Thursday, January 29, 2009

IT News HeadLines (InfoWorld) 29/01/2009


Microsoft releases Web Sandbox under open source

Microsoft has made source code for its Live Labs Web Sandbox project for securing Web content through isolation available via open source under the Apache License 2.0, according to a report this week on Microsoft's Port 25 site.

Web Sandbox features technology for mashing up code while maintaining process isolation, quality of service protection, and security. It is intended to address a problem in which Web gadgets, mashup components, advertisements, and other third-party content on Web sites either run with full trust alongside content or are isolated inside IFrames. This results in many Web applications being intrinsically insecure with unpredictable service quality.

Since announcing the technology preview at Professional Developer Conference 2008 in Los Angeles in October, Microsoft has open-sourced the Web Sandbox framework and is partnering with industry leaders to evolve Web Sandbox into an industry-wide solution, Microsoft said.

Microsoft is looking for developers to experiment with Web Sandbox, even including samples so developers can try to break the Sandbox.

"Since the initial release of Web Sandbox we have received a great deal of feedback from the Web security community. We have also been collaborating with a number of customers, partners, and the standards communities that would like to adopt the technology when it is ready. Our goal is to achieve widespread adoption of Web Sandbox and to help foster interoperability with complementary technologies like script frameworks," Microsoft Live Labs said on its Web Sandbox Web page.

Although Microsoft is using an Apache license for the project, it is not sponsored or endorsed by the Apache Software Foundation, Microsoft said. The company last year became a sponsor of the foundation.

Web Sandbox builds upon Microsoft's experience with DHTML, Windows, Windows Live Web-based gadgets, and the Microsoft BrowserShield project, which leverages JavaScript virtualization through rewriting.



Data export leaves firms vulnerable, says research

The tendency of firms to distribute sensitive data to offices around the globe could be creating a new form of information vulnerability, a report has suggested.

Researched for sponsor McAfee, the 'Unsecured Economies: Protecting Vital Information' survey points to a range of security issues - some of them tied to the worsening economy - but the issue of how and where data such as customer information is distributed in enterprises is connected to longer-running themes such as worker outsourcing and globalisation.


The 1,000 CIO-level professionals surveyed for the report in the US, UK, Japan, China, India, Brazil and the Middle East, reported an average of US$12 million (£8.3 million) of sensitive data resided abroad per firm, in addition to $17 million of intellectual property (IP).

How far this data dissemination trend had gone depended on country, with Japan showing the lowest at $8.2 million and the UK the most exposed at $15.2 million. As to IP specifically, China was the most at risk, with $61 million in foreign hands.

A major reason companies have taken to moving information away from their home area is, predictably, cost. Whatever it costs to manage data at home, there is almost certainly a partner who will do the same function in another part of the world for considerably less.

The deeper motivation for moving data abroad depended on country. Western companies appear to be motivated not just by labour costs, but by the desire to avoid burdensome data regulations, while less developed nations such as China can actually move data abroad to make it more secure.

The average loss of IP from foreign sites was put at $4.6 million (£3.2 million), with the UK at the low end of the spectrum with only $375,000, and China at the other end with $7.2 million.

Amidst a welter of statistics, however, three countries are clearly cited as being at the top of the watch list for posing the biggest threats to data protection - China, Pakistan and Russia, in roughly that order. These countries' reputations for data security are so poor that many firms have purposely avoided allowing data to be stored in them.

"As China and Russia's economies soften, there will be even more pressure to 'appropriate' intellectual property as a means to continue economic growth. Organised crime and state-sponsored groups in both Russia and China will continuously seek out new and profitable targets. Pakistan looms as potentially the largest threat, with attackers motivated by ideology rather than economic gain," says the report.

Unsecured Economies: Protecting Vital Information, researched by Purdue University's Center for Education and Research in Information Assurance and Security on behalf of McAfee, can be downloaded by registered users.





Will Apple's App Store change the desktop app market?

There's no doubt that Apple's iPhone has changed the landscape of the smart-phone industry, and indeed the mobile phone business as a whole. But one of the most revolutionary advances that Apple offered up isn't in the iPhone itself: It's the mechanism the company developed to distribute non-Apple applications to iPhone and iPod Touch users.

Third-party development for mobile devices and smart phones was already happening well over a decade before the iPhone's mid-2007 launch. Palm, Microsoft, and Research In Motion all allowed other companies to develop software for their devices, but they left it up to those third-party developers to market their creations -- and forced users to find, purchase, download and install them on their own.


In many ways, this model was no different from the one used by PC makers (including both Apple and Microsoft) to enable developers to create software and sell it through the same retail channels as the computers themselves. But software for mobile devices evolved in a smaller niche market, one with a more diverse range of platforms that was better suited to online purchasing. The result was often chaos. Users didn't know where to go to find applications, and in some cases, they didn't know how to properly install or remove the applications they had bought.

The App Store 'a radical shift'
Apple's decision to develop a new model -- its App Store -- marked a radical shift for developers and users in mobile software distribution. For developers, the App Store represented a one-stop solution for getting their creations into the hands of users. Apple leveraged its existing iTunes infrastructure for selling music and movies to make apps available to users, handle transactions, prevent piracy by tying purchases to an iTunes account, and offer some measure of marketing and management of customer reviews.

Once the App Store opened last July, developers didn't need to worry about traditional retail channels, setting up a Web site to host downloads, or figuring out how they would get paid. (Apple skims 30 percent off the top; developers keep the rest.) Not only did this drastically simplify the overhead for developers in distributing their apps, it also leveled the playing field between small developers -- maybe just one person working on a single product -- and large corporate developers.

For users, the App Store has been even more revolutionary -- and popular. By December, it had already distributed 300 million application downloads and was cranking out 2.2 million a day from a one-stop smorgasbord of applications. Buyers can browse categories, see what's new or popular, read reviews, check out screenshots, and search for specific applications by name or function. On top of that, buyers could do all that searching and evaluating on their computers or directly from an iPhone/iPod Touch.

But finding apps is only half the story. Purchasing them is also easy. Once you've set up an iTunes account, there's nothing more to it than clicking the "Buy" button and verifying a password. Then comes the real genius part: effortless installation. There's no installer utility, no convoluted instructions, no setup wizard -- the application just appears on your iPhone or iPod Touch home screen immediately if you used the device to find and buy it, or during the next sync if you purchased it on a computer. Software has never been so easy to find, purchase and install on any device.

