factors shaping the future of cloud computing
TRANSCRIPT
-
7/29/2019 Factors Shaping the Future of Cloud Computing
1/92
Factors Shaping the Future of Cloud Computing
By
Steven Francis
BA, University of Washington, 1995
SUBMITTED TO THE MIT SLOAN SCHOOL OF MANAGEMENT IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE
DEGREE OF
MASTER OF BUSINESS ADMINISTRATION AT THE
MASSACHUSETTS INSTITUTE OF TECHNOLOGY
JUNE 2011
© 2011 Steven Francis. All Rights Reserved.
Signature of Author:____________________________________________________________________
MIT Sloan School of Management
May 6, 2011
Certified By:__________________________________________________________________________
Professor Michael Cusumano
Sloan Management Review Distinguished Professor of Management
Thesis Supervisor
Accepted By:__________________________________________________________________________
Stephen Sacca
Sloan Fellows Program in Innovation and Global Leadership
Program Director
Steve Francis, Sloan Fellow 2011 Page 1
Factors Shaping the Future of Cloud Computing
By
Steve Francis
Submitted to the MIT Sloan School of Management on May 6, 2011 in partial fulfillment of the requirements for
the degree of Master of Business Administration
ABSTRACT
Many different forces are currently shaping the future of the Cloud Computing Market. End user demand and end user investment in existing technology are important drivers. Vendor innovation and competitive strategy are also important determinants of what cloud solutions will look like in the future. Regulatory requirements, although they are not intended to, also play an important role. Finally, the constant pressure on Information Technology departments to provide everything as a business service has perhaps the most profound influence. When investigated and viewed together, these factors provide powerful insight into how the Cloud Computing market is likely to evolve.
Thesis Supervisor: Professor Michael Cusumano
Title: Sloan Management Review Distinguished Professor of Management
Table of Contents
1. Objective
2. Introduction
3. Background and Definitions
4. Cloud Enabling Technologies
4.1. Provisioning
4.2. Virtualization
4.3. Software Appliances
5. The Market Today
6. History of Cloud and Shared Services
7. Cloud Market Forces
7.1. Infrastructure As A Service
7.2. Platform As A Service
7.3. Software As A Service
8. Customer Specific Forces
8.1. Virtualization
8.2. Cloud Management and Provisioning
8.3. Privacy and Security
8.3.1. Identity Federation
8.3.2. Security Responsibility
8.4. Regulatory Requirements
8.4.1. Labor Laws and Labor Influence
8.4.2. Net Neutrality
8.4.3. State Data Privacy Laws and Regulations
8.4.4. Federal Data Privacy Laws and Regulations
9. What Customers Did Not Say
10. The Role of Standards
11. Conclusions
11.1. Consolidation vs. Sprawl
11.2. Valuation
11.3. Partnering for Service Delivery
11.4. Regulatory Landscape
11.5. Speed of Change
11.6. Platforms Will Prevail
1. Objective
The objective of this thesis is to examine forces that have influenced and continue to
influence the cloud computing market in order to gain predictive power over how this
market might evolve. These forces can be categorized as follows.
1. The History of the Market
2. Current Market Composition and Landscape
3. Vendor Innovation and Strategy
4. Customer Preferences and Concerns
By understanding these forces we can hopefully better understand where the market
will go, including what cloud based solutions will look like in the future and the value that
customers will receive from them. Although government forces are not addressed
separately here, I will address them as part of the customer discussions, and throughout
the document.
We will begin with some definitions in order to put the paper in context, review some
market history and the evolution of cloud technology, and will then move on to a snapshot
of the industry today. This will include a review of some vendor solutions and
technologies. Next we will take a close look at customer requirements and preferences,
based on extensive customer interviewing. Finally, I will address how standards might
shape the market and will investigate a couple of specific technologies, and will then
move on to conclusions.
2. Introduction
The amount of written material dedicated to the definition of cloud computing will be
limited, since much has been written on this already. A common definition has emerged
for cloud computing and can be summarized as follows: Internet based services for
software applications, software platforms or hardware that are usually paid for by
subscription. These services are elastic, pay per use, multi-tenant, and managed by a
3rd party so that customers need not worry about hardware specifications, administration
or software licenses.
