Outsourcing to an ASP is all the rage. But is it really all that?
For the past year, we’ve all heard the hype about application service providers (ASPs). In short, leasing software rather than owning it is supposed to help businesses lower total cost of ownership (TCO) for software by getting out of the upgrade game. In theory, ASPs can enable businesses to have the latest and greatest without all the hassles of upgrading individual software seats across the enterprise. Other benefits include lower maintenance costs and integration with other software outsourcing services such as custom security configuration.
As usual in technology, there is a gap between hype and reality. Doubts and questions remain about the advantages of ASPs and their offerings, as indicated by a recent survey conducted by the ASP Industry Consortium. For the first time ever, non-ASP customers were questioned about their reasons for not using (or planning to use) ASP services. Almost half responded that they did not see any clear cost advantages to ASP services, and about a third were not even familiar with the ASP concept. These findings are significant in that they reflect general confusion about the industry.
For starters, there is no clear definition of an ASP, and recently, the definition has been stretched to include application infrastructure providers, system integrators, network services, and other value-added services as companies attempt to redefine their businesses to obtain a share of the profitable ASP and Web-hosting marketplace. Some reports estimate that more than 1,000 companies list themselves as ASPs. Framingham, Mass.-based International Data Corp. (IDC) projects that the hosting services market will grow from $820 million in 1998 to $18.9 billion in 2003, representing a compound annual growth rate of 87 percent.
Confusion about ASP services has made potential customers reluctant to outsource services. Generally speaking, an ASP should provide not just the applications, but all the IT infrastructure and support services necessary to deliver them via the Internet or a private network. Unfortunately, the service is not so straightforward. The market is strewn with inconsistencies. Some ASPs have the internal resources to deliver applications to customers. Others provide only some of these services–such as application or network management–then work with complementary partners to offer customers complete solutions.
Add to the mix the many ASPs that are partnering with Web-hosting providers for their robust telecommunications infrastructure and Internet expertise, and it’s clear that the ASP and Web hosting industry has become one immense mélange of e-commerce and enterprise services. Channel partners may serve the vertical-application needs of customers while the provider handles the horizontal-hosting needs. In most cases, the application and Web hosting services are intertwined. ASPs with deep pockets and strong partnerships are positioning themselves as general hosting service providers, allowing customers to outsource as much or as little as they choose.
Despite the varied business models and inconsistent offerings, the trend toward outsourcing application hosting services is evident and continues to rise, driven mainly by the cost of implementing a secure, scalable environment. Research by Stamford, Conn.-based GartnerGroup shows that the IT and personnel costs of securing Internet-exposed applications are three to five times higher than those of equivalent internal applications, leaving businesses hard-pressed to find IT staff.
Furthermore, dot-coms experiencing fast growth are having a hard time keeping up with the increasing number of transactions. Ninety percent of Web-site executives surveyed by New York-based Jupiter Communications said their sites could not handle a doubling of transactions, never mind an 11-fold increase. As a result, 54 percent of these executives surveyed projected a 70 percent increase in infrastructure spending for the upcoming year. High-quality hosting services have the necessary networking infrastructure, telecommunications equipment, and the technical expertise to deploy e-commerce systems–a luxury few companies can afford.
The principal benefit to ASPs that bundle their services with hosting services is that they can provide relief to a company experiencing growing pains by enabling the company to affordably expand its operations in a scalable infrastructure.
“Most small businesses can’t afford to implement best practices, sound virus prevention, training programs,” says Traver Gruen-Kennedy, chairman of the ASP Industry Consortium. “They are especially challenged in finding skilled staff in file/server technologies. ASPs allow small businesses to leapfrog outdated methods by giving them instant access to best practices and the latest technologies, often with no capital outlays. The cost can be turned into an expense, and total cost of ownership can be lowered by 30 to 60 percent.” As an example, Gruen-Kennedy cites one ASP that was able to drop one customer’s individual billing cost from $1.20 to 10 cents by reducing document-management overhead.
“Outsourcing allows IT departments to stretch their money, staff, and equipment so they can focus on priorities and strategic issues,” says Rob Corrao, director of business development for Chicago-based ASP-One, an international ASP. Outsourcing can potentially offer complete outsourced IT solutions for small and medium-sized businesses. To ensure that the ASP can cater to the IT needs of its 21-plus customers (which generate about 50 Web sites), ASP-One employs more than 46 people. This is considered small by ASP standards.
The most popular outsourced applications remain communications (e-mail, instant messaging, video conferencing) and collaboration (document and project management). These are particularly popular with small-to-midsized businesses unable to handle heavy traffic generated by an online application, customer service, or content distribution. An ASP also gives the end-user the freedom to access applications anywhere from one convenient portal.
So when it comes to ASP and Web hosting services, what should the potential customer be concerned about? The answers lie in the fears of CIOs everywhere: security, reliability, scalability, and price.
According to a recent survey conducted by the ASP Industry Consortium, security remains a primary concern among current and potential users of ASP services as cyberterrorism continues to climb. The Bethesda, Md.-based SANS Institute and Boston-based Forrester Research report that organizations suffered more than 2,000 separate attacks upon computer systems and content in 1999. When done right, offsite hosting and management can overcome the hazards of onsite data storage, including the theft or destruction of content and physical sabotage of the storage server itself. At the very least, ASPs should provide the physical and logical security solutions with onsite security checks and intrusion-detection systems for networks. Precautions for protecting content or data integrity should also be offered.
