Unprecedented resources needed to run .Net

By Mike Ricciuti and Robert Lemos
Staff Writers, CNET News.com
October 22, 2001, 4:00 a.m. PT

Imagine this: With a single password typed only once, a businessman from Detroit gets real-time updates to his calendar, e-mail account, instant messenger, travel schedule and bank statement, accessible from any computer, handheld device or cellular phone, whether he is in Tokyo, London or a plane 10,000 feet over the North Pole.

To provide that kind of service on a wide scale, a company would need to create and maintain a massive international infrastructure of server farms, distributed databases and secure networks updated automatically in real time, without a hitch. Which is exactly what Microsoft plans to do.

If its grand .Net plans succeed, Microsoft will have accomplished a feat no other company has attempted in the high-tech industry. In the process, it will have created the ultimate showcase for its products--much of the .Net My Services infrastructure will be built on Windows--constructed a new pipeline for profits, and finally established a reputation as a technology innovator--recognition that has long eluded Microsoft.

But the goals of its Web services strategy, aimed at consumers and businesses, are so ambitious that many question whether they are feasible even for the world's most powerful software company, especially considering that its record on software bugs and online security is anything but perfect.

"It's going to be quite a large investment in terms of hardware, software, manpower, etc., to run this thing," said Gary Hein, an analyst with Burton Group. "It's going to be a tough challenge, and they're taking a big risk with this."

In essence, the software leader has chosen to untangle a giant mess of incompatible devices, far-flung data stores and easily forgotten passwords that stand in the way of a truly successful commercial Internet. The resulting system could leave Microsoft as the primary toll taker for the bulk of transactions made online--surpassing only a handful of companies that could even think about competing on this level, chiefly AOL Time Warner.

For Microsoft, the payoff could be huge. For example, according to Jupiter Media Metrix, more than 67 million unique visitors went to MSN and other commercial Web sites operated by Microsoft in the month of August. If only 5 percent of those visitors sign up for just one of the new .Net My Services at a cost of $5 per month, Microsoft will have instantly created more than $200 million in gross annual revenue.

Indeed, Microsoft's marketing spiel seems aimed squarely at AOL Time Warner's "AOL Anywhere" campaign. .Net My Services, as the program is formally known, will let customers "access data anytime, anywhere, from any devices," said Christopher Payne, a vice president at Microsoft.

What makes the software company's plan far more difficult, however, is the sheer breadth of services it envisions. Microsoft says customers who sign up for .Net My Services, expected to debut in full next year, can expect to eventually get one-step access to electronic documents, contact lists and calendars; instant alerts on stock changes, weather forecasts and flight delays; and automated transactions, such as online banking, ticket purchases and stock trades, from Microsoft and its partners.

A huge job
That's an enormous task. The company needs to define and build core infrastructure, set standards of operation for partners participating in the plan, and--most importantly--erase any doubt that it can run a broad Internet operation without the outages or security lapses that have plagued its Hotmail e-mail service and Microsoft Network properties.

"Microsoft simply hasn't demonstrated that they can do something like this," said Rob Helm, editor in chief of Directions on Microsoft, which analyzes the company's business strategies. .Net My Services "represents something of a culture shift for Microsoft. Rather than selling software licenses, they are now in the services business. That's a very different kind of business and a very wrenching shift. It's not clear the company as a whole has the expertise and the culture to pull this off."

Because Microsoft has not fully described how it will make .Net My Services available to consumers, no firm estimates on the cost of the infrastructure are available. The company will surely use its existing online properties, as well as its instant messenger backbone. But the Herculean demands of its plans are sure to tax even the largest software company on the planet, despite its roughly $31 billion in cash and other assets.

Microsoft also is constructing multiple data centers to host the massive amount of information that will be housed under .Net My Services. The company will partner with hosting businesses as well. Microsoft did not disclose the location of those data centers or what they will cost to build. But Adam Sohn, Microsoft's product manager for .Net platform strategy, said design and construction are under way.

"We are very focused on running these services in scale, and the timing on when other partners will be involved is still being worked out," he said. The company has tapped Eric Hautala, a longtime employee who once ran MSN, to oversee the creation of the .Net My Services infrastructure.

Clearly, Microsoft cannot build the massive network alone. It will tap current partners and experienced online retailers such as eBay to help host data, and it must hire a roster of other commercial Web site operators and hosting services to keep hundreds of servers in operation around the globe, updating information in real time.

In addition, the company must devote considerable resources to solving some thorny computer-science problems endemic to the Internet, such as security, privacy and the capacity to handle expanding services.

