HSVs push technical limits

With enterprises looking for low-cost, low-risk solutions in a tight budget environment, HSVs (hosted software vendors) have started to gain more traction in areas ranging from CRM to human resources (see “Rise from the ashes,” Jan. 20, page 35). And though they are strapped for cash and staff, just like nearly every other company, HSVs are continuing to push the technology limits of delivering software as a hosted service.

Two years ago the main challenge they faced was demonstrating security, reliability, and availability. Today, several other items have crept into this menu. Integration tops the list for most vendors, who see it as the biggest impediment to hosted software adoption. As enterprises consider outsourcing more mission-critical applications, they need to make sure their vendors can integrate with key systems behind the firewall.

On your mark, get set, integrate

“As long as there are applications behind the firewall, how you tie into them is definitely going to be an issue,” says Dave Moellenhoff, CTO of Salesforce.com in San Francisco . “A lot of IT departments still have this concept of ‘If I have the application running in-house, I can integrate, worst case, by just going into the database and brute force yanking the data out.’ That integration of last resort is not really available in a Web-native application.”

John Alberg, co-founder and vice president of engineering at Norcross, Ga.-based Employease, agrees: “I have almost as many developers who work on [integration product] Employease Connect as on our employee self-service system,” he says.

The company now offers 300 prebuilt connectors to inside-the-firewall systems such as payroll, as well as to third-party vendors such as insurance companies and eligibility systems. “One of the bigger challenges is finding a way to do that in a reusable way, so each one doesn’t have to be separately maintained,” Alberg says.

Built using Java Beans and a plug-in interface to the Employease network, these connections create maps between the Employease database and the customer or third-party system’s target format. “They live in their own little sandbox and don’t interfere with the production code,” Alberg says.

Like many other HSVs, Employease, a charter member of the HR XML group, is working on projects to expose a given set of transactions, such as a hiring a new employee, to a Web services interface, so it will trigger a chain of events via XML.

“Some of the more difficult parts are coming up with ways to ensure the security and reliability of the transaction,” Alberg says. “It’s the Internet, so there’s no guarantees, for example, about the reliability of packets.”

There’s still a shortage of good tools for building integration around Web-service protocols, and many legacy systems only offer proprietary API interfaces, adds Moellenhoff. “Even with Web services, it’s still a lot of work,” he says. “And we’re a long way from standard data definitions…. It’s not an ideal world.”

David Hsieh, vice president of WebEx Services at WebEx Communications in San Jose, Calif. , agrees, citing Web-services security as the biggest missing piece. “If I’m going to open up my service to APIs, how do I know that you’re going to use those services in a responsible way?” he asks. “These are machine-to-machine communications, so it’s not like you can ask for a password and your mother’s maiden name.”

Made to order

A key objection to hosted software has been HSVs’ inability to customize their wares to the same extent as packaged-application vendors do theirs. So HSVs are working hard to increase customizability while maintaining the cost-effectiveness of a single multitenant code base. “The new model is customization through configuration,” says David Thomas, CEO of Intacct in Los Gatos, Calif. “You have to design [hosted applications] so they can do extensive customization through configuration, and that’s a challenge.”

“Everybody’s sharing the application, so you can’t customize the code,” says Employease’s Alberg.

He explains that instead of using programming languages and tools for customization, the best hosted applications use built-in wizards, drop-down lists, and radio buttons. “There are an unlimited number of custom data elements you can add, and no software development or database knowledge [is required],” he says.

Separating business rules from the application’s base code is also key to “configurable customization,” allowing customers to define and select permissions, role-based usage, approvals processes, and best practices from menus within the system. Finally, customers typically want access to their data via whatever third-party analytics packages they may be using, and this requires a stateless architecture that assures that intensive queries can’t adversely affect database performance for any other customer.

Some vendors are tempted to satisfy customization demands (and make their marketing team’s life a lot easier) by creating separate hosted instances for each customer or even offering to run an instance of the software behind a customer’s firewall. But many refuse to do this because it opens up the can of worms (and associated cost inefficiencies) of managing and supporting multiple versions across a far-flung network. “It comes down to a pricing and cost issue,” says Boston-based Summit Strategies analyst Laurie McCabe. “[HSVs] really don’t want the customer managing it, customizing it beyond the configuration layer.”

But wait, there’s more

Other key technology issues facing HSVs include availability and scalability, and security. Availability is key because unlike packaged software, the vendor, rather than the customer’s IT team, is responsible for uptime and performance. Keys to success here include developing a stateless, fault-tolerant architecture with distributed and replicated databases, application servers running on fast and cheap commodity hardware, and a load-balancing system based on server load rather than traffic. (Hosted apps, unlike most high-volume Web sites, are CPU-intensive, rather than I/O- and bandwidth-intensive).

“We’re sort of a strange combination of a Yahoo and an ERP application,” says Employease’s Alberg. “We’ve had to work hard on building [Web] technology that’s more application-centric. If the response time is less than three seconds, then it’s hard for people to be very productive.”

On the security side, most customers are getting comfortable with the performance of 128-bit SSL encryption, although some vendors also offer the option of using digital certificates for extra-sensitive data. But because the whole application ‑ rather than just data ‑ must be encrypted, some vendors, such as Employease, rely on hardware accelerators such as Rainbow’s Cryptoswift on their front-end Web servers to maintain performance. Vendors must also face up to the risk of DoS (denial of service) attacks and prove to customers that they meet whatever level of security the customer is used to.

“Managing your infrastructure to the standards of your customer is critical,” says WebEx’s Hsieh. “They want to hold you to the same metrics they would use internally. We have to make a lot of our internal processes transparent to the customer… a much more educated customer.”