Factors Shaping the Future of Cloud Computing
By
MASSACHUSENTS INSTITUTE
OF TECHNOLOGY
Steven Francis
JUN 15 2011
BA
University of Washington, 1995
LIBRARIES
SUBMITTED TO THE MIT SLOAN SCHOOL OF MANAGEMENT IN PARTIAL
FUFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF
ARCHWIv
MASTER OF BUSINESS ADMINISTRATION
AT THE
MASSACHUSETTS INSTITUTE OF TECHNOLOGY
JUNE 2011
© 2011 Steven Francis. All Rights Reserved.
The author hereby grants MIT permission to reproduce and to distribute publicly
copies of this thesis document in whole or in part in any medium now known or
hereafter created.
Signature of Author:
MIT Sloan School of Management
May 6, 2011
Certified By:
Professor Michael Cusumano
Sloan Management Review Distinguished Professor of Management
Thesis Supervisor
Accepted By:
Stephen Sacca
4-Sioan Fellows' Program in Innovation and Global Leadership
Program Director
This page intentionally left blank
Sloan Fellow
Francis, Sloan
Steve Francis,
Steve
Fellow 2011
2011
Page 2
Page 2
Factors Shaping the Future of Cloud Computing
By
Steve Francis
Submitted to the MIT Sloan School of Management on May 6, 2011 in
partial fulfillment of the requirements for the degree of Master of
Business Administration
ABSTRACT
Many different forces are currently shaping the future of the Cloud Computing Market. End user
demand and end user investment in existing technology are important drivers. Vendor innovation and
competitive strategy are also important determinants of what cloud solutions will look like in the future.
Regulatory requirements, although they are not intended to, also play an important role. Finally, the
constant pressure on Information Technology departments to provide everything as a business service
has perhaps the most profound influence. When investigated and viewed together, these factors
provide powerful insight into how the Cloud Computing market is likely to evolve.
Thesis Supervisor: Professor Michael Cusumano
Title: Sloan Management Review Distinguished Professor of Management
Sloan Fellow
Francis, Sloan
Steve Francis,
Fellow 2011
2011
Page 3
Page 3
This page intentionally left blank
2011
Fellow 2011
Sloan Fellow
Steve Francis, Sloan
Page 4
Page 4
Table of Contents
1. Objective
2. Introduction
3. Background and Definitions
4. Cloud Enabling Technologies
4.1. Provisoining
4.2. Virtualization
4.3. Software Appliances
5. The Market Today
6. History of Cloud and Shared Services
7. Cloud Market Forces
7.1. Infrastructure As A Service
7.2. Platform As A Service
7.3. Software As A Service
8. Customer Specific Forces
8.1. Virtualization
8.2. Cloud Management and Provisioning
8.3. Privacy and Security
8.3.1. Identity Federation
8.3.2. Security Responsibility
8.4. Regulatory Requirements
8.4.1. Labor Laws and Labor Influence
8.4.2. Net Neutrality
8.4.3. State Data Privacy Laws and Regulations
8.4.4. Federal Data Privacy Laws and Regulations
9. What Customers Did Not Say
10. The Role of Standards
11. Conclusions
11.1. Consolidation vs. Sprawl
11.2. Valuation
11.3. Partnering for Service Delivery
11.4. Regulatory Landscape
11.5. Speed of Change
11.6. Platforms Will Prevail
Sloan Fellow
Steve Francis,
Francis, Sloan
Fellow 2011
2011
Page 5
Page 5
1. Objective
The objective of this thesis is to examine forces that have influenced and continue to
influence the cloud computing market in order to gain predictive power over how this
market might evolve. These forces can be categorized as follows.
1. The History of the Market
2. Current Market Composition and Landscape
3. Vendor Innovation and Strategy
4. Customer Preferences and Concerns
By understanding these forces we can hopefully better understand where the market
will go, including what cloud based solutions will look like in the future and the value that
customers will receive from them. Although "government forces" are not addressed
separately here, I will address this as part of the customer discussions, and throughout
the document.
We will begin with some definitions in order to put the paper in context, review some
market history and the evolution of cloud technology, and will then move on to a snap
shot of the industry today. This will include a review of some vendor solutions and
technologies. Next we will take a close look at customer requirements and preferences,
based on extensive customer interviewing. Finally, I will address how standards might
shape the market and will investigate a couple of specific technologies, and will then
Steve Francis, Sloan Fellow 2011
Page 6
move on to conclusions.
2. Introduction
The amount of written material dedicated to the definition of cloud computing will be
limited, since much has been written on this already. A common definition has emerged
for cloud computing and can be summarized as follows: Internet based services for
software applications, software platforms or hardware that are usually paid for by
subscription. These services are elastic, pay per use, multi-tenant, and managed by a
3 rd
party so that customers need not worry about hardware specifications,
administration or software licenses.
This description, and cloud computing in general, has a lot of jargon, so I will explain a
few important concepts to help clarify. Because the preceding definition may be
somewhat confusing to those outside of the IT field it is worth pointing out some of the
practical advantages for organizations that use cloud based technology. They do not
need to purchase or wait for physical hardware to arrive. No software installations are
required. No system configuration or performance tuning is required. Capacity
planning becomes fairly unimportant. Expenditures for hardware upgrades/refreshes
are eliminated. Costs rise directly in line with usage, eliminating large unplanned
purchases for more capacity. Under capacity and over capacity problems are
eliminated. It is for these reasons that there has been so much enthusiasm about cloud
Steve Francis, Sloan Fellow 2011
Page 7
computing. You may have noticed that most of these benefits sound exactly like
benefits from purchasing software over the web. This is true, although cloud
encompasses far more than just web based software.
3. Background and Definitions
Software As A Service (SAAS) is software delivered over the internet, typically via a
web browser, that provides end user business functionality such as HRMS (Human
Resource Management System), ERP (Enterprise Resource Planning) or SFA (Sales
Force Automation). NetSuite, Workday and Salesforce.com are examples of SAAS
vendors. SAAS solutions are typically paid for on a subscription basis. Technology
Research firm IDC reports that SAAS, or cloud based applications, accounted for more
than half of public cloud revenues in 2009. Over the next four years, all segments of the
"as-a-service" market are forecast to exhibit strong growth, although applications are
forecast to drop to one-third of "as-a-service" revenue, while expenditures on PAAS and
IAAS are forecast to increase (6)
Platform As a Service (PAAS) is software delivered over the internet, which other
software applications can be built on. Such platforms may provide easy to use
frameworks for rapid application development, as well as reusable objects and services
to speed the creation and delivery of new software applications. Examples of reusable
services are email capabilities, calendar capabilities and contact lists. Such
applications, once created, will be hosted with the service provider. Examples of PAAS
Steve Francis, Sloan Fellow 2011
Page 8
solutions are Microsoft Azure, Salesforce.com's force.com platform, Google AppEngine,
Bungee Connect, IBM LotusLive and Amazon Web Services.
Infrastructure As a Service (IAAS) typically refers to hardware that is hosted and
accessible via the internet. This includes storage, memory, network capabilities and
processing power. Rackspace, Amazon EC2, Zumodrive, Drop Box, HP and IBM
Computing on Demand are examples of IAAS solutions.
Even though SAAS has accounted for more than 50% of public cloud expenditures so
far, it seems likely, and congruous with IDC's forecasts, that future investments will
become more balanced across different "as-a-service" offerings. One reason for this is
that a continuum of complexity exists from SAAS, to IAAS to PAAS (figure 1). SAAS
solutions are the least complex, and involve the least amount of vendor lock in and
overall investment along this continuum. PAAS solutions are the most complex, and
represent the highest level of vendor lock-in. For these reasons, it is not surprising that
adoption of "as-a-service" technologies looks like a pyramid, with SAAS at the bottom,
representing the broadest adoption, and PAAS at the top, representing the smallest
adoption. This is consistent with the adoption pattern of most technologies, where the
least risky solutions are adopted first and then later, after the lower risk technologies are
proven, adoption advances to more sophisticated solutions. This is also a consistent
with how vendors have innovated. The leading SAAS vendor, Salesforce.com, was
founded in 1999. Next, Amazon.com, the leading vendor in the IAAS market, launched
their services starting in 2006. Finally, Microsoft and Google launched their respective
Steve Francis, Sloan Fellow 2011
Page 9
PAAS offerings, Azure and App Engine, in 2008.
High Complexity
High Lock In
Many Specialized Skills
Low Complexity
Low Lock In
Few Specialized Skills
SAAS
IAAS
PAAS
Figure 1
Pay Per Use - Perhaps the most important characteristic of cloud computing is that
resources can be purchased on a per use basis. Customers no longer have to buy
quantities of hardware, software and other computing resources to match times of peak
use. Customers using cloud technology no longer need large data centers full of
expensive hardware and software that have an average utilization of 10 to 15 percent.
Cloud vendors will run the hardware and/or software and utilization becomes their
problem. Vendors can achieve higher levels of utilization by mixing workloads and
using virtualization technology, which is transparent to customers. Customers can scale
their use up or down on an as-needed basis and they only need to pay for what they
use. The following graphic (figure 2) illustrates the savings (shaded) that might be
achieved from adopting cloud technologies that are pay per use vs. running all
computing resources in a dedicated corporate data center.
Steve Francis, Sloan Fellow 2011
Page 10
-
required capacity
month end
a
73
'o
|
WASTE
a
E
o
used capacity
30 day period
Figure 2
Elastic - Elastic computing resources expand when needed. This concept is closely
related to pay-per-use, although elasticity is more of a technical concept. Elasticity is a
system's ability to automatically provision more resources when needed, whether it is
storage, memory or other resources. Traditional IT assets that are hosted on-premise
are not elastic. For example, an IT shop might have a software license that allows them
to run a database program on a two CPU machine. This would also require a two CPU
machine to run this software on. Ifthis system ran out of capacity it might require
repurposing or throwing away the old machine, buying a new bigger machine and
Steve Francis, Sloan Fellow 2011
Page 11
additional software licenses for the new bigger machine. With software purchased as a
service, if the user load increases, the vendor provisions more resources as needed
and the customer does not even need to know about it. They are just billed for the
additional use. Elasticity, or provisioning additional capacity in an automated and
efficient manner is one of the qualities of cloud computing that makes it so compelling.
Multi Tenant - Multi tenant resources are resources that are shared by more than one
party. For example, a software application that supports users from multiple
companies, within the same database schema, where data is kept separate through
primary-foreign key relationships, would be considered multi tenant. Or, a machine that
has multiple "virtual machines" running on it, each with its own operating system,
database and platform software stack, would be considered multi-tenant. Multi tenancy
can be achieved in a variety of ways and multi tenant resources may be found at any
layer of the IT stack. Multi Tenancy is typically of much greater benefit to the vendor or
service provider than it is to the customer. Multi tenancy allows vendors or cloud
service providers to achieve high levels of efficiency and utilization. Theoretically,
customers should not care whether a cloud application is multi tenant or not, as long as
their service levels are met. However, due to legislative, privacy and security issues,
they often do care, and I will explore this more later.