This description, and cloud computing in general, has a lot of jargon, so I will explain a
few important concepts to help clarify. Because the preceding definition may be
somewhat confusing to those outside of the IT field it is worth pointing out some of the
practical advantages for organizations that use cloud based technology. They do not
need to purchase or wait for physical hardware to arrive. No software installations are
required. No system configuration or performance tuning is required. Capacity
planning becomes fairly unimportant. Expenditures for hardware upgrades/refreshes
are eliminated. Costs rise directly in line with usage, eliminating large unplanned
purchases for more capacity. Under capacity and over capacity problems are
eliminated. It is for these reasons that there has been so much enthusiasm about cloud
computing. You may have noticed that most of these benefits sound exactly like
benefits from purchasing software over the web. This is true, although cloud
encompasses far more than just web based software.
3. Background and Definitions
Software As A Service (SAAS) is software delivered over the internet, typically via a
web browser, that provides end user business functionality such as HRMS (Human
Resource Management System), ERP (Enterprise Resource Planning) or SFA (Sales
Force Automation). NetSuite, Workday and Salesforce.com are examples of SAAS
vendors. SAAS solutions are typically paid for on a subscription basis. Technology
Research firm IDC reports that SAAS, or cloud based applications, accounted for more
than half of public cloud revenues in 2009. Over the next four years, all segments of the
as-a-service market are forecast to exhibit strong growth, although applications are
forecast to drop to one-third of as-a-service revenue, while expenditures on PAAS and
IAAS are forecast to increase (6).
Platform As a Service (PAAS) is software delivered over the internet, which other
software applications can be built on. Such platforms may provide easy to use
frameworks for rapid application development, as well as reusable objects and services
to speed the creation and delivery of new software applications. Examples of reusable
services are email capabilities, calendar capabilities and contact lists. Such
applications, once created, will be hosted with the service provider. Examples of PAAS
solutions are Microsoft Azure, Salesforce.com's force.com platform, Google AppEngine,
Bungee Connect, IBM LotusLive and Amazon Web Services.
Infrastructure As a Service (IAAS) typically refers to hardware that is hosted and
accessible via the internet. This includes storage, memory, network capabilities and
processing power. Rackspace, Amazon EC2, Zumodrive, Drop Box, HP and IBM
Computing on Demand are examples of IAAS solutions.
Even though SAAS has accounted for more than 50% of public cloud expenditures so
far, it seems likely, and congruous with IDC's forecasts, that future investments will
become more balanced across different as-a-service offerings. One reason for this is
that a continuum of complexity exists from SAAS, to IAAS to PAAS (figure 1). SAAS
solutions are the least complex, and involve the least amount of vendor lock in and
overall investment along this continuum. PAAS solutions are the most complex, and
represent the highest level of vendor lock-in. For these reasons, it is not surprising that
adoption of as-a-service technologies looks like a pyramid, with SAAS at the bottom,
representing the broadest adoption, and PAAS at the top, representing the smallest
adoption. This is consistent with the adoption pattern of most technologies, where the
least risky solutions are adopted first and then later, after the lower risk technologies are
proven, adoption advances to more sophisticated solutions. This is also consistent
with how vendors have innovated. The leading SAAS vendor, Salesforce.com, was
founded in 1999. Next, Amazon.com, the leading vendor in the IAAS market, launched
their services starting in 2006. Finally, Microsoft and Google launched their respective
PAAS offerings, Azure and App Engine, in 2008.
Figure 1
Pay Per Use: Perhaps the most important characteristic of cloud computing is that
resources can be purchased on a per use basis. Customers no longer have to buy
quantities of hardware, software and other computing resources to match times of peak
use. Customers using cloud technology no longer need large data centers full of
expensive hardware and software that have an average utilization of 10 to 15 percent.
Cloud vendors will run the hardware and/or software and utilization becomes their
problem. Vendors can achieve higher levels of utilization by mixing workloads and
using virtualization technology, which is transparent to customers. Customers can scale
their use up or down on an as-needed basis and they only need to pay for what they
use. The following graphic (figure 2) illustrates the savings (shaded) that might be
achieved from adopting cloud technologies that are pay per use vs. running all
computing resources in a dedicated corporate data center.
