December 18, 2011

Day 18 - Why Businesses Do Things

This was written by Joseph Kern.

Imagine your whole professional career as a sysadmin and you never understood the OSI model. Those seven simple layers that allow you to build an effective internal framework of network communications. Without this model how would you even begin to understand larger and more complex systems or the complex interactions between multiple systems?

You might get by for a time; hard work and dedication can take you a long way. But you would never be able to progress beyond a certain point. The problem space becomes too complex to brute force.

Now imagine that successfully managing and running a business is at least as complex as managing a network. Managing 1000 computers is much easier than managing a business of 1000 people. I'd like to take you into the shallow end of business management and show you how the services that we sysadmins maintain are viewed from a business perspective.

Fortunately this framework is simple and avoids any hand waving. We just need this three-word phrase, "differentiation and neutralization."

Differentiation builds services that create competitive advantage. Neutralization builds services that seek to maintain competitive equilibrium. This interplay is the heart of what drives business and directs the supporting activities of enterprise level IT. Working DNS is needed for almost all aspects of modern enterprise IT infrastructure, and it will serve as a technical example for this discussion.

Building services that neutralize competitive advantage usually involves buying solutions; these are often disguised as "industry best practices", and have many accompanying white papers offered as proof. More often than not this niche is filled by Microsoft or other large software vendors. You can buy your way out of a problem.

When building a DNS service it is most often thought of as a way to neutralize the advantage of other organizations. Seldom is thought given to how an organization might run DNS 30% "better" (not necessarily faster or any particular quality) than its competitors. In most cases, "better" would not matter at all.

"Better" does not create an advantage with a neutralizing service. Instead, it in fact creates a disadvantage. Time, attention, and resources are being funneled into a project that creates no value from a business standpoint. The business does not (and should not) care about innovating in services that they consider neutralizing. (See footnote #1)

Building services that create competitive differentiation is much different than neutralization as most of these services are built rather than bought. These tend to be very custom to the environment. The prime consideration for these services is adaptability. You must be able to extend the software providing the service as this allows you to outmaneuver your competition. You are able to think your way out of a problem.

Turning Neutralizing into Differentiating

OpenDNS took a service that was neutralizing and rebuilt it from the ground up, adding many other services such as anti-phishing, content filtering (based on domain), and reporting. These services created a differentiation in their business model and offered something new to the market. OpenDNS created a reason to build "better" DNS services, as this is their core business model and their competitive advantage.

As it turns out, setting security and content filtering at the DNS level works equally well across all devices all the time and requires no client installation. Now other businesses must appear to neutralize the differential advantage by creating their own services to match. Norton, for example, has followed suit with their Norton Everywhere product offering DNS services that largely mirror OpenDNS. (See footnote #2)

OpenDNS must now continue to differentiate their services from their competitors. OpenDNS recently started offering DNSCrypt, which creates an encrypted channel for DNS queries between the client and the DNS server. Consider it to be SSL for DNS. No doubt, there will be other service providers that follow suit, creating their own DNSCrypt implementations. (See footnote #3)

Why do businesses seemingly chase the tail of their competitors? This is because if an organization declines the opportunity to neutralize the advantage of their competition, they will be excluded from further innovation in this field and may be locked out of the market entirely. A technical term for this is a "feature". As the differentiation of services increases, the cost to enter the market (the table stakes) increases accordingly.

Why Should You Care?

Senior sysadmins and engineers need to not only understand how to build a service, but we must also understand why we are building it and what the business requires from this deployment. Understanding the complete picture, we will understand what technology is required, how it needs to be implemented, and how much effort we should put into a project.

Both the engineer and the business get something valuable from this understanding - keeping time and attention focused on important projects. The next time you are asked to deploy a new service ask yourself (and your management) one simple question:

"Is this a service that neutralizes or differentiates?"

Knowing this helps you set your own expectations. If you find yourself wanting to spend energy improving a service, knowing whether it is neutralizing or differentiating will help you make the case to your team and managers that you should be working on it. Knowing it is a neutralizing service might help you set expectations so that you don't spend time and energy thinking hard about how to improve a service that doesn't benefit the business if improved. That knowledge and those expectations can help keep you from burning out optimizing things that are effectively unimportant.


  1. Why do you think SharePoint is so popular? It's not because it does everything well ...

  2. In the light of Windows 8 coming preloaded with Anti-Virus software, Norton is facing an almost complete lockout of their traditional market.

  3. The great thing about standards, there are so many to choose from.

Anonymous said...

I am familiar with the funny quote about the many standards to choose from but it is inappropriate here: DNScrypt is not a standard in any way, it is pure OpenDNS-proprietary.

There are many standard solutions to do the same (TSIG, SIG(0), IPsec, DNS-over-DTLS, also DNSSEC validation on the host) and choosing one might be difficult. But OpenDNS decided to run their own solution.

Joseph Kern said...

Hi bortzmeyer,

DNSCrypt is an attempt to create a standard de jure. OpenDNS is hoping that their ability to provide application layer confidentiality will provide them with the means to continue their strategy of differentiation and stay ahead of the competition in this space.

I believe DNSSEC only addresses the authenticity of a record and not the confidentiality. Consider DNSCrypt an application layer counterpart to DNSSEC. They do not conflict; they complement.