On Premise - Infrastructure or software that runs in a data center or facility owned by
the entity using it is considered "on premise". This is the traditional computing model.
2011
Fellow 2011
Steve Francis,
Francis, Sloan Fellow
Page 12
Page 12
Off Premise (hosted) - Infrastructure or software that runs in a data center or facility that
is not owned by the entity using it is considered "hosted" or "off premise". Cloud
resources are hosted, or off-premise.
Public Cloud - A public cloud is any cloud "as-a-service" solution that is hosted by a
vendor that supporting multiple customers. IDC predicts that by 2014, public cloudrelated projects will account for one-quarter of net new IT product spending growth (7).
Private Cloud - A private cloud is any cloud infrastructure or software that is hosted in a
corporate (or government) data center that supports internal customers. Such
customers are typically different departments or groups of employees within the same
organization.
Hybrid Cloud - A hybrid cloud is a combination of private and public clouds.
Increasingly, it is likely that more cloud environments will be defined as hybrid. Hybrid
clouds are characterized by services that may be delivered to the end customers either
by an internal IT group, or by 3 rd party cloud service providers, depending on which
makes the most sense in terms of cost, control, privacy/security and other factors. The
end user likely has no idea where the services he is using originate from.
4. Cloud Enabling Technologies
4.1.
Provisioning
Steve Francis, Sloan Fellow 2011
Page 13
Workflows and processes that define how services are deployed to new or existing
customers are commonly called "provisioning" processes. Provisioning processes exist
for adding a new customer, adding a new service for an existing customer or removing
a service from an existing customer (de-provisioning). Provisioning processes must
include both technical and business functions. New customers must be set up for billing
and invoicing, and they must also be provided with the services that they ordered, which
includes system resources, security credentials and instructions. Cloud customers are
also typically given the ability to perform some level of customization to the services
they receive. Examples of such customization are as follows:
" Adding configuration information to integrate with a corporate directory such as
Active Directory, or another LDAP directory
" Performance and service level options
" Backup and recovery options
" Encryption options
" Changing fonts, colors, logos or other branding information
This is just a few examples of customizations that might be part of a provisioning
process. Deploying services to new customers quickly and easily is part of what makes
cloud computing so attractive. Generally, provisioning of cloud services tends to be
more automated than with traditional services. This is because multiple customers may
be supported, which makes repeatability, and investments in automation for customer
Steve Francis, Sloan Fellow 2011
Page 14
on-boarding, very important.
4.2 Virtualization
Virtualization, or "server virtualization", makes one machine look like many machines. It
enables the simultaneous operation of multiple operating system environments on a
single machine. Each environment appears to be a unique physical machine.
Virtualization is an extremely important concept in cloud computing. It is a key enabler
of cloud infrastructures. During my cloud customer interviews, when I asked customers
which vendor was most important to their cloud strategy, each customer cited their
virtualization vendor, without exception. Although virtualization is not a "cloud"
technology per-se, it is one of the main enablers of cloud computing
Server virtualization is enabled by the use of Virtual Machines. Virtual Machines have a
management layer called a "hypervisor" that enable the core virtualization functions.
There are two types of hypervisors, Type 1 and Type 2. Type 1 hypervisors run on bare
metal and enable the provisioning of virtual machines at the hardware layer. Type 2
hypervisors run on a host operating system (2, Rhoton, pg 39)
Thanks to virtualization, when a SAAS vendor wants to provide service to a new
customer, it can be as easy as making a new copy of a virtual environment for this
customer, and providing web based administration tools to the customer so that he can
Steve Francis, Sloan Fellow 2011
Page 15
make customizations to the environment on his own. No lengthy installation or set up
processes are required. Although it has less to do with virtualization, and more to do
with service provisioning, the procurement process should enable the selection of
options and basic customizations at the time of purchase. These choices should be
reflected in the customer's billing and in the virtual environment that is provisioned to
him.
There are many types of virtualization, and most are useful to cloud service providers
(CSPs), be they public or private cloud service providers. In addition to virtualization of
servers, network resources, storage and desktops, it is also possible to virtualize
clusters of machines. This enables multiple servers to look and act, like a single server.
For example, Oracle provides technology to virtualize their database software and
middleware software in this way. They can make 4, 6 or 20 database servers or
application servers look and act like one big database server or application server. This
enables customers or CSPs to use many pieces of inexpensive hardware to run many
large workloads simultaneously, and it also provides a high degree of fault tolerance
and availability. (4). This affords CSPs with a great deal of flexibility. CSPs can either
dissect a single machine into multiple smaller virtual machines, or they can put multiple
machines together to look like one very large Machine, which can then run multiple
simultaneous workloads. With respect to running an automated "as a service" data
center that supports many different customers, such flexibility is very powerful and
creates compelling economies of scale. Without powerful tools to support
administration, monitoring and provisioning however, such sophisticated technology can
Steve Francis, Sloan Fellow 2011
Page 16
be very difficult to manage.
4.3 Software Appliances
Some special focus should be given to software appliances, as an important and
emergent cloud enabling technology. Software appliances for data warehousing have
been around for years. Neteeza (now part of IBM) and Teradata have done well in this
market for quite some time. A software appliance is just what it sounds like. You plug it
in and it works, like a refrigerator, or that's the idea anyway. There is no installation and
very little configuration, performance tuning or administration. There are also hardware
appliances and other types of appliances. Many newer appliances take advantage of
virtualization software to quickly stand up new environments with a high degree of
isolation, which is important for CSPs and their customers.
Oracle's Exadata is especially worth notice because in effect, this is Oracle's cloud
strategy. Growth of Oracle's appliance solutions have been "explosive" (31) and could
approach $2 billion in the next two years. Oracle already provides database and
middleware software via appliances. Inthe future this approach will likely extend to
applications, and possibly Oracle's entire software stack. This is truly a new way to
deliver value to customers. Oracle appliances have best of breed hardware and
software, designed to work together, pre-configured and optimized based on best
practices. This significantly cuts down on the number of vendors required, the number
of moving parts and the total deployment effort. Virtualization technology makes such
Steve Francis, Sloan Fellow 2011
Page 17
solutions easy to provision to new customers, whether over public or private clouds.
5. The Market Today
Most likely, cloud computing is slightly past its apex of the Gartner Hype Cycle (1).
Gartner calls this apex "The Peak of Inflated Expectations". The Gartner Hype Cycle
(Figure 3) shows the trajectory of market enthusiasm for technology. It is characterized
by a steep rise to a peak, and then a sharp decline as over exuberance gives way to
failures and disappointments. Next, as users begin to adopt the technology in more
sensible ways, enthusiasm increases again, but at a more gradual pace than before.
Even though growth rates may be slowing with "as-a-service" solutions, they are merely
slowing from light speed to super-sonic speed. In 2008, IDC forecast that spending
on cloud computing services would reach US$42 billion worldwide by 2012.
This was approaching a three-fold increase from 2008 levels of $16.5 billion (8)
More recently in 2011, IDC forecast that from 2009 to 2014, U.S. public IT cloud
services revenue would grow 21.6%, from $11.1 billion to $29.5 billion. (6) Although
these forecasts are not directly comparable, they seem to indicate diminished (although
still very high) growth expectations.
2011
Fellow 2011
Sloan Fellow
Francis, Sloan
Steve Francis,
Page 18
Page 18
VISIBILITY
Peak of Inflated Expectations
Plateau of Productivity
Slope of Enlightenment
Trough of Disillusionment
Technology Trigger
TIME
Figure 3
The amount of hype around cloud computing harkens to the heady days of 1999 when
fundamental corporate valuation ceased to matter, and people imagined that cost
structures and profit margins would structurally improve for any company that
intelligently used the internet. It has even been said that "the cloud is more important
than the web" (5). Such enthusiasm is admirable but is comparable to saying that the
invention of taxi cabs was more important than the invention of the internal combustion
engine and the entire automobile industry. Fortunately, this time around it has mostly
been technology journalists that have gotten carried away with heightened expectations
for the cloud computing market. Many of the executives at cloud vendor and cloud
Steve Francis, Sloan Fellow 2011
Page 19
consumer organizations are the ones that survived, and learned painful lessons, from
the dot com era. Many of these executives have avoided most of the over building and
over investing that characterized the technology industry in the late 1990s.
6. History of Cloud and Shared Services
There have also been many histories written about the evolution of cloud computing that
trace cloud ancestry from timesharing on mainframes, to the PC revolution, to internet
hosting companies, to application service providers (ASPs) and ultimately to the cloud.
This history is largely accurate, but incomplete.
What is missing from this picture is the evolving role of IT organizations as service
providers, or as vendors to internal customers. 20 years ago IT organizations were
largely viewed as necessary evils, cost centers, the equivalent of yesterday's typists
and book keepers. As the importance of Information Technology increased, and it
became apparent that IT strategy could lead to business differentiation in terms of
speed, efficiency, responsiveness, customer service and agility, interest from other
executives grew. As executives better understood the potential, they wanted and
expected more. They wanted more control, and they wanted to be treated more like
customers. After all, their division kept the lights on and kept the money flowing. Sure,
technology was important, but it was there to support and enhance the core business.
This ultimately led to a trend called "Shared Services". Shared Services allowed service
providers within an organization to provide the services that are expected of them as
Steve Francis, Sloan Fellow 2011
Page 20
elective services, similar to how vendors provide services. Since the vendor was an
insider however, there should be advantages and economies of scale to keep costs low.
Shared services are a way to achieve greater accountability and business alignment
from IT. Shared services can be established not just for IT, but for other internal service
delivery organizations as well, such as HR for example. Shared services are a way to
define expectations, service levels, communication, costing and accountability. Today
over 80% of the Global 2000 largest companies receive back office support from either
an internal or an external third party Shared Services Organizations (3)
Around the same time that Shared Services were becoming main stream in IT
departments (1999-2000), web services also began to gain traction. Web services are
a set of technology standards that enable the creation of software in a way that is
reusable, and in a format that is agreed upon by everyone. The technology was in
perfect alignment with the concept of shared services. The confluence of these two
trends led to another manifestation of the Gartner hype cycle, which led to many
impetuous and unsuccessful web services and shared services initiatives.
Many of these failures occurred not because the ideas and the technology were bad,
but because IT governance was lacking. In many early failures services were often
created at a level of granularity that was not practical and too much control was given to
the service providers instead of the service consumers. Still, the focus on services
makes sense, and is completely aligned with the advantages of cloud computing.
Today, Shared Service Organizations typically provide savings on the services that they
Steve Francis, Sloan Fellow 2011
Page 21
deliver of between 15-30% (3).
Web services, shared services, and the three pillars of cloud computing (Software-as-aService, Infrastructure-as-a-Service and Platform-as-a-Service) all share similar
heritage. They exist because customers, whether internal or external, want to be
empowered to chart their own course with respect to the services that they need.
