One issue is the integrity of data external to the enterprise. FedEx and Google may be trusted, but more and more businesses are publishing XML APIs available to the Web at large. “Common sense says you should be careful with whom you integrate,” Zimbra’s Dargahi says.
Kinetic Results’ Gallucci expects businesses with established partnerships to adopt the mashup approach as a way to exchange information and better integrate processes. In this case, the external data provider is an organization with which you already have a trust-based relationship. An obvious example would be mashup dashboards across members of a supply chain, using data feeds from various members to provide a common view. He expects early intercompany mashups to be created informally as test cases by project developers or business analysts. “Once they see it working, they can push it up the food chain and make it formal,” he says.
Zip Realty takes this approach, Tavistock says. “We feel more comfortable with formal licensing arrangements,” he says, and thus licenses Google Maps and MapQuest data for its mashups. “If it’s not a core feature, we might be willing to use something that’s not under a formal relationship,” he notes, such as a data source made freely available à la the open source model.
IBM’s Gisolfi believes that control will be hard for most enterprise IT departments to maintain, especially as mashup tools designed for nontechnical users emerge. Under those circumstances, he says IT will have to educate business departments on the need to get formal licenses with external providers whose information is used for ongoing business purposes.
Governance also comes into play for internal data sources, to ensure that confidential information is not inadvertently shared. This takes the form of policies, access management, and at least spot-checked approval. “For example, a business analyst has the right to mashup the call center screens, but a customer service rep does not,” ZapThink’s Bloomberg says. Over time, he expects mashup development tools to help enforce access and use policies, allowing IT to set the policies and less technical staff to assemble mashups based on their roles. But in the meantime, “you can only tell them what to do and get on their case if they don’t.”
Mashup governance goes beyond policies, Bloomberg notes. “Part of the challenge for IT is to build the right services at the right granularity,” he says, so that mashup assemblers aren’t tempted to go around IT. The use of external services and data sources should be treated the same way, vetted by IT -- and perhaps the legal department -- and made available in a sanctioned repository.
A Pandora’s box?
Although attractive for lightweight, rapidly developed apps, mashups also have obvious limitations. “Mashups make sense for 80 percent of noncritical IT processes and logic,” suggests Stefan Andreasen, co-founder and CTO of Kapow Technologies, which creates products that convert any Web-accessible information into standards-based forms that can be used in portals and mashups. “But no company would rely on a lightweight model [such as mashups] for critical information.” IT should therefore pay attention to where mashups are used, so that they don’t creep into such business-critical areas.