Enterprise Mashups: Mashed Or Half-Baked?

Enterprise mashup tools are the natural next step for SOA, letting ordinary employees build applications that aren't on IT's radar screen. But security concerns could make this technology a recipe

September 7, 2007

Network Computing

 


 

Everyone talks about aligning IT with business goals, but alignment is usually as far as it goes. IT and line-of-business remain largely separate, even if their aims are in tune. Promoters of enterprise mashups want to bring these camps closer, erasing some divisions by empowering otherwise nontechnical staff to develop their own applications. But many IT pros are wary, and with good reason.

Like an increasing number of new technologies, mashups demonstrate that innovation is now led by consumers, not business customers: Google Gadgets, Yahoo Pipes and countless other sites have turned the Web into an open platform that anyone can access. Millions of amateur developers are mixing Web services into new applications far more quickly than can be done within SOAs (service-oriented architectures), the closest enterprise equivalent.

But unlike previous consumer fads that infiltrated the enterprise, mashups represent more than just a security threat, a way to increase employee satisfaction and/or a chance to get technology on the cheap. Staffers who use mashup sites and tools outside of work represent an untapped source of innovation. Some vendors claim to make development as easy as surfing the Web, while others aim their mashup platforms at power users of office applications—people who might create fairly sophisticated Excel macros, but only as a way to help them do trying tasks.

Not every IT department will want to empower its employees this much, of course. In our reader survey for this article, fewer than half of respondents said they're considering letting non-IT staff build applications. But don't dismiss the technology out-of-hand: Even in environments where every desktop is locked down and employees can't change settings on their own machines, let alone on a server-based application, mashups can still add value. By integrating different applications or data sources into a single front end, they can boost productivity, simplify workflows and let enterprise applications benefit from Web services on the public Internet.


Reaping What You SOA

The first mashups on the Web used Google Maps, and its Ajax API is still a favorite of many sites. Microsoft and Yahoo now have similar services, with Yahoo presenting a Flash-based option. In the enterprise, network management applications have begun allowing IT to overlay data on a map. For example, wireless mesh vendor Tropos Networks imports Google Maps data into its browser-based management console, giving network admins a real-time view of every radio node's coverage and activity. Tracking of individual users and client devices is planned for a future release. Competitors SkyPilot and Strix Systems use Google's Earth application to do much the same thing outside a browser.

While mapping services are ever-popular among enterprises, general search is considered even more useful: More than half of all respondents who are building mashups have incorporated access to Google search. The likely reason for Google's popularity is its relatively simple API, which lets developers incorporate the engine with just a few lines of code. For example, a Web page or app that displays a list of sales prospects could automatically search the Web for more information on a person or company, either whenever the page is viewed or with a single click. This would be easy to accomplish manually, of course, but a mashup avoids cutting, pasting and switching among browser windows, all of which can add up to a big productivity drain if performed often enough.

Integration with business partners' systems is less mature, though the shipping industry is a clear leader in offering mashable APIs. More than a quarter of poll respondents had built mashups using FedEx's service, with slightly fewer turning to UPS. Both shippers offer Web services that access their internal billing and package-tracking applications. Services from e-commerce sites like Amazon.com and eBay are popular among small businesses, but a niche in the enterprise. Some enterprise mashups do integrate with AOL, thanks to its XML API that can return an IM user's presence status.

But mashing up services from the public Internet is only half the story—and one where enterprises are always likely to lag behind mashup sites that are actually on the public Internet.

For large companies, the greatest value often comes from integrating internal enterprise apps, a daunting task. Whereas most public Web sites have APIs that allow access through REST, enterprise applications must be service-enabled one by one. There are also security and admission-control issues whenever an internal application is making data easier to retrieve, even if access is intended only for within the enterprise.

This is where SOA comes in. Specialized enterprise mashup vendors have been joined by a growing number of larger SOA players, most of them seeing mashups as the "last mile" of SOA, a way to make the architecture accessible to end users. Whereas the Web services in SOA are usually designed for servers communicating with one another, mashups almost always involve client machines, too.

All this extending is causing some growing pains. Most SOA suites are designed to use SOAP (Simple Object Access Protocol), support for which isn't built into most Web browsers or client-side runtimes like Java and Flash. Mashups on the public Internet tend to use RSS for data, with custom formats for more complex APIs, usually developed on an ad-hoc basis by Web service providers.

SOA's focus on servers also ignores files stored on desktops, largely because the IT departments that build SOA applications aren't often in a position to understand or interpret data within an accounting spreadsheet or a sales presentation. Many mashup vendors, on the other hand, see these files as rich sources of mashable data—end users tend to service-enable files they know are important. Newly service-enabled files can then be shared with other users, saving the corporate e-mail server from choking on large attachments without turning to SharePoint-style collaboration software.

The end result of service-enabling files and the need to manage the resulting Web services can be a SOA-like system based on RSS instead of SOAP. Attensa, n Software/RSSBus and Serendipity Software all sell products, roughly equivalent to the ESB in SOA, that are aimed at creating, routing and managing behind-the-scenes RSS feeds rather than building front-end mashups. The ability to turn files into feeds is also included in some enterprise mashup suites, notably those from Kapow and IBM, while Denodo Technologies' data mashup suite competes head on with ESBs, offering service-enablement for databases and legacy servers too.

Most RSS service-enablement tools can also create feeds based on screen scraping, allowing mashups to use data from Web sites that don't offer their own feeds or Web services APIs. These can be a convenient way to service-enable intranet sites, though there could be copyright issues involved in using them with third-party Web sites. This highlights a risk with mashups in general: Any change to the site's format can affect the RSS feed and perhaps break the application that relies on it.

Changes can be a problem even with intranet sites or internal apps, because mashups almost always involve using a service or application for something that it wasn't designed to do. That's generally a good thing—it's almost the definition of innovation—but it also means that upgrades can lead to incompatibilities, particularly if a mashup comes to depend on "bugs" in the underlying service.

The only way to avoid this is good old-fashioned QA. Ensure, for example, that services are exposed through carefully crafted and rigorously tested APIs; this is part of the motivation behind SOAP and the WS-* stack. Unfortunately, testing slows down development, which is why SOA often looks—and is—stodgy and bureaucratic compared with mashups and Web 2.0. There's always a tradeoff.

Self-Service IT

There are three main types of mashups: presentation, data and logic. Presentation mashups are the simplest; they combine information from multiple sources into a common interface. Data mashups gather information from multiple sources and combine it, while logic mashups, generally the most complex, involve programming to connect two or more applications.

Low barriers to entry mean that specialized enterprise mashup products are not always necessary. A mashup can be hosted on any Web server and developed with the same tools as any other Web-based app. This is what a majority of respondents to our survey are doing. The most popular platform is Microsoft's ASP.Net, with Adobe's Flex, Google's free Web toolkit and the open-source Ajax framework Ruby on Rails also popular. Other alternatives include Curl and Nexaweb's framework, which can combine Java, Flash and Ajax.

Still, dedicated mashup platforms have several advantages, especially for enterprises that embrace the concept of users-as-developers. Their main added value is in ease of use and security: Non-IT people need a platform that closely resembles familiar Web sites or Office applications, while IT needs a way to track mashups or their component Web services to prevent data leakage. Centralized management can also encourage re-use, as people developing mashups are able to build on the work of others.

Ease of use is the greatest selling point for specialist enterprise mashup vendors Coghead, JackBe and Kapow Technologies. All offer drag-and-drop development environments aimed at business staff. Coghead and JackBe target all three mashup types, from the simplest presentation-based portals to full applications that include business logic. Kapow is the enterprise version of data mashup Web site Dapper and features a large number of pre-built, open-source mashups at its OpenKapow Web site.

Larger players IBM, BEA and Oracle arrived in the space later, and BEA's AquaLogic is the only specialized mashup environment officially shipping now. IBM's Info 2.0 and Oracle's WebCenter Composer are both due before year's end. All stress centralized management and integration with other SOA tools, with IBM looking to link up much of its other software, including Lotus Domino.

BEA is focused on presentation mashups from pre-built widgets or Web URLs, all of which can be centrally tracked for security compliance. Oracle's WebCenter, the most ambitious of the three, will allow users to edit JSF (Java Server Faces) files directly. Each user's changes are stored separately, ensuring that no one can damage the underlying application. Microsoft also has a mashup tool in beta, Popfly, aimed at both Internet and enterprise use.

For organizations that don't want to maintain mashup servers, several vendors offer hosted mashup services. Salesforce.com has an early lead in this area, thanks in part to its history as a SaaS provider, in part to its role in setting up the AppExchange, an online marketplace where other SaaS vendors' technologies can be integrated with its own. Launched in January 2006, AppExchange now includes more than 300 applications from 200 vendors, ranging from independent software developers to well-known companies. As you'd expect given Salesforce.com's CRM roots, many of the services available through AppExchange relate to sales and lead management, but the site also offers diverse business applications aimed at everything from accounting to project management to online office suites.

The main advantages of a platform like AppExchange mirror those of Salesforce.com itself: Simplicity and ease of use. No application integration is necessary; all the work has been done by Salesforce and its partners. The downside is that applications are available only to Salesforce.com subscribers, limiting their appeal to those who aren't interested in CRM.

Nevertheless, Salesforce.com is so dominant in hosted applications that many SaaS vendors without obvious synergies plan to place their offerings on the AppExchange anyway. For example, project portfolio management vendor Innotas, whose service is aimed at tracking and quantifying IT resource usage, says it will use AppExchange as a go-to-market strategy even though most of its likely users are not running Salesforce.com.

AppExchange does highlight the security and privacy issues inherent in hosted mashups, which in some cases require sharing internal data with multiple service providers. Although many customers trust Salesforce.com with their most sensitive data, other providers on the AppExchange system are less well known and trusted. The more hosted applications data is exposed to, the greater the risk that it will leak out.

Internally hosted mashups don't pose as much of a threat, though as with search-engine queries, they can still reveal private information to snoopers. For example, calls to a mapping API can reveal customer addresses to the map service provider. Even worse, if a link isn't encrypted, data can be sniffed by anyone as it traverses the Internet. And encryption isn't always available: While most account-based services support SSL, many free Web service APIs from public sites don't, because they have no need to authenticate users.

Power to the People

Most applications on AppExchange are created by SaaS providers or vendors, not end users. However, other sites are explicitly targeting end users as developers. Salesforce competitor LongJump, for example, is working on a hosted platform, still in closed beta, that's aimed at empowering non-developers to build applications. Like Microsoft's Popfly, LongJump isn't aimed just at intranets: Apps hosted on its platform can be shared publicly or offered for sale along with the company's own CRM service.

Serena Software has gone further than most SaaS vendors, aiming to compete directly with IBM, Coghead and Kapow. Like mashup servers designed to run behind the firewall, its Vail service is intended to fully integrate with an enterprise's own SOA or other Web services, connecting to them through SSL or other secure links. Serena also offers a freely downloadable development environment, aimed at end users, that can be used to create both logic- and data-based mashups.

Using outsourced software to integrate internally hosted servers may seem unnecessary, but Serena argues that hosted services will eventually replace most internal servers. Whether or not you buy that, SOA and mashups definitely make it easier to mix hosted services with internal apps, so outsourcing the mashup server itself will make sense for some organizations.

Mashups can also be created without any server or service at all—although their roots on the Internet mean that most mashups are Web-based, there's no reason they have to be. For example, OpenSpan offers a mashup tool that runs locally on Windows PCs, meaning it can interface directly with native Windows applications. Instead of converting files to RSS feeds, it monitors how applications interact with Windows APIs and can also intercept them, giving it complete control of an application's user interface; I/O; and use of shared system resources, such as the clipboard or networking stack.

A simple application like Notepad could use multiple menus and other standard Windows objects, while a more complex one like Excel might make use of buttons, menu boxes and various custom objects. OpenSpan aims to keep track of all these, allowing visual scripting of tasks that would otherwise require cutting and pasting. As with presentation mashups on the Web, its greatest benefits are likely to be in organizations that have clearly defined workflows involving a lot of manual tasks.

Get Ready

Before opening the door to mashup technologies, you need to make several important decisions. In addition to the question of who'll develop applications, IT needs to determine what data sources will be approved for mashing. Public Web sites and APIs like Google Maps are obvious picks, but the real value in an enterprise could come from combining these with intranet and extranet Web services.

Next, where will the mashing up actually happen? Though mashups are associated with browser-based applications, enterprises with SOAs have the option of server-based tools or desktop-centric integration software.

If you go with browser-based mashups, decide whether to host the new applications on an existing Web server, buy one of the new dedicated mashup platforms or farm out the whole shebang.

Finally, there are a huge number of development platforms and tools, many of them free. Ajax's widespread browser compatibility makes it the obvious choice for most Internet applications, but this isn't an issue for intranet developers who can control their client's platform.
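The approved-source decision and the leakage risks described earlier (customer addresses sent to a map provider, links without encryption) can be checked mechanically once a mashup's outbound calls are listed. The sketch below is an added example, not code from the article or from any vendor it names; the host names, parameter names and sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed policy (hypothetical names): sources IT has approved for mashing.
APPROVED_HOSTS = {"maps.example.com", "crm.intranet.example"}
# Approved hosts that sit outside the enterprise; data sent there leaves IT's control.
EXTERNAL_HOSTS = {"maps.example.com"}
# Query parameter names assumed to carry private data in this sketch.
SENSITIVE_PARAMS = {"address", "customer", "email"}

# Constructed sample: the outbound requests one mashup makes.
SAMPLE_CALLS = [
    "http://maps.example.com/geocode?address=12+Elm+St",
    "https://crm.intranet.example/leads?customer=4411",
    "https://feeds.unknown.example/rss?topic=sales",
    "https://maps.example.com/tiles?z=3",
]


def audit_call(url):
    """Return the list of policy findings for one outbound mashup request."""
    parts = urlsplit(url)
    # .hostname drops any userinfo and port, so "approved@other-host" URLs
    # are judged by the host the request would really reach.
    host = (parts.hostname or "").lower()
    findings = []
    approved = host in APPROVED_HOSTS
    if not approved:
        findings.append("unapproved-source")
    if parts.scheme.lower() != "https":
        # Request and response cross the network in the clear.
        findings.append("unencrypted-link")
    names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    leaked = sorted(names & SENSITIVE_PARAMS)
    # Private fields are a finding only when they go to a third party.
    if leaked and (host in EXTERNAL_HOSTS or not approved):
        findings.append("private-data-to-third-party:" + ",".join(leaked))
    return findings


def audit_mashup(calls):
    """Map each non-compliant URL to its findings; compliant calls are omitted."""
    return {url: found for url in calls if (found := audit_call(url))}


if __name__ == "__main__":
    for url, found in audit_mashup(SAMPLE_CALLS).items():
        print(url, "->", ", ".join(found))
```

Run against a proxy log or a mashup platform's service registry, the same checks give IT the tracking of component Web services that the dedicated platforms advertise.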