Customers want choice, ownership and speed. Service delivery mechanisms such as
SAAS, IAAS, PAAS, shared services and web services all help to enable this. Hybrid
clouds, web mash-ups and service delivery models that combine services from internal
and multiple external sources will be increasingly common as a result.
7. Cloud Market Forces
All markets are conceived by interactions between vendors and customers, buyers and
sellers. Vendors respond to a customer need, demand or problem with some kind of
solution. Sometimes vendors may see a customer need in advance however, and
create a solution in anticipation of a market movement. Other times, customers
practically have to bang on their vendor's table and shout their needs to them.
Customers often want their vendors to provide solutions that are portable, standardized
and that work nicely with what they already own. On the other hand, vendors often
want to create solutions that are "sticky", and will create some level of "lock-in". These
dynamics change over time. Early innovation in a market often comes from visionary
and creative people. Years later, after significant customer adoption and the
Steve Francis, Sloan Fellow 2011
Page 22
emergence of competitors, innovation in this same market might be led by specific
customer demands. For these reasons, the sources of innovation may be an indication
of what stage of maturity a market is in. This tug-of-war between vendors and
customers will largely determine the trajectory of innovation. Incongruous incentives
between vendors and customers may be called an "agency problem", or "principal-agent
problem", or a "moral hazard" problem. Whatever it is called, these forces are currently
unfolding in dramatic fashion in the cloud computing market.
Professor Arnoldo Hax's Delta Model (14) is well suited to help describe this tug-of-war
phenomenon, both in terms of where the cloud market is today, as well as where it is
likely to go in the future. Professor Hax's model (figure 4) is a powerful model that is
intended to be used by companies (or their consultants) to develop or refine a go-tomarket strategy. The Delta Model is highly customer focused, and emphasizes
customer bonding as the pinnacle (literally) of effective strategy. The great power of the
model is its primary emphasis on the customer, and how to deliver value to the
customer. There are 3 primary positions on the Delta Model.
1. Best Product - This position, on the lower right of the Delta Model, is characterized
by the features and functions of the product offered. Demand for a product is highly
price elastic at this position of the Delta Model. Products in this position are highly
commoditized.
2. Total Customer Solutions - This position, on the lower left of the Delta Model, is
characterized by greater solution breadth and/or greater solution differentiation.
Steve Francis, Sloan Fellow 2011
Page 23
Solutions at this position of the Delta Model do not require the same amount of price
competition as products in the "Best Product" category would require. Total
Customer Solutions will be more closely aligned with customer's business needs,
but typically lack the trust and close collaborative relationships that are characteristic
of "System Lock-In" offerings.
3. System Lock-In - This position, at the top of the Delta Model, is characterized by tight
customer bonding. Such bonding is often the result of collaborative relationships,
high levels of trust, partnering and a vendor's ability to bring a complete and
differentiated solution to the customer that specifically addresses their unique
requirements. This may include a great breadth of products and intimate
understanding of the customer's business or it may be an ecosystem of
complimentary partner solutions, specifically designed to address the customer's
unique challenges.
Although the pinnacle of the pyramid is called "System Lock-In", I do not find this to
be a very fitting label because System Lock-In is something that customers typically
try to avoid. With respect to the Delta Model, System Lock-In is typically a positive
thing for both the vendor and customer. There may be collaborative business
processes at this position of the Delta Model, where demand forecasts are shared or
vendors can issue purchase orders on behalf of customers. Or, there may be
proprietary technology that is broadly adopted by a customer that makes a vendor's
solution extremely difficult to replace, although the technology is highly valued by the
customer. The Delta Model implies that the value that the customer receives from
Steve Francis, Sloan Fellow 2011
Page 24
using a "System Lock-In" solution is greater than the cost of using it. I believe that
this should be viewed positively for both vendor and customer.
System Lock-In
Establish dominance inthe
market
Total Customer Solutions
Best Product
Provide the customer with a
customized solution to the
most pressing needs
Attract the customer by
the characteristics of a
superior product
Figure 4
With respect to the Delta Model, Cloud Computing needs to be viewed in terms of IAAS,
PAAS and SAAS. Let's take a look at where each "as-a-service" offering (as a category
of products or market segment, not by vendor) sits along the delta Model, and how it
might evolve in the future.
7.1 IAAS and the Delta Model
Fellow 2011
Sloan Fellow
Francis, Sloan
Steve Francis,
2011
Page 25
Page 25
IAAS solutions typically compete on technical specifications and price. This is a highly
technical market, where technically oriented features and benefits determine vendor
selection, along with price. Amazon is the clear leader in the IAAS market, although
they have significant competition at the low end of the market, and increasing
competition at the high end. Amazon's lead is significant, and is a result of several
factors:
* First mover advantage
" A strong existing brand
" A true low cost advantage based on unique technology
" Breadth of offering (compute, storage, load balancing, HA, VMWare VM import...)
" Strategic partnerships
Traditional vendors such as IBM and HP have entered this market, as well as many
newer players such as Rackspace and Mezeo.
AAS is primarily a "best product"
solution that occupies the lower right hand are of the Delta Model. This is the least
enviable position on the Delta Model. It is the least defensible position with the lowest
margins. Amazon should be able to defend their leadership position if they continue
with their rapid pace of innovation, as this will enable them to maintain their cost
advantage.
Even though customers must currently use proprietary Application Programming
Interfaces (APIs) to access IAAS offerings, the cost of switching an application from one
Steve Francis, Sloan Fellow 2011
Page 26
IAAS provider to another is typically not that great. Furthermore, until now most
applications running on IAAS are typically either short lived applications or applications
that are not highly mission critical (11). In the future it is likely that standard APIs will
emerge for IAAS offerings, which will reduce switching costs even more.
It is very unlikely that many IAAS only vendors will still exist in five years. IAAS vendors
are moving into PAAS and PAAS vendors are moving into IAAS. Further, with the
entrance of HP, IBM and other behemoth technology vendors in this market,
consolidation will occur rapidly. These vendors can use IAAS offerings as loss leaders
for higher margin products and services. IAAS will likely cease to exist as a meaningful
standalone market and will merely be a product category offered by a number of larger
technology vendors. Unless a highly innovative vendor with massively differentiated
technology that is patent protected emerges, this trend, which is already well underway,
will continue.
7.2 PAAS on the Delta Model
PAAS offerings compete mostly by targeting the developers that use the platform to
build software applications. These developers are segmented based on the skills they
possess and the languages that they know. Java developers who like to use open
source technology might gravitate to Google AppEngine.
.net
developers would likely
gravitate to Microsoft Azure. Java developers who are well versed in using frameworks
provided by IBM would likely gravitate to IBM's solution. This indeed creates a high
Steve Francis, Sloan Fellow 2011
Page 27
degree of stickiness, or "lock in". However, in the context of the Delta Model, this lockin does not place PAAS offerings at the Apex of the Delta Model. The reason for this is
that there is not a high degree of personal interaction or business collaboration that
occurs between the PAAS provider and the PAAS customer. For this reason,
successful PAAS offerings today can be categorized as "Total Customer Solutions".
Although the current market PAAS market leaders are very large technology companies
such as Salesforce.com, Microsoft and Google, these were not the first entrants into this
market. Google entered the market in 2010. Bunjee launched a powerful and user
friendly PAAS offering more than two years earlier, in 2008. Even with this large of a
head start, larger competitors have completely eclipsed Bunjee in the PAAS market.
Some of the reasons for this were the proprietary nature of Bunjee's offering (not just
straight java or .net); lack of an existing sales channel; and a general trend toward
consolidation in the technology industry.
What will PAAS vendors need to do to compete in the future? Is it possible for them to
move to the "System Lock-In" position on the Delta Model? There are several things
that might help PAAS vendors become more valuable to their customers and move to
the top of the Delta Model. Here are a few. Some vendors are already beginning to do
some of these things.
* Leverage common languages and skills, such as java, .net, Python, Ruby and Perl.
" Adopt standards for cloud computing as they emerge, and show leadership with
Steve Francis, Sloan Fellow 2011
Page 28
helping to drive standards. However, PAAS vendors should not be constrained by
any standards and should extend and enhance standards when needed. This is an
old game played by many successful technology companies. Honestly claim
conformance to an open standard while extending the standard to such an extent
that is in effect, proprietary.
- Offer training and certification for PAAS offerings
" Create community interest groups both locally, and on line using social media.
* Build an ecosystem of partners (implementers and software providers) around the
PAAS offering
- Offer expert services to help build, test and certify applications built on the PAAS
offering.
" Connectivity options to other software products, whether on-premise or "as-a-service"
* Monitoring, administration and configuration capabilities that are complementary to
existing tools.
There is a lot at stake with PAAS. Inthe client-server and internet era, software
development platforms had tremendous influence over how and where IT dollars were
spent. In the cloud era, the same is likely to be true for PAAS. Following is a
comparison of the leading PAAS solutions:
Steve Francis,
Francis, Sloan
Sloan Fellow
Fellow 2011
2011
Page 29
Page 29
.net framework languages, Rub,.
Java, Python, %
Java, KuDy, rr1r, .net, VVeL
Java, C++, PHP, Web Services
Support, Ruby
Services Support
Med-High
Med-Low
Med-High
Med
Med-Low
Med-High
Support
ols (Low to
iagement
YsHigh)
Yes
Yes
Yes
Yes
Yes
Yes
id Blob
Yes
Yes
Yes
for
No
No
Yes
for Trials
Limited
Tier 1
25 hours small compute instance
Yes
500 MB and up to 5 million
Free to 100 users, 1GB
page views free
750 hours of small compute
$8 per user per month. Max
$50 per user per month, 100+ db
instance, 10 gb storage, $59.95
of $1000 per month per app
objects, more storage, more
storage, CRM integration
per month
Pricing, Tier 3
Add 10 GB SQL Server database
$8 per user per month. Max
$75 per user per month, 24x7
to Tier 1 for $109.95 per month
of $1000 per month per app
support, up to 2000 db objects,
more storage
Visual BPM
No
No
Yes
Integration to 3" Party
Yes, but mostly MS based
No
Yes, but not Oracle, SAP or
Apps
solutions
Social Media Support
MS Live Only
No
Chatter and Facebook
Lock-In with Using Add
Med
Low-Med: Some with HA and
High
many traditional vendors.
browser notificaiton
ins (Low to High)
capabilities
Exchange Platform for
Yes, App Market and Data Market
Marketing Apps
Steve Francis, Sloan Fellow 2011
Yes, Google Apps
Yes, Force.com App Exchange
Marketplace
Page 30
If 99.95% availability not met then
99.9% uptime
Unclear
Microsoft's platform falls
High performance and
Incredibly feature rich and
somewhere between the Google
uncompromising standards
innovative. Easy to build
platform and the Force.com
based platform. Very little
sophisticated applications with
platform. It is more feature rich
capabilities beyond basic
graphical frameworks. Significant
that Google's solution and less so
cloud hosting for standards
toolkits and integration to
than Force.com. However, it does
based applications however.
party products and services.
have rich language support and a
Google Apps, their SAAS
Fairly high level of lock-in when
lower level of lock-in risk than
offering, offers a higher
using advanced capabilities and
Force.com. Microsoft's SAAS
degree of customization than
frameworks. Nearly seamless
offering, Office 365, is not easily
does Microsoft Office 365
integration across SAAS and
extensible or customizable. In
although the level of
PAAS offerings.
order for Microsoft to find better
integration between products
synergy between their PAAS and
is not as good. Google Apps
SAAS offerings, they will likely
does offer complete web
need to improve in this area. As a
services interfaces, which
side note, Office 365 augments,
increase the synergy that
rather than replaces, Microsoft
exists between their SAAS
Office.
and PAAS offerings.
