Dealership Infrastructure Guidelines

Service level Agreements (SLAs) are an important part of dealer/vendor relationships. These documents are used to assist both parties in understanding the guidelines and requirements relating to the service the vendor is supplying. An SLA can be used for both internal and external services. For this document we will focus only on the external aspects.

An SLA is a legally binding contract that outlines, in detail, the product or services being provided to the dealership. It covers areas of services, support, availability, upgrades and legal.

Every service being provided to a dealer should be accompanied by an SLA. This allows the dealer to fully understand what will be provided setting expectations. The dealer is protected in the event that a service is not provided as outlined by the SLA; the service provider is protected against a dealer escalating expectations.

The SLA includes all the areas that are affected by outside support. These areas include detailed information about the service expectations.

Service

This is a description of what is being provided. For example, a Data Storage SLA states what data is being stored, what mechanism is being used to store the data, duration of storage , how to retrieve the data, who may retrieve the data, etc.

Hours of Export

Specifies the specific days and hours that data extraction will occur.. This is vital since extracting data during operating hours could negatively impact the dealer's system performance. These details should be specified and agreed upon between the two parties.

Location of storage

This is a detailed outline of the location of the data. It includes location of building, location within the building, hardware used, etc.

Support

The SLA details timeframes for support. Included are: response times for classes of issues; the normal hours of support; arranging off-hours (after hours and weekend) support; and any costs for support not included in the basic contract document.

Information Access

The SLA details the dealer's right to access the information including time restrictions. It details any outlined costs for access and should outline the process for getting that information. Any administrative burden associated with information storage or access, expected to be borne by the dealer, should be explicitly stated.

Downtime and Penalties

If the service is entitled to some downtime, the amount, for instance 2%, is specified here. When the service exceeds the specified downtime limit, the vendor is required to pay some penalty, such as discounting the monthly/yearly fees. The SLA should include information about what the service will do if downtime materially affects the service, i.e., the necessary information was not stored during the outage and a mechanism to address these issues.

Legal

This will cover any intellectual property, Legal Compliances, etc. It would be in the best interest of the dealership to have a legal representative review these areas.

Most vendors should have an SLA in place. There may be areas missing so make sure to review it and ask them to add any information that is not addressed.

In the event that a vendor does not have an SLA the dealer should request one be created. The dealer should feel free to create a SLA to be presented to the vendor. There are various websites and documents that can be utilized to help a dealer create the necessary details to be included in an SLA. Below is a list of a few websites that will assist in the creation of an SLA:

http://www.itil-itsm-world.com/

http://www.service-level-agreement.net/

http://en.wikipedia.org/wiki/Service_level_agreement

http://www.businesscontingency.com/checklist-sla.php

http://www.nkarten.com/handbook.pdf

The primary advantage of upgrading the dealership's network infrastructure is to reduce the complexity and cost of supporting proprietary solutions previously required for each of the dealer's franchises. Consolidating the network infrastructure can contribute to the reduction of equipment requirements, maintenance responsibilities, and related expenses.

Every effort has been made to provide quality solutions within the economic scope of dealerships of all sizes. The following section contains information about the physical elements within the dealership network. These include wiring, hubs, routers, switches, and other network components.

Defined within this section are installation guidelines for a dealership Local Area Network (LAN)and some minimum specifications and requirements for network hardware. Both dealership personnel and potential network suppliers must be familiar with network environments and with the information necessary to build a suitable network infrastructure. The network and its components must comply with industry standards.

Recommendations are given to ensure all equipment is reliable, upgradeable, and scalable. Overall, flexibility of the network is necessary to accommodate changing and emerging technologies, as well as to allow open integration with other OEMs.

The network must be Ethernet based with the standard speeds (100BaseT or 1000BaseT) allowed. However, on any given segment of the LAN, the speed is limited by the slowest component; e.g., using 100Mbps LAN cards with a 10Mbps hub will result in an overall network speed of 10Mbps.

The dealer is expected to build an Ethernet LAN according to computer industry standards (referred to as Category 5 standard). OEMs strongly recommend that this LAN have a central wiring repository where all cables runs are terminated on patch panels. It is strongly recommended that wiring hubs, switches, routers, and communications equipment are located nearby and that all equipment is securely mounted on racks or shelves. Precautions are required to protect this equipment from damage due to poor power conditions and changes in temperature and humidity.

Figure 2.1. Simplified Dealership Wiring

A sample wiring configuration is demonstrated above (see Figure 2.1, “Simplified Dealership Wiring” ). This diagram represents the base configuration that allows a Personal Computer (PC) in the dealership to access the Internet. Dealer Management System (DMS) equipment, any satellite or OEM-specified equipment, and other dealership installed equipment comprising the remainder of the entire dealership network are not shown on this diagram.

Network utilization is the amount of traffic on the network compared to the peak amount that the network can support. This is generally specified as a percentage.

There are various times throughout the normal course of business when a network is busier, i.e., the network utilization is high. As a result, users experience a slow down when the network utilization is high enough. Response times grow greater than expectations preventing normal business processes from operating efficiently. Performance degradations are generally a nuisance but can become significant enough to result in lost revenues. It is important to understand the factors that can cause high network utilization and how to manage the network preventing it from negatively impacting the business.

Factors that can affect performance

The type of software that you purchase will depend greatly on what the needs of the dealership are. Some of the keys items to consider when purchasing or outsourcing network utilization tools are:

In a situation where the network monitoring is outsourced, the dealership needs the option to monitor the reporting, change any network settings, etc. If these features are not available, the dealership should construct and SLA specifying a pre-defined list of report dates, etc.

Management

In an effort to reduce latency due to excessive traffic or other contributing factors it is important that certain steps be taken. For example, ensure a proper network infrastructure layout has been established. If that is not possible, review the current infrastructure and determine which areas can be enhanced or re-engineered to improve performance. Often, a single infrastructure bottleneck is found to be a significant source of performance issues.

In addition to setting up the infrastructure correctly the network will need ongoing maintenance and monitoring to ensure that other factors such as hardware/software failures, bugs, viruses or misuse of resources are not occurring. Many organizations have begun implementing policies restricting usage of Internet resources to minimize the impact of non-business related activity on the network.

A business that has multiple locations can often benefit from leveraging resources such as computer data, business applications, servers, and other devices through a network connection between buildings. Additionally, services such as centralized voice, video, faxing, administration and broadband Internet may be utilized by an entire organization. The increased capabilities and benefits will often offset the expense of these connections. Campus Networks and Wide Area Networks (WAN) are two types of networks, which allow sharing of networked resources between buildings or remote locations.

If there is a desire to access these resources from another location, it must be determined whether the business need warrants the cost of the connections. There are elements to consider when establishing the value in connecting each location. Consider the following when deciding:

Each location needs to be individually evaluated for connectivity and bandwidth requirements. Factors such as the number of users running remote applications or the amount of data transferred can help determine bandwidth requirements. If connection reliability is critical, then Service Level Agreements (SLAs) will be of great importance.

A qualified supplier should be able to provide assistance in making an accurate estimate of business needs. An approach to finding suppliers might include contacting local suppliers of phone services, long distance service, network services, telecommunications equipment, and web related services. It is recommended that credentials, certifications and references be obtained.

Many factors should be taken into account when determining connection requirements:

2.4.4. Multi-Location Recommendations

If a business has "right of way" and/or wireless is a viable option, then a Campus Network should be considered due to lower recurring costs and generally better performance than a WAN. In some instances the local telephone company will grant the right of way and install or lease the necessary cabling in order to establish a campus connection. If there is no right of way, or wireless is not an option, a WAN or VPN should be considered. The choice of connection method is based on business requirements, available technologies, performance and associated costs. If cost effective broadband Internet access is available from multiple locations, an Internet VPN may be preferable. In some scenarios, a hybrid design combining campus, WAN and VPN technologies may be the best solution.

Figure 2.2. Campus Network Options

As with all technologies, multiple proposals are recommended for network solutions. While evaluating solutions from vendors, it is advisable to get network diagrams that indicate both logical and physical layouts. The solutions should be detailed in order to properly compare cost, technologies, bandwidth, and performance variables. A bill of materials, statement of work and maintenance contracts should be included with each proposal. Because technology is changing so rapidly it is strongly recommended that data communications contracts be limited to one year if possible.

OEMs are standardizing their applications to run over the Internet diminishing the need for custom OEM hardware, software and network requirements inside the dealership. During the transition period, while OEM applications migrate to the Internet, provisions MUST allow for legacy network paths. Additional OEMs and dealership system providers may have their own requirements inside the dealerships. To avoid potential network communication problems, a single point of exchange is employed to manage traffic. The OEMs see that exchange point as the network switch. The dealership must understand that the multiple-OEM dealership integration will become complex in the short term until all applications are migrated to the Internet. A competent individual or third party is required to manage IP addressing and some of the more intricate aspects of networking (e.g., VLANs)

Each dealership needs a path to the Internet that goes through the Internet router and firewall controlled by the dealership. Other paths to the Internet must be similarly controlled or isolated from the dealership's private network. Any system providers that accept this view can join the standard by attaching equipment to the delearship's switch, thereby accepting dealership control.

Implementation Information

The configuration of the network comes from a detailed network design plan. This plan should take into account any router, switches, hubs, cabling and other network interface-related items. The complexity of the design will depend on the needs of each dealership. If there is a need for network segregation to accommodate different vendor equipment or additional user needs this must be documented in the plan from the beginning. While equipment quantity and capability may vary, the role and function of the network will essentially be the same for most dealerships.

In addition to the general network design that is needed, the dealership may want to give access to guests. It is important that this access be segmented from the rest of the dealership LAN.

