Can the Internet of Highly Insecure Things Be Trusted to Run the One True Network?
As the dust settles on the recent changes at SAP, and with SAPPHIRE looming large, it’s worth taking a look at what I think will be one of the most interesting, ambitious, and potentially lucrative bets SAP has made in a long time. The bet is on Ariba and its vision for a global, competitor-crushing, B2B network. At stake is nothing short of a major reconfiguration of the global economy, global trade, global service delivery, and pretty much everything else that falls under the rubric of B2B commerce as we know it.
In other words, Ariba wants to change how business conducts business. And the Ariba vision is a good one, so good that the question is not whether the shift that Ariba wants to create will happen. That’s a given. The real question is whether Ariba, and SAP, will have the role they hope to have as the progenitors of a brave new world of B2B networks.
Because lurking behind the scenario of building an all-encompassing, all-knowing one true business network are more than a few reasons why Ariba and SAP have their work cut out for them. And, ironically, the problem starts with the very businesses Ariba envisions will reap the benefits of its vision.
The vision is an old one, dating at least to the days of the Silk Road, by way of the Tower of Babel. If only we could transact business in a many-to-many network, where all business transactions and their documents (important detail, more on this in a moment) are mediated in an electronic exchange that automatically allows all participants to interact regardless of what their internal business systems or business processes look like.
In case you don’t remember, we saw the trailer for this movie in the dotcom era. Fast forward a couple of recessions, and now Ariba wants to create a network that connects the global business community in a hub and spoke topography that would translate and otherwise execute business transactions, provide transparency and visibility, and generate an enormous amount of data about what works, and what doesn’t work – and who works and who doesn’t work – in the global economy.
While this idea came up during the end of the last century, Ariba’s ability to execute on the current version is orders of magnitude better than what was possible back then. First of all, Ariba already has a business network for its procurement functionality that is 1.4 million companies strong and generated $500 million in spend last year. Second, it’s now owned by the largest enterprise software vendor in the world, SAP, which lays claim to the bragging rights that some huge quantity of the world’s economy is “touched” by SAP’s software.
(A side comment about this claim is warranted: In truth the actual number is a little squishy – sometimes SAP execs say 60%, sometimes they say 70%. But the actual role of SAP in this much of the global GDP can be misleading, and the importance of that role is easy to exaggerate. As I wrote in reference to Microsoft CEO Satya Nadella’s similar claim about Microsoft’s being ubiquitous in the global economy, just because a vendor is ubiquitous doesn’t mean it’s strategic. “Touched by” doesn’t necessarily mean “couldn’t take place without”.)
Regardless, that combination of a strong business network base and a strong “touched by” base gives Ariba a credible shot at pulling this off. A common mantra among new customers to the Ariba Network is that a significant number of their existing business partners were already on the network when the customer signed up. One customer told the audience at this year’s Ariba Live user conference that 50 percent of its suppliers were already part of the network when the customer signed up; another told me that in their case more like 66 percent of their vendors were in the network. That kind of built-in momentum pretty much guarantees the Ariba Network will be able to ramp up fast and grow rapidly.
In addition to enabling the day-to-day transactions that are the bread and butter of the network, Ariba also has the ability to provide some serious analytical services to its network customers. As I have argued many times in the past, the value of these analytical services and the meta-data they create could in many ways outstrip the value of the transactions themselves.
Part of the secret sauce that Ariba can apply to the network is the 15 years of historical data that it can use for analytical purposes. This combination of real-time transaction data and historical data is a data scientist’s dream – and when the majority of the Ariba Network back-end is running on HANA in a couple of years, the dream will take on a luster that is hard to fathom. Modeling, predictive analytics, sourcing and spend visibility, workforce deployment… the list of uses and capabilities is pretty impressive.
Ariba’s take is that this capability needs to be embedded in a single, global network – not geography-specific or industry-specific networks, but a One True Network that will connect the global economy to itself via Ariba and SAP. I’m not sure I agree with that, but it may be a matter of nomenclature as much as anything else – clearly no single entity on the Ariba Network today expects to transact with all 1.4 million of its fellow members, and almost by dint of the physics of the global economy there are discernible sub-networks that have to emerge around specific industries or supplier categories – direct versus indirect materials, aerospace versus durable goods, etc.
But while I do agree that scale is important, and more scale is better than less scale, I have serious questions about whether a single global network can be run effectively for the benefit of all. Some things, as I have said before, aren’t just too big to fail, they’re too big to succeed.
So what could go wrong? Turns out, lots – most of which originate from forces outside Ariba’s control. Much of this Ariba can, at least in theory, deal with, as long as the millions of businesses it wishes to connect are on board with the solutions.
The major problem can be stated in two words: security and safety. One of the ironies we are facing about our current One True Network, the public Internet, is that it’s becoming obvious that we let the genie out of the bottle a little too quickly when it comes to basics like the security and safety of our data, personas, and privacy. Of the many, many recent breaches in security and safety, the one that involves an actual security service, OpenSSL, is perhaps the most telling, as this service was designed specifically to prevent data from leaking out of insecure websites.