10% service credit
If 99% availability not met then
25% service credit.
3d
Table 1
7.3 SAAS on the Delta Model
Only one SAAS vendor, Salesforce.com, is currently positioned at the "System Lock-In"
location on the Delta Model. Other vendors are located at the two other vertices, or
somewhere between them. The reason for this is that no other vendor has succeeded
like Salesforce.com has in terms of both their PAAS offering and their SAAS offering.
Steve Francis, Sloan Fellow 2011
Page 31
The synergies of these two offerings, combined with the customer focus that is deeply
ingrained in Salesforce.com's culture, makes their offerings very sticky indeed. This is a
stickiness that is characterized more by customer satisfaction than it is by dependence
or technical lock-in. Salesforce.com has a truly unique focus on delivering exceptional
value and success to their customers. This is a cultural obsession, which is clear from
reading "Behind the Cloud", a book by Salesforce.com's founder Marc Benifoff (15).
This was also clear when interviewing Kraig Swensrud, a Sr. Executive at
Salesforce.com (11)
What is perhaps the most important lesson from Salesforce.com however is that their
success, which for the moment appears to be sustainable, depends not on one single
thing, but on a large number of things. Customers that extend Salesforce.com's
application (SAAS offering) will become familiar with their PAAS offering. This is a win
for both Salesforce.com and their customers. Salesforce's obsession with customers,
aggressive and edgy marketing, adoption of open standards, creative partnerships
(such as their VMWare partnership) and a multitude of other factors have made
Salesforce.com one of the fastest growing technology companies in history.
Although Google and Microsoft both offer PAAS and SAAS solutions, their strategies
are not as coherent and their products are not as integrated as Salesforce's.
8. Customer Specific Forces
2011
Fellow 2011
Francis, Sloan Fellow
Steve Francis,
Page 32
Page 32
During my interviews with customers I noticed more similarities than differences among
customers with respect to how they are currently using, and how they plan to use, cloud
computing. Customers have largely adopted cloud technologies in similar patterns, and
have similar views on what is missing. Following are the most prominent themes that I
observed.
" Virtualization was unanimously cited as the centerpiece of customer cloud strategies,
and VMWare was cited, almost unanimously, as the most strategic cloud vendor
among customers that I interviewed.
* Customers with more mature cloud and virtualization infrastructures often indicated
that the availability of suitable management and provisioning tools was lacking.
" Privacy and security concerns were shared by all customers interviewed. This
includes regulatory requirements as well as general concerns over the
confidentiality, privacy and protection of critical information. Many customers cited
specific statues and regulations and others were far less specific when asked for
detail.
" Customer adoption of cloud solutions has been opportunistic, not strategic. Few
customers have clearly defined cloud strategies or roadmaps but instead have
(wisely) chosen to move applications and infrastructure into the cloud on an ad hoc
basis driven by savings and ROI.
" Customers view the cloud as central to their shared services initiatives to a greater
extent than vendors or technology journalists do. A comment from John Hancock's
CIO, Allen Hackney, provides a good example of this. "The ability to separate
Steve Francis, Sloan Fellow 2011
Page 33
physical layers of infrastructure from provisioning of resources in order to produce a
business application is central to our strategy.". I found this to be a remarkably
astute statement.
The primacy of these themes in customer discussions warrants a closer look at each
one.
8.1 VIRTUALIZATION
Each customer that I interviewed cited their virtualization vendor as their most strategic
cloud vendor. It is worth taking a look at some of the key innovations in this market to
get a sense for how it is evolving, and what it may look like in the future.
In addition to core virtualization services, and a hypervisor that is best-of-breed,
VMWare seems to have a compelling vision for the future of cloud computing.
Customer and market buy-in are extremely high, as evidenced by rapid earnings
growth, and a very rich corporate valuation. As of 2/11/2011 VMWare had a $37 billion
market capitalization, a price/earnings ratio of 106, a price/sales ratio of 13.1, 37% yearover-year quarterly revenue growth, and a 91.36% share price increase over the
previous 52 weeks (10). I will reserve comment on whether the growth expectations
that are implicit in this valuation are warranted, but it is clear from these numbers that
market interest and optimism about VMWare is very high.
2011
Sloan Fellow
Francis, Sloan
Fellow 2011
Steve Francis,
Page 34
Page 34
Part of VMWare's great success is a clear and obvious Return on Investment (ROI) for
their customers. When customers virtualize their data centers on VMWare, they can
often reduce the number of servers they use by an order of magnitude. This massively
reduces costs for hardware, data center floor space, software licenses, heating and
cooling and administrative personnel. It is true that there are new costs associated with
purchasing and implementing VMWare software and training staff to use this
technology, but VMWare's strategy appears to be that "we will shrink the IT spending
pie but will take an increasingly larger slice of this shrinking pie"
Perhaps VMWare's most game changing innovation is their vCloud API. The vCloud
API enables customers using VMWare virtualized workloads move their workloads to
data centers that support the vCloud API, or vCloud services. This means that the
vCloud API gives customers flexibility to switch their cloud vendor, or cloud service
provider, more easily than ever before. vCloud technology enables a customer to run a
workload in their own environment, to move that workload to a CSP, and then to move
the workload to yet another CSP for any reason they choose. CSP's must support the
vCloud API to enable this flexibility, but many large CSPs have already signed up and
have made their data centers vCloud compatible. The number of CSPs supporting
vCloud is currently around 3000. Here is VMWare's description of the vCloud API:
"The vCloud API is an interface for providing and consuming virtual resources in the
cloud. It enables deploying and managing virtualized workloads in private and public
clouds as well as interoperability between clouds. The vCloud API enables the upload,
download, instantiation, deployment and operation of vApps, networks and "virtual
Steve Francis, Sloan Fellow 2011
Page 35
datacenters". There are two major components in vCloud API, the User API focused on
vApp provisioning and Admin API focused on platform/tenant administration." (9)
There are a couple of other very innovative technologies that VMWare offers that help
to explain their meteoric valuation. VMWare now provides technology that will pool
large numbers of distributed virtual resources into a logical pool. This is in effect,
virtualizing virtulized environments. This capability enables the management,
administration and provisioning of resources over a large distributed environment.
Resource utilization and resource management are enhanced to an even greater
degree than with simple virtualization alone. It facilitates fine grained provisioning and
allocation of resources and it also enables changes to be made uniformly and
consistently across a large number of separate physical environments. Differentiation
of infrastructure is enabled so that tiered delivery of pricing and service delivery is
possible. Tools, portals and APIs are provided to enable self service delivery of catalog
based services. VMWare describes this as follows: "Whenever internal users need IT
services, they should be able to get them as easily as finding and downloading an
application from Apple's App Store." (9)
Chargeback is a concept that is important to private clouds. The concept of
chargeback, as it relates to "as-a-service" solutions, has roots in the 1990s along with
shared services. Internal service providers must be able to recoup their costs
somehow. Although some internal service providers may be allowed to operate at a
loss, it is important that they have a fair and consistent way of charging internal
Steve Francis, Sloan Fellow 2011
Page 36
customers for the services that they provide. The concept of chargeback is closely
related to provisioning, which I will address shortly. VMWare offers chargeback
capabilities that enable Cloud Service Providers to charge customers based on Fixed
Costs, Allocation or Utilization. Fixed Cost charges are simply based on the number of
virtual machines used. Allocation based chargeback is determined by the amount of
capacity that is allocated and available to use. Utilization based chargeback is based
on the amount of capacity that is actually used. (9)
Although some customers acknowledged challenges with their ability to charge back to
customers, none of the customers interviewed were using VMWare's chargeback
product. This may be due to the limited number chargeback options that exist however.
Options such as user counts, transaction counts or chargeback for non-virtualized
resources are not presently available.
8.2. CLOUD MANAGEMENT AND PROVISIONING
For both public and private clouds, provisioning cloud resources to new customers or
users is very important. Because muti-tenancy is a fundamental part of cloud,
practically by definition, adding new tenants quickly and easily is a focus of much
attention, although results have been elusive. Although Google, Microsoft, VMWare,
Salesforce and other leading cloud and cloud infrastructure vendors have made
considerable efforts to automate provisioning processes, this automation is mostly
focused on their own technologies. VMWare can provision virtualized resources well,
Steve Francis, Sloan Fellow 2011
Page 37
Google can provision App Engine resources and applications well, etc.. However, tools
to automate provisioning across a range of services and technologies provided by
different vendors have been lacking. As a result, the traditional system management
vendors have stepped in with what appear to be the most capable solutions at this time.
BMC Patrol, IBM Tivoli, CA Unicenter and HP OpenView have always always been
leaders at providing centralized administrative and monitoring capabilities for all kinds of
networking, server, desktop, storage and even software infrastructure. Most
organizations have large investments in these platforms already. Furthermore, HP and
BMC made significant acquisitions in the past several years that give them broader
scope to address cloud provisioning requirements. A small software vendor in Renton
WA, Parallels, has some unique and very sophisticated capabilities here. Parallels is a
private company, probably between 100m and 150m in revenue, and offers the
capability to provision cloud based resources from a large variety of CSPs (12). They
not only handle the technical provisioning of the software but also handle the ordering,
billing, invoicing and payment of services. These services are provided, not
surprisingly, via the cloud.
HP OpenView products were rebranded as part of the HP Software Division in 2007,
along with some recently acquired technology from a number of different technology
vendors. BMC has taken a very similar approach, segmenting their business based on
legacy products and newly acquired products. Also, each company has built out their
software portfolios in similar ways. The software portfolios of both organizations are
well suited to handle the complexities of provisioning services in the cloud. (17)(18)
Steve Francis, Sloan Fellow 2011
Page 38
Based on customer feedback, HP and BMC appear to have taken the lead in the cloud
provisioning market, and are continuing to innovate and partner to enhance their
solutions.
STRATEGIC ACQUISITIONS
HP
BMC
Mercury Interactive - Application Management,
BladeLogic - Enables server provisioning, release,
Application Delivery, Change and Configuration
change and configuration management.
Management
OpsWare - Server and Network Provisioning, and
Remedy - Market leading helpdesk application.
Configuration and Change Management help to
ensure consistency and best practices.