The designing and building of a local area network is only a small part of the work that is involved in actually using the network. Managing the flow of traffic and the usability of the network will take more effort over time. Address schemes will need to be designed and routing tables set up accordingly. Some of this work is completed when the network is first set up. Barring any equipment failures, it may not need to be done again. However, even small networks need oversight on a regular basis. This is minimized if dynamic tools are used to assign network addressing and to resolve those addresses. The Internet Service Provider (ISP) may insist that these tools be used for the Internet connection. Even more benefits are seen if they are used inside the dealership as well.

The kinds of skills needed to perform this function are not found in every dealership. It requires a very good understanding of computer networking and addresses schemes. You MUST place a good deal of trust in this person as well. Mistakes on their part can bring the dealership network completely to a halt. If service providers are not able or willing to support equipment in the dealership, an outside resource can be contracted.

An ISP should provide the dealership with routable Internet Protocol (IP) addressing. Routable addresses are required for users on the Internet to communicate with the dealership and their sites. The addresses will be assigned to the router. Devices on the Local Area Network (LAN) can use either routable addresses or reserved private addresses. OEMs recommend the use of dynamic IP addressing served by the router. If routable addresses are used, it is essential that the ISP reserve these addresses. A detailed review of IP addressing is located in the Appendix.

Network devices use a routing table to maintain knowledge about where IP networks and IP hosts are located. IP addresses and subnet masks identify these networks and hosts. In addition, routing tables are important because they provide needed information to each local host regarding how to communicate with remote networks and hosts.

Private addressing (RFC1918) uses IP addresses that have been designated for private use only. This means that these IP addresses can be used in private network environments and cannot be routed over the public Internet. Whereas non-routable addressing is IP address space that is registered with the Internet Network Information Center (InterNIC), but has not been made available to be routed over the public Internet.

Router configuration varies from supplier to supplier. It is best to have a professional technician handle the configuration of the router. However, there are some basic rules that installers should follow:

Change the default password. More often than not equipment manufacturers use the same default password in all of their products. These passwords are widely known. This is done so that installers can quickly get the product up and running without referring to documentation or having to call the manufacturer. If the installers change the password, make sure they give it to someone designated in the dealership as an administrator. That same person should know how to change it after the installer leaves. If the dealership is going to manage it's own router, there is no reason for anyone outside the dealership to know the password. However, at least two people in the dealership should know what that password is.

Ask for a copy of the configuration file on disk. If for some reason the router has to be replaced, having a copy of the latest configuration files on disk can save time and significant money. Rebuilding a router configuration files from the beginning can take significant time. Having a disk on hand could mean a restore time of a few minutes. Be sure to get a new copy of the configuration after each change and keep this disk in a safe place. It is also advisable to keep several generations of the configurations. Problems are not always discovered right away. It may be necessary to restore the configuration used before the last couple of changes were made in order to truly correct the problem.

Insist on labeling each interface and cable. This will save time when tracing back cables and acts as a self-documenting process others can follow.

Secure the router in a rack or on a wall shelf. Placing a delicate instrument on a tabletop or in an area where it can be moved or dropped is inviting trouble. Take the time to mount the device securely. Preferably, this should be in a rack with other communications gear.

Be sure the router can come back after a power surge. Do not let the technician leave without demonstrating that the router can restore itself after a full power outage.

The concepts of having visibility to the network and having the ability to control network infrastructure are elements that are often overlooked when installing a Local Area Network (LAN) and Wide Area Network (WAN). Consider the following requirements when purchasing a router. This will insure that the device can be serviced quickly or problems could be solved without a service call.

Management of the router via web interface, telnet or GUI software (this avoids having to go to the wiring closet to work on the router):

Most ISPs will offer the router as part of the service provided to the dealers. Regardless of whether the dealer chooses to purchase its own router or it is provided by the ISP, the following are some basic guidelines to follow.

Routers offer a wide range of features. Since it is a significant portion of the LAN equipment costs, it makes sense to look at models and features to determine the best fit for the dealership. The dealership will want to avoid spending too much initially. However, the ability to add features, as the dealership and the network grow, is essential. Most routers can be configured with different expansion cards and software (called feature sets) to meet the needs of the dealership.

When evaluating router technology consider the following:

Network Address Translation (NAT) is a method of connecting multiple computers to the Internet (or any other IP network) using one IP address. This allows home users and small businesses to connect their network to the Internet economically and efficiently. NAT should be a required feature in any router.

Reasons for using Network Address Translation:

A detailed review of Network Address Translation is located in the Appendix.

Dynamic Host Configuration Protocol (DHCP) is a method of assigning IP addresses dynamically. Many routers contain the option for a DHCP server. DHCP allows client computers to be configured automatically; when a computer is switched on, it searches for a DHCP server and obtains TCP/IP setup information. Network configuration changes are done centrally at the server. The administrator does not need to apply the change to every computer in the network. The clients will be updated when the request information from the DHCP server during their boot-up cycle. For example, if it is necessary to reconfigure a private addressing scheme in order to merge the network with the network in another store, all clients will automatically start using the new addresses the next time they boot-up. Some ISPs will require the use of DHCP as a prerequisite for using their network.

The Domain Name Service (DNS) is an Internet directory service used to translate readable domain names (e.g. joes.autorepair.com) and Internet Protocol (IP) addresses (e.g. 192.168.45.230). Domain names consist of two or more levels separated by dot '.' and MUST be registered by the operator of the top level of the name (e.g. .com in joes.autorepair.com is operated by VeriSign). The directory of domain names is distributed across the Internet and DNS is widely used by most Internet services to locate Internet domains (web sites) and to control Internet email delivery. That is, a registered unique name can be entered into a browser as the identifier for a website. Computers however must still use the numeric addresses, so the text names have to be converted into numeric addresses. The Internet has a collection of servers that together provide for two-way name-to-address translation. When Internet names and addresses are"registered" an entry is placed into the lookup tables used by DNS.

There are two types of top-level domains (TLDs), generic and country codes. The most common generic top-level domains are three letters but can be longer or shorter. The following table lists some common generic top-level domains.

A standardized list of country codes domains are also used for top-level domain names (e.g. Norway is .no, United Kingdom is .uk, the United States is .us). Internet Assigned Numbers Authority (iana) at www.iana.org maintains this list.

For dealerships' continued growth there may be need to allow Non-Dealer vendors into the network to extract information that will help generate business. This may for instance help dramatically improve sales, but if the wrong person gets in or misuses privileges the business could come to a screeching halt. Preventing people from abusing a network requires taking the proper steps for self protection.

http://www.corenic.org

http://www.ietf.org

Networks consist of connections between machines (computers) allowing the machines to communicate and work together. The simplest network is between two machines in the same room connected with a cable in that room. This network is private. It is as secure as the room occupied by the machines provided the computers do not have other connections.

When machines being connected are not in the same building, they can still be connected privately by using a connection leased from telecommunications provider. They can also be connected privately by using the public switched network. Both of these are substantially less expensive than running a private wire across a long distance.

Leased lines are expensive and the switched network is limited in communication capacity (slow). The Internet generally provides a lower-cost alternative. However, depending upon the service provider capability, these configurations may be vulnerable to third party wire taps, and messages traveling over the Internet can be intercepted by third parties with a computer and a little ingenuity. Low-end internet service providers may be more costly in the long run due to these security risks, as well as interruptions and slowdowns.

Virtual Private Networks address these concerns by providing software that makes the Internet appear as a leased connection to the machines being connected. Each machine acts as though it were connected to the other using a Local Area Network wire.

VPNs may be LAN-based or client based. Typically, LAN-based configurations use hardware to maintain the VPN whereas client-based ones require software to be installed, configured and maintained on each machine - raising the costof the VPN to greater than just using the Internet.

Privacy concerns are addressed by encrypting the message before sending it out through the VPN and decrypting on the way in. Penetrating the encryption requires a great deal of time and computing power making the VPN risks akin to the wire tap risks of leased lines.

Alternatives to VPNs could involve private networks such as ANX (Automotive Network Exchange). This network was created to allow Internet like facility between Automotive OEMs and their suppliers. ANX is not considered feasible for dealer communications because of interoperability issues and cost.

Private networks are closed because they limit contact with other networks. Traffic is safe and reliable because there is no possibility of interference from outside sources. There is a cost for that level of service though. Private networks tend to be more expensive because the communication medium is dedicated. The satellite networks that many of the OEMs use are examples of private networks. A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure. A VPN can use public switched networks or, in some cases, the Internet. Privacy is maintained by using software-based tunneling protocols or hardware-based gateways. A VPN can be contrasted with a system of owned or leased lines that can only be used by one company. The goal of a VPN is to give the company the same capabilities of a private network at much lower cost by using the shared public infrastructure. A VPN adds a supplemental level of security when sharing data over public resources.

Using a VPN involves encrypting data before sending it through the public network and decrypting it at the receiving end. An additional level of security involves encrypting not only the data but also the originating and receiving network addresses. There are several ways of implementing a VPN, including client-to-server and network-to-network technologies. This extra processing requires complex network set-ups, ongoing management, and increased bandwidth requirements.

Due to the additional complexities, the cost of using a VPN is higher than that of using the public Internet even if the Internet is used to transport data. In situations where higher security is required, the cost can be justified. Where reliability is a critical factor, private networks are chosen over public options. Most of the automobile OEMs have connections to a VPN called Automotive Network Exchange (ANX). Only a few Certified Service Providers (CSP) are allowed to provide ANX connectivity service nationwide. This network handles communication among large suppliers involved in the manufacturing process. The large volume of mission-critical data transferred on this network requires the kind of dependability and safety a private network offers. Many CSP's provide Internet access through the ANX network.

