ASP me no questions, I'll sell you no lies

Making outsourcing deals with ASPs is all very well, but if you don't keep a close watch on your service level agreement you...

Making outsourcing deals with ASPs is all very well, but if you don't keep a close watch on your service level agreement you could come seriously unstuck, writes Mark Vernon.

A Martian reading up on application service providers (ASPs) might think that IT heaven was a place on Earth. Suppliers are not known for understating what they can do, but the Utopian blurb that accompanies the claims of ASPs has reached new heights. Reality bites when it comes to contracts and Service Level Agreements (SLAs), and our Martian could be mistaken unless he trawled through the small print too. The devil is in the detail, so what demons should potential ASP users beware of?

The first point to make is that while the ASP model is here to stay, not all ASPs will survive these bold, early days. Bullish growth figures hide the fact that the industry is in a delicate and precarious phase of its development and that means that customers will get their fingers burned too.

"The next 12 months may very well determine the future prospects of the ASP model, as ASPs scramble to position themselves in the market, chase down an ever-receding customer base and replace grandiose marketing claims with concise, sober-minded business propositions," says Ben Pring, principal analyst for Dataquest's Application Services Worldwide programme.

The issue is developed in a recent report from Stratecast Partners, a division of Frost & Sullivan. ASP Sector Assessment points out that only those ASPs with a well-defined business model, partnership strategy, distribution strategy and solid financial standing will prosper in a market that will become increasingly competitive. "In a market bogged down in hype and confusion, the sustainability of an individual ASP will be based on partnerships, focus on core strengths, distribution, market segmentation and branding," adds Diane Myers of Stratecast Partners.

However, with that preliminary warning, perhaps the fundamental issue when choosing an ASP is knowing what you want from it. And this is not as obvious a comment as it might sound. Many, perhaps most, IT decisions are made with only a vague sense of what is required or expected. ASPs must be tackled on firmer ground since their raison d'etre is to provide services and solutions efficiently and effectively. At best, those benefits will be lost in nebulous contracts. At worst, the agreement could collapse like the proverbial house built on sand.

To put it another way, just because a service is being outsourced does not abrogate the organisation from all responsibility. An intelligent choice of ASP and then working on the detail of the SLA is the way to assert control. Indeed, in a new market, the SLA might be the only way of guaranteeing service, since even a big brand IT supplier could lack real experience and a track record. Expertise and maturity are desirable but, at least when it comes operating strictly as an ASP, may be a luxury at this stage.

"The drawing up of an SLA or contract is the first step in building a customer relationship," continues David Alexander, director of strategy and marketing, Northgate Information Solutions. "The customer has to feel comfortable with the contract and this means that principally SLAs have to be clear and concise."

For example, there is an inevitable trade off to be made with IT applications. "You can have the vanilla version which won't quite fit what you want, or you can make it fit with extra cost, time and risk," says Peter Slavid, an ASP consultant at ICL.

The point about working with an ASP is who makes these choices. "You need to decide on this. Do not let the ASP decide for you," says Slavid.

Having worked out what, perhaps the next question to ask is how - how will the ASP provide its services. The network infrastructure is key here. Performance and who has responsibility for it is the issue that must be clearly defined.

Grant McClymont, director of Advanced Datacom Systems, puts the matter is put succinctly. "The additional bandwidth required to serve applications in the ASP model means that infrastructures must operate at 100% performance levels otherwise users will be impeded in their work. SLAs must reflect this primary requirement."

Having said that, bandwidth is still a limited commodity and prioritising traffic is a feature of any managed network. "This policy-based networking is likely to become an important aspect of ASP management and SLAs will need to include provision for the performance of the overall service as well as individual components," McClymont adds.

Security is clearly a central issue too. On the one hand, the actual buildings in which servers are housed needs to be considered. And the infrastructure matters too. Are shared services secure? Can user profiles be efficiently managed, especially when adding new users, changing user profiles, deleting users and suspending users while away? Another element that covers both the physical and virtual threats to security is back-up: what kind of disaster recovery measures does the ASP have?

Security can prove a problem in other ways too. "Many ASP's require the download of a plug-in or Java applet in order to deliver a rich, secure environment," says Marc Bodega a senior consultant at CWB. "A bank's security firewall often makes such downloads impossible, and Java incompatibility across browsers could be a problem."

ASPs are by nature built from a network of partners working together. This is how economies of scale and "best of breed" expertise can be brought together. The downside, however, comes to the fore when SLAs and contracts are considered. Here, a tangle of clauses can easily confuse clear lines of responsibility for support or recovery when things go wrong. So, the ASP should be able to provide transparent answers to questions like "who provides application support, the ASP, the software supplier, or is there a third party involved?" On this point, ASPs often talk about providing "full service" - a few enquiries into the exact meaning of this marketing phrase could serve the customer well.