3PAR - Utility Storage that enable multi-tenant
Tideway Systems - Enables automated discovery
deployments which are well suited to SAAS and
of system resources and more dynamic monitoring
IAAS deployments
and administration.
Peregrine Systems - ITAsset Management and
Service Management Software.
Table 2
The partnering strategies of both BMC and HP also demonstrate a strong commitment
to building their cloud offerings.
BMC has formed a collaborative partnership with Cisco and VMWare to provide a "cloud
in a box" solution that relies heavily on BMC's BladeLogic acquisition. The solution
Steve Francis, Sloan Fellow 2011
Page 39
provides virtualized resources of many kinds that can easily be managed, configured
and provisioned in an automated fashion. HP partners with both Microsoft and VMWare
for virtualization capabilities, depending on whether a customer is more Windows or
Unix oriented. Allen Hackney from John Hancock specifically mentioned that his
organization is aligned with and leverages capabilities from the VMWare and HP
partnership. (11)
8.3 PRIVACY AND SECURITY
There are many legitimate reasons having to do with privacy and security that may
diminish a customer's enthusiasm for deploying IT resources in the cloud. There are
also some political reasons.
Cloud deployments typically reduce requirements for data center space, hardware
assets, software assets, employees and budget. Some managers may resist initiatives
that result in reduced headcount, assets and budget. In such instances, security
concerns may become somewhat of a "boogey man" used by IT managers to help resist
non-technical managers that are pushing for savings from cloud adoption. Although this
is somewhat of a simplification and may sound cynical, I did get this impression from
more than one customer that I interviewed. Change is never easy or riskless and many
factors other than reduced IT relevance play an important role in the reluctance that
some IT managers may feel regarding cloud adoption. Ultimately, as cloud adoption
becomes increasingly common, IT managers will likely begin to view the cloud more
Steve Francis, Sloan Fellow 2011
Page 40
positively, as a way to shrink their IT backlog, align more closely with the business and
unburden their teams from purely technical responsibilities.
8.3.1 Identity Federation
Leaving aside whether cloud environments (public, private or hybrid) are either more or
less secure than traditional infrastructure, they are certainly different. Traditional trust
boundaries no longer apply because software applications might be a mash up of
3 rd
party services, applications and internal infrastructure. CSPs need to be a partner in
the security process. The enterprise data center is just one security zone, or realm that
needs to be considered. A "federated" approach is needed to address increasingly
distributed authentication requirements. Fortunately, federated security processes have
been evolving since before the rapid growth of cloud computing. Federated security
simply means two or more organizations that share a trust boundary. (16) Once a user
is authenticated in one environment then he is automatically trusted at some level in
another 3 rd party environment.
Protocols such as SAML (Security Assertion Markup Language) provide a common
format that can be used by enterprises,
3 rd
party CSPs and business partners to
represent security authentication and policy data in federated processes. Partners in
SAML processes may either be Identity Providers or Service Providers. Identity
providers will likely be corporate data centers that assert the identity of the users or
processes that are accessing services. Service Providers will use these identity
Steve Francis, Sloan Fellow 2011
Page 41
assertions to determine which resources should be made available. This can provide
benefits such as single-sign-on and simplified administration.
8.3.2 Security Responsibility
A continuum of responsibility exists with regard to security of cloud based resources. At
one end of the spectrum are "on-premise" resources and at the other end of the
spectrum is SAAS, where a vendor is responsible for the development, support,
infrastructure and delivery of applications. IAAS and PAAS fall between these two
levels. IAAS is closest to "on-premise" resources, since the development, support and
delivery of the application are still the responsibility of the organization developing the
application. PAAS falls closer to SAAS since (1) PAAS may be thought of as a super
set of IAAS and (2) more layers of network architecture are contained in a PAAS stack
than in an IAAS stack. It cannot be said with certainty which party should be
responsible for which layer of security in all cases, but the importance of service levels
and clearly defined contractual responsibilities cannot be over stated.
SECURITY RESPONSIBILITY
Vendor (CSP)
Customer
on premise
paas
iaas
saas
Figure 5
Steve Francis, Sloan Fellow 2011
Page 42
Following is a list of security concerns that must be addressed by CSPs and their
customers. This is by no means an exhaustive list. Customers and CSPs must work
collaboratively to determine whose responsibility it is to ensure that data, software and
infrastructure are protected.
" Host security - Host security in a public cloud is the responsibility of the CSP since
details of the host are abstracted from the customer. It may be wise for customers
to demand that the CSP share information through a controls assessment
framework such as SysTrust or ISO 27002 however. (13)
" Perimeter security - Perimeter security includes all of the resources that are used by
a computer system that need to be protected. Cloud computing complicates this
boundary because the boundary is no longer made up of "on premise" resources
only. With hyper-distributed cloud based environments, where each layer may be
hosted by a different CSP, or different components within the same layer may be
hosted by a different CSP, it is important to maintain visibility of resources across
providers, and to ensure that policies and procedures are standardized to the
greatest extent possible. Although such hyper-distributed are not common today,
this will become increasingly common in the future. System wide visibility and
documentation are very important to perimeter security and will help to manage this
process as system and application boundaries change with continued adoption of
cloud based resources.
Steve Francis, Sloan Fellow 2011
Page 43
"
Authentication and Authorization - Making sure that appropriate data and systems
are available to appropriate people is the responsibility of both the customer and the
CSP. Because customers will likely have some administrative responsibilities
delegated to them, they will likely have some responsibility for cleaning up orphaned
accounts and ensuring that rules are consistently followed with respect to user
credentials with the CSP. The CSP will also have responsibility for ensuring that the
granularity of access control meets the customer's requirement, rules for strong
passwords are implemented (this may be a shared responsibility) and best practices
are consistently enforced across customers.
" Application security - Threats to application security exploit vulnerabilities in
underlying applications. Because SAAS are applications delivered over the web, by
definition, application security is the responsibility of the SAAS application vendor.
With IAAS vendors, application security is the responsibility of the application owner
or administrator. With PAAS solutions, this responsibility will likely be shared. It will
be the PAAS vendor's responsibility to provide a security framework that is robust
and well documented, and the application developer's (customer) responsibility to
ensure that this framework is implemented properly.
" Data-in-transit: Protecting data on the wire calls for the use of an established and
robust encryption algorithm. CSPs must have a well developed strategy here and
may offer different options of whether data is encrypted and if so at what level, or
transmitted in-the-clear.
" Data-at-rest: Protecting data stored on disk may also call for the use of a well
established and robust encryption algorithm. Alternatively, a well developed
Steve Francis, Sloan Fellow 2011
Page 44
Information Lifecycle Management (ILM) strategy may be adequate, although
communication of such policies and procedures will likely need to be documented in
a format where they can easily be shared between vendor and customer. An ILM
strategy will define what happens to data as it is aged and moves to backup,
reporting and other systems, as well as how disks are handled when they are retired
and disposed of.
It is common for strong security at one layer to prevent a breech or vulnerability at
another layer. For example, if the authentication process for a customer is robust then it
is less likely that a user could spoof or hijack a customer's credentials and exploit a
vulnerability at the application layer.
8.4 Regulatory Requirements
During my customer interviews, state and federal laws and regulations were often cited
as factors inhibiting adoption of cloud technology. Many laws and regulations exist to
ensure data privacy and security of sensitive data and personally identifiable
information. Data related to income, wealth, health, financial aid and employment
history often have such restrictions. There are also labor laws and the specter of net
neutrality laws that impact how and when cloud based services can be offered, or might
be offered in the future. Labor laws are in place, mostly in the public sector, that
prevent workforce reductions resulting from outsourcing work to a 3 rd party or from
automation. Although the following list is not exhaustive, each of these laws or
Steve Francis, Sloan Fellow 2011
Page 45
regulations has the potential to effect the advancement and adoption of cloud
technology. For state law I will focus on Massachusetts and Washington State only.
This is because covering all 50 states would not be helpful, and would be overly
lengthy. Further, both states are home to large populations of technology and internet
companies and have legislatures that are not timid with regard to commercial regulation.
8.4.1 Labor Laws and Labor Influence
Massachusetts Pacheco Law - In a nod to Public Employee Unions and employees,
Massachusetts enacted Anti-Privitization legislation, the Pacheco law, in 1993. This law
effectively prohibits the contracting of work to the private sector that can be performed
by state employees. (23). With regard to cloud computing, this practically eliminates the
prospect of achieving savings from well proven IAAS offerings such as ones provided
by Amazon and Rackspace. Outsourced email, calendaring, collaboration and other
services that are currently provided by state employees, often at very high cost, are also
off limits.
Federal Senate spending bill S.3677 - Bill S. 3677, passed July 29 2010, reduced
funding for federal cloud computing efforts 58% from 2010 to 2011. Although Federal
workers are not unionized, this decision is highly incongruous with government
spending trends and spending on cloud computing initiatives in general. Overall funding
for technology spending in this bill saw an increase from 2010, although cloud spending,
that was intended to consolidate data centers, shrank significantly. (24)
Steve Francis, Sloan Fellow 2011
Page 46
City of Seattle - IT workers at City of Seattle are unionized. Based on interviews that I
conducted with (non union) technology leadership at City of Seattle, it seems unlikely
that services such as email will be delivered via the cloud. Microsoft, Google and other
vendors offer such services through the cloud and can typically demonstrate
considerable savings when compared to purchasing, deploying, supporting and
administering in house email systems such as Microsoft Exchange, which was deployed
in 2009 at City of Seattle. Due to union influence however, such moves seem very
unlikely.
8.4.2 Net Neutrality
Net neutrality simply means that internet users should have unrestricted and
undifferentiated access to any legal content on the internet. This is tricky though. What
is counter intuitive about this is that to achieve net neutrality would require either legal
precedence based on related case law, or a specific bill leading to new laws or
regulations. Net neutrality is not currently enforced via any specific law or regulation. In
practice however, it almost universally exists. The internet is highly democratic for both
producers and consumers of content. Opponents of net neutrality say that creating new
laws or regulations around the internet to achieve "net neutrality" would be fixing
something that is not broken, and that new laws or regulations, intended to make sure
that content consumers and producers are treated equitably and fairly, would open the
door to further regulation and government control, which might ultimately hurt the
Steve Francis, Sloan Fellow 2011
Page 47
internet and diminish its value. They feel that the internet has gotten by just fine without
such regulation up until now and that greater regulation would lead to influence by
special interests, or over reach by government. Net neutrality arguments, either for or
against, have the potential to result in 1't amendment issues, although this is not likely
any time soon.
Proponents of net neutrality feel that providers of internet bandwidth, such as Comcast
or AT&T for example, might use their power to discriminate against certain content
providers. For example, Comcast could theoretically provide a lower quality of service
to content providers that require a great deal of bandwidth, such as Youtube or Netflix,
or they could provide a lower quality of service to competitors potentially.