Beyond the iPhone
Apple may have created the App Store for the iPhone and iPod Touch, but the concept isn't limited to them. In relatively short order, the concept is being copied by virtually every company that develops a smart-phone operating system. Google has launched a store for applications for its open-source Android smart phone system, Microsoft has created a portal for Windows Mobile applications, Palm launched its own app store, and RIM has announced that it will develop a store for BlackBerry users.

So far, most reviews indicate that Apple still has the edge in ease of use and installation. Still, it seems very clear that the idea of the App Store is a hit with mobile device owners and developers. But is it a concept that is necessarily limited to just mobile devices?

A broader App Store could grow in two directions: as a source for other slimmed-down devices, most notably netbooks, and as a place for software distribution for full-featured computers running operating systems such as Mac OS X, Windows Vista or, down the road, Windows 7.

App Store for Netbooks
Netbooks have emerged as a new and popular class of notebook computers. Typically stripped down in terms of processing power and storage, netbooks offer more portability and cost less than traditional laptops. But they rely on an older or stripped-down operating system (typically a Linux variation designed for the device or Windows XP) and a limited set of applications. The low cost and small footprint are making netbooks a popular choice for families, schools and frequent business travelers who want something more than a smart phone -- in particular, something with a real, albeit small, keyboard and screen -- but whose computing needs are minimal. Netbooks work well for editing basic office documents, browsing the Web and for e-mail.

Since netbooks essentially fit in between a smart phone and a full-featured computer, they're a logical step for App Store-style software distribution. In fact, many of the constraints on netbooks and smart phones are the same: small screen size, limited memory and processing capabilities, and restricted storage for the applications themselves. Since many netbooks are designed to be easy to use and carry and often serve as a second computer, making app installation simple is an excellent idea.

There's also the software-update component to consider. Apple's App Store application on the iPhone and iPod Touch can check for updates of installed applications to make the update process as easy as installation. Given concerns that netbooks may have outdated software because of their stripped-down nature, delivering security patches for vulnerable components could be done as simply as iPhone app updates.

One problem with the App Store for netbooks is that various vendors rely on differing operating systems. That means multiple companies would need to develop the stores and build the infrastructure to support them; given the current economic climate, that kind of investment might be hard to justify.

Apple is probably in the best position to deliver a netbook with an App Store. The company is no stranger to creating stripped-down versions of its flagship Mac OS X operating system, and its upcoming Snow Leopard OS X update is designed to be more streamlined. In fact, the iPhone and iPod Touch both run a version of Mac OS X, as does the Apple TV. It wouldn't take much for the company to create an operating system, the developer frameworks and an extension of the existing App Store for an Apple-based netbook.

Apple isn't exactly without experience in the netbook arena, either. In the late 1990s, Apple created the eMate 300 -- a small, low-power laptop intended for use in education. The eMate ran the same operating system as Apple's Newton PDA line, and in many ways, it was the world's first netbook.

Whether Apple will release a netbook is unknown. In a conference call last fall, CEO Steve Jobs flatly denied the possibility, calling the iPhone Apple's netbook. It's also worth noting that the eMate 300 and the Newton were both terminated not long after Jobs returned to Apple in 1997. However, that hasn't stopped Mac users and rumor sites from speculating that an Apple netbook is on the way. Nor has it stopped analysts from predicting that Apple must create a netbook to cash in on the popularity the devices are beginning to enjoy.

More recently, Apple COO Tim Cook, who is running day-to-day operations while Jobs is on a six-month medical leave, indicated that while Apple is watching the netbook market, it has no immediate plan to release its own. Of course, Apple also denied rumors that it was developing a mobile phone for months before ultimately unveiling the iPhone two years ago.

Taking the App Store to the Max
While netbooks would be a next logical step for the App Store concept, what about relying on such a store for all software distribution for full-featured computers? At first glance, the idea seems unfeasible.

First, the major operating systems including Windows, Mac OS X, and Linux are all much more complex than smart-phone operating systems. There's also a great deal more variation among individual operating systems on full-featured computers because of user-specific installation options, third-party add-ons, hardware drivers and a slew of configuration choices. Even issues like home directories, profile names and locations can make each computer more unique than most smart phones. Users also have freer range to access and modify parts of the file system (even system files) on a computer than on a smart phone.

That doesn't mean the App Store concept is impossible. In businesses and schools, a variety of solutions exist for mass deployment of applications to work stations. Many of those solutions allow IT staffers to define which applications are installed on particular computers -- and which users can access them. That system works much like an App Store would, except that the decision to install software is made by IT staffers or department managers -- not the individual users. Once an application is set to be deployed to a given machine, the process takes place largely in the background without the user needing to do anything -- mimicking the simplicity of the App Store install process.

One challenge to adopting that approach for something like an App Store is that it would require a good deal of information about the computers to which software is being distributed. In a consumer App Store environment, that could open the door for privacy concerns. There would also likely be a concern about bandwidth. Smart-phone, or even netbook applications, must be relatively small, but some computer applications can be hefty, something that could be an issue when it comes to downloading them over the Internet. And it would be particularly challenging if Internet service providers limit customer bandwidth.

The real hurdle: retailers?
Ultimately, the real hurdle to an App Store for computer software distribution and installation isn't likely to be a technical one. It's more likely to be the conflict such a store would create with software developers and retail channels. While developers would probably come around to the idea of selling software this way -- most likely as an adjunct to existing channels -- retailers would be a different story. They might be cut out of the application food chain entirely. If an App Store were even moderately successful and well implemented, it could prove to be a disaster for software vendors. That issue didn't arise with the iPhone because it was a new device without any existing software retail channels, and other mobile systems have typically relied on small online shops.

Exactly where the App Store model will lead software distribution isn't clear. But the model has been a radical success, and I doubt it'll remain limited to smart phone apps for long.

Ryan Faas is a frequent Computerworld contributor specializing in Mac and multiplatform network issues. You can find more information about him at RyanFaas.com. Computerworld is an InfoWorld affiliate.





With economic slump, concerns rise over data theft

Is the worsening economic situation going to turn some employees into data thieves?

That's a top concern amongst IT decision makers, many of whom say that laid-off employees are the biggest security threat created by the economic downturn. In a McAfee-sponsored worldwide survey (registration required) of 1,000 IT decision makers, the company found that 42 percent of respondents felt that the laid-off employees represented the biggest IT security threat caused by the recession. That's more than were worried about outside intruders. And 36 percent said that they were worried about security problems caused by employees in financial stress.