ANX is not presently considered a reasonable option for dealerships to OEM communication because of interoperability issues and high costs. The kind of dependability and security needed for dealership applications can be provided using the public Internet with far less cost. Some OEM's and DMS providers may choose to use ANX or some other VPN. Those networks can also be used to communicate with OEMs that have a web presence as long as these VPNs have gateways to the Internet. Those gateways should allow individual dealers to configure Internet access and security policies.

Wireless LANs enable network communication and connectivity without the physical restraints of hard wired cabling. (see Figure 6.1, “Wireless LAN” ). Wireless technology can be especially useful in building-to-building communication or connecting laptops, printers, or other wireless capable items such as PDAs to a network where wired cabling is difficult or expensive. Gaining a better understanding of wireless technologies (types, protocols, leading trends, etc) will be an important foundation to begin researching and exploring how wireless networks can fit your needs. Keep in mind that wireless technology and protocols are constantly changing which will require the person to stay up-to-date and informed on the latest information.

Figure 6.1. Wireless LAN

There are many situations where a wireless solution can be very beneficial. Users can now move freely from office to office, building-to-building, and location-to-location and access network resources and the Internet. A wireless network can be leveraged for a temporary set up during remodeling, peak seasons, or special projects such as tent sales. If the dealership is utilizing wireless for the primary means of network connectivity it is important to ensure redundancy in case of outages and full bandwidth for full coverage and connectivity.

Figure 6.2. Access Point

Currently the primary standard used in the deployment of wireless communications, is 802.11n and is recommended for new installations. However, where frequency interference has been identified as an issue 802.11a or 802.11g may be a solution. Comparisons of these are documented below.

The General recommendation is the industry standard wireless LAN 802.11g for new installations, which uses unlicensed radio frequencies in the 2.4GHz band without requiring line of sight for most installations and offers the highest speed and greatest distance combination. Please refer to Wireless Recommendations for important information, requirements and recommendations on incorporating security to any wireless network.

Use 802.11n only when:

Use 802.11a only when:

Use 802.11g when:

The need for security on any network is paramount, even more so with wireless networks. Typical wired networks have a degree of security inherent in them because physical access is limited by the confines of a building structure. Wireless networks on the other hand are more vulnerable because data is transmitted through the air, making access possible from anyone within range of the wireless access point.

A comprehensive wireless security solution can protect interests and thwart attacks. Proper security implementation is essential, as someone with a laptop or handheld device with wireless LAN capabilities sitting in the parking lot or across the street can access the network. Anyone with access to the Wireless Local Area Network (WLAN) can launch Internet attacks, or more concerning, may eavesdrop on network traffic. This exposes user information.

Anyone successful in obtaining user account information can gain access to databases, steal sensitive customer information, and install back doors via modems and the Internet. Malicious hackers may even destroy data, halting or severely hampering business operations. Wireless handheld devices and neighboring businesses with improperly configured WLANs within range can inadvertently access each other's networks causing performance problems. A comprehensive security solution can be achieved by using

All of these measures are integral to a comprehensive security policy, which is only as strong as its weakest link. Planning and implementing wireless network security has significant costs associated with it. In most cases the cost of having a strong security model clearly out weighs that of having information stolen or corrupted. A clear cost benefit should be established before choosing wireless solution over wired traditional methods. Careful planning should be exercised to ensure that the WLAN is as secure and cost effective as traditional wired methods. Consulting with a professional wireless LAN expert should be considered when planning a wireless LAN.

There are several different options when it comes to wireless security. The two main formats are WPA and WEP. Previously WEP was the industry standard; however with new technologies and stronger requirements a new standard has emerged. WPA is a stronger and more effective format. It is strongly recommended that all security settings be update to utilize the new standard. Note: some legacy devices may not be able to update to WPA or WEP.

Because security is ever changing and more robust tools are introduce to combat hackers it is important that a dealership be diligent with staying informed of new technologies to help protect vital infrastructure and data.

The most important element of a good network design is also the most often overlooked – security. Too often security outlays are considered expensive, never ending line items that can be trimmed or eliminated when looking for budget reductions. However, security spending is a strategic investment that protects the business. There is no single magic ingredient to the formula for complete network security. Some networks simply place a firewall device between themselves and the Internet and assume that all is safe. In reality, even the best firewall provides minimal help if its configuration is weak or out of date. A proactive security approach will help avoid problems by layering people, hardware, and software to create reasonable and safe protections around the network.

A firewall examines all traffic attempting to pass between two networks and only passes traffic that meets predefined criteria. The firewall should be placed so that all inbound and outbound Internet traffic MUST pass through it. No backdoors or other network paths should be available. It can also manage public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network, and trigger alarms when hostile or unauthorized entry is attempted.

Does every dealership need a firewall? Yes! Any private LAN network that is connected to the Internet needs firewall protection. Furthermore, anyone who connects so much as a single computer to the Internet via modem should have at least personal firewall software. Many dial-up Internet users believe that anonymity will protect them, feeling that no malicious intruder would be motivated to break into their computer. Dial up users who have been victims of malicious attacks and who have lost entire days of work, perhaps having to reinstall their operating system, know that this is not true. Irresponsible pranksters can use automated robots to scan random IP addresses and attack whenever the opportunity presents itself.

Firewalls should run on network appliances, such as routers, or UNIX servers. Operating systems such as Microsoft Windows should not be considered to host firewall software due to security risks.

Figure 7.1. Dealership Demilitarized Zones (DMZ)

Blocking vulnerable ports is a minimum requirement for perimeter security, not a comprehensive firewall specification list. A far better rule is to block all unused ports. Even after these ports are blocked, they still should be actively monitored to detect intrusion attempts. WARNING: Blocking some of the ports in the following list may disable needed services. During the initial configuration, all Transmission Control Protocol (TCP) ports should be disabled. Ports should then be enabled only for identified applications. Standard ports should be used whenever possible. Please consider the potential effects of the following recommendations before implementing them (although this list represents many of the known potential problems, understand that it is not inclusive):

To further lock down your Internet connection, certain inbound access methods can be used. The following examples of inbound access will discuss the positives and negatives of each method. The positive:

Packet filters deliver the most basic form of firewall security and are a standard feature of most routers. Although packet filtering should always be used, it only provides minimal protection and MUST be used in conjunction with other firewall techniques. Packet filters inspect the header of each incoming and outgoing packet for user-defined content, such as an IP address or a specific bit pattern, but do not validate or track the state of sessions. Packet filters can also filter at the application port level (e.g., FTP generally uses port 21). However, since any packet with the right IP address can pass through the filter once the port is enabled; there is a security hole for other applications or sessions addressed to the same port.

Source routing is a routing mechanism whereby the path to a target machine is determined by the source, rather than by intermediate routers. Source routing is used mostly for debugging network problems but could also be used to attack a host. If an attacker has knowledge of some trust relationship between hosts, source routing can be used to make it appear that the malicious packets are coming from a trusted host. Therefore, because of this security threat, a packet filtering router can be configured to reject packets containing source-route options. Thus, a site that wishes to avoid the problem of source routing entirely would write a policy to that effect.

Packet filters can be used in a variety of ways to block connections to or from specific systems or networks, and to block connections to specific ports. A site might wish to block connections from certain addresses, such as from systems or sites that it considers hostile or untrustworthy. Alternatively, a site may wish to block connections from all addresses external to the site (with certain exceptions, such as with Simple Mail Transfer Protocol [SMTP] for receiving email).

Personal Firewall Software operates like a persistent “traffic cop.” When the Personal Firewall Software detects inappropriate access to a computer, it blocks access to the offending user. Other Internet access remains open and unaffected. The user can continue to browse the web, send email, and listen to Internet radio stations while Personal Firewall Software rejects the hackers.

When a Personal Computer (PC) connects to the Internet, it becomes part of a global network. A hacker can use widely available networking tools to connect to that computer and send it commands. Since the link to the Internet is active hackers can identify the user’s system and break into it.

The Personal Firewall Software should consist of two components:

Personal firewalls have a place on every machine, but there are areas where they become a necessity. Traveling personnel with portable devices should always use a personal firewall since there are no guarantees that the network that they are on has a firewall. Understand the placement of firewalls on every machine can add additional administrator overhead since it takes someone to look at all the policies to determine what is actually correct to block and what should not be.

Corporate networks can also benefit from using personal firewalls. Most attacks come from internal malicious users, so a firewall on every laptop, PC and server can help with this kind of attack. Also, since most personal firewalls can monitor outgoing traffic from the PC, it is easier to identify and attack security vulnerabilities like Trojans and worms.

If connections inbound from the Internet are required, the dealer should set up an external safe area usually called a Demilitarized Zone (DMZ or Transaction Zone). A DMZ is a portion of the network that logically sits between the Internet and the local area network (see Figure 7.1, “Dealership Demilitarized Zones (DMZ)” ). Physically, a DMZ is established as a separate segment with traffic directed to it from the dealership router. A DMZ is accessible from both the internal network and the Internet, but does not allow machines on the Internet to access directly the dealer’s internal network.

This DMZ configuration creates a divided approach. Information that is bound for the internal network now has to make twp stops (one into the DMZ from the Internet and one from the DMZ to the internal network). Users who are sending this content do not have direct access to the internal network. This is important as the network administrator can stop any traffic at any time for certain applications if he/she feels there may be a malicious attack.