A 2008 case filed by the Federal Communication Commission (FCC) against Comcast
charged that Comcast unlawfully blocked or slowed access to a peer sharing web site,
Bit Torrent. An April 2010 ruling on this case determined that the FCC lacked the
authority to dictate how Comcast should treat internet traffic and Comcast won the case,
successfully defending their right to treat their customers and use their infrastructure as
they wish.
During my interviews, Bruce Chatterley, President of MegaPath (merger of Covad,
Megapath and Speakeasy.net) mentioned net neutrality as a potentially important issue
for cloud adoption (11). As customers put increasingly mission critical infrastructure and
applications in the cloud, they will be likely to demand higher qualities of performance
Steve Francis, Sloan Fellow 2011
Page 48
and service reliability. Government efforts to implement net neutrality laws or
regulations could inhibit the ability of Cloud Service Providers to differentiate service in
such ways.
Arguments made by groups that are either for or against net neutrality regulation may
sound very similar. Both sides are likely to say that their position will increase (or have
the potential to increase) innovation. To some extent, both sides are correct. If net
neutrality laws are passed, the specter of large bandwidth and infrastructure providers
treating potential competitors unfairly is unlikely to emerge, although in reality this has
not happened yet anyway. If net neutrality laws are not passed, we will continue with
the status quo of a largely unregulated internet that has created hundreds of billions of
dollars of wealth in the past decade alone.
8.4.3 State Data Privacy Laws and Regulations
" Breach Notification Laws - Nearly all states now have security breach laws in place
that require notification of the effected party, those whose personally identifiable
information has been disclosed, of such a breach.
" Washington House Bill 1149 - Effective 07/01/10, this bill extends the scope of
typical Breach Notification Laws by requiring that the commercial organization
responsible for the breach reimburse banks for the costs associated with cancelling
and reissuing credit and-or debt cards. 1149 also incorporates the Payment Card
Industry Data Security Standard ("_PC") into the law (21)
Steve Francis, Sloan Fellow 2011
Page 49
"
Massachusetts Executive Order 504 - "An Order signed by Governor Patrick on
September 19, 2008 that recognizes the importance of protecting personal
information and specifically outlines how all state agencies in the Executive Branch
must address the security and confidentiality of personal information." (19)
* Massachusetts General Law 93H - This appears to be the first state law imposing
specific requirements on business to protect Personally Identifiable Information (20).
Attorney Greg Duff summarizes the rather onerous requirements on his web site,
www.duffonhospitalitylaw.com. He summarizes the requirements as follows:
.
Encrypt all data, including on mobile devices (laptops, PDAs, etc,)
.
Restrict physical access to records containing P11
.
Develop written information security policies and adhere to them
.
Regularly monitor networks for unauthorized activity
93H requirements are laudable as consumer protections but they will unquestionably
increase costs for business. The language in 93H is also unclear as to what constitutes
compliance and this could lead to costly "over implementation", as has been the case
with other ambiguous regulation such as Section 404 in the Federal Sarbanes Oxley
Act. There is certainly a tradeoff between consumer protection provisions, and the
increased cost of doing business, which may become as a disincentive for new
eBusiness firms to locate in Massachusetts, which could hurt employment growth and
capital formation.
2011
Fellow 2011
Francis, Sloan Fellow
Steve Francis,
Page 50
Page 50
8.4.4 Federal Data Privacy Laws and Regulations
US Patriot Act - The US Patriot Act may be one reason that cloud adoption has been
faster in the US than in other countries. Any data that is physically stored in the United
States is subject to the Patriot Act. The Patriot Act allows the US Federal Government
to access data stored within US borders. (26) Although such access requires a
request, or application by a Special Agent from the FBI, the approval of such an
application may be granted by a Federal Judge. The fact that commercial and
proprietary information may be accessed by the US government is unsettling for many
private and public organizations outside of the US that might otherwise consider
adopting cloud offerings from US companies.
Stefan Ried from Forrester writes about this problem and discusses how Data
Integration Software Maker Informatica has designed an integration-as-a-service
architecture to circumvent this problem. (26) Informatica provides integration-as-aservice so that customers in Europe can use their US based integration service and no
data will actually touch servers on US soil, which would make the data subject to the
Patriot Act. When vendors architect their solutions around regulations and laws, it may
be a good sign that the regulatory and legislative processes are having a hard time
keeping up with the market, and are in need of being updated.
Steve Francis,
Francis, Sloan
Sloan Fellow
Fellow 2011
2011
Page 51
Page 51
Federal Information Security Management Act (FISMA) - The Federal Information
Security Management Act of 2002 requires all Federal Agencies to implement an
agency wide information security strategy.
The National Institute of Standards and Technology (NIST) is responsible for working
with Federal agencies to implement FISMA. Although the US government spends
several billion per year on security and FISMA related compliance costs, the standards
developed by NIST appear to be quite rational and in line with best practices that I have
observed in the private sector. NIST's web site states that their vision is (26): "To
promote the development of key security standards and guidelines to support the
implementation of and compliance with the Federal Information Security Management
Act including:
.
Standards for categorizing information and information systems by mission
impact
.
Standards for minimum security requirements for information and information
systems
.
Guidance for selecting appropriate security controls for information systems
.
Guidance for assessing security controls in information systems and determining
security control effectiveness
.
Guidance for the security authorization of information systems
Fellow 2011
Sloan Fellow
Francis, Sloan
2011
Steve Francis,
Page 52
Page 52
.
Guidance for monitoring the security controls and the security authorization of
information systems"
Although FISMA compliance costs are high, the mission seems worthwhile and it is
reassuring to observe that many private sector organizations have developed security
strategies that align closely to NIST's. It appears that the government has provided
some valuable leadership to the private sector.
Health Insurance Portability and Accountability Act (HIPAA) - HIPAA was mainly a way
to ensure citizens can keep their existing insurance in the event that they lose a job. In
addition to this, there are aspects of the regulation that help to bring the health care field
up to date with the demands of our digital age.
HIPAA regulates the use of protected health information (PHI) by health care providers
and health plans (13). Health care providers and health plans must notify patients if any
of their PHI is shared or disclosed to other parties. Also, patients have the right to
access any of their PHI and are able to correct or updated such information if needed.
Graam Leach Bliley Act (GLBA) - The GLBA, also called the Financial Services
Modernization act of 1999, was a major piece of financial services legislation. It partly
repealed the Glass-Steagall Act of 1933. This was largely a banking deregulation bill,
but it also brought regulation up to date for information security for financial services
Fellow 2011
Steve
Steve Francis,
Francis, Sloan
Sloan Fellow
2011
Page 53
Page 53
companies. There are two parts of the GLBA that are highly relevant to cloud
computing, the Financial Privacy Rule and the Safeguards Rule (13).
1. The Privacy Rule requires financial institutions to provide a privacy notification to
customers at the inception of a customer relationship, and also requires ongoing
annual notifications. This notification must explain to the customer how their
personal information will be used and give the customer the ability to opt out of
activities that involve the sharing of their personal information with
3 rd
parties.
2. The Safeguards Rule requires that financial institutions implement an information
security program that protects their customer's private data. The Safeguards Rule
requires that financial institutions not only create and implement such a program, but
that it is monitored and updated as needed, and that there is a single point of contact
with overall responsibility for the plan. This has led to the creation of the Chief
Information Security Officer (CISO) position in many organizations.
Federal Rules of Civil Procedure (FRCP) - FRCP requires that parties involved in a civil
lawsuit must disclose to the opposing party any information that will be used in their
claim or defense (13). In 2006 FRCP was updated to better reflect increasingly digital
forms of information. The changes required that electronic information used in the
discovery process be made available quickly and easily. These changes led to a boom
in the eDiscovery market, for email and document archiving and recovery. FRCP has
major implications for cloud vendors, whether PAAS, IAAS or SAAS. Data may be
required from any of these sources as part of a legal discovery process.
Steve Francis, Sloan Fellow 2011
Page 54
Personal Data Privacy and Security Act of 2009 - Although this bill was never enacted, it came
close. Only due to a unification of the business community, including the Chamber of Commerce,
National Auto Dealers Association and several other trade and industry groups, was passage of
the bill prevented. 1490 was "a bill to prevent and mitigate identity theft, to ensure privacy, to
provide notice of security breaches, and to enhance criminal penalties, law enforcement
assistance, and other protections against security breaches, fraudulent access, and misuse of
personally identifiable information. " (22) Although many of these goals are commendable, the
duplication of existing state law and the onerous disclosure rules in this bill would have created
tremendous business costs. Businesses would have been required to disclose all digital
records about a customer, to that customer, at his request. Many businesses simply lack the
technical sophistication to perform such an activity without incurring tremendous costs
9. WHAT CUSTOMERS DID NOT SAY
In addition to the topics that customers identified as important to their cloud strategies,
let us address some topics that did not come up. I would like to briefly review these
topics because among my peer community, which is made up largely of employees
from major technology vendors (Oracle, VMWare, Salesforce, SAP, and Microsoft),
these topics are perceived to be important. When I spoke with customers however,
these topics did not come up unless I initiated a dialog about them. Although it was
surprising to me at first, customers did not seem concerned with these issues.
* I expected customers to express concern about integrating cloud based applications
Steve Francis, Sloan Fellow 2011
Page 55
to on-premise applications. They did not. Given the amount of effort and expense
that customers have put in to integration efforts and service oriented architecture
(SOA) efforts over the past 15 years, I imagined that the challenges associated with
integrating to applications run by a 3 rd party cloud service provider would be
concerning to customers.
Part of the reason for this lack of concern was made clear when I spoke with a Sr.
Executive at Salesforce.com. Using web service APIs, Salesforce.com customers
can and do integrate their Salesforce.com applications to their on-premise
applications easily and securely. In fact, Salesforce.com provides real time statistics
to customers about transaction volume on Salesforce.com. The day before I spoke
with the executive at Salesforce.com they recorded over 400 million transactions
and about
/2of
these transactions were API calls. (11)
I expected customers to express concern about vendor lock in with respect to "as-aservice" solutions. They did not. This may be an indication of the fairly low level of
maturity in this market however. Currently, customers have adopted SAAS offerings
for CRM (Customer Relationship Management) much more aggressively than they
have adopted things like ERP and HRMS. This may be due to the fact that CRM is
less essential to the operation of a business than ERP and HRMS. Sales and
services personnel can always manage CRM in spreadsheets in an emergency.
However, if ERP systems go down then firms cannot pay vendors and employees,
they cannot report their earnings to Wall Street or their owners and they cannot
execute many of the core business processes that are essential to their daily
Steve Francis, Sloan Fellow 2011
Page 56
operations. The stunning success of Salesforce.com (the leading SAAS CRM
vendor), compared to the more tepid growth of NetSuite (the leading SAAS ERP
vendor), illustrates this difference quite clearly. Salesforce.com has annual
revenues approaching $2 billion while Netsuite's annual revenues are around $200
million. (10)
Vendor-lock-in and support for open standards will likely be one of the next
battlegrounds in the cloud computing market. Such battles occur in technology
markets that are approaching a more mature phase of the market lifecycle. As new
vendors enter the market they will ask themselves (1)Who are the next targets for
Salesforce.com and what is Salesforce.com not providing? (2)Why has
Salesforce.com grown so much faster than Workday and NetSuite? The answers to
both of these questions will likely have a lot to do with vendor-lock-in, vendor exit
strategy and support for open standards. Open standards with respect to cloud
computing are very immature however. Leadership in open standards for the cloud
market may come from a standards body, or from a vendor that creates a de facto
standard. There are promising standards that are emerging now from both sources.