Crime rates spike during hard times, and with thousands of workers being laid off each week now, there may be an added incentive for employees shown the door to take intellectual property with them to bolster their chances of getting hired with a competitor, to use with a start-up company of their own, or maybe even to sell.

"The economic downturn across the board is going to provide additional motivation for people who would want to do harm," said Seth Bromberger, an information security manager with PG&E in San Francisco. "It's on a lot of people's radar right now."

According to Bromberger, companies that have their employee exit processes in order have less to fear from laid-off workers. It's just that with the current economic squeeze, people's motivation may be changing.

Layoffs can fray employee loyalty, and there certainly is money to be made selling all kinds of corporate data.

Last August, a financial analyst with subprime mortgage broker Countrywide named Rene Rebollo was arrested by the U.S. Federal Bureau of Investigation for allegedly selling Excel spreadsheets containing customer information for about two-and-a-half cents per record. Over a two-year period he may have made $70,000 from the scam, the FBI said. His annual salary was $65,000.

According to court filings, Countrywide had security software that disabled the use of USB drives on its PCs. But Rebollo found one PC that didn't have the software and was able to download about 20,000 records each week onto his personal thumb drive, which he'd later email to a buyer, the FBI said.

USB drives are one of the most underestimated sources of data leaks, says McAfee CEO Dave DeWalt. "For $100 you can buy a 100GB drive," he said. "100GB can be the entire customer base for an entire large company."

An economic slowdown can create other computer security problems too. As businesses fail and are bought, that churn can lead to management chaos within IT groups. Workers aren't sure how to report security concerns, or to whom, and existing controls may not be monitored as roles are switched and jobs are lost. In addition, workers may not want to report security issues for fear of jeopardizing a co-worker's job or drawing unwanted attention to themselves.

Ignoring security problems can be costly. The average security breach results in a loss of $4.6 million in intellectual property and costs about $600,000 to clean up, DeWalt said.

"We don't have the good risk models and as a result people are taking risks," said Eugene Spafford, a professor of computer science with Purdue University who contributed to McAfee's report on its survey data.

Security breaches will go up as a result of the downturn, especially as companies try to trim information security costs, although "it's not clear that we will see a lot of them attributed back directly to security issues," he said.

Still, not everyone sees the downturn as a game-changer.

"I'm not sure I recognize a greater threat to this company because of the downturn in terms of cyber threats," said Jim Klotz, CIO with the PMA Insurance Group in Blue Bell, Pennsylvania. Increasing cyber crime is just a fact of life, and it would be growing with or without the slump, he said. "More people are capable and more people are finding profit in it."



Intel to detail eight-core Xeon processor

Intel plans to detail an eight-core Xeon processor at the International Solid-State Circuits Conference in San Francisco next month, offering an early look at what appears to be the company's first eight-core chip.

Details of the Xeon processor that will be discussed during the Feb. 9 presentation are scarce. The ISSCC program only reveals that Intel executives will discuss an eight-core, 16-thread Xeon processor manufactured with a 45-nanometer process.


Intel declined to comment on the Xeon processor that will be detailed during the presentation. "We are presenting 16 papers at ISSCC, but don't have anything further to share at this point," said Nick Jacobs, a company spokesman in Singapore.

The timing of the presentation suggests the eight-core Xeon processor is likely to be the Nehalem EP processor, an upcoming chip that is designed for dual-socket servers and workstations. This segment of the Xeon line is due for a refresh, and the Nehalem EP processor is scheduled to be released during early 2009.

Like other Nehalem chips, the Nehalem EP chips will include an integrated memory controller and use Intel's QuickPath Interconnect (QPI), which replaces the front-side bus and allows more data to flow between the processors and other components in the computer, speeding up the computer's overall performance.





How many flavors will Windows 7 come in?

Windows Me may not have had much going for it, but it has one claim to fame: it was the last major release of Windows to come in a single edition, or SKU.

In the ensuing decade, every major release of desktop Windows has come in a wide -- too wide, say many -- variety of flavors.


By one count, Windows XP and Vista came in eight separate editions, if you include two Windows Media Player-free versions mandated by the European Union for anti-monopoly reasons.

Even Windows 2000, often romanticized for its small footprint, came in four versions.

This increase in Windows editions has bewildered many consumers, and led even ardent Windows fans to make dark jokes.

"I wonder whether Windows 7 will have 700 SKUs or if [Microsoft] will streamline that," Andrew Brust, a technology consultant and Microsoft MVP, has said on his Twitter page.

Paul Thurrott, a well-known Windows blogger, said, "It is laughable. It's such a brazen play on their part to juice people for as much money as they can get."

This MBA textbook-style attempt to maximize revenue by divvying up features by customer segment is actually hurting Microsoft, said Rob Enderle, an independent analyst.

He said Microsoft's decision to strip Active Directory features from consumer versions of Vista meant that workers running Macs at home or on personal laptops have an easier time hooking up to their corporate network than many Vista users.

That is helping Apple gain the foothold in the enterprise it has long been denied, Enderle said.

"In effect, this screwy SKU thing has given Apple an advantage in enterprises that Microsoft has taken away from itself and probably will be one of the primary things slowing Windows 7 adoption" should it come in multiple editions, he said.

Will Windows 7 continue the 'SKU inflation'?
How many editions will Windows 7 come in? A recent beta release of Windows 7 lists five versions during the installation process:

-- Starter Edition, a stripped-down version for customers in developing countries running underpowered hardware that has been around since XP;
-- Home Basic, the controversial low-end consumer flavor introduced with Vista that Microsoft apparently debated whether or not to release;
-- Home Premium, also introduced with Vista;
-- Ultimate, introduced with Vista, the loaded-with-goodies version aimed at hard-core hobbyists;
-- Business, introduced with Vista as the replacement to Professional for corporate use.

A Microsoft spokeswoman confirmed the five version names in the Windows 7 beta, but said they were only "preliminary."

"We will continue to take customer feedback from the beta test period into account as we refine the SKU set for Windows 7 and will share more information when we are further along the development path," the spokeswoman said in an e-mail.

Meanwhile, CNET UK reported that Microsoft plans to make a single version of Windows 7 just for netbooks.