The normal install of A DMZ configuration consists of firewall rules governing access to servers inside the DMZ and another set of rules governing access to and from the internal network in order to enable them to perform specific functions. It is important to make these rules very specific down to IP and port number. It is even more effective if the rules are set up in such a way that internal machines are the only machines that can initiate a conversation with the DMZ, versus a DMZ machine that can access the internal network. With this configuration, a compromised (or hacked) machine on the DMZ is still very limited to what it can do and only has access to the DMZ it sits on.

Servers used to host dealership websites and external email services MUST be placed within the DMZ. Dealerships that allow inbound access to their networks should be aware that there is a broader scope of issues that exist which are not covered in this document. Dealerships should have a highly qualified supplier configure and maintain these networks.

Proxy servers provide additional security by hiding networks from each other. All communication between the networks goes through the proxy. In a dealership environment, the PC’s communicate with the proxy server, and the proxy server in turn communicates with the Internet. Data packets going to the Internet are “repackaged” with the IP address of the proxy server, so that intruders are not able to determine the true source of the packets.

A proxy server has many potential purposes, including:*

Proxy servers are not required to communicate with the OEMs over the Internet. However, they can be configured to provide additional services that may be desirable. These services may include:

Intrusion Detection Software (IDS) is used to provide an indication of a potential or real attack. It does not stop any attack. An attack or intrusion is a transient event, whereas vulnerability represents an exposure, which carries the potential for an attack or intrusion. The difference between an attack and vulnerability, then, is that an attack exists at a particular time, while vulnerability exists independently of the time of observation.

An intrusion detection system examines system or network activity to find possible intrusions or attacks. Intrusion detection systems are either network based or host based; suppliers are only beginning to integrate the two technologies.

Network based intrusion detection systems are most common, and examine passing network traffic for signs of intrusion. Host-based systems look at user and process activity on the local machine for signs of intrusion.

Intrusion Prevention Software (IPS), which is the next generation of IDS, works more in a real-time environment to identify and STOP attacks. IDS identifies the attacks and notifies the network administrator where as IPS actually tries to stop the attack.

IPS works under the same framework that IDS works, so network or host based clients still apply. The biggest difference is that a network administrator will get a warning that an attack has been stopped versus searching logs and trying to determine if an attack has happened.

It has been estimated that Melissa, the ExploreZip.worm and other such malicious virus attacks cost U.S. businesses in the late 1990’s a total of 7.6 billion dollars (U.S.) during a 12-month period. With the serious potential for that kind of damage, it seems imperative that all efforts be taken to protect the dealership’s network and information. Protecting networks from the growing threat of these costly computer viruses is no simple task. Over 45,000 viruses are known today and new ones are being created each month. With that in mind, fail-safe data protection is crucial. The effort begins with proper tools and continues by keeping ever vigilant for new viruses and by updating the tools used to combat them. Viruses can invade the system in a variety of ways. Files copied from infected diskettes, Trojan Horses acting as email attachments, or worms placed on servers by hackers can all wreak havoc if left unchecked. For those reasons tools are required at all levels of the network to protect the network investment and the information assets completely.

In the unlikely event that the dealership does suffer from an attack, the most important predictor of its ability to recover from that attack is the degree to which it prepared for that attack. The first step is to identify information that is pertinent to the operation of the dealership. That information should be copied (backed up) nightly. It is not necessary to backup all software as long as master copies are available if needed, but any configuration files or settings should be backed up when ever they change. Any data generated by dealership personnel MUST be backed up without question. This would include email folders and documents created on clients. Larger dealerships should consider storing that data on a central server. This will simplify the backup process and eliminate the need to have multiple users backing up their own data. It is always a smart idea to keep several generations of backup in case a file is lost or damaged and it is not noticed for several days.

Attack Recovery could be a full time job. Once a dealership decides to take on the responsibility of identifying and attacking this problem, it will most likely be the only activity that they could do. The Internet is constantly changing and there are new attacks and vulnerabilities that are being discovered daily. The best way to handle attacks is to partner with a company that has the resources available to handle it on an enterprise level.

Dealerships should establish a security policy and strictly enforce it. Users should be made aware of this policy upon initial access to dealership systems and be reminded on a periodic basis. Many companies use automatic pop-ups during login screens to remind employees of the corporate concern for security, and the ramifications of not following policy. Reference NADA Policy.

There are several important aspects of a DMS. Understanding and managing these key aspects can help determine how effective the DMS will be in achieving business goals. Demanding flexibility and open standards from the DMS will allow interaction with the myriad of applications and features that are available from a variety of sources, as well as utilizing the network infrastructure to its potential. Maintaining executive control and ownership of infrastructure and information will facilitate the ability to integrate with OEMs and third party suppliers. Following these guidelines will help preserve the dealer's customer relationship, ease the transition to new systems and suppliers and bolster competitiveness and innovation in the DMS market space. Look closely at the existing DMS and plan carefully when upgrading systems or changing suppliers.

One of the main premises of the Dealership Infrastructure Guidelines is that the dealer maintains control and ownership of their network infrastructure. The dealer should also remain the primary decision maker. All application requirements should be compliant with the Dealership Infrastructure Guidelines.

Most applications can be accessed from the single dealership network, whether the application is from an OEM, DMS Provider, or a third party supplier. Dealers who maintain control over their network infrastructure will have greater flexibility and freedom to enhance their business with applications from a variety of sources.

The Client-Server based DMS solution is comprised of a server and client PCs which are connected to the dealership LAN. In this solution the client PC actually does some application processing offering enhanced functionality. The server and related equipment are most often located and controlled in the dealership. In certain configurations remote access to the DMS is achieved via a WAN or VPN. Bandwidth requirements for this solution are moderate to heavy.

The Hybrid DMS configuration lets both PCs and green screens access the DMS. As the legacy terminal equipment becomes less feasible and more functionality is needed, users will move from terminal based green screens to networked PCs.

The ASP model DMS has a centrally located server which is accessed via the Internet or VPN. The DMS server is physically located and controlled outside of the dealership at the provider's hosting facility. Servers and infrastructure may be shared by other customers so the vendor must have security to prevent other customers from accessing your data. Data access is controlled by the DMS provider and the internet access providers. Any of them could impact access to dealership data if there are billing disputes or equipment failure. Bandwidth requirements are moderate to high as streaming video and picture content increase in applications.

While preparing to work with DMS providers, the Needs Assessment in Appendix can be invaluable. Dealerships should use this worksheet to gather information about their existing infrastructure and their current and future computing needs. Whether a dealership chooses to work with a third party network service supplier or their DMS provider, the answers to these questions will provide the supplier with pertinent information. Using the assessment may just save the dealership a considerable amount of time and money when comparing supplier offerings. Examples of issues that need to be worked out between the dealership and the DMS Provider include:

For more information review the checklist in the appendix. Additions, modifications or updates to the DMS may be needed in order for it to be placed on the dealership's Internet enabled infrastructure. Through proper planning and coordination, the DMS can seamlessly migrate to the dealership Internet infrastructure.

Switching to a new DMS provider can be a daunting task. Having an effective plan in place when migrating to a new system can ease the burden but dealers should expect at least 6 months of transition time to learn a new system. Prior to making a change, dealers should determine if a new system will require major changes to their LAN, fit the workflow process of all departments in their store and if all of their customer information can be converted over to a new system.

Once a dealer has committed to changing systems, it is important to have the proper training to learn a new system. Dealers should consult with their new DMS providers to ensure that adequate training is provided to help ease the transition period.

If a dealer is considering a change to a new DMS provider, it is important that they do as much research as possible before making a final decision.

DMS providers have been installing and supporting dealership applications for years. Some DMS providers offer a range of services from software only to complete LAN solutions including design and installation. Those DMS providers are also extending their product and service lines to include Internet based solutions. The DMS provider can be a valuable resource when the dealer is considering a change to their network infrastructure.

Knowing who is accessing DMS data and customer information and having a solid backup plan in place is critical for dealers to protect their customer information. With recently introduced rules and regulations regarding safeguarding customer data and privacy this is a matter that should be taken very seriously.

It is important for a dealer to know everyone who is accessing their DMS system for customer data. This includes OEM's as well as any third parties acquiring information to help the dealer with customer service, follow-up, etc. A dealer should also be aware of what information about their customers is being accessed, how it is being accessed and transmitted and what the other party is doing with the data once they receive it.

Another area of great importance is the backup of system data. For dealer's that have an onsite DMS server this should require a strict policy. Backups should be done on a frequent basis (daily is recommended). The transportation and location of the backup is also important. It is recommended that backup media be stored at a secure offsite location is case of acts of nature such as flooding, hurricanes, etc. A dealer should know which personnel are responsible for handling these steps in the event of an emergency.

For dealer's that utilize an offsite server or ASP solution with their DMS provider these backups are handled by the DMS provider in a secure manner.

Client hardware in the dealership is the responsibility of each individual dealer. Each OEM establishes the minimum specifications necessary to run their corporate applications. While a dealer is free to choose any hardware, using client hardware that meets or exceeds these specifications will ensure that all OEM applications will run as expected. Procedures are in place for the dealers to order standard configurations from OEM’s, PC vendors and value added resellers (VAR’s). Details on the configurations and the ordering process are found in the addendum provided by each OEM.

Several factors should be taken into account when deciding when and where to add Personal Computers (PCs) or to replace green-screen terminals. If a user only uses green screens, and the application will not be changing, there appears to be no need to place a PC at that location. On the other hand, if the applications they use will be browser based, then this green screen should be considered for replacement with a PC.

Another situation where replacement might make sense would include the substitution of one PC in place of multiple green screens. People who need to run browser-based applications, or users that require multiple applications from possibly dissimilar networks, are candidates for PCs.