A good example of a vendor engineered technology with the potential to become a
de facto standard is VMWare's vCloud API, which I reviewed earlier. I will cover
more of these organizations and technologies subsequently.
Regardless of where the technology comes from however, it highly probable that
some vendor(s) will successfully leverage some type of open technology to gain an
Steve Francis, Sloan Fellow 2011
Page 57
advantage. They will make claims such as "if we don't do a good job you can switch
vendors" or "more developers will be available to you at lower prices because this is
standard technology" and they will be partially correct. These are not
transformational or disruptive messages however. They are merely value added
messages. For this reason, it is likely that leading vendors such as Google, Amazon
and Salesforce.com will acquire promising vendors that emerge with such
messages, or that they will co-opt the messaging of these vendors and alter their
approach to the market accordingly.
The lack of concern about these issues is partly due to the opportunistic approach that
customers have taken to cloud adoption thus far, and due to the fact that SAAS
adoption is far ahead of IAAS and PAAS adoption. Cloud vendors are on top of these
topics however, and it is likely that this will be the battleground for cloud vendors in the
future. Although customers are less concerned about making technology vendor
selections based on architecture than they have been in the past, this will become more
important as customers increasingly adopt PAAS and IAAS technology. PAAS and
IAAS solutions are largely IT driven. IT departments will have far more influence over
IAAS and PAAS vendor selections than they have over SAAS vendor selections. As
momentum in the "as-a-service" market tilts more toward IAAS and PAAS solutions,
integration and portability will become hot topics.
10. The Role of Standards
2011
Fellow 2011
Francis, Sloan Fellow
Steve Francis,
Page 58
Page 58
Segments of the technology market are often gripped with wild enthusiasm for some
technology standard. In middleware software, CORBA, java, j2ee, dcom, .com, .net,
xml, web services, struts, spring and various off shoots of these technologies, whether
de-facto or de-jure, have each held the interest of large swaths of the software
development community at different times. This is not to say that all of these
technologies were of similar value and promise, only that the fortunes and careers of
many software professionals and software vendors have been profoundly impacted by
these trends. To embrace such technologies ahead of the pack, at the right time, or to
be a pioneer or innovator of such technologies, can be an enormous advantage. To
ignore such technologies as they become battlegrounds for competitive vendors can be
a grave mistake. I make no assumptions about which of the following technologies (or
organizations attempting to create standards) may become widely adopted, only that
some will become widely adopted. Those that do gain traction may not be mentioned
here, but as the cloud market evolves, standards will surely play an increasingly
important role.
* Distributed Management Task Force, DMTF - DMTF boasts some of the biggest
names in the IT industry, including IBM, Oracle, Microsoft, SAP, VMWare, HP,
Cisco, EMC, CA, and many other leading vendors. DMTF is responsible for
promoting standardization across a variety of distributed computing markets. DMTF
is interesting in that their web site does not provide information (that I could find)
about a mission, a vision or clear objectives. The closest thing I could find was an
explanation of the "Value of Membership" in DMTF. Although there are some
Steve Francis, Sloan Fellow 2011
Page 59
potentially important innovations coming out of DMTF such as WS-MAN, WBEM,
OVF and others, I found it interesting that neither Amazon.com nor Salesforce.com
were DMTF members. As the de-facto leaders in the "as-a-service" market, the
absence of these important players is curious. Amazon.com and Salesforce.com
are unique in that their entry into the cloud computing market was not guided by any
previous investment or install base. Both companies were "web" companies since
their inception, and this differentiates them from the majority of the DMTF
membership. I will make no conclusions about the relevance of this observation
other than that is interesting, and potentially meaningful. As I reviewed press
releases and vendor commentary about support for DMTF standards such as OVF,
it was clear that vendors supporting these standards were using their support as a
differentiator against market leaders such as Amazon.com and Salesforce.com. (27)
Both Amazon.com and Salesforce.com have large enough leads in the various "asa-service" markets that they have the power to create their own de-facto standards
and do not necessarily need to wait to respond to movements in the market. They
are in the enviable position of being able to lead the market.
" Open Virtualization Format (OVF) - OVF provides a standardized way of packaging
and describing virtual environments. Adopted as an ANSI standard in August 2010,
OVF has the momentum and the credibility to become significant factor in the cloud
and virtualization market. Many vendors already provide support for OVF virtualized
resources. (27)
" VMWare vCloud API - VMWare's vCloud API is based on OVF and implements core
OVF requirements, in addition to other value added features that VMWare provides
Steve Francis, Sloan Fellow 2011
Page 60
such as management, administration and scalability capabilities.
" US National Institute of Standards and Technology (NIST) - NIST is responsible for
the adoption of US Government Driven Cloud Computing Standards. It is their
responsibility to interpret and recommend adoption of technology standards, such as
DMTF standards, to federal agencies.
" Eucalyptus - Eucalyptus is software platform that delivers IAAS services such as
virtualization, Amazon EC2 support, security and other services in a single software
platform (29). Eucalyptus is open source software and is supported on many
operating systems. A company called "Eucalyptus Systems" acts as the steward of
this platform and they offer both an open source version of the platform, as well as a
licensable "Enterprise" version of the software.
" Application Packaging Standard (APS) - APS appears to be a standard that is
competitive with OVF, and therefore VMWare's vCloud API as well. APS is desribed
on the www.apsstandard.org web site as follows: "application packaging format
designed to help implement Software-as-a-Service (SaaS) business model for all
industry cloud services providers and independent software vendors." One midsized vendor that supports APS is Parallels. Parallels is a virtualization vendor that
is competitive with Vmware. They also make tools for automation of and
provisioning for many functions that are common for CSPs and hosting companies.
(28)
Although this is a very high level overview of just a few of the standards that exist today,
and those that are emerging, it provides a good starting point to understand the forces
Steve Francis, Sloan Fellow 2011
Page 61
of standardization that will become important for both leadership and adoption of cloud
computing technologies. Cloud APIs provided by vendors such as Amazon.com,
Salesforce.com, VMWare or Google may become de-facto standards. Because these
APIs are so widely used it is likely that other vendors will support them inside of
development tools, administrative tools and monitoring tools.
11. CONCLUSIONS
Cloud computing is dramatically changing the technical landscape of IT. Trust
boundaries are expanding beyond the corporate network; data governance
responsibilities are often shared by 3 rd parties; delivering on service level agreements
may require coordination among several organizations; computing environments are
increasingly distributed and customers may not even know how far the physical
boundaries extend.
11.1 Consolidation vs. Sprawl
IT departments have spent tremendous effort on consolidation during the past decade.
Consolidating hardware, software licenses, data centers, vendors and contracts in order
to cut costs and to try to build closer partnerships with vendors has been a primary goal
of IT departments. Cloud computing creates some challenges here
* New Vendors: New vendors are leading this market, leading to new agreements,
Steve Francis, Sloan Fellow 2011
Page 62
vendors and technology. It is important for customers to define a strategy with
respect to cloud computing. Just as John Hancock (11) has defined vendors and
architecture objectives for their cloud strategy, other organizations will benefit from
such decisions by limiting the number of new vendors and agreements that they
must support. This will help to improve investment returns by increasing leverage
with vendors, reducing contractual complexity and maximizing investments in
workforce training.
* New Assets: Deployment of cloud assets and virtualized assets creates sprawl
problems that can be difficult to manage. Although problems such as server sprawl,
data sprawl and software sprawl may be lessened with the use of cloud
technologies, new problems may emerge. The sprawl of virtual environments, cloud
environments and cloud resources must be tracked and managed closely, just like
other assets. Without close monitoring and control of such resources, costs may be
difficult to control. This is because organizations will typically not retire or stop
paying for cloud resources if they do not know what they or used for, or by whom.
Security is also an important consideration in cloud asset management. Because
cloud resources diminish the need for IT involvement, and empower business units
to directly provision the resources that they need, there may be a lack of consistency
and control over cloud resources. Virtual machines can be stored on personal
drives, thus easily replicating entire environments that may be highly proprietary or
sensitive. Further, without integrated or federated security with cloud service
providers, password policies and other security policies can easily be ignored.
2011
Steve Francis,
Francis, Sloan
Sloan Fellow
Fellow 2011
Page 63
Page 63
It is likely that cloud asset management will become an important topic as cloud sprawl
begins to replace traditional IT asset sprawl.
11.2 Valuation
Valuations of the more successful cloud service providers are very high.
Salesforce.com and Rackspace trade at very high multiples of their earnings and
revenues for example. (10). This is incongruent with the promise of the cloud, which is
that it is a more affordable way to buy compute resources of all kinds. Waste is
eliminated and customer costs increase only when there is a simultaneous increase on
the demands of CSP infrastructure. This means that the variable costs (not to mention
the fixed costs related to massive data center infrastructure) of CSPs are far greater
than the variable costs of traditional software or infrastructure vendors. The reason that
traditional software firms trade at higher earnings multiples than other types of
businesses is that the variable costs of distributing software, once it has been created,
are very low. This is not the case with cloud computing. Some IAAS and SAAS firms
may still achieve earnings growth that warrant very high valuations, although due to the
lower degree of operating leverage that is characteristic of CSPs this growth will be
harder to achieve.. Hardware and software vendors have traditionally offered many
inducements to get customers to "over buy". This will be more difficult for CSPs though
because this is a primary reason that customers are moving to the cloud, and also
because CSPs must mind their margins on every transaction.
2011
Fellow 2011
Francis, Sloan Fellow
Steve Francis,
Steve
Page 64
Page 64
It is important to distinguish from IAAS and SAAS here however. Although variable
costs grow in much the same way for both IAAS and SAAS, IAAS is much more of a
commodity offering than SAAS. To remain competitive in a purely IAAS business,
vendors will require a true low cost advantage delivered via proprietary technology and
outstanding execution. The comparison to SAAS and IAAS is similar to the comparison
of traditional hardware and software vendors, respectively. SAAS vendors will have
more pricing power than IAAS vendors. Given these dynamics, the valuation of
companies like Rackspace (Table 1), seem extremely high.
1.bbb
933M
bb.b96
/80M
91.69
260
98.58
10.58
110
22.97
32B
16B
2.02B
208B
4.93B
154.35B
12.51%
5.88%
2.86%
40.45%
10.2%
34%
10.91%
5.97%
-27%
44.35%
11.76%
21.59%
Table 3
As the cloud market matures, CSP margins will not be as rich as traditional software
vendors and they will not trade at multiples that are as high as traditional software
vendors.
