Wednesday, 26 February 2014

Reverse Innovation: Business Strategy and Technology

What is Reverse Innovation?

Reverse innovation is the strategy of innovating in emerging (or developing) markets first and then distributing and marketing those innovations in developed markets. Many companies now develop products in emerging countries such as China and India and then distribute them globally.

Some Examples:
  • South Korea based LG Electronics (LG) planned to develop low-cost air conditioners targeting the middle and lower-middle classes in India. Their goal was to manufacture air conditioners at the cost of air coolers, which were very common there.
  • Nestlé learned that it could take its low-cost, low-fat dried noodles (Maggi), originally created for rural India, and position the same product as a healthy alternative in Australia and New Zealand.

Understanding Reverse Innovation:

Innovations have typically originated in rich countries and later flowed downhill to the developing world. The Maggi and LG air conditioner examples above swam against that tide: they were reverse innovations. A reverse innovation is any innovation that is adopted first in the developing world. To be clear, what makes an innovation a reverse innovation has nothing to do with where the innovators or the companies are; it has only to do with where the customers are. Surprisingly often, these innovations defy gravity and flow uphill. Historically, reverse innovations have been rare.
Under the traditional assumption that innovation flows downhill, a strategy known as glocalization makes perfect sense. Glocalization is the practice of conducting business according to both local and global considerations. As practiced by multinational businesses, it posits that the work of innovation has already occurred: emerging markets can be tapped simply by exporting lightly modified versions of global products developed for rich-world customers, mainly de-featured lower-end models.

Case Study: Mahindra & Mahindra

In 1994, when Mahindra and Mahindra (M&M) arrived on American shores, it was already a powerhouse in its native India. Its tractors were very popular there: affordably priced, fuel efficient and sized appropriately for small Indian farms. Over the years, M&M continued to innovate to perfect its offerings, and its tractors proliferated throughout India’s vast agricultural regions. By the mid-1990s the company was one of India’s top tractor manufacturers, and it was ready for new challenges. The lucrative U.S. market beckoned.
When Mahindra USA opened for business, Deere & Company was the dominant brand. Deere’s bread and butter was enormous machines ranging as high as 600 horsepower for industrial-scale agribusiness. Rather than trying to develop a product that could compete head-on with Deere, M&M aimed for a smaller agricultural niche, one in which it could grow and make the most of its strengths. Flying below the radar, M&M decided to make its mark through personalized service. It built close relationships with small dealerships, particularly family-run operations. Rather than saddle dealers with expensive inventory, M&M allowed them to run on a just-in-time basis, offering to deliver a tractor within 24–48 hours of receiving the order. M&M also facilitated financing. In return, Mahindra benefited from the trust the dealers enjoyed in their communities. M&M’s U.S. sales growth averaged 40 percent per year, and M&M has become the number one tractor maker worldwide, as measured by units sold.

Reverse innovation is an opportunity for sustained growth for both countries and companies. Glocalization and reverse innovation need to work together, and companies need to be on both sides of this strategy.

About Author:
Shweta Samudra is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at: shweta.samudra@spluspl.com

Software as a Service (SaaS)

Installing and maintaining applications on clients’ desktops and servers poses many challenges and limitations, and it adds infrastructure cost for companies. This can be avoided by adopting SaaS products.

SaaS (Software as a Service) is a software delivery technique in which the software and its related data are hosted centrally in the cloud. To access the software, the only things users need are an internet connection and a web browser. SaaS bypasses the trouble of installing servers and infrastructure, and installation and maintenance costs are reduced tremendously. For these reasons, many business applications today have adopted this method of software delivery. SaaS pricing is typically a monthly or yearly subscription fee paid by the company to the service provider.

SaaS Architecture:

SaaS uses a multitenant architecture in which all users share common infrastructure and a single code base that is centrally maintained. Vendors save valuable time by maintaining just one version of the code, which can be modified quickly. Moreover, each user can easily customize the application to suit his or her needs without having to modify the common infrastructure.

Advantages of SaaS Model
  1. Administration is easier, as all the application components are centrally located and only the provider has access to them.
  2. Updates can be managed efficiently, as changes have to be made only on the centrally located application.
  3. All users have the same version of the application, avoiding any discrepancy.
  4. The overhead of installing, maintaining and deploying software at the client’s end is removed completely.
Disadvantages of SaaS Model:
  1. One of the main disadvantages of SaaS is that company data is stored at a central location controlled by the provider, so the security of that data depends on the provider’s controls and is at risk if they fail.
  2. Switching SaaS vendors poses many challenges, as a huge amount of data needs to be transferred over the internet.
  3. The usability of SaaS applications is dependent on internet speed.
  4. The client cannot control the adoption of newer versions of the application; whatever version the provider rolls out must be accepted.
SaaS is being adopted by an increasing number of companies from various industries for the convenient features it offers. It is predicted that the adoption and production of SaaS applications will continue to increase. 

About Author:
Kintu Racca is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at kintu.r@spluspl.com

Tuesday, 25 February 2014

ITO vs. Customer

The age-old norm that outsourcing means reducing costs continues. But if outsourcing initially costs more than doing the job in-house, it would not be worth the effort. There are scenarios where the outsourcing engagement ends up costing more than it was initially worth, resulting in contract cancellation. So the question that arises is: is the IT outsourcer (ITO) competent enough to handle ad-hoc customer needs? When the term outsourcing is used it mostly points to Indian IT companies, which cover most of the ITO market. Most of these companies are now well experienced with different customers and have gained expertise in different fields over the years.

Initially outsourcing was conceived as a way of reducing costs through the labor arbitrage offered by low-cost economies such as India. Over the years, however, these low-cost economies have seen a dramatic rise in costs while at the same time building up experience and capabilities. ITOs have grown from small service providers into organizations with high-end infrastructure and sophisticated delivery management processes, which has made them more competent than their customers in some areas. Many organizations are heading to India to outsource their business with the clear aim of improving their efficiency and productivity, and many that are already engaged are striving for more innovation and strategies for business growth.

As mentioned earlier, ITOs have come a long way in setting up their structures and making their presence felt worldwide. This has mainly developed through their multiple client engagements and projects, which have improved their expertise in various domains. Within an ITO there are many domain experts whom you can leverage to improve your business processes, rather than designing a solution around them yourself. These experts have multiple client experiences which come in handy during your business requirements stage, which in turn enables you to gain maximum value from the ITO arrangement.

Another aspect on which CEOs are constantly questioned is innovation. How do you see yourself while going into an outsourcing engagement with an ITO? What are the provider’s innovation ideas and methods, and how will they affect the customer in the long run? For such questions, an ITO needs to be equipped with the latest emerging industry trends. Customers might expect some innovation during the engagement that the provider is not able to deliver, so it is necessary for the customer to set expectations regarding innovation clearly at the initial stage of the engagement. Often providers create innovations through the work they do for existing or new clients; the offshore team sometimes takes innovative steps in delivering its services to a client who is miles away. Many organizations have a dedicated team or system to harvest innovations, but the client must also actively participate in establishing a framework and incentives for the ITO to cultivate innovation.

The key factor in an ITO engagement is sustaining your business in the long run with the expected business outcomes. An ITO is capable enough of delivering technical solutions, but has it done what it was asked to do? The gap here is aligning your business requirements with the provider’s solution. The simplest way to fill this gap is to build an outcome-based relationship between the client and the provider. The two parties may follow different processes and expend different effort for the same outcome. The first step is to align all your business processes and get them structured and defined in such a way that they are measurable. The ITO has clear sight once all the targets and metrics have been configured and agreed upon mutually by stakeholders who share a common vision of those outcomes.

About Author:
Mihir Sakhle is a consultant at Systems Plus Pvt. Ltd. He is part of the consulting team that delivers Sourcing and Vendor Management Office projects. He can be contacted at: mihir.s@spluspl.com

People or processes - what exactly leads to progress?

“Change is the only constant” is a much-used saying. Publications of best-practice standards and frameworks have helped businesses become leaner and more efficient. This has led to better performance for many organizations that have become giants in their own space. It has also made products better, which has resulted in increased consumer satisfaction and a better user experience. This is true for all industries, from FMCG to automobiles to IT. While most of the focus has been on processes and technology, organizations can fail if they neglect the human element of processes. A recurring debate is how much attention an organization should pay to processes, and which comes first: process or people.

While there is no definitive answer to this debate, it is worthwhile to look into the aspects an organization needs to pay attention to when deciding on a process implementation. The people element is a key ingredient in a successful process implementation. It is therefore very important to have buy-in from the impacted team for any process an organization plans to implement. This can be achieved by:

Involvement in Design: An organization cannot just design a process and hope that it will be implemented successfully. In fact, the people who are part of the current process are the best placed to come up with suggestions and improvements. This not only brings in better ideas but also ensures that the teams that will be responsible for the process are already committed to it and want to see it succeed. Top and senior management need to be open to suggestions. Various techniques can be used to elicit responses from the people involved in the process and seek their opinion on how they want it to be changed or modified.

Training: Often an existing process may not be in place at all, and people are used to ad hoc steps being taken. A classic example is the deletion of separated (departed) users’ accounts on an application. In some cases HR teams inform IT teams to disable the accounts; in other cases application owners or the business report the account deletions. Compliance requirements may also demand that a process be changed. In such cases it is very important to ensure that all the people affected by the new process undergo formal training to reduce ambiguity. In the example mentioned, since multiple teams are involved, conflicts may arise. It is important for the organization to quickly identify the potential areas of dispute and take measures to resolve them. This ensures that when the process is actually rolled out, all stakeholders are aligned and implementation is smooth. It is also very important to educate the users of the process on its benefits: once they see how it will make their work easier, buy-in from them will be a mere formality.

Monitor: A process implementation is not a one-time activity. It needs to be monitored continuously to ensure that it meets its objectives. A process owner should be identified who is responsible for the smooth functioning of the process and for suggesting improvement measures. Internal audits can also help here, as they identify shortcomings, and auditors can be given the responsibility of suggesting remedial measures.

To sum it up, people and processes will always have to work hand in glove for both to be successful. One cannot do without the other. Organizations have to realize that even a good process implementation is bound to fail if the people do not believe in it. On the other hand, people are also likely to fail if no process is followed for the activities to be performed.

About Author:
Kintu Racca is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at: kintu.r@spluspl.com

Monday, 24 February 2014

Optimize your C# Code

Many of us do not take our code-writing skills seriously, and because of that we always take flak during code review. Then we have to go back and optimize the code. It is better to write code in an optimized way right from the initial stage.

Below are a few techniques.

1. Learn when and how to use StringBuilder
You must have heard many times before that a StringBuilder is much faster at appending strings together than the normal string type.

The fact is that StringBuilder is typically faster with big strings. If you have a loop that keeps adding to a single string for many iterations, then the StringBuilder class is definitely much faster than a string, because each string concatenation allocates a new string object.

However, if you just want to append something to a string a single time, the StringBuilder class is overkill. In that case a simple string variable improves both resource use and the readability of your code.

In conclusion, simply choosing correctly between StringBuilder objects and string types optimizes your code.


2. Use string.Empty

This will not give you much of a performance improvement, only a readability improvement, but it still counts as code optimization.
So, if you are checking whether a string variable holds empty text, it is better to compare it with string.Empty. Instead of:

if (str == "")

Preferred is:
if (str == string.Empty)

This is simply better programming practice and has no negative impact on performance.
However, checking that a string’s Length is 0 is faster than comparing it to an empty string (note that both forms throw a NullReferenceException when the string is null, so check for null first where it can occur). You need to see what fits the requirements of your code and logic.

3. Replace ArrayList with List<>
ArrayLists are useful when storing objects of multiple types within the same list. However, if you are keeping variables of the same type in one ArrayList, you can gain a performance boost by using List<> objects instead.

Take the following example:

ArrayList intList = new ArrayList();
intList.Add(10);            // boxed into an object
return (int)intList[0] + 20; // cast back, which fails at run time if the element is not an int

If you notice, the above ArrayList only contains integer values, so using a List<> class is a lot better.
To convert it to a typed List, only the variable types need to be changed:

List<int> intList = new List<int>();
intList.Add(10);            // no boxing
return intList[0] + 20;     // no cast; a non-int element is a compile-time error

Notice that there is no need to cast types with List<>, and the boxing and unboxing of value types is avoided, so the performance increase can be significant.

4. Use && and || operators
When building if statements, make sure to use the double-and operator (&&) and the double-or operator (||) (in Visual Basic they are AndAlso and OrElse).
If statements that use & and | must evaluate every part of the statement and then apply the “and” or “or”. On the other hand, && and || evaluate the operands one at a time, left to right, and stop as soon as the result is determined.

Executing less code is always a performance benefit, but short-circuiting can also avoid run-time errors. Consider the following C# code:

if (object1 != null && object1.runMethod())
If object1 is null, with the && operator object1.runMethod() will not execute. If the && operator is replaced with &, object1.runMethod() will run even though object1 is already known to be null, causing a NullReferenceException.

5. Smart Try-Catch
Try-catch statements are meant to catch exceptions that are beyond the programmer’s control.
But it has been seen that programmers catch the generic Exception all the time; start catching specific exceptions instead, so that unexpected failures are not silently swallowed.

For example, if you are performing a mathematical calculation and expecting an exception from it, catch ArithmeticException instead of Exception.
Also, if you expect simple errors like “divide by 0”, it is better to check for them in a condition than to let an exception handler deal with them.

6. Replace Divisions
C# is relatively slow when it comes to division operations. One alternative is to replace divisions with a multiplication-shift operation to further optimize C#. The article explains in detail how to make the conversion.
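The techniques above applied together in one small routine that totals request sizes, as an added example that is not from the original post; the Request class, the method names and the sample data are assumptions made for this example.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Text;

// Hypothetical record type for this example (not from the original post).
public class Request
{
    public string Path { get; set; }
    public int Bytes { get; set; }
}

public static class Optimized
{
    // Technique 1: StringBuilder for a string that grows across many iterations.
    public static string JoinPaths(List<Request> requests)
    {
        var sb = new StringBuilder();
        foreach (var r in requests)
        {
            // Technique 4: && stops evaluating as soon as r (or r.Path) is null,
            // so the Length check never dereferences a null reference.
            // Technique 2: a Length check instead of comparing with "".
            if (r != null && r.Path != null && r.Path.Length > 0)
            {
                sb.Append(r.Path).Append(';');
            }
        }
        return sb.ToString();
    }

    // Technique 3: a typed List<int> needs no casts and no boxing.
    public static int TotalBytes(List<Request> requests)
    {
        var sizes = new List<int>();
        foreach (var r in requests)
        {
            if (r != null) sizes.Add(r.Bytes);
        }
        int total = 0;
        foreach (int s in sizes)
        {
            checked { total += s; }   // overflow raises OverflowException instead of wrapping
        }
        return total;
    }

    // The ArrayList version: the cast compiles, but fails at run time if any element is not an int.
    public static int TotalBytesUntyped(ArrayList sizes)
    {
        int total = 0;
        foreach (object o in sizes) total += (int)o;   // InvalidCastException on a string element
        return total;
    }

    // Technique 5: check the obvious failure up front; catch only the exception you expect.
    public static double AverageBytes(List<Request> requests)
    {
        int count = requests.Count;
        if (count == 0) return 0;   // avoid divide by zero rather than catching it
        try
        {
            return (double)TotalBytes(requests) / count;
        }
        catch (ArithmeticException ex)   // covers OverflowException from the checked sum; not catch (Exception)
        {
            Console.WriteLine("Arithmetic failure: " + ex.Message);
            return 0;
        }
    }

    // Technique 6: a right shift replaces division by a power of two.
    // Exact only for non-negative values; for negatives >> rounds toward negative infinity, / toward zero.
    public static int ToKilobytes(int bytes)
    {
        return bytes >> 10;   // same as bytes / 1024 for bytes >= 0
    }

    public static void Main()
    {
        // Constructed sample data, including a null entry and an empty path.
        var requests = new List<Request>
        {
            new Request { Path = "/login", Bytes = 2048 },
            null,
            new Request { Path = "", Bytes = 512 },
            new Request { Path = "/api/items", Bytes = 3072 },
        };

        Console.WriteLine(JoinPaths(requests));
        Console.WriteLine(TotalBytes(requests));
        Console.WriteLine(AverageBytes(requests));
        Console.WriteLine(ToKilobytes(TotalBytes(requests)));

        // Mixed types compile fine in an ArrayList; the bug only surfaces at run time.
        var untyped = new ArrayList { 2048, "512" };
        try
        {
            Console.WriteLine(TotalBytesUntyped(untyped));
        }
        catch (InvalidCastException)
        {
            Console.WriteLine("ArrayList accepted a non-int element; List<int> would have rejected it at compile time");
        }
    }
}
```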

About Author:
Harshad Pednekar is a budding technology geek, who actively contributes to Systems Plus with his creativity and research on technology. To read more interesting articles from him, please follow: http://harshadpednekar.blogspot.in

Wednesday, 19 February 2014

IT Application Support – A Sustained Value Add

For an organization to make efficient use of its applications and extract sustained value, it is important to have the right application management strategy in place. IT application support and maintenance has a key role to play in the success of this strategy.
Mentioned below are some key areas through which the right value can be realized from application support:
  • Alignment and benefit realization: The support operation should be aligned with the business and IT goals. It is important to identify the criticality of the business and the key areas that need a support focus. The service model should then support the business and improve value over time at an affordable cost. For example, an ERP implementation that takes care of the company’s operations would be extremely critical, and any disruption in it might result not only in heavy losses but also in a bad customer experience. Thus identifying the right focus areas gives a more cost-effective solution.
  • Cost optimization: There is always a tradeoff between service cost and the risk involved. Challenge is to find the optimal balance between cost and risk. The manager needs to weigh the cost that is associated with the disruption (risk) and the cost involved in support to mitigate this risk and take an informed decision on same.
  • Processes: Adopt best practices and processes that result in efficient and effective application management. People should be well trained and uniformly comply with all the outlined practices. It is also important to identify key challenges in support management, such as prioritization, lack of documentation, failure to fix recurring problems, the right communication strategy and handling of peaks, to make the team efficient and extract the best value from it.
  • People: Once the key areas of focus are identified by management, it is important that, based on the findings, the right mix of people with the required knowledge is provided to the support team and is available at the right time to support and enhance the system.
  • Tools and Technology: An able and motivated team can perform to its best only if right infrastructure is available to enable them execute the defined processes efficiently and within the time. The tools and technology used must be assessed regularly to identify the gaps and provide necessary support for that.
  • Governance: Right policies and controls must be defined with appropriate structures to make sure these are enforced and followed. Regular process audits should be conducted to ensure that the controls are in place and process is seamless.
  • Performance Measurement: Key metrics should be identified to measure the performance and effectiveness of the support team. These key metrics must align with the business/IT goals. Support framework should evaluate progress against each required parameter regularly and identify the areas of improvement. The framework should be flexible to encompass any change that is required as per evaluation. This would ensure that all the risks are mitigated and make the framework robust.
An ideal application management strategy would encompass all the service and cost objectives to optimize the support model. It should leverage effective processes, resources and technology to deliver efficient and effective solutions on time.
True value can only be gained from an application if the organization has an effective application management strategy in place with the right model of support and technology. The focus areas must be identified based on the business goals to make sure the system is cost effective at the same time.

About Author:
Mohini Bhandari is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at mohini.b@spluspl.com

Role of Business Analyst in Start Ups

How do you define a startup? The American Heritage Dictionary suggests it is “a business or undertaking that has recently begun operation.” Therein lies the rub: to be a startup, you must have set up shop recently.

But with the rapidly changing world and corporate environment, the definition of “startup” has changed drastically. As Neil Blumenthal, cofounder and co-CEO of Warby Parker, was quoted on Forbes: “A startup is a company working to solve a problem where the solution is not obvious and success is not guaranteed.” “Startup is a state of mind,” says Adora Cheung, cofounder and CEO of Homejoy.

The above quotes clearly indicate that in the present market scenario startups are in a constant quest for people within them who can adapt to volatile market needs, demands and competition, and who constantly come out with innovative ideas and products that cater to market demand.

A Business Analyst (BA) is one such key resource that can help startups achieve the above-mentioned objective.

IIBA mentions that job titles for business analysis practitioners include not only business analyst, but also business systems analyst, systems analyst, requirements engineer, process analyst, product manager, product owner, enterprise analyst, business architect, management consultant, business intelligence analyst, data scientist and more. It also mentions that many other jobs, such as management, project management, product management, quality assurance and integration design, rely heavily on business analysis skills for success.

A BA in a startup can be involved in some of the following activities, thanks to the unique skills a BA possesses:
  • Identify need / Market Analysis: The BA can play an important role in excavating the details of the need that the startup has identified.
  • Competitor analysis: The BA can play an important role in competitor analysis in different aspects, viz. (i) understanding competitors’ offerings for similar needs, (ii) understanding the different strategies adopted by competitors and (iii) analyzing the current processes they use for product development or manufacture.
  • Solution: This is the major task the BA performs. Based on the analysis mentioned above, the BA can come up with probable solutions. The solution depends on the need; it can be a service, product or process innovation.
  • Alignment: The BA communicates the findings to the business and helps it finalize the most feasible solution.
  • Process Management / Product Management / Project Management: Startups generally have limited human resources, and (as mentioned by IIBA) BA skills can also be utilized for these roles. Being the key resource involved in the solution development cycle right from the beginning, the BA acts as a walking encyclopedia as far as the solution to be implemented is concerned. Based on the solution, the BA can take on additional roles as Product, Project or Process Manager.
  • Quality Assurance: The BA plays a key role in verification and validation of the solution being implemented, helping to monitor whether the right people are creating the right thing at the right time in the right manner.
From the above it can be concluded that the BA plays a key role in a startup by developing the deliverables that help it “sustain” itself in the market.

About Author:
Saurabh Kane is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, he actively contributes to the areas of Technology and Information Security. He can be contacted at: saurabh.k@spluspl.com

Tuesday, 18 February 2014

Aligning SLAs to Outsourcing Contracts

The intent of a service level agreement (SLA) is to measure the provider’s overall performance by virtue of brief, definite metrics with targeted levels of performance that are easily understandable by the client community and are simple to validate from a client’s perspective. As the outsourcing industry has matured, providers have developed a large amount of service level measures they can propose to their clients. Some are more relevant to the client’s business than others. When negotiating a new outsourcing agreement, clients face the challenge of determining the service levels that are most meaningful to the business. Fortunately, there are several common service levels within the outsourcing marketplace that align nicely to the perception of lines of business and end users. The following metrics serve as a guideline for defining the service level requirements.

Service Desk

In many companies the service desk is the primary touch point into IT, and therefore measuring its performance aligns nicely to the business perception of IT. For example:
  • First call resolution – Directly ties to the user base experience of how well the service desk is equipped to solve their problems during the initial call.
  • Abandonment rate – A low abandonment rate indicates users are not getting frustrated waiting for a live agent.
  • End-user satisfaction surveys – Collects direct user feedback on their satisfaction with help desk services.
  • Install/move/add/change/delete (IMAC-D) requests – Measures how well the IT organization provisions requests from the business community.
Other service desk measures, while important to the IT group, may not be as relevant from a business perspective.

Projects

Project work performed by IT is usually the work most aligned and most visible to the business. There are many types of project-related metrics, and the following is a good subset to use to communicate project performance to the business:
  • On-time milestone completion – The project manager, working closely with his/her business counterparts, should develop a set of key milestones as part of the overall project plan. Measuring the on-time completion of these milestones communicates the progress being made and the maturity of the project management discipline being used.
  • Estimating accuracy – Measuring the accuracy of estimates that are provided to the business, especially when you can show sustained improvement over time, is a great way to build credibility with the business. The estimations could be in terms of schedule, cost and/or resource utilization.
  • Percent of budget/cost spent on strategic projects – This is an excellent measure to communicate how IT is driving down the “lights on” costs and reallocating to work that adds tangible business value.
There may be other metrics that better reflect your environment and what’s important to your business partners. The important point is to somehow showcase the value that IT is providing towards the execution of projects that are adding business value.

Change Management

Measuring and reporting the volume and success of changes to the environment is a good way to showcase the volume of work being done by IT “behind the curtain” and to illustrate how much goes right. This can provide good “air cover” whenever a delivery issue does occur that causes pain to the business. For example:
  • First time successful changes – Measures the percentage of changes that are correctly implemented the first time.
  • Percentage of non-emergency changes – Measures overall system stability and the maturity of the organization’s change management processes.
  • On-time change implementation – Measures how well IT activities are planned in advance.

General

Several other measures are closely aligned with business perception. Among these are:
  • On-time reporting – Many business units rely on the on-time delivery of accurate reports. This can be measured by identifying the list of critical reports and defining the time at which they must be completed (and in some cases, delivered).
  • Problem resolution – Ironically some providers will initially balk at this, stating that there is too much out of their control to commit to targeted resolution timeframes. However many will eventually agree to resolving a certain percentage of problems within a defined time frame. This is obviously one of the most visible signs of IT performance, and is important to demonstrate that even though problems are bound to occur, they can be quickly resolved due to the resources, tools and architecture in place.
  • Application availability – Most providers will offer a standard service level called application availability, so the important thing is to ensure that it is a true end-to-end availability measurement that reflects the users’ experience. In other words, the metric should cover any IT issue that results in the application not being available for use as planned. This includes not only issues with the application itself but also the entire underlying infrastructure, including the servers, databases, network and devices used to deliver the application to the desktop.

About Author:
Prabhakar Ranjan works with Systems Plus Pvt. Ltd. He is part of the consulting team that delivers Vendor Management Office projects. He can be contacted at prabhakar.r@spluspl.com

Manage IT - Event Management

Events in the IT world are mostly alerts triggered by systems and can be considered early warning signs. Event management is needed in an organization for early detection of IT events that occur in different phases of the service environment. The difference between an event and an incident is that event management is proactive in nature whereas incident management is reactive. Tickets raised as a result of an event would mostly be classified as service requests, since there is no degradation in service yet. Managing events supports proactive decisions and can prevent an incident from occurring. As per ITIL (Information Technology Infrastructure Library), events are of 3 types based on their significance:
  1. Informational Event
  2. Exceptional Event
  3. Unusual Event
Informational Event: Have you ever missed an important meeting or seminar only because you were not reminded about it? Informational events are something similar. Such events could be reminders about tasks, patch management upgrades etc. These events help you streamline activities and can help you in your day-to-day life as well. The gadget seminar could have been attended if a simple reminder had been set up on your phone.

Exceptional Event: Consider a scenario where you were reminded about the gadget seminar and you drive yourself to the venue. There is always a process to follow before moving off in your car, for example adjusting the mirrors, checking the dashboard etc. When fuel is low, the needle points to "E", indicating an empty tank. In this case the fuel warning is the exception and thus falls under the category of an Exceptional Event. Referring this back to an IT scenario, this could be storage space nearing its threshold limit or licenses about to expire which need to be renewed etc. These are events which would not occur daily, but the IT team would not be surprised when they receive such an alert.

Unusual Event: In the same scenario, when the car does not start or you experience reduced performance etc., that is an Unusual Event. In an IT setup, this could relate to alerts being received about virus attacks on the network. Such events would not happen in the day-to-day operations of the IT setup.

It is important to know the difference between an unusual event and an exceptional event. Exceptional events typically would happen, although not on a daily basis, whereas unusual events would in most cases indicate that there is something definitely amiss within the IT organization.

Good event management can help the IT organization:
  • In proactive decision making, leading to reduced incidents and business outages
  • In obtaining operational information, exceptions and unusual behaviours, which can lead to better planning for the future


About Author:
Dimpy Thurakhia is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at dimpy.t@spluspl.com

Monday, 17 February 2014

Claim Based Authentication

Problem with current authentication

We create user accounts at many portals/websites. Every time we need to access the corresponding website, we need to remember the username and password to regain access to the account, and we may not always remember all these details. Also, it is never advisable to write your user credentials down.

Another problem is that most applications use some authentication mechanism, mainly the classic username and password. As most developers are not really security experts, they leave loopholes during development which are easy to break. So it is a major security risk.

As users, we create new credentials (username and password) for many applications on the internet like Facebook, Yahoo, Gmail, etc., for in-house sites like a college portal, or for some enterprise application. Creating new credentials every time, remembering all of them and making sure that all are secure enough is very tedious. If there are any errors, you might lose some credentials and could end up with a big loss.


Solution

Nowadays, when we create an application which has an authentication page, we need to understand how it works. Actually, when a user logs in, an Identity is assigned to that session and that Identity is maintained throughout the session until the user logs out or it expires. So let’s view the current scenario:

So the basic idea is: if there are some applications that do the authentication and provide the Identity (called Identity Providers), other applications can rely on this identity, just like in our daily life:


Claim Based Authentication

The same mechanism is followed in Claim based Authentication. There are authentication/identity providers which are used by various applications. Whenever a user tries to access an application, the application checks whether the user is authenticated or not; if not, it forwards the user to the Identity provider, which actually authenticates the user, gives a token to the user and forwards the user back to the application. The application verifies the token and the user is allowed to access the application.

Now if I am making an application and my application uses some Identity provider to authenticate a user, then the application must understand the token of that Identity provider, and there must also be a trust relationship between the application and the Identity provider, so that the application can rely on the token sent by that Identity provider.

Basics of Claim based Authentication 

The basic things involved in claim based authentication are:
  1. Identity: Identity is a group of information that can uniquely identify anything. A digital identity is a group of information that identifies a person.
  2. Token and Claims: When this digital identity is passed over the wire, it is passed as a stream of bytes known as a token. A token contains a set of information about the user in the form of claims. A token can contain multiple claims, and every claim contains some specific piece of information. The token is digitally signed so that it can be verified at the receiving end.
  3. Identity Provider & STS: The Identity provider is the key to this technology; it actually authenticates the user, creates the token with claims as per the requirement, and digitally signs it before sending. The Identity provider is also known as a Security Token Service (STS).
  4. Relying Party: Relying parties (RPs) are the applications that use these Identity Providers for authentication. They just need to understand and verify the token and get all the required data from the token itself. But before all this, the RP needs to build a trust relationship and tell the Identity provider what data is needed for a user, so that the next time it receives a token it can verify the issuer and get the required data.
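As an added illustration (not part of the original post) of the flow just described, here is a constructed Python sketch of an Identity Provider that authenticates a user and issues a signed token of claims, and a Relying Party that verifies the signature, checks the issuer it trusts, and reads the claims. The issuer names, user records and shared signing key are made up, and an HMAC over a JSON payload stands in for whatever signed token format a real STS would use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example (not the post's own code): one Identity Provider / STS
# and one Relying Party that share a signing key as their trust relationship.

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class IdentityProvider:
    """Authenticates users and issues signed tokens carrying claims."""
    def __init__(self, issuer, signing_key, users):
        # users: {username: {"password": ..., <attribute>: ...}} (demo store)
        self.issuer, self.key, self.users = issuer, signing_key, users

    def issue_token(self, username, password, requested_claims):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("authentication failed")
        # Only the claims the relying party asked for go into the token.
        claims = {"iss": self.issuer, "sub": username, "exp": int(time.time()) + 300}
        claims.update({c: user[c] for c in requested_claims if c in user and c != "password"})
        payload = b64url(json.dumps(claims, sort_keys=True).encode())
        sig = b64url(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        return f"{payload}.{sig}"

class RelyingParty:
    """Trusts one issuer's key; verifies tokens and reads claims from them."""
    def __init__(self, trusted_issuer, trusted_key):
        self.issuer, self.key = trusted_issuer, trusted_key

    def verify(self, token):
        payload, sig = token.split(".")
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise ValueError("bad signature: token altered or signed with an untrusted key")
        claims = json.loads(b64url_decode(payload))
        if claims.get("iss") != self.issuer:
            raise ValueError("token issued by an issuer this application does not trust")
        if claims.get("exp", 0) < time.time():
            raise ValueError("token expired")
        return claims
```

The relying party never sees the password: it only checks that the token was signed with the key it trusts and reads the claims the provider agreed to supply.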

About Author:
Lovina Dodti is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at lovina.d@spluspl.com