There is evidence, via a Microsoft job posting, that Microsoft plans to release a Small Business version of Windows 7, as it once planned but abandoned for Vista, as well as an Enterprise edition, which already exists with Vista. There would also be two additional 'N' versions of Windows 7 for customers in the EU, which has signalled recently it may even demand Microsoft bundle rival browsers with Windows. In all, Windows 7 could therefore have as many as 10 editions.

Windows blogger Thurrott disagrees, arguing strongly that Microsoft will cut down on the proliferation in editions that hit an apex with XP and Vista. He notes that the public Windows 7 beta includes the locale-specific themes that, in XP and Vista, were only available in the Starter edition.

The public beta, which is of Windows 7 Ultimate, appears able to run on low-end hardware like netbooks, obviating the need to create a separate SKU for it, Thurrott said.

He said that he has also heard reports that Microsoft plans to cut the "useless" Home Basic, that the Business edition will eventually be renamed Professional and include Media Center features, and that an Enterprise edition would be eliminated and its features, such as desktop virtualization, offered as add-ons to interested corporate customers.

Thurrott believes Microsoft's best strategy is to release Windows 7 in just three versions (not including the EU-mandated ones): Home, Professional and Ultimate.

"Gosh, I really do hope so. If there were just three versions, no one would make fun of it," he said. "Five or seven versions, that's just crazy town."

Thurrott also thinks Microsoft should cut the price on all of its versions, as well as let customers install Windows on multiple PCs or virtual machines, as Apple does with Mac OS X.

He said he was hopeful for a reduction in editions because Steven Sinofsky, the Microsoft VP in charge of Windows 7's development, is "a simplicity maven."

Enderle, who hammered Microsoft's version strategy with Vista, especially its decision to release Vista Home Basic, has a more quixotic hope.

"I think there should be one version of Windows which allows the OEMs [PC makers] more flexibility with regard to creating unique user experiences without breaking compatibility, and restores the ability of users to drive OS upgrades in the companies where they work," Enderle said in an e-mail.

"I'm not aware of another instance where a user-focused technology is specifically altered so a user can't bring it into their workplace," he said.

Computerworld's Gregg Keizer contributed to this story. Computerworld is an InfoWorld affiliate.





Google, partners release net neutrality tools

Google and a group of partners have released a set of tools designed to help broadband customers and researchers measure performance of Internet connections.

The set of tools, at MeasurementLab.net, includes a network diagnostic tool, a network path diagnostic tool and a tool to measure whether the user's broadband provider is slowing BitTorrent peer-to-peer (P-to-P) traffic. Coming soon to the M-Lab applications is a tool to determine whether a broadband provider is giving some traffic a lower priority than other traffic, and a tool to determine whether a provider is degrading certain users or applications.


"Transparency is our goal," said Vint Cerf, chief Internet evangelist at Google and a co-developer of TCP/IP. "Our intent is to make more [information] visible for all who are interested in the way the network is functioning at all layers."

The tools will not only allow broadband customers to test their Internet connections, but also allow security and other researchers to work on ways to improve the Internet, Cerf said. Current Internet performance tools "are geeky to the extreme," he said during a Washington, D.C., forum on the M-Lab tools.

The M-Lab project, launched Wednesday, comes after controversy over network management practices by Comcast and other broadband providers. Earlier this month, two officials at the U.S. Federal Communications Commission questioned why Comcast, the largest cable modem provider in the U.S., was exempting its own VoIP (voice over Internet protocol) from traffic congestion slowdowns, but not offering the same protections to competing VoIP services.

The FCC letter to Comcast came after commissioners ruled in August that the broadband provider's decision to slow some P-to-P traffic violated the agency's network neutrality rules prohibiting broadband providers from blocking or slowing Internet traffic or applications. News reports in late 2007 unveiled Comcast's practice of slowing some BitTorrent traffic. Comcast later said it was slowing traffic only at times of peak congestion, but the FCC and other groups disputed that the traffic management was limited.

Comcast declined to comment on the M-Labs effort.

The set of tools will allow broadband customers to measure their providers' performance, said Michael Calabrese, director of the Wireless Future Program at the New America Foundation, a think tank involved in the M-Lab project. Consumers "deserve to be well-informed" about their broadband performance, he said.

Some of the M-Lab tools have already been released, but participants in the project plan to further develop the tools and host them on servers around the world, added Sascha Meinrath, research director at the Wireless Future Program. All the M-Lab tools will be released under open-source licenses, allowing others to modify and improve them, he said.

People on either side of a debate on whether the FCC or U.S. Congress should develop network neutrality rules should welcome the tools, said Ed Felten, director of the Center for Information Policy and a computer science and public policy professor at Princeton University. It took months for policymakers to gather solid information on Comcast's network management practices, but net neutrality advocates can use the tools if they suspect broadband providers of interfering with traffic.

"If you believe that network neutrality government regulation is not needed, if you believe that the market will handle this ... then you should also welcome Measurement Labs," Felten said. "What you are appealing to is a process of public discussion ... in which consumers move to the ISP [Internet service provider] that gives them the best performance. It's a market that's facilitated by better information."

However, one ISP industry source, who asked not to be identified, questioned whether the tools would accurately point to the cause of broadband problems. Spyware or malware on computers can affect browser performance, and problems with the wider Internet can cause slowdowns, the source said.

The M-Labs partners seemed to bypass broadband providers when putting together their tools, the source added. "It may appear that issues that are occurring off an ISP's network may be the ISP's problem," the source said of the tools. "It's important for groups like this to collaborate, not only among themselves, but also with ISPs."




Jetty Web server flies to Eclipse

The wheels are in motion to make Jetty, an open source Java Web server, an Eclipse Foundation project, said Webtide, the main developer of Jetty. The software is used as a server for rich Internet and embedded applications.

Jetty already has been part of several Eclipse projects, including acting as the Web and application server for Equinox, the Eclipse OSGi-based plug-in platform for application development, Webtide said.

By becoming an Eclipse project, Jetty would gain from formalized processes and Q&A procedures that a greater developer base can provide, said Webtide. Anyone writing code for Eclipse or who would like to contribute to Jetty can work on the project.

Webtide expects Eclipse to accept the project after a 6- to 10-week public comment period. "All the feedback we received so far is toward that effect, but until it's done, it's not done," said Adam Lieber, Webtide CEO.

Jetty is based on the Java servlet container concept similar to Apache Tomcat, Lieber said. "You can layer other things on top of Jetty," and put it in devices such as phones, he noted. Bringing Jetty to Eclipse enables it to work with numerous Eclipse projects, said Lieber.