The schedule for the business system providers to convert to browser-based applications is also an important consideration. Given the current rate of change in the PC industry, a PC’s useful lifespan is approximately three years. After this time, consider refreshing and or replacing PCs.

Choosing products to work with business networks can be a daunting task and most small to medium size businesses do not have IT departments to make these complicated decisions. There are many factors that companies should look for when choosing items such as printers, faxes, uninterruptible power supplies and; back-up and recovery systems. This chapter is a compilation of checklists, considerations, and best practices regarding the implementation of network devices and computer peripherals in the office environment. (Dell)

There six are basic considerations for selecting any add-on to a computer network. They are:

The two most common and critical server peripherals are usually a device to back up the files on your server and an uninterruptible power supply (UPS). The UPS will help to prevent both hardware and software damage which can result from fluctuating power levels and will allow any equipment plugged into it to run on its battery for a short period of time in the event of a power outage and allow the equipment to shut down. The backup device will allow you to make copies of important files like customer contact data as well as sales and service activity, separate from the server or other computers, to safeguard your company against loss of data which could result from computer failures. The UPS should be checked periodically.

Selecting a printer includes more than consideration for the cost and functionality. Data privacy and security issues also need to be addressed. This section will deal with how to select a printer for the dealership’s needs and the best practices for implementing both the functional and security needs of the dealership.

A printer located in a public place opens the risk of giving unauthorized people access to confidential information when documents are left on or near the printer. Also, intruders may be able to access documents by hacking into the printer's spooling device or by utilizing a reprint feature on the printer.

Recommendations

The following recommendations can reduce security risks associated with printers and their printed documents:

Basic Printer Etiquette

Anytime multiple people are using a central device there is potential for conflict and frustration. Basic printer etiquette is not just about good manners; it helps ensure a business functions smoothly. Because of this many business apply printer etiquette policies to avoid conflict. Common requirements are:

Fax Machine Considerations

Traditional Fax machines carry similar risk to privacy and confidentiality when used in community setting. As with a printer, users who utilize a heavy load of sensitive faxed data should have their own dedicated fax machine in a secure location.

Modern fax modems that are in most late model PCs have the ability to send a fax to either a fax machine or an email address. For some sensitive data the later may be the better choice.

Tablet PCs are fully-functional laptop computers. They may include touch-sensitive screens designed to interact with a digital pen or a person's fingers. The pen or finger replaces the mouse and/or keyboard and can do things like select, drag, open files, allow for handwritten notes and communication.

Tablet PCs have advantages and disadvantages compared to laptops and desktop units.

Credit Card Processing enables businesses to expand payment options and therefore may increase revenue. Below are features that should be evaulated when choosing Payment Gateways and credit card processing devices and service providers:

A solid-state disk/drive (SSD) is a data storage device that uses solid-state memory to store data. Unlike hard disk drives, which have spinning platters and drive heads, solid state drives should contain no moving parts. For dealerships, this may be an area for consideration for systems that require instant ‘on’ capability, or for portable systems in an abusive environment

SSDs may be preferred over traditional disk drives for a number of reasons. One advantage is in the speed of booting-up; hard disk drives need to be spinning and therefore have a "spin up" time which solid state drives do not. In addition, information on solid state drives can be accessed immediately so there is no delay experienced when data is transferred. The data captured in SSDs is stored in memory and can be accessible almost instantaneously. The storage on SSDs is handled by flash memory chips, which provides three strong advantages: less power usage, faster data access and higher reliability.

SSDs are greater in cost when compared to hard disks. SSDs are a higher cost per megabyte of storage and are more expensive per gigabyte compared to hard drives. A normal flash drive may cost US$1.50-3.45 per gigabyte, hard drives are around US$0.38 per gigabyte. But in some applications the overall cost turns out to be less costly when comparing the higher reliability and no spinning parts of SSDs to the cost of possibly having to replace multiple hard disks.

SSDs are a rapidly developing technology that may be significant to how a dealerships data infrastructure is developed and managed. Understanding the full range of uses, advantages, disadvantages and costs of SSDs should be considered when evaluating the different types of data storage within dealerships. Some applications within the dealers infrastructure may benefit from SSD like active directory servers or other applications where immediate booting-up would be required. SSD will however not replace data storage where a great deal of data writes are required like database servers or email systems.

A smartphone is a mobile phone that offers more advanced computing ability and connectivity than a basic 'feature phone'. Smartphones and feature phones may be thought of as handheld computers integrated within a mobile telephone, but feature phones run applications on platforms developed to support phones. Smartphones on the other hand run on a complete operating system software providing a robust platform for application developers.

Demand continues for smartphones that are more powerful than the previous versions and are equipped with faster processors, more memory, larger color screens and open operating systems. Their rate of adoption has far outpaced the rest of the mobile phone market for several years. A recent study determined that smartphones would outnumber regular phones by 2015. Most smartphones are equipped with one of the following operating systems: Android, BlackBerry OS, iOS, and Windows Mobile.

The feature rich smartphones enable the consumer to always be connected to the internet for access to email, texting, social media sites, videos, as well as phone services. An increasing number of automotive vehicles include wireless or Bluetooth features to “link” the smartphone to the vehicle’s infotainment features. 

Retailers and manufacturers will have additional opportunities to communicate with their customers relative to their transportation and vehicle servicing needs. The communications will be able to be tailored to each customer’s preferences. With customers accessing social media sites and location-based services in increasing numbers retailers and manufacturers have new “locations” and methods of providing targeted, time-sensitive marketing advertisements to customers.

VoIP is technology that allows two-way voice communications over an IP data network such as the Internet, enterprise IP connections, WANs or LANs. Traditional phone equipment can be hooked up to specialized devices which connect to the Internet or dedicated IP network. Voice calls are converted into data packets and sent to a VoIP service provider who converts them back and routes the calls to the Public Switched Telephone Network (PSTN). VoIP service may allow businesses to reduce or augment traditional local and long-distance voice services. Intra-company voice calling can be setup in a similar fashion via an IP based WAN without the need for PSTN connections or VoIP service providers. VoIP has the potential to offer substantial discounts for voice services. (VoIPReview)

Great care should be taken when choosing a VoIP provider. There are two key considerations that outweigh cost factors:

Having a functional, efficient computer and network systems has become vital to most dealerships Original Equipment Manufacturers (OEMs), and Retail Service Providers (RSPs). The use of computers and the Internet has simplified essential tasks such as data creation, storage, access and exchange. However, the added conveniences, particularly of the Internet, have brought additional threats to individual computers and businesses as a whole.

As computer technology has advanced it has become less likely that problems with a system originate with the flaws in the computer's hardware. The introduction of malicious software to systems from the Internet and internal sources has become one of the biggest threats to information security and computer productivity. Malicious software is defined as any software that attempts to subvert the confidentiality, integrity or availability of a system. Spyware, viruses, worms, logic bombs, trapdoors, and Trojans are all considered malicious software. These unwanted intruders cause a variety problems, from slowing computer-processing speeds, which can reduce productivity, to outright stealing of privileged information, which could lead to liability.

Because the industry has become dependent on computer technology to conduct business, protection must be a priority. Desktop Management is a combination of products and solutions (i.e. Virus software, Anti-Spyware, Patch Management) to help facilitate keeping the desktop running at peak efficiency. These products do many things including protecting your personal computer (PC) from viruses and other malicious software to detecting patch application and operating system vulnerabilities.

This section will discuss the different types of malicious software, what effect they have on the PC, and what can be done to help prevent them from infecting a system. There are many products that help to protect against malicious software. Unfortunately there is no one, PC or server based, product that does it all. In this chapter, the DIG is going to examine the different tools and procedures that can be followed to help avoid these problems.

A tremendous amount of time and effort can be saved by standardizing the equipment and software that is utilized by the dealership. This means that the majority, if not all, PCs in the dealership should be built on the same hardware and software platforms. Adopting this practice will streamline deployment and simplify training and support for users and staff.

These are some benefits of having standardized systems:

Malicious software is any software that the user did not authorize to be loaded or software that collects data about a user without their permission. The following is a list of terminology commonly used to describe the various types of malicious software:

Attacks using malicious software are growing in number and sophistication. Antivirus, Anti-Spyware and other protection products continue to play a game of catch-up. New, increasingly complex variations are continuously being introduced and can sometimes spread widely before protection software companies deliver the latest detection strings and solutions.

Dealerships need to develop a malicious software strategy that clearly outlines the objectives and procedures for malicious software control and recovery. Introducing security measures can involve some risk and these practices should be done under the advice of qualified dealer network management.

A recovery and containment procedure should be developed as part of an organization's malicious software strategy. The recovery procedure should also outline the process for making users aware of their requirements to report and act in the event of a virus contamination.

The principle requirements of a recovery procedure are:

There are a wide variety of security products that can be incorporated into your overall security plan. Below are some of the key requirements to look for in different types of protection.

Patch Management Software:

Anti-virus, Anti-Spyware and other Protection Software:

Active Content Filter:

Both PC and Server based security options are available. Generally server based security products, particularly for anti-virus and Spyware, are considered superior because they block threats before they reach the individual PC level. However, server based products have an increased degree of complexity and need to be administered by qualified network management.

With the increasing threats to you networks and individual PC's it is tempting to install as many security products as possible. In theory this sounds like a good idea, however, installing multiple competing products can lead to serious problems. When changing brands or vendors make sure previous versions are uninstalled.

In networks that use centralized administration all servers, services and computing resources including support staff are located in centralized data center. This data center may be onsite or in some cases such as large OEMs located remotely. Centralized administration offers the best control over change management, version control, security management and other service continuity management issues. However, reliable high bandwidth WAN links to all sites will be necessary to deploy this type of network management.