The issues are so difficult that Microsoft has yet to determine how the business side of the plan will work. Jim Allchin, the Microsoft vice president in charge of Windows XP and other key initiatives, said recently that the .Net My Services business plan is still in flux.

"I just don't think it's fleshed out yet," Allchin conceded in an August interview with CNET News.com. "On the business side, there's a lot of thought that needs to happen. A lot of thought."

At least one thing is certain: Microsoft plans to charge for access to .Net My Services. Individuals will be asked to pay a monthly or yearly rate for an account; some analysts are guessing there will be a base charge of $25 to $50 per year, plus additional fees based on how often the service is used and what functions are employed. Software developers and Web site operators, in turn, will be charged a minimal fee for access to those customers, as Microsoft is banking on the big money to come from consumers and business customers.

Central to the plan is an identification mechanism called Passport, which grew out of the Microsoft Network online service and offers consumers a single-step log-on process that allows access to any participating Web site. Already, the company's Passport system processes more than 2 billion authentications each month for 165 million active accounts.

The keys to the kingdom
Consumers register for a Passport account, which requires an e-mail address and a password, through Microsoft Network, Hotmail, Windows XP or a list of partner sites estimated at 60 and growing. After initially signing in to enter a Web site, an individual can gain access to other Passport-protected sites and services simply by clicking a link instead of logging in each time.

As an example of how .Net My Services might be used, Microsoft began a preview this month of a feature called .Net Alerts that uses the company's instant messenger to send bulletins on stock updates, auction bidding and other information to MSN subscribers. Microsoft has inked deals with eBay and 19 other undisclosed sites to offer this service to customers as well.

Although Passport's proprietary security software is not yet compatible with other single sign-on technologies, Microsoft said last month that it would open up the authentication system by basing it on a network security standard called Kerberos.

To date, Microsoft has maintained a central database of Passport customer information at its headquarters in Redmond, Wash. As .Net My Services is introduced, Passport information will be replicated around the world through what the company terms a "federation" of partner sites that it hopes eventually will form an enormous marketplace for .Net My Services offerings.

Microsoft plans to establish agreements specifying privacy policies and operating principles for these partners, which will pay for exposure to individuals with Passport accounts. For example, partners such as telecommunications companies will be able to register Passport members or create secure links between proprietary networks and .Net My Services.

"While you obviously can't guarantee that the data hoster will always be up, you can make sure you have the right principles across this federated network," Payne said.

It is here where concerns are raised about the safety of doing business in this Microsoft-controlled marketplace. Many security experts and privacy advocates have questioned Microsoft's ability to keep its .Net My Services and Passport systems available, secure and free of bugs.

Any one-size-fits-all plan such as this is inherently dangerous, said William Malik, vice president and research director for security at market research firm Gartner.

"The idea itself is really risky: Let's put all our eggs in one basket," he said. "Microsoft is waving an awfully big target out there and saying, 'Hit me if you can.' And history has shown that they have not come out on top in those battles."

Sohn said Microsoft is taking steps to gather expert opinion on how best to construct the .Net My Services infrastructure. "We will be very public on the principles behind this and will let others grade that. We'll be more open about this than we have been in the past" for Microsoft's other services.

A dubious track record
It hasn't helped that a steady stream of technological problems has plagued the company and undermined confidence in the security of its software.

In 1999, Microsoft posted advisories warning of 60 software flaws that weakened the security of its products. That total jumped to 100 bugs found in 2000 and is forecast to fall between the two points this year.

In January, encryption technology provider VeriSign issued two digital certificates in Microsoft's name to an unknown person. The certificates could be used to sign programs and make the code appear to have originated from the software giant.

This summer, a single flaw that affected nearly every Web server using Microsoft software made much of the Internet vulnerable to the Code Red worm. Although Microsoft issued a patch a month before Code Red hit the Net, more than half a million system administrators did not apply it.

"The concern is that the quality of the output from Redmond has always been a problem," Malik said. "Typically, Microsoft takes three times to get it right. That's not going to work here."

Add to the equation that home users have never been exceedingly conscious of security, and concerns about .Net My Services rise exponentially.

Microsoft is well aware that safety is key to making its plans work and says it is conducting several security audits of the proposed network.

"We are looking very hard at how the data travels through the network," Microsoft's Sohn said. "We are coming up with an architecture that we feel can be scaled and will be secure."

Many Web services developers are examining the same problems from their end, but no consensus is imminent.

"I love Web services, but that is the only thing that comes up when people ask about it," said Peter Osbourne, a technology manager at Dollar Rent A Car Systems and an early Web services developer. "It's not whether it can handle volume or throughput or any of that stuff. The question now is always security."  

Software: The end of forced upgrades?