Fellow 2011
Sloan Fellow
Steve Francis, Sloan
2011
Page 65
Page 65
11.3 Partnering for Service Delivery
Based on research that I have conducted, I expect that in the future customers will be
able to order cloud services and resources from a variety of vendors through a single
CSP that acts as a broker for various other CSPs. This broker will manage highly
complex regulatory requirements, security policies, contracts, billing, administration,
performance requirements, availability requirements and overall services levels across
a variety of CSPs. Disparate resources will be provisioned in a consistent way and will
work together with greater ease than today as a result of the adoption of standards.
The composition of these CSP networks will be defined by support for various
computing standards. It is likely that vendors with strong competence in data center
management and operations will play the role of broker. Although much of what I
describe is occurring today there is still a lack of cooperation among vendors, a high
level of vendor inflexibility with regard to service level agreements and little agreement
among vendors on standards. Furthermore, tremendous improvement is needed with
regard to service provisioning of cloud based services and resources, particularly
across multiple vendors.
In a scenario such as the one described above, a CSP offering a variety of services will
play a critical role in ensuring consistency among service levels and operations. The
CSP will indemnify their customers from the risks of supporting multiple vendors and will
provide added value as an abstraction layer across many complex and sophisticated
services. The close operational relationships that exist between such a CSP, and other
Steve Francis, Sloan Fellow 2011
Page 66
upstream CSPs, and the volume of business that is conducted between these
organizations, will help to ensure improved service levels and competitive pricing. Risk
Management will play an increasingly important role in IT.
Major "as-a-service" vendors such as Amazon and Salesforce.com currently offer
almost no flexibility in their standard contracts or service levels (12). Given the number
of customers that they support, and their need to scale, this is understandable. Also,
the standard service levels and contractual terms that both vendors provide are quite
attractive. Still, customers want vendor-partners (11). They want vendors with "skin in
the game" that know their business and are committed to their success. Vendors such
as Salesforce and Amazon cannot do this effectively while supporting hundreds of
thousands of customers. They may be able to perform such services for their larger
customers, but these two vendors still have a limited scope in terms of what they
provide. This presents a valuable opportunity to those firms wishing to play the role of
"broker", that can add value in terms of management, administration, billing and other
services.
As technology and standards improve for integrating and managing services, an ever
increasing number of technologies will be offered as services. This has implications for
how services will be reused, built, consumed and rendered. It is an ongoing evolution of
what began as mostly an administrative concept for shared services. Services in the
cloud will be accessed through SOAP, REST or other APIs. There will be proxies and
translators for these APIs to support nearly any device or interface including iPhone,
Steve Francis, Sloan Fellow 2011
Page 67
iPad, blackberry, laptop, desktop, voice, events, rfid and many others. The cloud
obscures providers and consumers and extends tentacles out to resources, devices and
users of every kind, connecting them all.
11.4 Regulatory Landscape
It is likely that additional international standards will emerge with respect to data privacy
and security. There will continue to be many unique federal, state and local laws that
must also be complied with however. This will continue to create challenges for CSPs
wishing to expand internationally. It is likely that navigating international privacy and
regulatory requirements will increasingly be used as a differentiator for CSPs and other
technology vendors. As the rate of change in the cloud market continues to increase,
governments and regulatory bodies will be increasingly unable to keep up. This will
lead to innovation that is largely unproductive, and solely intended to exploit these
inconsistencies. Opportunities for regulatory arbitrage are growing rapidly in the CSP
market. Ultimately this will slow the pace of useful and productive innovation.
11.5 Speed of change
Cloud is here to last not only because it saves organizations money but it makes them
more responsive and agile. Business today is more competitive and changes faster
than ever before. This is true in both the public and private sector. A 2010 survey of
1541 CEOs and senior business and public sector executives was conducted by IBM
Steve Francis, Sloan Fellow 2011
Page 68
(30) and the results showed that "The vast majority of CEOs anticipate even greater
complexity in the future, and more than half doubt their ability to manage it."
Cloud enables customers to respond to change like never before by quickly adding or
removing compute resources and pulling together various services to quickly address a
business need. Technical resources are brought closer to the business users and the
role of IT is increasingly to act as program managers, vendor managers and stewards of
technology policy and standards. As this trend continues and cloud tools and standards
continue to evolve, the ability to easily create composite applications from multiple tiers
of architecture will improve. Development cycles will shorten and cloud technology may
come close to delivering what IT customers have imagined for many years, first with
shared services, then distributed objects, web services and now finally "anything-as-aservice". It is doubtful that cloud technology will soon enable us to graphically build
applications and drag and drop resources from different vendors and CSPs into a single
mash up, with graphical drag and drop integration across vendors from the same tool.
Such a vision might also include integrated ordering, billing, invoicing and service level
management across CSPs. Yes, it is doubtful that we will be there soon, but cloud
architectures get us much closer than we have ever been.
11.6 Platforms Will Prevail
As mentioned previously, it will not be long before pure IAAS vendors case to exist as
independent entities. The margins are thin and the competition fierce. As with other
technology wars, platforms will prevail. Vendors and solutions that are the most
Steve Francis, Sloan Fellow 2011
Page 69
complete, that have the deepest stacks, will win.
Amazon will either move into the platform-as-a-service market or be marginalized as an
"as-a-service" vendor. Their success in this market has been impressive, but they have
not extended their first mover advantage significantly beyond IAAS offerings and are
competing based on brand and on being the low cost provider. They do have good
partnerships, but partnerships are fickle, and their partnerships are not unusually sticky
ones in many cases. Amazon has a difficult position to defend.
Other "as-a-service" vendors will likely merge to create more complete platforms, or
larger vendors such as Google, Microsoft, HP and IBM may acquire them for scale, or
to complete their own platforms. Salesforce.com is extremely well positioned in both
the PAAS and IAAS market and has an excellent opportunity to extend their lead.
Given the success of AppExchange and Force.com, Salesforce has considerable
momentum the PAAS market. This success helps to drive their SAAS business
because the tools and skills that customers use are the same for both offerings. The
same is true in the opposite direction as well. There is a positive reinforcing dynamic at
work that should continue to propel their business. Oracle is building a unique story
around their appliance offerings. These appliances will enable Oracle's customers to
offer SAAS to their customers, whether public or private. VMWare has a commanding
lead in the critical virtualization business although the threats from XEN, embedded
hypervisors and very low cost hypervisors are significant. VMWare is innovating at an
impressive pace, and leadership with technologies such as vCloud may yet warrant the
Steve Francis, Sloan Fellow 2011
Page 70
high earnings multiples that VMWare trades at. Microsoft and Google will play an
important role in the do-it-yourself cloud shops that use either net or java technology,
respectively. The key for these two organizations is to capture the document
management and cloud email business of their customers. Once they have this it will
be considerably easier for them to grow their footprint by adding integrated SAAS or
PAAS offerings and building on the data and the objects that are already part of their
document and email services.
The cloud market is young enough, and is evolving quickly enough, where vendors that
are yet unknown may still rocket to the top of the market with innovative technology and
solutions. To stay at the top as an independent player however will require deep
capabilities and broad appeal that is based on support for existing languages and
technologies. Currently only Microsoft, Google and Salesforce.com are well positioned
to command dominant positions in the PAAS market. Microsoft and Google will
compete for the "build" business and are likely to do large volumes of business at
relatively low margins. Salesforce.com is better positioned in the "buy" market for
business applications and they should enjoy higher margins as a result, although they
will also be competitive in the market for small businesses organizations that are
comfortable with a "build" strategy.
Steve
Steve Francis,
Francis, Sloan
Sloan Fellow
Fellow 2011
2011
Page 71
Page 71
REFERENCES
(1) Fenn, Jackie (1995-01-01). "Word Spy: hype cycle". When to Leap on the Hype Cycle.
Gartner Group.
(2) Cloud Computing Explained, by John Rhoton, 2009
(3)The New Administration's Shared Services Opportunity, By John Marshall, July 2009
(4) Oracle web site, www.oracle.com, Feb 2011
(5) Mike Nelson, University of Georgetown Professor, speaking at "World Future Society" in
Boston
(6) IDC Forecasts, Feb 08 2011, U.S. Public IT Cloud Services Revenue to Grow 21.6%
(7) Cloud Computing Set to Soar, IDC Predicts, Enterprise Systems, 06/29/2010, Stephen
Swoyer
(8) IDC analyst blog, http://blogs.idc.com/ie/?p=224
(9) VMware and Cloud Computing, An Evolutionary Approach to an IT Revolution, VMWare
2010
(10) finance.yahoo.com
(11) Customer interviews included: Liberty Mutual, John Hancock Financial, MegaPath
Communication, Commonwealth of Massachusetts, State of Washington Department of
Information Services, Staples, Seattle City Lignt and Starbucks
(12) Vendor interviews included: Moster.com, Salesforce.com, Microsoft, VMWare, Parallels
and SAP
(13) Cloud Security and Privacy, 2009: Tim Mather, Subra Kumaraswamy, Shahed Latif
(14) The Delta Model, Arnoldo Hax, Springer; December 14, 2009
(15) Behind the Cloud, Marc Benioff, Oct 19 2009
(16) IDENTITY FEDERATION IN A HYBRID CLOUD COMPUTING ENVIRONMENT
SOLUTION GUIDE, Junpier Networks, 2009
(17) http://www.hp.com
(18) http://www.bmc.com
(19) http://www.mass.gov, department of Administration and Finance
(20) http://www.duffonhospitalitylaw.com, Greg Duff, 05/28/2010
(21) http://apps.leg.wa.gov
(22) http://www.govtrack.us/congress/bill.xpd?bill=sl 11-1490
(23) Pioneer Institute I Agenda for Leadership 2002 Pacheco Law
Steve Francis, Sloan Fellow 2011
Page 72
(24) Senate Funds Web Services, Cuts Cloud Computing, By Elizabeth Montalbano
InformationWeek , August 9, 2010
(25) Comcast vs FCC: In Battle For Net Neutrality, Did the Courts Hand Comcast a
Pyrrhic Victory? By Stacey Higginbotham Apr. 6, 2010
(26) http://blogs.forrester.com/stefanried/1 0-07-06informaticascloudservice flying_underradar especiallyeuropean_customers, Forrester
Analyst Stefan Ried, July 6 2010
(27) Virtualization, cloud standard on the fast track?, Wednesday, September 15, 2010, By
Denise Dubie, http://www.networkperformancedaily.com
(28) http://www.apsstandard.org/
(29) http://www.eucalyptus.com
(30) Capitalizing on Complexity, IBM CEO Survey 2010 - IBM Institute for Business Value
(31) http://blogs.barrons.com, Oracle: Exadata Exploding, Says Piper, Tiernan Ray, March 2011
(32) http://appengine.google.com
(33) http://www.microsoft.com
(34) http://www.salesforce.com/platform
Francis, Sloan
Steve Francis,
Sloan Fellow
Fellow 2011
2011
Page 73
Page 73