More information on these subjects can be found on the NADA website at the following link: Http://www.nada.org

Software piracy is the unauthorized copying or distribution of copyrighted software. When you purchase software, you are actually purchasing a license to use it, not the actual software. The license is what tells you how many times you can install the software. If you make more copies of the software than the license permits, you are breaking the law. Whenever you are copying, downloading, sharing, selling, or installing multiple copies of software onto personal or work computers, you are committing software piracy.[Ref_Software_Piracy_Definition]

Types of Software Piracy include:

[Ref_Software_Piracy_Types]

Using unlicensed software in your dealerships poses a significant risk to your dealership(s) in terms of potential fines, audit and legal fees, additional software licenses and maintenance fees, business disruption, and reputational damage. The risk of being audited by a software vendor has risen greatly in recent years, and the consequences can be substantial.

For dealers the best way to avoid being fined for software piracy is to develop an internal software management plan. Though this can be complex, resource consuming, and frustrating, the software purchaser is responsible for complying with the software license agreement. Internal auditors can help reduce the risk of adverse software audits by ensuring that an asset-management process has been implemented and that the dealership is prepared for a possible audit. As part of the software asset-management plan, the organization should review all software license agreements, perform a self-audit, and correct identified licensing deficiencies.[Ref_Software_Piracy_Audit]

With a business climate notable for rapid change, dealer owner/operators contend with reduced cycle time and the need to continually adjust their operations to meet new product launches and emerging market conditions. Important training and marketing information can be effectively communicated using existing and new content delivery methods. Multimedia delivery is the distribution of rich multimedia content to users. Multimedia content is the presentation of integrated text, graphics, video, animation and sound.

OEMs and third parties deliver diverse types of multimedia content, through a variety of media. While CDs and DVDs remain popular, the internet also has become a primary means of distribution, via webinars, webcasts, chat sessions, blogs, and social media sites.

Inevitably the dealership will be presented with one or more types of multimedia content. Becoming familiar with different aspects of multimedia delivery and how it fits in the overall dealership infrastructure will help in preparing for the costs and logistics of implementation. Some Multimedia technologies can be bandwidth intensive making it difficult or impossible to function on low speed connections such as dial-up and may impact performance on shared connections.

Adobe Flash and Microsoft Silverlight are browser based animation technologies with optional audio and video. Bandwidth consumption ranges from low to high depending upon the amount of video and audio content used, and typically uses less bandwidth than traditional video files.

Streaming media technology delivers audio and video to the PC via the Internet. Streaming media is used for distance learning, corporate communications, and product training and marketing. Two common approaches to streaming media are “progressive download” and "true streaming". Streaming media files can be produced at different quality levels. The quality is in large part determined by the encoded bit rate. The higher the encoded bit rate the better the quality. Higher quality presentations will be larger in size causing a greater demand for bandwidth. . In some cases the user can select a presentation with lower bit rate which requires less bandwidth. However, this option will provide a lower quality presentation and may not be the best choice if attention to detail is needed.

Progressive download refers to online media that users can watch as the files are downloaded. Because progressive download material is placed on a standard HTTP or FTP server, it is easier to administer, and generally introduces fewer problems with firewalls. Progressive download is strictly an on-demand technology and does not work for live broadcasts. Progressive download delivery is well suited to short movies that you want to be viewed at high quality, such as movie trailers and product advertisements. Progressive download is not a good solution for long videos or material the user may want to randomly access, such as lectures, speeches or presentations. Progressive download caches the content so subsequent viewing will run locally, avoiding impact to the network and may allow media files to be saved for redistribution. Higher quality presentations will have longer download duration than those of lower quality. Higher quality presentations will have a greater delay allowing a portion of the content to cache before viewing begins. Progressive download may tie up a great deal of bandwidth during the download so it is suggested to this at times when computer activity among the users is lower. This option may be a good alternative for dealerships with lower bandwidth and when firewall constraints prevent streaming.

True streaming refers to technologies that deliver media in real-time. True streaming delivery is well suited to live events. It also supports random access of material, so the user can fast forward to other parts of the video. True streaming uses special network protocols, such as RTSP (Real-time Streaming Protocol), MMS (Microsoft Media Server) and RTMP (Real-Time Messaging Protocol). These protocols can sometimes have trouble with firewalls, so viewers may not be able to see true streaming material from certain locations. True streaming media requires special servers, these servers give you a greater level of control over media delivery but can be more complicated to set up and administer than a standard HTTP server. Higher quality presentations require proportionately more bandwidth because they stream in real time with a nominal amount of buffering. True streaming will use network resources each time they are viewed and typically cannot be saved and redistributed.

Popular types of streaming media are Real Systems Media, Windows Media, QuickTime and Flash Video.

Webinars (or eSeminars) and Webcasts are online tutorials and presentations which make use of one or more of the above technologies for delivering multimedia content. Browser plugins are usually required, and bandwidth and system memory usage will vary depending upon the technology, and the type and amount of content. Closing other applications while working with this content is usually good a precautionary step to avoid a system slowdown.

Multimedia content can be delivered via the Internet, or by more traditional methods such as CDs and DVDs.

No single recommendation can be made for Multimedia delivery. Decisions MUST be made on individual dealership needs as well as OEM and third parties offerings. Dealerships should consider the following criteria in determining if and how to make use of Multimedia content:

With the growth of the Internet, telephone companies and Internet Service Providers (ISP) have created numerous products offerings. The most promising offerings were evaluated to determine possible solutions for a dealership’s Internet access needs. A summary of each these methods including their strengths is listed below.

Traditional network access has been offered in the form of dial-up, leased, satellite, or Integrated Services Digital Network (ISDN) products (ISDN has moved to more of a backup strategy, but is still a viable option) There is widespread availability of these methods.

Their capacities have range from low-speed 28.8Kbps dial-up (about 29,000 bits per second) to moderate speed 1.5Mbps leased lines (about 1.5 million bits a second).

Cost will vary depending on type and speed of access. Dial-up connections can use an existing telephone line with an inexpensive modem. ISDN and leased circuits require special connections and equipment and installation costs alone can approach $2,000. In addition monthly fees can be more than $1,000. Because these products have been available for some time, suppliers can easily match requirements to the various products. When searching for a product, make sure you check with different providers. These different providers can offer different pricing depending on the area and services available.

Emerging technologies can be found in newer products such as Digital Subscriber Line (DSL), aggregate dial-up, cable modems, wireless access, and enhanced satellite. These new products provide high capacity, ranging up to 10Mbps, at costs that rival older technologies. However, since development and deployment of these technologies is ongoing, availability is often poor and suppliers have difficulty matching products to needs. However as these products mature, those problems should be remedied. Also, when looking at these new solutions, verify that there is a Service Level Agreement (SLA) associated with the service.

At the end of this chapter, a recommendation is provided based on the overall strengths and weaknesses of each access method. It will help to decide which Internet connection method is right for the dealership. Individual decisions are guided by availability of service, capacity requirements, and cost for the dealership. Products with high ratios of bandwidth to costs, like DSL, are usually the most attractive but may not be available in some areas. Therefore, a more traditional service may have to be used. Because the market constantly offers new products, it would be wise to avoid any long-term commitments to connection services. Reviewing connection alternatives on a yearly basis will allow dealerships to take advantage of new products or downward shifts in current product pricing.

Businesses connecting their local networks to the Internet today are placing a great deal of attention on the Service Level Agreement (SLA) that they receive with their Internet connection. The SLA will detail the Quality of Service (QoS) that the provider offers with their service – in other words, their guarantee that the connection and the service will deliver as promised. In the past, suppliers have avoided making these kinds of guarantees. The large number of suppliers and a lack of coordination between them made it difficult to measure and track performance. As the Internet has matured, aggressive suppliers are concentrating more on customer service. Some Internet Service Providers (ISP's) now offer SLA's that differentiates them from competitors, and they can demand the same high-quality service from their suppliers. SLA's should cover such topics as connection availability, performance, and response time when outages or problems occur.

Connection availability is the amount of time that the connection is "up" and usable. Uptime figures usually exclude planned maintenance periods. Promised connection availability of 99.9% can be obtained. Standard SLA's usually offer something a few tenth of a percent less than that. SLA's designed for business users will have higher guarantees. Gray areas can exist when using separate Internet Service Providers and telephone carriers. An ISP may have a problem receiving traffic from the dealership. The dealer would consider the circuit unusable. The carrier may consider the line up if that the circuit is alive at both ends. Confusion over configuring and provisioning circuits is often blamed on the other supplier. It is best to combine elements of SLA’s so suppliers reselling services cannot hide behind another supplier’s lack of quality service.

Performance is measured both by the consistency of the connection and by the amount of data that can be sent using the connection (the bandwidth). Consistency guarantees are usually measured by the amount of latency on a connection. This is determined by sending traffic (called pinging) from one end of the network to the other. Performance SLA’s are restricted to the portion of the network that the carrier controls. Since the carrier is not providing a telephone or leased line directly from the dealership to the OEM’s data center, they must hand traffic off to other carriers. Once it has been handed off, the carrier will no longer guarantee its speed or even its safe arrival. Carrier SLA’s cover performance from the dealership router (the beginning of their network) to the point where they exchange traffic with other carriers (the end of their network). As a guideline, round-trip latency within the United States should be less than 85 milliseconds for wired connections. Watch the wording of performance SLA’s carefully. Find out how many exchange points traffic will have to go through. With the involvement of additional carriers and exchange points, the additional complexity can effect performance.