Some types of hosting environments are more vulnerable than others. Security should be a concern when using shared-server environments, in which several customers have access to the server and limited control of the equipment.
While conventional hosting is particularly vulnerable, colocation services–in which the host provides a dedicated server for the customer–have their own set of security problems. The common practice of linking servers for administrative purposes can open a bandwidth pipeline, leaving individual servers vulnerable to attacks by a malicious administrator. It’s a classic example of the domino effect. An assault on one server can bring down other network-connected servers.
This is what happened to San Jose, Calif.-based AboveNet last May, when a core router was hacked, bringing down service for nearly 1,000 customers for a full day. The hacker did not have to hit the target server to bring it down; he or she only needed to find the group of servers attached to that router. Single-host priority configuration and a dynamic IDS-to-routing policy can prevent this type of catastrophe.
In addition to seeking security assurances, customers are also demanding that their applications be available on a near-constant basis, according to the survey. Of the 137 respondents, 37 percent indicated that the acceptable level of application downtime can be no more than 53 minutes per year, which translates to an uptime rate of 99.99 percent. Another 7 percent were even more demanding, saying no more than 5.3 minutes of downtime per year (99.999 percent uptime) was acceptable, while an additional 7 percent went even further, demanding 99.9999 percent uptime–a downtime rate of no more than 32 seconds per year.
These days, such high expectations are not unreasonable given multilayered emergency backup plans for a disaster or equipment failure, and high-performance network connections. Major providers have private peering and transit agreements with key telecommunications network providers to ensure a higher level of service than a business could provide itself with a relatively small traffic load.
The customer’s unspoken fear of relinquishing control over mission-critical operations and applications is another internal struggle CIOs must overcome. While it is a valid concern, it is usually dismissed when the customer sees the cost benefits and understands how the ASP can actually help him get back to more important business. As Corrao puts it, mission-critical matters are more likely to get out of control, or are made less of a priority, when IT staffs are constantly struggling to keep on top of such daily routines as backup and file-server administration.
Speaking of control, don’t presume that by outsourcing application hosting, you are hiring someone to manage the services. Even though more and more service providers are taking on an active administrative role, there are many that leave the customer fully responsible for the management of the hosted operations. Most providers still perceive their primary role as that of keeper of a secure facility and a reliable, scalable network.
As with any booming business, beware of the fallout. Last summer, customers of Red Gorilla, an ASP start-up, were stunned to find themselves without service one morning, and even more stunned when calls to notify the ASP of the problem went unanswered. Having lost its funding, the company went belly-up overnight without a word of explanation for the abrupt disruption of service.
The Red Gorilla case, while largely isolated, does reflect the recent shakeout of the ASP industry. Shutdowns and layoffs have plagued the marketplace as it has consolidated. ASPs hit hardest are the very specialized niche providers and general service providers. Recent fatalities include Pandesic Inc., HotOffice Inc., and eBaseOne Inc. Those barely surviving are either merging with other ASPs such as Applicost, Agilera, and Maxwell or are laying off employees in record numbers. Infocure Corp. has laid off more than 400, Interliant Inc. more than 300, and Infinium Software more than 120. Others laying off in smaller numbers include Concur Technologies, Breakaway, and V Campus.
The case of Red Gorilla makes a strong argument for an ASP business contingency plan and for evaluating an ASP’s roots and financial stability. Deep pockets and strong backing seem to spell success in this unstable industry.
There have been similar instances of unexpected service disruptions, but the ASP industry is learning to step in quickly and “rescue” competitors’ customers. All too often, though, arrangements are made after the blackout. This can prove tragic for businesses relying on ASPs to run mission-critical applications. Even if an ASP seems solid, there’s always the “what if”–so get a backup business contingency plan in writing.
Service-level agreement basics
To help businesses understand the basics of service-level agreements (SLAs), the ASP Industry Consortium has published “The End-Users’ Guide to Service-Level Agreements.” An SLA is a contract that commits an ASP to a specified level and quality of service. The SLA guide was created to help customers better understand and evaluate an SLA prior to working with an application service provider.
Before signing on the dotted line, make sure the SLA addresses the following issues:
A specified level of customer support
Provisions for system and data security
A guaranteed level of system performance, such as sub-second response time
Continuous system availability–24 hours a day, seven days a week. (Does the SLA include a business contingency plan in the event of closure, bankruptcy, acquisition, etc.?)
Is your SLA a one-size-fits-all document, or are there different service tiers–such as gold, silver, and bronze–that will allow you to tailor the SLA to our needs?
If you fail to deliver on any service point covered in the SLA, is there a designated contact person who can address the issue?
What kinds of enforcement provisions are in place in the event that the ASP does not deliver on the SLA? Is the service refundable? Can you terminate the relationship and choose another ASP without penalty?
In addition to the SLA guide, the Industry Consortium provides a host of educational resources through its Web site www.allaboutasp.org.
Contributing Editor Cynthia Kurkowski writes from San Antonio, Texas.