Jetty has been around for about 12 years and has been downloaded an estimated tens of millions of times. "We've considered Jetty to be the best-kept secret out there, and after 12 years, it's an overnight success," said Lieber.

In a prepared statement released by Webtide, Eclipse executive director Mike Milinkovich endorsed the Jetty move. "This will add world-class runtime technology to the Eclipse runtimes initiative and create greater awareness for Jetty in the Eclipse community," Milinkovich said.

The proposal to have Jetty become part of Eclipse also would have it offered under a dual license. Jetty is currently licensed under Apache License 2.0, and an Eclipse Public License format would be added when the project is accepted by Eclipse, Webtide said. Current users and other projects consuming Jetty would continue to maintain their current rights. The move also will help Jetty be used more by OSGi projects, said Webtide.

Webtide offers custom distributions of Jetty and related support services.





Silverlight adoption hampered by economic crisis

Microsoft's Silverlight technology has streamed some high-profile live events lately, the inauguration of U.S. President Barack Obama and the 2008 Summer Olympics among them. But Silverlight's real promise for the business customer -- to improve user interfaces for day-to-day applications -- has been thwarted by tightening budgets.

In a recessionary climate, enterprise IT decision makers are hesitant to adopt new technologies. They are even less likely to adopt ones focused on UI design, which is a low-priority item in the best of times, designers and developers said.

"The UI is considered the last part of the application," said Ryan Peterson, principal and software engineer for Serenity Software, a Harrisburg, Pennsylvania, company that specializes in UI consulting and design. "The mindset has always been and still is: You build the application and then you build the interface. It's a large contributing factor to why people cut that [first]. They think if the application works, we can take care of the interface later."

Creative UI design for years has been primarily limited to the realm of high-impact Web sites and advertising and marketing campaigns. But before the U.S. economy began its nosedive last year, enterprises were beginning to take a closer look at how UI design could actually make them more efficient and save money by giving line-of-business workers better ways to interact with applications.

It was into this environment that Microsoft introduced the 1.0 version of Silverlight in April 2007. The company positioned the cross-browser technology as a competitor to Adobe's Flash multimedia technology for building RIAs (rich Internet applications).

Early on, Microsoft said it would integrate .Net -- the underlying development framework for Microsoft software -- into Silverlight. The integration of .Net would make it easier for developers to create more interesting UIs for business applications and allow them to tie the UI into back-end data stored in other Microsoft-based enterprise applications.

The first version of Silverlight wasn't fully baked, however, and it wasn't until October's release of Silverlight 2 -- .Net framework included -- that developers and designers could really use it to build more interactive UIs and add multimedia to Web-based applications. Unfortunately, the release coincided with enterprises freezing or cutting budgets as the economy faltered.

"IT shops were very interested in (UI design) before all the stuff happened toward the end of last year," said Dave West, a senior analyst with Forrester Research. "They're still interested, but adoption is down."

Ben Dewey, a senior software developer for IT consulting firm twentysix New York who has worked with Silverlight, said Silverlight 2 "was launched at a time when the economy started dropping," which affected its adoption.

"I don't know if people are really paying for Silverlight [development] just yet," he said. "People are going for less flashy." Dewey called Silverlight and UI design in general in this economic climate a "nice to have" vs. a "need to have" technology for many IT projects.

In general, the addition of new technologies to IT projects also falls off in a faltering economy, others said.

"When there is a lot of money, there is a lot more freedom to do projects that are completely new," said Glenn Phillips, president of Forte, a consulting firm and custom development and design shop in Birmingham, Alabama. "That is where the new technologies get introduced."

However, "when the economy is tough, that's when people say, 'Let's just take care of what we've got built. That's not the point where you would go and change out your technologies," he said.

Still, it's not all bad news for Silverlight and UI design technologies in general. Forrester's West noted that some system integrators lately have added UI designers to teams that historically would not have included one. He said the economic slowdown may be allowing them to explore how they can use new technologies even if they aren't currently deploying them in projects.

"People have more time on their hands so they're looking at new technology and roles, or whether there is a desire by their customers to [use those technologies]," West said.

Having a UI designer on a project that involves Silverlight is key to unlocking the potential for the technology, twentysix New York's Dewey said. He said while it was clever of Microsoft to integrate .Net into Silverlight, it also makes it easy for developers who have no creative talent to do UI design.

The end result may be applications with clunky UIs built by inexperienced designers, which could turn people off Silverlight and keep them from realizing what can really be done with the technology, he said.

"There's nothing to stop developers from sending out applications [with] no real aesthetics work," Dewey said. "People will start releasing stuff in Silverlight that when compared side by side in Flash" doesn't look as good, he said, which could give Silverlight a poor reputation.

Serenity Software's Peterson, who specializes in explaining to businesses how better human interaction with computer UIs could save them money and make their businesses run more efficiently, said some of his clients are using Silverlight to improve their UIs. However, this use has been limited to adding more creative UIs to applications that already run on the .Net platform, he said.





IE8 RC1 gains ground in JavaScript race

The newest version of Internet Explorer 8 is still the slowest big browser when it comes to JavaScript. But it has significantly closed the gap since last summer's second beta, benchmark scores show.

According to tests run by Computerworld, Internet Explorer 8 Release Candidate 1 (IE8 RC1) lags behind its four major competitors in rendering JavaScript -- at times, by large margins.

Mozilla's Firefox, Google's Chrome, Opera Software's Opera and Apple's Safari all posted better SunSpider JavaScript benchmark scores, with Chrome leading the pack. It was four times faster than IE8 RC1, while Firefox and Safari were nearly twice as fast.

Computerworld ran the SunSpider suite in Windows XP three times for each browser, then averaged the scores. In SunSpider, smaller numbers are better. The results were: Chrome 2.0.159.0 -- 1275; Firefox 3.0.5 -- 3037; Safari 3.2.1 -- 3050; Opera 9.63 -- 4139; and IE8 RC1 -- 5573.

Although IE8 RC1 was the slowest of the five browsers, its SunSpider score was approximately 70 percent faster than that of IE8 Beta 2, which was released in August 2008 and tested by Computerworld last month.

Microsoft, however, continues to dismiss benchmarks like SunSpider. In an interview earlier this week when the company launched IE8 RC1, senior product manager James Pratt criticized such tests. He described them as "micro-benchmarks" that place an emphasis on scores as a "drag race" that Microsoft isn't about to enter.