When we add the problems we’re already seeing when we try to expand our vision of the Internet to the Internet of Things – which IMO is looking more and more like the Internet of Highly Insecure Things – we’re finding that both the technological and philosophical/ethical underpinnings of the Internet are a little too loosey-goosey to protect the things that are important to us: our identities, bank accounts, our children’s safety, our trade secrets, our balance sheets, and our privacy, to name just a few.
So imagine if we took this flakey infrastructure and used it to dramatically up the ante for the $72 trillion global economy by not just interconnecting all the businesses in the world – something the Internet does today – but interconnecting their business processes, and by extension, their back offices in a single, seamless Ariba Network running on one of the world’s most sophisticated analytical and transactional systems. The bigger they come, the harder they fall suddenly takes on a whole new meaning.
The creation of a single point of vulnerability, one that, recent events show us, would be genuinely vulnerable to both economic sabotage and industrial espionage, need not keep Ariba’s vision from being realized. But the problems that I believe lurk in creating an Internet of Things based on our current Internet of Highly Insecure Things are as frightening, if not more frightening, when you look at creating an equally insecure business network.
The prescription for avoiding a global business network pandemic is relatively simple, but as I was just saying, its execution won’t necessarily be a piece of cake. The fundamental insecurity inherent in creating an Internet of Things today rests in the fact that the vast majority of those things – controllers, sensors, things that spin, to use GE’s parlance – are running old software and old security systems. And old, in the modern world of security and safety, is measured in months and point releases, not years and full version upgrades.
A similar problem exists in the business software world. Older software prevails, particularly in tier two and beyond companies. Security systems are often second rate, if they exist at all, and relatively little priority is given to making systems security and safety a best practice, particularly in terms of protecting the internal network from the outside world. If ordering takeout food from a website is now a vector for hacking, it’s pretty clear that the majority of internal business systems, even the most up-to-date, aren’t secure enough for the modern world.
So, along with its ambitious plans for a one true network, Ariba has to make sure its ambitions extend to an absolutely state-of-the-art security regime. And that’s where the biggest barrier lies. Ariba can build the most secure network the world has ever known, but if its members haven’t upgraded their security software and practices, then Murphy’s Law pretty much guarantees that somewhere in this global network will be at least one, and probably many more, points of vulnerability that are going to make it way too easy to crash the Ariba network. At which point the devastation to the global economy will make the latest recession look like a bull market.
What’s clear to me is that the B2B network concept is going to become the way to do business, but having a one true network may not be the way to go for both organizational and security reasons: independent of the danger inherent in hacking the global economy, setting up a value-added network at the industry level seems to be a more doable task than trying to boil the ocean – or the entire global economy – in a single, very fell, swoop.
I think rather than a single global network, Ariba/SAP should work on tackling some key industries first, and focus on getting this right on an industry scale before going completely global. My assumption is that doing it right in a handful of key industries will take more effort than is obvious today, and in taking the industry route Ariba/SAP can build a more credible story for its vision than one that gambles an excess of vision against an excess of opportunity, and threatens to fall too far short on both in the process.
A final note: none of this makes sense without discussing the key role that documents play in this B2B transformation. When I met with Ariba executives at the conference they didn’t seem to understand the critical importance of having an advanced document lifecycle management system as part of this B2B network. I’m hoping they’ve seen the light in the ensuing months: there is no business transaction that doesn’t involve documents and supporting data, and no business transformation that doesn’t have to deal with those documents and supporting data as a fundamental component of change. (Italics added to emphasize what I think is really, really important.)
One of the fundamental services an Ariba network will provide is mediating, transforming, transferring, and otherwise managing the docs and data that support the global economy – and which are the key targets of hackers and other criminals intent on stealing whatever they can. Providing the services that support the full doc and data lifecycle will be a key value add for Ariba, and keeping docs and data safe will be an important part of those services.
The Ariba vision is exciting because of its ability to define the intersection of business, cloud, analytics, and services in a unique way. It’s ambitious because it will eventually force millions of companies to rethink some of their core business processes, and therein lies the final frontier. The easiest thing in enterprise software is to do the same task – or process – a little faster and a little more cheaply. The hardest thing to do is create and promulgate an entirely different way of working, or improve an existing process to the point of effectively making a net new process. Either way people – those annoying humans that we still rely on to do the real work of the global economy – start to balk at change, and groups of people organized in companies tend to balk en masse at change.
In the end, overcoming this net new process effect will be Ariba’s biggest hurdle. But even if it starts, as I believe it should, with the easy path of simply automating what’s already being done in a couple of key industries, the problems inherent in the Internet of Highly Insecure Things will need to be dealt with first. Remediating the problem after the fact will mean putting the genie back in the bottle, and that, I fear, will be too big a risk for the global economy to take.