Figure 2
Elastic: Elastic computing resources expand when needed. This concept is closely
related to pay-per-use, although elasticity is more of a technical concept. Elasticity is a
system's ability to automatically provision more resources when needed, whether it is
storage, memory or other resources. Traditional IT assets that are hosted on-premise
are not elastic. For example, an IT shop might have a software license that allows them
to run a database program on a two CPU machine. This would also require a two CPU
machine to run this software on. If this system ran out of capacity it might require
repurposing or throwing away the old machine, buying a new bigger machine and
additional software licenses for the new bigger machine. With software purchased as a
service, if the user load increases, the vendor provisions more resources as needed
and the customer does not even need to know about it. They are just billed for the
additional use. Elasticity, or provisioning additional capacity in an automated and
efficient manner, is one of the qualities of cloud computing that makes it so compelling.
Multi Tenant: Multi tenant resources are resources that are shared by more than one
party. For example, a software application that supports users from multiple
companies, within the same database schema, where data is kept separate through
primary-foreign key relationships, would be considered multi tenant. Or, a machine that
has multiple virtual machines running on it, each with its own operating system,
database and platform software stack, would be considered multi-tenant. Multi tenancy
can be achieved in a variety of ways and multi tenant resources may be found at any
layer of the IT stack. Multi Tenancy is typically of much greater benefit to the vendor or
service provider than it is to the customer. Multi tenancy allows vendors or cloud
service providers to achieve high levels of efficiency and utilization. Theoretically,
customers should not care whether a cloud application is multi tenant or not, as long as
their service levels are met. However, due to legislative, privacy and security issues,
they often do care, and I will explore this more later.
On Premise: Infrastructure or software that runs in a data center or facility owned by
the entity using it is considered on premise. This is the traditional computing model.
Off Premise (hosted): Infrastructure or software that runs in a data center or facility that
is not owned by the entity using it is considered hosted or off premise. Cloud
resources are hosted, or off-premise.
Public Cloud: A public cloud is any cloud as-a-service solution that is hosted by a
vendor that supports multiple customers. IDC predicts that by 2014, public cloud-related
projects will account for one-quarter of net new IT product spending growth (7).
Private Cloud: A private cloud is any cloud infrastructure or software that is hosted in a
corporate (or government) data center that supports internal customers. Such
customers are typically different departments or groups of employees within the same
organization.
Hybrid Cloud: A hybrid cloud is a combination of private and public clouds.
Increasingly, it is likely that more cloud environments will be defined as hybrid. Hybrid
clouds are characterized by services that may be delivered to the end customers either
by an internal IT group, or by 3rd party cloud service providers, depending on which
makes the most sense in terms of cost, control, privacy/security and other factors. The
end user likely has no idea where the services he is using originate from.
4. Cloud Enabling Technologies
4.1. Provisioning
Workflows and processes that define how services are deployed to new or existing
customers are commonly called provisioning processes. Provisioning processes exist
for adding a new customer, adding a new service for an existing customer or removing
a service from an existing customer (de-provisioning). Provisioning processes must
include both technical and business functions. New customers must be set up for billing
and invoicing, and they must also be provided with the services that they ordered, which
includes system resources, security credentials and instructions. Cloud customers are
also typically given the ability to perform some level of customization to the services
they receive. Examples of such customization are as follows:
• Adding configuration information to integrate with a corporate directory such as Active Directory, or another LDAP directory
• Performance and service level options
• Backup and recovery options
• Encryption options
• Changing fonts, colors, logos or other branding information
These are just a few examples of customizations that might be part of a provisioning
process. Deploying services to new customers quickly and easily is part of what makes
cloud computing so attractive. Generally, provisioning of cloud services tends to be
more automated than with traditional services. This is because multiple customers may
be supported, which makes repeatability, and investments in automation for customer
on-boarding, very important.
4.2. Virtualization
Virtualization, or server virtualization, makes one machine look like many machines. It
enables the simultaneous operation of multiple operating system environments on a
single machine. Each environment appears to be a unique physical machine.