"We looked at when users load real Web pages," Pratt said, adding that the company tested what he called the "top 25" sites on the Internet. "We looked at where IE spends its time when it shows those pages." Only 20 percent of IE's time is occupied rendering JavaScript, Pratt said. "To say that a browser engine is just a JavaScript [engine] doesn't match the reality of how the Web is built today."

Instead, Microsoft wants to push the discussion toward a more holistic view, and away from just JavaScript. For most users, Pratt continued, it just doesn't matter.

"We're at the point, with what people do in the browser, that users can't really tell the difference between browser [performance]," he said. "Beyond building a performance lab, which we've done, it's very difficult to tell which browser is fastest. The reality is that for most users, they'll all be comparable."

Other browser builders would disagree.

Mozilla, for example, has been aggressive in touting its new JavaScript engine, dubbed "TraceMonkey," which it launched last year and has added to Firefox 3.1, an upgrade that has been delayed several times during beta testing.

Computerworld is an InfoWorld affiliate.




iPhone boosts AT&T as traditional voice revenues decline

AT&T offset some declines in traditional voice revenues for the fourth quarter with the help of more Apple Inc. iPhone customers.

In all, there was a net gain of 2.1 million wireless customers in the fourth quarter, with nearly all of them, 1.9 million, new Apple iPhone customers, AT&T reported Wednesday.

About 40% of all iPhone customers are new to AT&T. Overall, AT&T had 77 million mobile phone customers by the end of 2008.

AT&T's net income of $2.4 billion for the fourth quarter of 2008 was down from $3.1 billion in the same period last year. Fourth quarter revenue was $31.1 billion, compared with $30.3 billion in the fourth quarter of 2007.

CEO Randall Stephenson noted that revenues overall for 2008 grew despite a poor economy and predicted more revenue growth for 2009. Revenue for 2008 was $124 billion, up 4.3% from 2007.

For the quarter, the wireless division had $11.5 billion in revenue, up from $10.2 billion in the fourth quarter of 2007. Wireless data revenue grew a whopping 51% for the quarter to $3.1 billion, and wireless customers sent about 80 billion text messages, double the amount from the previous year.

AT&T's addition of 2.1 million new subscribers for the quarter beat out the competition, including Verizon Communications, which posted a strong fourth quarter yesterday. The addition of 1.9 million new iPhone subscribers was down from 2.4 million in the third quarter.

Analyst Kate Price at Technology Business Research Inc. said the iPhone has had a more dramatic impact on AT&T than the BlackBerry Storm has had on Verizon. Verizon added 1.2 million new subscribers in the fourth quarter, although it didn't begin selling the Storm smart phone until Nov. 21, mid-way through the quarter.

Price also said the iPhone subscribers use 1.6 times the data service of the average AT&T customer, or about $100 a month, further adding to AT&T's success.

She added that the switch to smart phones is correlated with the decline in voice minutes at AT&T, which dropped to 711 minutes on average per customer in the fourth quarter, down from 736 in the year-earlier quarter.

AT&T's traditional voice revenue was $8.8 billion in the fourth quarter, down from $9.8 billion in the fourth quarter of 2007.





Credit crunch changes economics of outsourcing

The credit crunch is undermining the economic model of outsourcing, with discounts offered in the early years of a contract disappearing in the face of the recession.

An analysis by Compass Management Consulting of more than 125 outsourcing deals found that discounts usually offered in the early years of an outsourcing deal are no longer available, and the financial crisis is having a dramatic effect on the pricing of long term outsourcing deals.

In recent years, outsourcing providers have made long-term deals attractive by offering "significant discounts" for the first year of the contract. This initial discount is recovered in the later years of a contract, when charges can be 30 percent or more above a comparable internal market rate, Compass said.

Outsourcers are "unwilling or unable to fund losses" by offering discounts to enterprises during the early years of contracts, the consultants group said.

"Outsourcing is no longer a source of working capital for corporates nor a vehicle for financial engineering. Fewer outsourcing providers are entering into contracts that have negative cashflow in year one in order to fund a short term discount for their clients," said Andy Gallagher, consulting director at Compass.

"Just as the credit boom transformed the outsourcing sector's ability to fund discounts based on an annuity stream from contracts, the shrinkage of credit will have a transformational effect on the sector. The economics of outsourcing and the way deals are managed is going to change radically in the months to come," he said.

According to Compass, most sourcing deals before 2008 were fixed-price for the duration of the contract period or set at a baseline price which increased at a pre-determined figure each year. The multiplier for the increase was normally linked to the retail price index (RPI) or the consumer price index (CPI) for the year in question. This pricing approach was designed to be below market price in the early years of the contract and above in the later years.

In 2007, 90 percent of contracts followed this "flat line" pricing model, where discounts needed funding in the early years. But by the second half of 2008, this figure had fallen to below 65 percent as vendors moved to a pricing approach that tracked their own forecasts of changes in the market over the contract period or compared the contract price with actual market rates.

With these upfront savings now removed from many deals, Compass predicts that customers will have to work more closely with providers to gain value and achieve sustainable cost reduction throughout the duration of their contracts.

"We are already seeing the best performing companies working to understand their existing operational performance, how they compare with best practice and what opportunities exist for improvements. With that understanding comes a more constructive approach to contract management," said Gallagher.

Compass also warned that many enterprises could be paying for costly customised services from outsourcers for IT services, such as desktop management, when a standardised service would provide savings. A standardized service offering could generate savings of up to 30 percent and still meet a company's requirements, the consultants said.

Computerworld UK is an InfoWorld affiliate.




The 7 dirty secrets of the security industry

Do you ever get the feeling your security providers are failing to tell you the whole truth? We entrust the industry to protect us from unacceptable risk. But we must confront the underlying truth: The goal of the security market is to make money.

Here are the seven dirty secrets of the security industry and practical ways to command honesty from your trusted security providers.

1. Antivirus certification omissions. The dirtiest secret in the industry is that, while antivirus tools detect replicating malicious code like worms, they do not identify malcode such as nonreplicating Trojans. So, even though Trojans have been around since the beginning of malicious code, there is no accountability in antivirus certification tests. Today Trojans and other forms of nonreplicating malcode constitute 80% or more of the threats businesses are likely to face. Antivirus accountability metrics are simply no longer reflective of the true state of threat.