The bandwidth of the connection is measured by the amount of data that can be sent over the connection each second. SLA’s should clearly state the promised bandwidth. For connections that do not provide consistent bandwidth, the guarantee should be based on minimum performance. If the connection does not provide equal bandwidth going to and from the dealership, both minimums should be listed. Bandwidth can be checked by sending a large file over the network using a utility program that employs the File Transfer Protocol (FTP). These products are publicly available. You can also use performance tools that are available on some websites. The “Useful Websites” listing at the end of this chapter contains a link to such a site.

Problems never seem to be resolved fast enough. In order to make sure that the dealership has an acceptable level of service, the SLA should detail when service is available as well as how quickly response is expected. This is especially critical with telephone circuits, because a physical repair may be required to solve the problem. Consideration should be given to the need for support on the weekends or late at night. A Standard SLA offers daytime/workweek coverage. Business-level offerings can add later hours and weekend coverage. If charges are incurred for problems after hours, the charges should be noted. If necessary, full 24/7 coverage can be obtained.

All guarantees made must be measurable and monitoring the service will verify that guaranteed service levels are being obtained. Carriers should be asked to provide statistical reports on a regular basis to quantify their performance. The SLA should also detail the penalties that can be imposed on the provider if the service is not delivered as expected. Generally, these penalties are limited to credits applied to the account with the carrier or service provider.

All access methods are grouped into two categories: wired and non-wired. Wired methods can be broken down further as dedicated line and non-dedicated line.

What is the impact on network performance as more users are added to the network? Will the connection that is planned for installation now for use by six users handle the addition of 10 more users over the next year? It is not always possible to estimate this accurately. Carriers and ISPs may have some formulas that predict needed bandwidth based on the numbers of users. The nature of Internet usage, dealership processes, and data communication protocols make it difficult to obtain meaningful predications. It is important to consider the maximum number of users that will be using the Internet at any one time (concurrent users). Also, consider whether fixed bandwidth is required. If variable bandwidth is acceptable, base requirements on the peak usage period in the dealership. Once the connection is in use, review its performance on a monthly basis using reports showing average and peak usage provided by the carrier.

Preliminary estimates indicate that dealers will initially need at least 128Kbps of bandwidth. As more applications become available, and as more employees in the dealership use the Internet, the bandwidth requirements will increase. These figures are generalizations based on a study of traffic between dealers and OEM’s only. Individual dealers may have a greater or a lesser need. Bandwidth will have to increase if a significant amount of traffic is present to and from other websites.

Installing a connection now that cannot have its bandwidth adjusted later may not be a wise move. Consider options for increasing and decreasing the bandwidth capability for the connection before ordering the connection. If the connection has little or no growth beyond the bandwidth estimate for the dealership, it probably is not the correct choice.

No matter what type of wired telephone circuit is ordered the Local Exchange Carrier (LEC) is responsible for installing it at the site. Depending on the rules from the LEC, the point of installation can vary greatly. The spot at which the LEC terminates the circuit in the building is referred to as the point of demarcation (D-marc). In most cases, the LEC will terminate the circuit at the Minimum Point of Entry (MPOE) inside the building. Normally existing voice circuits would be located at the same spot. If the circuit needs to be continued into another portion of the building to be located near computer equipment, the wiring must be extended. In cases where the LEC is unwilling to extend that circuit themselves, the dealer or another supplier is responsible to provide that wiring extension. When the circuit is initially ordered, find out where the circuit will be terminated and whether the LEC will extend the circuit. If need be, arrange for the extension from another supplier. Waiting until the circuit is installed can cause a delay of several weeks. The circuit will not be usable until the wiring extension is performed.

Please refer to specific OEM addendum for details.

No communications method is perfect. Despite promises made in carrier SLA, connections will go down occasionally. Remedies under SLA’s only include fees paid for inoperative circuits. Larger sums of money may be at stake in the form of lost business if the connection is down for an extended time. While most connection outages are very short in duration, a backup for that connection is still a requirement. This backup should be a dialed connection attached to the router. The router should have the intelligence to sense that the primary line is down and automatically activate the backup line. In most cases, the dealership users will not even realize this has happened. Once the router sees the primary circuit working again, it will drop the dialed connection. Care should be taken when setting the router‘s sensitivity to circuit outages. Connections can drop for a few seconds quite frequently. If the router is too quick, it will dial a new connection when one is not necessary. Each dialed connection increases the backup cost. Likewise, connections being reestablished often come up briefly, go back down, and then come up for good later. If the router is too quick to drop the dialed connection, it will only have to redial the connection right away.

For smaller dealerships whose total bandwidth is not much more than the minimum 128Kbps, a dialed backup providing 56Kbps is sufficient. Dialed connections with lesser bandwidth may work but performance will be noticeably downgraded. Larger dealers that require primary connections well above the 128Kbps minimum may need to explore the use of ISDN, DSL, or dialed backup connections. The greater the bandwidth on the primary connection, the greater the backup bandwidth should be. Again, the dialed connections will work, but the lower capacity is noticeable to users and it will affect their productivity. It is quite common to see installations with dedicated or frame relay service using ISDN backups instead of standard dialed connections. Backup communication connections should be checked at least monthly. Nothing is more frustrating to systems administrators than having their backup plans fail. The whole goal of the backup connection is to function in a crisis. When it does not, the dealership loses productivity and the system administrator looks foolish. This backup configuration can be tested by simply disconnecting the primary connection. Within the set time the router should open the backup connection. Once that has been completed, reconnect the primary connection, and the router should drop the backup connection again after the set time.

In worst-case scenarios, it would be wise to keep a dial-up account that can be used from a single PC in the event that access from the LAN cannot be made through the router. This would be caused by the failure of the primary and the backup connections or, more likely, a hardware failure by the router. This secondary backup method will not perform very well, and it cannot service every dealership user at the same time. However, it will serve well enough to transfer parts orders before the shipping deadline, or car orders before the allocation closes.

There are several different methods available that allow access to the public Internet. Each has advantages and disadvantages. The number of PC’s, cost, availability, as well as the anticipated number of concurrent users, need to be factored into the decision process. While the final decision is the dealerships, a table is provided in Recommended Access Methods section to give some assistance in the selection. In order to avoid installation and connection delays, determine where the chosen access method will be terminated, as this point (demarcation) may need to be extended to a different location in the building.

Along with the primary public Internet access method, a primary backup method (usually connected to the router) with an ISDN or telephone line will allow for the continuation of business, but with an impact on performance. An alternate backup method is highly recommended in case of a major failure, such as a nonfunctional router. A dial-up connection from a stand-alone PC would allow access to the public Internet until the primary or the primary backup solutions are in place. The backup solution should be tested on a regular basis to ensure functionality in the case of a real outage. Since the Internet technology is changing at such a rapid pace, keeping the Internet access method contract to as short a term as possible is highly recommended. A month-to-month contract would be ideal and a two-year contract should be considered the maximum.

Internet content filtering is just one part of a complete security solution that is necessary to protect a business against Internet risks such as viruses, malicious code and Internet misuse. However, providing access to the Internet brings many capabilities to a dealership including email capabilities for communicating with customers and suppliers, web sites containing information important, if not critical to daily business operations, manufacturer applications, and instant messaging. The challenge is to provide access to the beneficial aspects of the Internet while protecting corporate users and assets from the potential hazards.

Internet content filtering should not be confused with virus protection. Virus) protection is used to stop a virus from being transferred to a user’s computer. Internet content filtering is used to restrict a user’s access to certain information or their ability to release information outside of the work environment. Internet content filtering screens information leaving the company network as well as information entering the network. Information that a company may identify as warranting filtering often includes confidential company and employee information, discriminating or obscene material. The content restriction may be applied to an entire company, specific groups or individuals.

Many companies are taking steps to monitor and limit network usage by implementing Internet content filtering products. These products can be strictly software or a combination of hardware and software. Typical sites that may be considered for filtering include those that carry illegal copyrighted material, adult content, games and high bandwidth audio and video streams. Restricting access from certain Internet sites poses a challenge due to the sheer number of new sites that appear daily. For that reason, many content filtering vendors constantly update lists that categorize the types of Internet sites. These updates are usually offered as a subscription download service. Filtering products can also provide reports on what type of usage patterns exist in a dealership. By monitoring usage patterns, companies can begin to proactively mitigate the risks and cost of sensitive information losses, bandwidth overload and employee issues.

To complement filtering tools, employees need to understand the importance and benefits of content security. Dealerships should create a written Acceptable Usage Policy (AUP) document. The AUP will help employees to understand how to use network assets. The purpose of an AUP is to encourage employee behavior that will increase network security, limit legal liability, improve employee productivity and maximize network bandwidth. If monitoring is conducted without employee knowledge it could be counterproductive to the very goals it is attempting to achieve. The most benefit will be derived from programs that utilize monitoring tools in conjunction with employee training in the areas of information security and appropriate uses of company resources. Electronic surveillance laws vary by county, state and country so be sure to consult with a legal advisor before implementing any monitoring program.

Content filters can use a variety of methods to evaluate content. The most common are:

Filters can be used to evaluate email content, browser and instant messaging activity. One example is email blocking. Incoming emails are blocked using a scoring system based on certain attributes present in the email and/or based on the sender’s email ID or other system information. Specific filter lists may also be established by administrators or users to block specific emails.

Increasingly, filtering packages are using both site blocking and keyword blocking usually with a Graphic User Interface (GUI) to ease administration.

Additionally, web-rating systems can be built into web sites and browsers by the authors. The system works by rating web sites by content type. A content advisor setting in the web browser can be configured to accept or reject content based on rating levels. The most well known rating system is called the Platform for Internet Content Selection (PICS), developed by the World Wide Web Consortium (W3C). For example, in Microsoft Internet Explorer, ratings can be administered under the Tools Tab / Internet Options / Content Tab / Content Advisor Enable Button. This feature is a standard component of Internet Explorer. Note that participation in web rating systems is voluntary and therefore it is not guaranteed that all sites will have ratings.

