At the last ALA Conference in Anaheim back in June 2012, I looked at all the major new library service platforms. These included: OCLC’s Worldshare (which, it was announced at this same conference, would be what EBSCO would be using, coupled with EDS, to provide a complete library services platform), Serials Solutions’ Intota, Innovative’s Sierra, Ex Libris’s Alma and Kuali’s OLE. Since that time, VTLS has announced a new platform, tentatively called “Open Skies”. With the exception of VTLS’s offering, which was not yet available at that conference, I kicked the tires, peeked under the hoods, and took a few test drives of each of these new platforms. In other words, I did all the usual routines any potential buyer at an ALA conference would do. I walked away with a lot of impressions and thoughts about these new product offerings. Many people routinely ask me about these systems and, thinking that others might also benefit, I thought I’d write up some of my impressions and perceptions. So over the next week (or two, since life seems a bit hectic these days), I’ll be posting my personal analysis of each of these platforms. As I’ve noted, these represent my thoughts and impressions and I’ll welcome any comments and/or factual corrections from anyone who might want to submit them.
However, before getting underway with that analysis, I want to share some definitions I’ll be using as a framework for my analysis. This is necessary because there are really some important distinctions to be made between these library service platforms based on these definitions. I’ll be analyzing these platforms using the following definitions/descriptions:
- SaaS. This stands for Software as a Service and really should be viewed primarily as a different way of delivering software services. The major difference is that when using SaaS, you’re using a remotely hosted machine instead of a locally installed machine. Coupled with that, the company hosting the machine takes on the responsibility for maintaining the system, so library staff are freed from this set of tasks.
- Cloud Computing. This term, as noted by the Gartner Group in October of 2010, moved into the “Peak of Inflated Expectations”, where it has remained in the latest survey (2012). The reason is that it has been overused in the marketing of the concept and has become an all-inclusive remedy for whatever ails your library. There is actually an agreed-upon definition from the National Institute of Standards, which states that a cloud computing system supports the following:
- “On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.
- Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
- Resource pooling: The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location-independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or data center). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
- Rapid elasticity: Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
- Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be managed, controlled, and reported providing transparency for both the provider and consumer of the utilized service."
Of course, in reading this definition, it seems aimed at describing consumer-facing applications more than those aimed at organizations in between the cloud service and the end user, which, of course, is where libraries are more typically found. Still, even within the products being marketed directly to libraries, you can find wide variations in how the term “cloud-computing” is being used and which parts of the definition suppliers are applying to their offering. One of the most frequent “stretches” of the definition is when a firm markets their SaaS service as a “cloud computing” solution, while other organizations are truly bringing major new functionality and new software architecture to the market and using the same “cloud computing” description (although you will frequently also find the term “Webscale” bundled into those descriptions, but NOT always).
- Multi-tenant software. This has to be one of the most frequently misunderstood concepts of cloud computing. While briefly mentioned in the definition above, a “light” definition can be derived from WhatIs.Com, which states (emphasis is my own):
“Multi-tenancy is an architecture in which a single instance of a software application serves multiple customers. Each customer is called a tenant. Tenants may be given the ability to customize some parts of the application, such as color of the user interface or business rules, but they cannot customize the application's code. Multi-tenancy can be economical because software development and maintenance costs are shared. It can be contrasted with single-tenancy, an architecture in which each customer has their own software instance and may be given access to code. With a multi-tenancy architecture, the provider only has to make updates once. With a single-tenancy architecture, the provider has to touch multiple instances of the software in order to make updates.”
This has incredibly important implications for you as a customer. Restating what is said above, this translates into your supplier being able to run a far more efficient operation, i.e., it will likely take fewer computer resources than those systems running in a SaaS architecture, which should ultimately translate into lower costs to your library for this type of technology. As mentioned above, another reason that costs should be lower is that if a supplier is supporting all their customers (and for a working number, let’s say 500) from this one software instance, when they upgrade that instance of the software to the latest version, all 500 customers are upgraded at the same time. If a supplier is using one instance of the software per customer, even if hosted in a SaaS architecture, then they have to upgrade each instance individually. You’re probably already familiar with what that means for you in terms of waiting for an upgrade and the overhead that creates. It is costly overhead that is not eliminated unless the software architecture is that of a true multi-tenant architecture. As we’ll see in the days ahead, some of these new systems are, and some aren’t, multi-tenant.
- Security certifications. The security of these new systems is really a complex and important topic. Without a secure cloud-computing or SaaS system you’re potentially increasing the exposure of your library to legal liability. As a result, when procuring a new cloud-computing or SaaS library management system, you, along with your legal and procurement people, should make sure the supplier meets some certified standard of security. Note: Most certifications only apply to the data center. So these security certifications may not provide any assurance that data leaving the data center and traversing the larger net are being transferred in an encrypted, secure manner. Again, this is something you should check separately and as part of your procurement. In the analysis I’ll do in the days ahead of these new systems, I’ll only be asking which security certification the data center has met. Those typically consist of one or more of the following (although you should also carefully note that some providers indicated they have NO data center security certifications):
- ISO/IEC 27001. This standard is focused on security aspects and thus is the most appropriate for addressing your security concerns. (NOTE: SAS 70 or SSAE 16, mentioned below, are focused more on quality issues, which can include security, so they’re also good, but you should know the focus is different.) The Wikipedia entry on ISO 27001 says in part:
“ISO/IEC 27001 requires that management:
• Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
• Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
• Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.”
Compliance with the above can be audited by companies that specialize in this type of work, and you can request to see a copy of the certification (although do not expect to see a copy of the detailed assessment, as this very request would compromise the security of the system). Also note that the certification should be for the data center where your data will be hosted, because certifications are location-specific.
- SAS 70 (NOTE: SAS 70 has now been superseded by SSAE 16; however, you might encounter either of these in asking for a security certification). This standard, written in 1992, was originally designed for accounting service standards, and it performs an examination of a service organization's controls and processes. Per the website, certification to this standard “represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes.” The newer SSAE 16 dates from 2010 and, while upon first examination it may not be thought to be applicable, in fact, just like SAS 70, it too examines controls applicable to service organizations and even has a related guide (SOC 1) that is applicable to organizations providing computing services to a customer. See this blog post for more details.
NOTE: This is one post in a series. All the posts are listed below:
1. Introduction (this post)
2. Sierra by Innovative
3. Intota by Serials Solutions
4. Worldshare by OCLC
5. OLE by Kuali
6. Alma by Ex Libris
6a. Ex Libris and Golden Gate Capital
7. Open Skies by VTLS