Zip Realty takes this approach, Tavistock says. “We feel more comfortable with formal licensing arrangements,” he says, and thus licenses Google Maps and MapQuest data for its mashups. “If it’s not a core feature, we might be willing to use something that’s not under a formal relationship,” he notes, such as a data source made freely available à la the open source model.
IBM’s Gisolfi believes that control will be hard for most enterprise IT departments to maintain, especially as mashup tools designed for nontechnical users emerge. Under those circumstances, he says IT will have to educate business departments on the need to get formal licenses with external providers whose information is used for ongoing business purposes.
Governance also comes into play for internal data sources, to ensure that confidential information is not inadvertently shared. This requires good governance in the form of policies, access management, and at least spot-checked approval. “For example, a business analyst has the right to mashup the call center screens, but a customer service rep does not,” ZapThink’s Bloomberg says. Over time, he expects mashup development tools to help enforce access and use policies, allowing IT to set the policies and less technical staff to assemble mashups based on their roles. But in the meantime, “you can only tell them what to do and get on their case if they don’t.”
Mashup governance goes beyond policies, Bloomberg notes. “Part of the challenge for IT is to build the right services at the right granularity,” he says, so that mashup assemblers aren’t tempted to go around IT. The use of external services and data sources should be treated the same way, vetted by IT -- and perhaps the legal department -- and made available in a sanctioned repository.
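The licensing rule Tavistock describes (formal licenses for core features, looser terms tolerated for non-core ones), the role-based access rule in Bloomberg's analyst-versus-rep example, and the sanctioned repository of vetted external sources can all be expressed as a single pre-deployment policy check. The following is an added example written for this article, not code from InfoWorld, Zip Realty, ZapThink, or any tool mentioned here; the repository entries, the role table, the manifest format and the origins used are constructed for illustration.

```javascript
// Added example: review a mashup "manifest" against IT's governance policy.
// Not code from the article or any vendor; all data below is constructed.

// Constructed sanctioned repository. IT (and perhaps legal) have vetted each
// origin and recorded whether a formal license exists. Origins are compared
// exactly, never by substring, so a look-alike host such as
// "maps.example.com.evil.test" does not pass as "maps.example.com".
const SANCTIONED_SOURCES = [
  { origin: "https://maps.example.com", licensed: true },   // formal licensing agreement
  { origin: "https://feeds.example.org", licensed: false },  // freely available, no formal relationship
];

// Constructed role policy mirroring the text: a business analyst may mash up
// the call-center screens, a customer service rep may not.
const ROLE_POLICY = {
  "business-analyst": { internalScreens: ["call-center"] },
  "customer-service-rep": { internalScreens: [] },
};

// Resolve a component URL to its sanctioned-repository entry, or null if the
// URL is malformed or its origin is not in the repository.
function findSanctioned(url) {
  let origin;
  try {
    origin = new URL(url).origin;
  } catch (e) {
    return null; // unparsable URL is treated as unsanctioned
  }
  return SANCTIONED_SOURCES.find((s) => s.origin === origin) || null;
}

// Return the list of policy violations for a manifest; an empty list means the
// mashup is approved. Manifest shape (constructed):
//   { assemblerRole, externalComponents: [{ url, core }], internalScreens: [] }
function reviewMashup(manifest) {
  const violations = [];
  const rolePolicy = ROLE_POLICY[manifest.assemblerRole];
  if (!rolePolicy) {
    violations.push(`unknown role: ${manifest.assemblerRole}`);
  }

  // External sources must come from the sanctioned repository, and anything
  // used for a core feature must be under a formal license.
  for (const comp of manifest.externalComponents) {
    const entry = findSanctioned(comp.url);
    if (!entry) {
      violations.push(`unsanctioned source: ${comp.url}`);
      continue;
    }
    if (comp.core && !entry.licensed) {
      violations.push(`core feature uses unlicensed source: ${comp.url}`);
    }
  }

  // Internal screens may only be mashed up by roles IT has authorized.
  for (const screen of manifest.internalScreens) {
    if (rolePolicy && !rolePolicy.internalScreens.includes(screen)) {
      violations.push(`role ${manifest.assemblerRole} may not mash up internal screen: ${screen}`);
    }
  }
  return violations;
}

// Usage: an approved analyst mashup and a rejected customer-service-rep one.
console.log(reviewMashup({
  assemblerRole: "business-analyst",
  externalComponents: [{ url: "https://maps.example.com/api?q=1", core: true }],
  internalScreens: ["call-center"],
}));
console.log(reviewMashup({
  assemblerRole: "customer-service-rep",
  externalComponents: [{ url: "https://feeds.example.org/rss", core: true }],
  internalScreens: ["call-center"],
}));
```

Running the check as a gate in whatever publishes the mashup gives IT the "spot-checked approval" the text asks for without having to review every assembly by hand; the repository and role table are the two artifacts IT actually has to maintain.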
A Pandora’s box?
Because mashups are easier to create than many traditional applications, they might not get the same scrutiny for security, JotSpot’s Kraus warns. “A lot of these apps rely on JavaScript, which has too many leaks. Randomly installing external mashup components is dangerous -- you don’t know what the apps will do, given that users want to mix and match what’s interesting to them by using third-party resources.”
Although IT may understand the security issues related to JavaScript or other technologies underlying mashups, it’s too early to tell precisely what the new risks are. “We don’t yet know enough about mashup security issues,” says IBM’s Gisolfi, so there are no clear security best practices for mashups.
Although attractive for lightweight, rapidly developed apps, mashups also have obvious limitations. “Mashups make sense for 80 percent of noncritical IT processes and logic,” suggests Stefan Andreasen, co-founder and CTO of Kapow Technologies, which creates products that convert any Web-accessible information into standards-based forms that can be used in portals and mashups. “But no company would rely on a lightweight model [such as mashups] for critical information.” So IT should pay attention to where mashups are used, so they don’t creep into such business-critical areas.
Galen Gruman is contributing editor at InfoWorld.