRS Accounting instead, and you notify XYZ that you want your data.

They say no. Or, if you were careful in writing your contract, they'll respond by charging you a fortune in "conversion services" -- which you agreed to when you signed the contract.

And I'm sure some of you are thinking "hey, that's my data, they can't do that!". Well, let's think about the credit card companies -- it's YOUR purchasing patterns that they monitor, and they get to sell them for a profit. If you want to see your "own" data, you have to jump through their hoops. If it hadn't been for an Act of Congress, you probably wouldn't be allowed to see that data AT ALL!.

In summary: if any of you are thinking about going down the ASP route, be sure that you have clauses in your contracts that give you final ownership of any data you generate. If you don't, you'll get screwed.

Take it from me; I've seen it happen by accident. Now it's going to happen on purpose . . .

Man, I'm glad someone said this

[DonkPunch]

The whole "paradigm" (yech, I hate that word) of network-distributed applications falls right in the laps of Free OS's like *BSD and Linux. Here, they can offer low-cost, high-availability servers running on commodity hardware. The platforms are exceptionally well-suited to becoming application servers in much the same way they've already proven themselves as http and ftp servers.

IMHO, this is such an easy win for these systems it's not even funny. It would be a shame if a myopic infatuation with Linux on the desktop led to this opportunity being lost. By the time Linux is accepted as a "desktop OS", distributed apps may make the desktop OS an outdated concept. Why not get an early start on tomorrow's goals right now?

Re:Off topic; but...

[Effugas]

any idea why DialPad wants to have network access...

Well, I'd venture it has something to do with the fact that it lets you call up telephones via the Internet for free.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Tell-me-again-how-I-won't-need-an-IT-dept dept?

[DragonHawk]

One thing the author keeps jumping up and down about is how we "won't need an IT department" anymore after the move to ASPs.

Ummmm, who exactly is going to connect up all thse network workstations to the net in the first place? Who's going to run the LAN? Remember, now, folks, your average biz user has about as much interest in IP subnetting as the contents of Rob Malda's stomach. And rightfully so -- the whole point of IT folks like me is so they don't have to worry about 40 acronyms that end in "P".

It would be nice not to have to fight with Windows/Office/etc. all the time, but I really don't see IT departments going by the way side just because you're dependent on the outside network now.

Ballmer's wet dream

[jafac]

This ASP thing has been Ballmer's wet dream for a couple of years now. It's one of the reasons they invested so heavily in IE, and MAD (Microsoft Active Directory).

However, this is a thing that the software companies are pushing for, and the analysts that are in their pockets.

I suspect that most people will not buy into this idea. It's an issue of trust, and "having the biggest dick" (fastest desktop machine). While the ASP model may be adopted roundly as an internal corporate thing, the vast majority of users out there will not adopt this stuff if they have the choice. It is bad, economically for consumers. It's like the difference between owning and leasing a car. Or owning your home and renting it. The data security issues go on top of that.

Unfortunately, like I said, if there's a choice, consumers won't buy into this - however, the way the software industry looks today, there's not much choice out there. Software vendors only have to tweak their pricing structures to make "renting" more attractive (short term), and owning economically unfeasible (like, when was the last hobbyist you talked to who actually BOUGHT a copy of Photoshop? I know ONLY professionals who pay the exorbitant fees Adobe charges). So, MS Office = $30/month through ASP, or you can BUY a copy for $1500. Don't like it? So? - Intuit. Quicken via the web = $30 a month, except for April, where they'll charge $50 because of increased demand, CD, $1000 (or more likely, unavailable).

Ballmer would just love to become a software slumlord, rather than a salesman. It's all about steady revenue streams, and captive audiences.

I wish I had a nickel for every time someone said "Information wants to be free".

Just put them out of business

[heroine]

Well if the suits end up tethering all of us to centralized servers using software we can't own, I'll be happy to put them out of business by offering consumers a package they can take home and actually own outright, even if my degree isn't CS, like they seem to banish you if you don't have.

I-see-porcine-wings-forming dept

[copito]

Remember the 3 of the Twelve Networking Truths

(3) With sufficient thrust, pigs fly just fine. However, this is
not necessarily a good idea. It is hard to be sure where they
are going to land, and it could be dangerous sitting under them
as they fly overhead.

At first blush I would tend to agree with you, but let's dream a little. IPv6 has the potential for revolutionizing autoconfiguration of devices on a network, as does Jini or whatever Sun's NC flavor of the month is. I can imagine a world in which computer networks are set up like telephone networks or electrical networks. A professional contractor comes out to install and maintain the major hardware, but the individual user can plug in an individual device that doesn't need any configuration to be useful.

But never fear, pager jockeys aren't likely to be out of work anytime soon.
--

GPL relevance in an ASP world

[copito]

Since ASP providers never distribute their program, it would seem to me that they could integrate GPL software into their offering without redistributing source. If ASP became ubiquitous (a big if), this could lead to interesting conflicts.

I'm not terribly concerned since it would simply make GPL software more BSDish, and BSD software seems to be doing just fine.
--