The role of agents in hybrid (OnDemand / OnPremise) environments or why Corporate IT isn’t going to disappear any time soon
The use of OnDemand software in the enterprise space is evolving as the market becomes more mature. For some use cases, there is a shift from pure OnDemand applications to platforms that harness the best of the new SaaS applications and existing OnPremise assets.
I started thinking about this development and how such applications are embedded in real corporations. Too often, pure SaaS applications represent Shadow IT in which Corporate IT is regarded as a hindrance and its involvement is not viewed as necessary or desirable. The pitfalls of such efforts can be very costly, as portrayed in a recent blog by Gartner analyst Thomas Otter about SaaS contracts.
As SaaS HCM deals come up for renewal, and procurement gets involved, it is now crystal clear that most HR departments have been contracting for HCM software without IT procurement involvement. One of our findings is that most of the time, HR departments are rather poor negotiators. Software vendors have had a field day, and not just on pricing. Most of the time HR just signs the boiler plate, and the boiler plate is typically one-sided, like All Blacks v Japan one-sided.
Indeed, SAP Business ByDesign has marketed its OnDemand offering as one that largely eliminates the need for Corporate IT.
A quick rant about Corporate IT
The life of the typical enterprise user is affected by Corporate IT in a variety of areas. Software used must be governed, paid for, supported, etc. Usually, corporate users are only interested in the IT services when something doesn’t work or the application that they need is unavailable. As long as the service works, then users shouldn’t be aware of the existence of such services.
Corporate involvement, however, encompasses more than software – there are a variety of other related services that exist in the background (network, telephone, security, servers, etc) without which most employees couldn’t work at all. In this blog, I’d like to examine Corporate IT using this broader context.
The role of agents in Hybrid Environments
During the recent Influencer Summit in Boston, Peter Lorenz (executive vice president and corporate officer) keynoted on SAP’s Cloud Strategy. For me, one slide where Lorenz talked about the involved technology rang a bell. In particular, the ‘SAP Cloud Connector’ was familiar.
Lorenz described the Connector as a packaged approach that was based on lightweight peer-to-peer communication and which includes a reverse proxy. This description resonated and reminded me of other “agents” that mediate between the OnDemand and OnPremise worlds – many of which I have seen in other contexts / conversations with SAP.
I recalled a TweetChat in December concerning the new OnDemand Portal where another ‘agent’ was discussed.
The conversation referred to the Enterprise Agent that is used by StreamWork and which has the following architecture.
Now, I have no idea if these are separate agents or the same one but what is evident is that a hybrid environment as it is often proposed by SAP requires additional OnPremise components beyond the existing OnPremise systems (ERP, CRM, LDAPs, Active Directories, etc) that are to be integrated with the OnDemand offerings.
The StreamWork agent is currently in productive use and thus the instructions on how to use it are the best documented. Let’s take a quick look at the network protocols necessary to configure this agent.
Although such network-related configuration tasks are quite common for Corporate IT, they are tasks that can’t be performed by ‘Business’. The involvement of Corporate IT is therefore necessary or such solutions will not function.
Note: It is important to state that I am not questioning the validity of such agents. Their usage is often necessary in such hybrid environments to reduce complexity and meet certain corporate policies (for example, those related to security). Despite this usefulness, there will be a variety of OnDemand customers who have a pure OnDemand environment (for example, many SME customers) – their configuration will usually be less complex and can largely be set up without the involvement of Corporate IT. However, as ByDesign is focusing on medium-sized companies, many of which have subsidiaries, hybrid environments will probably be common for such customers.
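One policy check that a reverse-proxy agent of this kind can enforce, shown as an added example (not SAP's code and not part of the original post): requests arriving from the OnDemand side are forwarded only to OnPremise hosts and path prefixes that Corporate IT has explicitly exposed. The host names, prefixes and the `resolve` function are hypothetical.

```python
import posixpath
from urllib.parse import quote, unquote, urlsplit

# Constructed exposure table (hypothetical names): virtual host presented to the
# OnDemand side -> (internal base URL, path prefixes Corporate IT agreed to expose).
EXPOSED = {
    "erp.virtual": ("http://erp01.corp.example:8000", ("/sap/opu/odata",)),
    "hr.virtual": ("http://hr02.corp.example:8080", ("/api/employees", "/api/orgunits")),
}


def resolve(virtual_host, raw_target):
    """Return the internal URL to forward to, or None when the request is denied."""
    entry = EXPOSED.get(virtual_host.lower())
    if entry is None:
        return None  # deny by default: this host was never exposed
    base, prefixes = entry

    parts = urlsplit(raw_target)
    if parts.scheme or parts.netloc:
        return None  # caller must not choose the backend via an absolute URL

    path = unquote(parts.path)
    if not path.startswith("/") or any(c in path for c in "%\\\x00"):
        return None  # a leftover '%' means double encoding; no backslashes or NULs

    # Collapse "." and ".." BEFORE matching, so the check sees the same path
    # the backend would serve.
    norm = posixpath.normpath(path)
    if not any(norm == p or norm.startswith(p + "/") for p in prefixes):
        return None

    url = base + quote(norm)
    return url + "?" + parts.query if parts.query else url
```

Matching on the normalized path and on whole path segments is what keeps an exposed prefix from also covering sibling paths on the same backend.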
Corporate IT tasks associated with the integration of external and internal systems are not new. For example, this document from 2006 describes options and strategies to secure Internet-facing SAP Portals and depicts steps similar to those described in the StreamWork document. Such tasks are also not restricted to SAP’s Cloud offerings but are a major general challenge (as this regarding the necessity to Bridge Amazon VPC and an enterprise’s own IT infrastructure reveals) in such environments.
If SaaS integration is not planned properly, it creates a “cloud in the corner” syndrome – a condition where new cloud-based SaaS solutions are disconnected from existing IT resources. The result: fragmented enterprise data scattered across the cloud.
CIOs have seen this “cloud in the corner” and data silo problem too many times in the past. They know how this movie is likely to unfold. Data quality and integration issues — aggregating data from the myriad sources and services within an organization — are CIOs’ and IT Architects’ top concern about SaaS and the main reason they hesitate to adopt it (Data security is another concern). [SOURCE]
Thus, this problem is inherent in most complex SaaS data integration scenarios – regardless of the vendor.
Other SAP OnDemand offerings where Corporate IT support is necessary
SAP has a variety of OnDemand offerings which are currently entering public betas. In such applications, the desire to use synergies with existing OnPremise infrastructure is increasing and understandable.
For example, a recent webinar with the SAP River team depicted the ability to use external identities in this new OnDemand offering. The use case is that a company could allow Single Sign On with SAP River so that users wouldn’t have to log in separately to the platform but could log in once in their internal environment (for example, via Windows / Active Directory) and then be authenticated automatically when accessing their SAP River applications.
To use this identity management-related functionality, a SAML interface must be enabled / configured in SAP River.
This configuration is not trivial and requires the experience of Corporate IT to perform it correctly. Indeed, I expect such identity management–related configurations to increase in number as SAP’s Java-based PaaS evolves and becomes available to more users.
Why is NetWeaver Gateway different?
Although Gateway is not a SAP OnDemand offering, it also represents an example where OnPremise content is being made available to externals. In this case, developers are accessing data via REST APIs. The typical Gateway architecture can also include a mix of internal and external (which may or may not include OnDemand offerings) components.
Yet, the necessity to involve Corporate IT – don’t forget we are using a broad definition here – in the set-up of such environments is assumed / accepted and openly described, as “How to Architect SAP NetWeaver Gateway for Dummies (and for Experts)” by John Appleby demonstrates.
If you are deploying applications that allow access from the outside world, like mobile apps, into your SAP network, and security is paramount, then you should deploy a separate instance of NetWeaver Gateway into a demilitarised zone or DMZ. This provides separation between your core SAP network and your edge. You can get the network team to lock down the NetWeaver Gateway system which will make it very difficult for unwanted visitors to penetrate your network.
Indeed, the official SAP Documentation on NW Gateway contains a great deal of material about security and configuration of this environment.
An awareness of the importance of Corporate IT in Gateway-related activities is also evident in SAP’s marketing of NetWeaver Gateway as a slide below demonstrates.
I was curious as to why this distinction exists. I assume it is related to the different audiences on which SAP’s two marketing campaigns are focused. The OnDemand marketing is focused more on the Business / Department level user (who assumes that Corporate IT is ‘Evil Incarnate’) while the Gateway marketing campaign is currently focused more on developers who are perhaps more realistic regarding the necessity of involving Corporate IT in such environments.
This blog has focused on the technical aspects of this integration; there are a variety of other Corporate IT-related aspects which must be considered when dealing with hybrid environments:
Developing strategic (data governance), tactical (consistent data integration requirements) or operational (vendor selection) strategies to deal with this emerging “internal-to-cloud” data quality problem is a growing priority in 2012. Otherwise most enterprises are going to get less than optimal value from various SaaS solutions. Things are likely to get out of control pretty quickly. [SOURCE]
Thus, it is evident that hybrid architectures require Corporate IT involvement – regardless of whether this fact is inconvenient for SAP OnDemand marketing efforts to “Business”. This is the reality of the complex IT infrastructure of most corporations.
I’m not suggesting that the emergence of OnDemand offerings won’t lead to a major change in how Corporate IT relates to Business. I’m just advocating an honest approach when discussing such environments. This would avoid unrealistic expectations from all (end-users, customers, Corporate IT, etc) involved.