Content filtering products can use the techniques below to block a request. The filtering may be applied to emails, web content, or downloaded content.

There are a number of things that user training can address related to secure Internet usage. These include, but are not limited to:

In addition, more information for Internet Explorer can be found at:

http://www.microsoft.com/windows/ie/default.mspx

The single most effective step users can take to protect the network is not opening unknown email attachments, even if they are from an email address they recognize. This is the most common method virus writers use to spread their virus.

There are four options for content filtering: Client based software, server based software, stand-alone appliances (hardware) and managed service.

Some Internet Service Providers (ISP’s) provide content filtering as part of a business grade broadband offering. Check your local ISP offerings for more information.

Dedicated content filtering systems can enhance network performance and control bandwidth usage. Content filtering products may also be used in conjunction with firewall port blocking. For more information refer to Dealership Security.

The following links provide for reference only and it does not imply endorsement of any company or product.

Content Rating

Security

Sample Usage Policies

Other

There are several laws that affect how dealers handle and share customer information. Laws change from time to time and it is important that the dealership team be vigilant about understanding current and new laws that apply to the dealership.

We strongly recommend a review of a detailed guide for dealers as a first step in developing safeguard programs. There are two areas for research, the first guide, "Safeguarding Customer Information," has been developed by NADA and can be ordered from their web site, www.nada.org. It provides guidelines for dealers as they develop and administer an effective program to comply with the Safeguards Rule.

It is also recommended that the dealer reviews all the necessary information located at the FTC website for implementing Red Flag Rules and determining what activities are considered to be Red Flags. NADA has developed a management guide, "FTC Red Flags and Address Discrepancy Rules: Protecting Against Identity Theft," that may be ordered on the NADA website. In addition to researching the legal requirements a dealer should contact vendors they work with and make sure to have a Service Level Agreement (SLA) from them that includes compliance with the Rules.

Because of the seriousness of the GLB Act and the potential for a significant amount of liability from its noncompliance penalties, dealers should consider consulting legal counsel.

Creating a backup plan can be a difficult task. However having a backup capability will not do any good if there is no plan to implement and maintain it. This includes ensuring that dealership personnel are fully aware and comfortable with the functions of the plan. It is also important to understand what needs to be protected and how to maintain that information for retrieval when needed. Some of the reasons for Business Continuation and Disaster Recovery are:

Before you begin your planning you first need to understand the difference between business continuation and disaster recovery.

Disaster recovery - The recovery time objective (RTO) is the maximum tolerable length of time that a computer, system, network, or application can be down after a failure or disaster occurs. The RTO is a function of the extent to which the interruption disrupts normal operations and the amount of revenue lost per unit time as a result of the disaster. These factors in turn depend on the affected equipment and application(s). The RTO is measured in seconds, minutes, hours, or days, and is an important consideration in disaster recovery planning (DRP). (whatis.com)

Business Continuation – A Business Continuation plan looks at the immediate and temporary restoration of critical business functions so a company can survive a disaster. A BC plan does not address the complete restoration of a business to its pre-disaster condition. (Mehling)

The main purpose of risk analysis is to help the dealership identify all the areas for which there may be a risk of loss. This can be hardware, software, building, personnel, etc. After the various items have been identified the dealership can identify the level of each risk and determine how that risk affects the dealership.

As with any level of risk the actual loss that is felt is completely determinate on the level of protection that already exists. To understand how to mitigate these and other risks go to the Mitigating Risk section in this chapter

To help identify some of the various categories of risk, below is a list of some of the risks that a dealership may be faced with. Review the list below:

Important emerging trends in Information Technology can be summarized as Service Based paradigm and Virtualization. With “Service Based paradigm” we condense different acronyms such as Service Oriented Architecture (SOA) and the popular concept Cloud Computing that has relevant business implications. “The main enabling technology for cloud computing, is virtualization. Virtualization provides the agility required to speed up IT operations, and reduces cost by increasing infrastructure utilization”(Wikipedia).

Virtualization, in computing, means to create a virtual version of a device or resource, such as a server, storage device, network, etc. where the “framework” divides the resource into one or more execution environments. Applications and human users are able to interact with the virtual resource as if it were a real single physical resource.

For instance in a traditional environment if you have 12 different applications (such as DMS, e-mail, CRM, workflow management, HR, etc.) you often have 12 different servers, one for each application (to simplify application management and resource management); in a virtualized environment you can have only 1 actual server with 12 virtual machines on it, while each application believes to run on a physical server. Obviously the new server has to be much more powerful than each single server, but definitely less powerful and much cheaper than the sum of the 12 different servers.

In a dealer environment the most relevant areas for virtualization are Server Virtualization and Client Virtualization, both are interesting and assure consistent savings.

Unfortunately the architecture of today’s X86 computers comes from Personal Computer architecture: they are designed to run just one operating system and application at a time. As a result, even small data centers have to deploy many servers, each often operating at just 10 percent to 30 percent of their capacity.

Virtualization software solves the problem by enabling several operating systems and applications to run on one physical server or “host.” Each self-contained “virtual machine” is isolated from the others, and uses as much of the host’s computing resources as it requires.

The main benefits of Server Virtualization are:

Three products support virtualization of Windows and Linux (the most popular operating systems) and their main applications: VmWare (by far the market leader), XEN (an Open source product, initially developed by University of Cambridge Computer Laboratory) and Hyper-V (by Microsoft).

VmWare has developed different products to virtualize the data centers and to manage them, and sell them with different offering criteria, trying to satisfy both large enterprises and very small organizations. Dealers should spend some time to understand which is the best choice for their needs.

For instance vSphere (a data center virtualization product) is sold through the following licenses: Enterprise Plus; Enterprise; Standard; Essential plus; Essential. Each license provides for different types of use and functionality.

Almost all the new applications run on VmWare, for instance, but some old applications might have problems. Therefore before moving or buying an application it’s important to check with the software providers if it runs in a virtualized environment.

Client Virtualization, often dubbed Desktop Virtualization, is the concept of separating the logical desktop environment seen by users from the actual machine (normally a PC). Applications and data run on a remote system, with only display, keyboard, and mouse information communicated with the local client device, which may be a traditional PC, a thin client device, or even a mobile device (tablet or smartphone).

There are different possibilities to virtualize the user desktop, a basic classification, based on hardware choice, is:

The thin client choice is getting more and more popular because of its many advantages: reduced power consumption, central management and increased security, not to mention the fact that they are cheap and simple.

When calculating electricity savings, also the air conditioning has to be considered; in some cases electricity saving alone could justify the replacement of all desktop PCs with thin clients (with an ROI of less than 3 years). Reduced maintenance costs are another advantage.

Centralized management is probably the most interesting possibility offered by thin clients: software updates can be performed instantly, and for instance you can automatically apply profile policies to groups of thin clients with similar configurations and even switch them on and off automatically at a predefined time.

Increased security is another good point, because no virus exists for thin clients and back-up can be managed and performed centrally, at server level. Through desktop virtualization users can only use the system for company needs, because they don’t have admin authorization to install software and USB ports can be eliminated or disabled: this improves security

Thick clients are an appropriated choice when a laptop is needed (e.g. when connectivity is not assured or local applications are needed) and benefits of client virtualization (mainly centralized management and back-up) are desirable.

Another possibility is to reuse old PCs as a client. Indeed the hardware requirement for a thin client is very low (e.g. 1 GB RAM and 1 GHz processor), thus making possible the use of the old PCs as “dumb terminal”, for instance loading Linux via network (e.g. etherboot). This approach extends the life of old PCs, allowing to delay hardware replacement.

The following table summarizes main pros and cons of the different solutions:

Where: “+” means “worst , low grade” and “++++” means “best, very high level” *) Note: for TCO (Total Cost of Ownership) “+” means maximum cost, while “++++” is minimum cost.

In some cases different devices can be used by the same person, for instance a Thin client plus a Mobile client (e.g. iPad) when travelling.

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (NIST definition - National Institute of Standards and Technology).

Cloud computing relies on sharing resources to achieve economies of scale, similar to a utility (like the electricity grid) over a network. At the foundation of cloud computing is the broader concept of shared and standardized services, exploited with a consumption model.

Accordingly to NIST, the cloud model is composed of three basic service models:

E-mail and CRM are already used by many dealers with a SaaS model. Many DMS providers (such as CDK and R&R) are already offering something similar to a SaaS model for their DMS (almost all the current DMSs are not designed to be “in the cloud”, but have been adapted to be used via internet). The other 2 models, are rarely adopted by dealers with few exceptions (e.g. IaaS for disaster/recovery is an interesting option).

To be really effective cloud computing requires service standardization, it doesn’t matter if officially defined (such as ISO documents) or “de facto” (such as iOS APIs by Apple). Through standardization, interfaces complexity and integration issues are addressed and misunderstandings are minimized.

Unfortunately this is an evolving field; at technical level some standards are emerging, as WSDL (Web Services Description Language), HTTP (Hypertext Transfer Protocol), Jason (JavaScript Object Notation), REST (Representational State Transfer) and HTML5. Unfortunately the semantic level, i.e. defining and standardizing the business objects (e.g. defining a vehicle), is far from being achieved, in spite of STAR efforts within automotive retail business.

When deciding to leverage a SaaS offering, a preliminary analysis of possible integration issues (e.g. integration between DMS and CRM, if supplied by different vendors) and a specific focus on data ownerships and usability (also after contract termination) is recommended.