2. There is no perimeter. If you still believe in the perimeter, you may as well believe in Santa Claus. That isn't to say there is no perimeter. But we need to define what the perimeter is. The endpoint is the perimeter, the user is the perimeter. It's more likely that the business process is the perimeter, or the information itself is the perimeter too. If you design your security controls with no base assumption of a perimeter, when you have one you are more secure. The mistake we tend to make is, if we put the controls at the perimeter, then we will be fine. For many threats, we couldn't be more wrong.

3. Risk management threatens vendors. Risk management really helps an organization understand its business and its highest level of risk. However, your priorities don't always map to what the vendors are selling. Vendors focus on individual issues so you will continue to buy their individual products. If you don't have a clear picture of your risk priorities, vendors are more than happy to set them for you. Trusted security partners will provide options for assessing your risk posture and help you develop plans to make the most security impact for the least cost and complexity. Security needs to conform to and support your business priorities. Too often, vendors want your business to conform to their portfolio.

4. There is more to risk than weak software. The lion's share of the security market is focused on software vulnerabilities. But software represents only one of the three ways to be compromised, the other two being weak configurations and people. The latter is the largest uncovered area of risk. This is malicious code that doesn't leverage a vulnerability but rather leverages the person. For example, downloading a dancing skeleton for 'a spooky good time' (this was a trick employed by Storm), social engineering, spear phishing, etc. While we still need to find vulnerabilities and patch them, we must understand that an organization is only as strong as its weakest link. And more attention needs to be paid in mitigating the other two ways beyond software.

5. Compliance threatens security. Compliance in and of itself is not a bad thing. But, compliance in and of itself does not equal security. At the very least it's a resource and budget conflict, and it splits our focus. Compliance is supposed to raise the minimum standard of security, but it just gets us to do what we are required to do and nothing else.

What's more, that which is easy to measure is not necessarily that which is most valuable. So if there were 15 software vulnerabilities last month, we can measure that 12 of them have been patched. It is much harder to measure how effective end user training was to make administrators immune to social engineering attacks. The lesson is you need to be compliant, but your entire risk strategy cannot be based on it.

6. Vendor blind spots allowed for Storm. Storm is being copied and improved. The Storm era of botnets is alive and well, nearly two years from when it first appeared. How is this possible? 1. Botnets thrive in the consumer world where there is little money for innovation, a fact Storm and its controllers know. They are making money off of everything from spam to pump-and-dump stock scams. 2. They eat antivirus for breakfast. A lot of the techniques and innovations used by Storm are not new; they are just being leveraged artfully against the blind spots of antivirus certifications and antivirus vendors. 3. Malcode does not need vulnerabilities. Most of the Storm recruitment drives have leveraged social engineering and play off of a holiday or sporting event.

7. Security has grown well past "do it yourself." Technology without strategy is chaos. The security market is often far too focused on the latest hot box or technology. The sheer volume of security products and the rate of change have super-saturated most organizations and exceeded their ability to keep up. Organizations realize only a fraction of the capabilities of their existing investments. Furthermore, the cost of the product is often a fraction of the cost of ownership. There was a time when you could "do it yourself." But the simple days of Virus meets Antivirus are long gone. Highly effective organizations are embracing professional and managed security services to extend and augment their in-house expertise. By focusing your in-house expertise on what you know best -- your business -- scale comes from teaming with third-party expertise. This will be increasingly necessary in these tough economic times.

The primary goals for executives over the next few years are to cut cost and reduce complexity. Today we are seeing a massive convergence in the security market. There are only going to be a few large players left and a bunch of smaller players. Will consolidation lead to better efficiency, or will it lead to vendor lock-in?

As executives simplify, they will face many choices. Simply reducing vendors may fail to balance cost, complexity and risk. Vendors have a responsibility in this equation and must rise to the challenge. True risk management can show where to prune solutions, but the key is risk-driven, responsible simplification.

Corman is principal security strategist for IBM Internet Security Systems. Network World is an InfoWorld affiliate.





Cloud computing shapes up as big trend for 2009

It is still early in the year, but cloud computing already is shaping up as a key trend for 2009.

At SoftwareAG's Cloud Computing Innovation Day in Santa Clara, Calif., on Tuesday, executives from companies including Software AG, Elastra, RightScale, and Soasta pondered the benefits and obstacles of cloud computing, a concept that generally involves enterprises utilizing third-party servers over the Internet to run applications. The event was at least the third cloud computing-related session scheduled in the Silicon Valley area since last Thursday.

"For me, cloud computing is infrastructure, infrastructure in the most fundamental sense," said Miko Matsumura, vice president and deputy CTO at SoftwareAG. "It really is the compute infrastructure to some extent, but that it gets deeper at some level."

Today, the main benefit of cloud computing is that it enables adherents to only use what they need, something particularly important in a down economy, Matsumura stressed. Clouds scale up and down quickly, he said.

"It gives you a lot of flexibility," Matsumura said. He anticipates enterprises utilizing cloud computing in a hybrid fashion, deploying some applications in the cloud but perhaps not for a bread-and-butter SAP application holding lots of proprietary data.

At Elastra, the company seeks to help take advantage of cloud computing using existing infrastructure, leveraging a client's virtualized datacenter and grasping which applications might make sense deployed on the Amazon Elastic Compute Cloud (EC2) public cloud, said Stuart Charlton, chief software architect at Elastra.

"To really understand the cloud, it's not just about outsourcing," Charlton said. The point of the cloud is that it is aligned with recent concepts such as SOA and enterprise architecture, he said. Qualities of the cloud include on-demand access, usage metering, self service, scalabilty, and elasticity, according to Charlton.

Upcoming barriers to cloud adoption include integration and data quality, he said.

"My view is that the cloud is a very interesting destination for some apps, not for every app but for some apps," said Tom Lounibos, CEO of Soasta, which offers Web application testing via a cloud paradigm.

Applications for the cloud can include sales and marketing systems, RSS and content management systems, social networking, and CRM. The cloud "makes a very interesting platform for composite apps," Lounibos added.

Asked what applications do not work in the cloud, Lounibos declined to be specific, saying companies make personal decisions about cloud deployments based on core competencies.

Soasta is seeing enterprise companies as well as startups as customers. "What I've learned is cloud computing blurs the line between enterprise and small and midsize companies," he said. Lounibos asked, "Is Facebook a small or midsize company?"

Cloud computing is inexpensive, stressed Michael Crandell, CEO of RightScale, which offers cloud management for deploying mission-critical applications. He listed other drivers to the cloud as scalability and access to resources.