Another perspective is provided by Nigel Pugh, UK country manager of Concord Communications, the performance management software supplier. He argues that an SLA ruled by meaningful information rather than punitive damages will work much more effectively for all concerned. "The aim should be to establish a constructive partnership with your ASP rather than kicking them when they're down, although some form of compensation may be appropriate in providing a reasonable incentive to deliver high reliability," he says.

For example, an important point to bear in mind when defining the SLA is that few network crashes are caused these days by absolute failures of hardware components such as power supplies affecting critical systems. Far more common are "brownouts" that do not, initially at least, cause the whole network to collapse. "The SLA should therefore be designed to minimise the chance of this happening by providing as much relevant information as possible about events in your network and the systems attached to it," Pugh explains.

Another good way of testing an ASP is to ask how they think their service might bring benefits to your business. If you are outsourcing certain aspects of the IT function because it frees you to focus on core business issues, it is reasonable to expect the ASP to demonstrate expertise by suggesting how improvements might be made. "Build a relationship with your ASP and let them find ways to add value to your business. In no time clever ASPs will be finding ways to extend the ASP model that you haven't even considered," says Patrick Coates, managing director at IT supplier SevenMountains.

The same goes for the SLA. "An SLA is going to have to grow with the ASP business. Many companies have been struggling for years to understand their own IT, their points of failure and their business direction. It will take moving your IT outside your business to finally gain a real perspective of what your IT needs are. Keep an SLA simple and obvious, and gain assurances that your ASP will negotiate an SLA to meet your needs as they change," Coates says.

What should you look for in an ASP

  • Are they a genuine ASP, or just an old online service rebranded? It so, does that matter?

  • Expertise. Outsourcing is an art as much as a science. Ask for clear evidence of the ASP's skills base

  • Similarly, the maturity of the ASP as a business itself could matter. An ill-funded, weakly partnered, or badly constructed ASP does not bode well for survival in what is a young market, yet to consolidate

  • In terms of technology, the ASP should provide best of breed. So ask whether it has access to the full range of technical know-how, software and hardware. All elements from network infrastructure to datacentres to applications should be covered. It is worth visiting the ASP site, since a lot can be gathered from even a cursory glance at working arrangements

  • Ask how the ASP could grow with your company. This includes how they will manage upgrades to software, how scalable their offering is both as they and you grow, and what happens if you require new services from them

  • Flexibility matters too because no application is going to fit your business requirements without some customisation

  • Ask what development work is possible on the platform the ASP provides

  • One of the attractive features of the ASP model is the way it can be used to spread risks and rewards. This could take many forms. For example, as the services the ASP provides for the customer increase its economies of scale will grow too. These benefits might then be passed back. Alternatively, as the customer's business develops, profit-sharing of various sorts might be appropriate as success could, in part, be due to the services the ASP provides

  • Warm to an ASP that is prepared to talk, not just show you facts about datacentre capacity or bandwidth availability. An ASP needs to be thought of as a partner - real conversations about how the relationship will work and needs will be met are the surest foundations.

    Users' perceptions of ASP

    Do you know what an Application Service Provider is?

    Yes 70%
    No 30%

    What issues are preventing you from considering an ASP?

    Too unfamiliar 47.25%
    Happy with current arrangements 10.75%
    Would not disclose 8.75%
    No time at present 7.0%
    Not on agenda 7.0%
    Not relevant to needs 7.0%
    Already using 5.25%
    Security fears 5.25%
    Cost 1.75%

    What would be the deciding factor when selecting an ASP?

    Cost 32.5%
    Don't know 27.5%
    Reference site/track record 8.75%
    Reliability 6.25%
    Security 6.25%
    Would not outsource 6.25%
    Quality 5.0%
    Service 5.0%

    Source: HOSTeu survey

    What pitfalls should you beware of in an SLA

  • The enforceability of the SLA. Clearly, avoid ASPs that do not provide SLAs. But also check that the SLA binds the partners of the ASP too, otherwise the ASP is likely to pass the buck when a disagreement arises

  • Look for clauses in the SLA that are measured against business objectives, not technical jargon about server uptime and network latency. An ASP that is prepared to share the risks, say as a result of downtime, is probably a good ASP

  • Ask questions about where company-sensitive data is stored and what measures exist to protect it from unauthorised access. You might want to know whether the ASP administrators can read it too

  • Secure access across the network is an imperative. A simple username and password is not an option for most ASP services. The SLA must, therefore, guarantee strong user authentication

  • The SLA should be flexible to suit the shape of your business. It is no use having all the effort put into 24x7 guarantees of access, if all you require is 9am to 5pm

  • Similarly, customers should make sure they have full visibility of costs. Whether you choose to be billed by transaction or on a time-online basis could make a lot of difference

  • Identify areas that any SLA is not going to realistically be able to cover, such as open Internet performance, unpredicted Web traffic overloads, or "acts of God", and ask how these are going to be dealt with in the partnership

  • Ask about the future of the ASP itself and what the SLA guarantees. What happens if the ASP is bought out or goes under?

  • An SLA should include exit strategies.

  • Read more on IT outsourcing