Barriers to cloud adoption include lock-in, security, service-level agreements, regulatory compliance, and loss of control of underlying infrastructure, Crandell said.

"On the obstacle side, lock-in, interestingly enough, is the No. 1 obstacle that we hear mentioned among customers and prospects that we speak with," said Crandell, adding that RightScale addresses obstacles to the cloud.

He listed customer examples, including a biopharmaceutical company using the cloud for wikis for its global workforce, grids for protein analysis, and compute-intensive statistical analysis.

Crandell said commoditization in the cloud space is happening and is good in that it creates standards and the ability to replicate. It also can lower prices. But even at the cloud infrastructure level, differentiation is occurring, said Crandell. He cited as an example Amazon's Availability Zones capability to protect applications from failure of a single location.

An attendee cited software licensing as an issue with cloud computing and virtualization.

"The challenge with enterprise software is a lot of enterprise software license terms are bound by hardware configurations," said Mehmet Orun, a senior manager at a biotechnology firm that has used cloud computing.

He asked if vendor legal groups were ready to accommodate a flexible model allowing for differing demands for software at different times, such as meeting peak demands at certain times of the year.




Putting a price on offshoring

Read any case study and you'll probably encounter overblown statistics that say offshore outsourcing reduced costs by 50 percent, reduced number of defects in production by 25 percent, reduced time to launch application by 40 percent, and so on.

Some even go a step further and extrapolate these figures to 'business value'. Example: launch time reduced by 10 weeks implies 10 weeks of additional revenue or reduced costs. So 10 divided by 52, then multiplied by annual revenues or IT annual spend equals business value from reduced launch time. Lo and behold -- suddenly you have a number in the tens of millions. Add up all the other sources of value and you may reach hundreds of millions and even billions as the business value. Sounds good, right? Especially in this time of recessionary woes.

But if this was accurate, customers would not be so unsure about whether offshore outsourcing has delivered value. Numerous surveys indicate that anywhere between 17 percent and 53 percent of customers have not realized business value/return on investment from offshore outsourcing. Yes, statistics can prove just about anything, but whatever the number, there are customers who have not realized tangible returns from offshore outsourcing. And this article is for you folks.

When quantifying the business value of offshore outsourcing, customers must consider three important aspects that are often ignored: the appropriate comparisons, the hidden costs, and the distinction between theory and reality.

The wrong assumptions
When it comes to building the business case for offshore outsourcing, the most common comparison is between onshore and offshore, apparently in answer to the question: "If we had to do the project in any other way apart from offshore, how much would that cost?"

Many assumptions end up wrongly over-estimating the onshore cost. Most common is using the same headcount number in both cases. When a project is done onshore, fewer people are required because of reduced activity levels in areas like knowledge capture, knowledge transfer, project coordination, and environment support. Then there is the productivity factor.

M. M. "Sath" Sathyanarayan, president and principal consultant of Global Development Consulting and author of Offshore Development and Technical Support: Proven Strategies and Tactics for Success, says that even if offshore personnel are as competent as your local employees -- which is your best-case scenario and unlikely to be the case when you are getting started -- there will still be a productivity loss because of systemic issues.

Also, the assumption that all the onshore work will be done by newly hired internal employees may not be the right one to make; customers almost always leverage contractors and existing employees. For the former, use the relevant contractor rates that are likely to get negotiated and the appropriate loading factor (you don't pay pensions, holiday allowances, and so on to them). For the latter, consider if they can be treated differently: it could be a sunk cost for a period of time or a partially apportioned cost.

Finally, internal employee costs are excessively padded by something called "an overloading factor" to account for pensions, holidays, desk space, corporate overheads, and other factors. A figure of anywhere between 20 percent and 50 percent is normally used here -- choose the figure that reflects reality, and take into account that you can't recover any of those costs anyway.

The straightforward costs are fairly easy to see -- costs related to personnel, communications, IT infrastructure, and tools and licences -- although sometimes the uplift required for converting single-site to multi-site licences can be hidden.

Many cost elements are not obvious. In their article Hidden Costs Impact Value in Outsourcing, authors Whitfield and Joslin state that potential outsourcers in all industries commonly assume that outsourcing can be plug and play, that the company will only have to absorb limited up-front costs before large savings can be realized, and that offshoring for labour arbitrage will ensure more than 60 percent cost savings.

In reality, 10 percent to 15 percent savings are more realistic for highly commoditized service areas, and 40 percent to 50 percent savings can be achieved only in optimal circumstances.

Hidden costs
Travel of a customer's onshore staff first comes to mind as a hidden expense: a leading European software provider indicated that it takes 40 trips per annum to manage its offshore product testing program.

Equaterra, an outsourcing consultancy, points out a couple of interesting examples of hidden costs. One is the hidden cost of work retained onshore, internally. One retailer had outsourced the work of 1,100 employees, but held onto 50 percent of the work for 200 of those employees. As a result, the company overstated its business case by $24M (£15M).

Another overlooked expenditure is the hidden cost of internal, transitional headcount. Companies usually don't account for the costs of employees who help in the transition. For example, one pharmaceutical company kept about 20 percent of its staff for six months after the go-live date, which added $1.5M (£950,000) in cost. Overambitious headcount estimates can cut projected savings by between 10 percent and 20 percent.

Other examples of hidden costs are set-up (initial knowledge transfer, training, retraining, for example) and managing the offshore outsourcing engagement (governance system, additional personnel, management time). A McKinsey study suggests a figure of 10 percent for additional transactional costs and 10 percent for additional monitoring costs, though particular cost elements were not specified.

A recent white paper by a leading offshore outsourcer in collaboration with a top-tier industry analyst reported that their return-on-outsourcing model takes into account benefits from cost savings, efficiency gains, and revenue improvement. But the bulk of the benefit actually comes from revenue improvement rather than tangible cost savings.

Assumptions on revenue impact are open to theoretical debate and as a result are seldom evidenced in financial statements. It's not that there is no revenue impact for offshore outsourcing, but customers should make the distinction between what benefits will actually hit the books versus benefits that are more theoretical in nature.

Statistics can prove just about anything. You need to exercise diligence and your own prudent judgment in the quantification process, otherwise you will end up building unrealistic, unseen, and unfeasible expectations of business value from offshore outsourcing.

CIO.co.uk is an InfoWorld affiliate.