Virtualization is an extremely important concept in cloud computing. It is a key enabler
of cloud infrastructures. During my cloud customer interviews, when I asked customers
which vendor was most important to their cloud strategy, each customer cited their
virtualization vendor, without exception. Although virtualization is not a cloud
technology per se, it is one of the main enablers of cloud computing.
Server virtualization is enabled by the use of Virtual Machines. Virtual Machines have a
management layer called a hypervisor that enables the core virtualization functions.
There are two types of hypervisors, Type 1 and Type 2. Type 1 hypervisors run on bare
metal and enable the provisioning of virtual machines at the hardware layer. Type 2
hypervisors run on a host operating system (2, Rhoton, pg 39).
Thanks to virtualization, when a SAAS vendor wants to provide service to a new
customer, it can be as easy as making a new copy of a virtual environment for this
customer, and providing web based administration tools to the customer so that he can
make customizations to the environment on his own. No lengthy installation or set up
processes are required. Although it has less to do with virtualization, and more to do
with service provisioning, the procurement process should enable the selection of
options and basic customizations at the time of purchase. These choices should be
reflected in the customer's billing and in the virtual environment that is provisioned to
him.
There are many types of virtualization, and most are useful to cloud service providers
(CSPs), be they public or private cloud service providers. In addition to virtualization of
servers, network resources, storage and desktops, it is also possible to virtualize
clusters of machines. This enables multiple servers to look and act like a single server.
For example, Oracle provides technology to virtualize their database software and
middleware software in this way. They can make 4, 6 or 20 database servers or
application servers look and act like one big database server or application server. This
enables customers or CSPs to use many pieces of inexpensive hardware to run many
large workloads simultaneously, and it also provides a high degree of fault tolerance
and availability (4). This affords CSPs a great deal of flexibility. CSPs can either
dissect a single machine into multiple smaller virtual machines, or they can put multiple
machines together to look like one very large machine, which can then run multiple
simultaneous workloads. With respect to running an automated "as a service" data
center that supports many different customers, such flexibility is very powerful and
creates compelling economies of scale. Without powerful tools to support
administration, monitoring and provisioning however, such sophisticated technology can
be very difficult to manage.
4.3. Software Appliances
Some special focus should be given to software appliances, as an important and
emergent cloud enabling technology. Software appliances for data warehousing have
been around for years. Netezza (now part of IBM) and Teradata have done well in this
market for quite some time. A software appliance is just what it sounds like. You plug it
in and it works, like a refrigerator, or that's the idea anyway. There is no installation and
very little configuration, performance tuning or administration. There are also hardware
appliances and other types of appliances. Many newer appliances take advantage of
virtualization software to quickly stand up new environments with a high degree of
isolation, which is important for CSPs and their customers.
Oracle's Exadata is especially worth notice because in effect, this is Oracle's cloud
strategy. Growth of Oracle's appliance solutions has been explosive (31) and could
approach $2 billion in the next two years. Oracle already provides database and
middleware software via appliances. In the future this approach will likely extend to
applications, and possibly Oracle's entire software stack. This is truly a new way to
deliver value to customers. Oracle appliances have best of breed hardware and
software, designed to work together, pre-configured and optimized based on best
practices. This significantly cuts down on the number of vendors required, the number
of moving parts and the total deployment effort. Virtualization technology makes such
solutions easy to provision to new customers, whether over public or private clouds.
5. The Market Today
Most likely, cloud computing is slightly past its apex of the Gartner Hype Cycle (1).
Gartner calls this apex "The Peak of Inflated Expectations." The Gartner Hype Cycle
(Figure 3) shows the trajectory of market enthusiasm for technology. It is characterized
by a steep rise to a peak, and then a sharp decline as over exuberance gives way to
failures and disappointments. Next, as users begin to adopt the technology in more
sensible ways, enthusiasm increases again, but at a more gradual pace than before.
Even though growth rates may be slowing with as-a-service solutions, they are merely
slowing from light speed to super-sonic speed. In 2008, IDC forecast that spending
on cloud computing services would reach US$42 billion worldwide by 2012.
This was approaching a three-fold increase from 2008 levels of $16.5 billion (8).
More recently in 2011, IDC forecast that from 2009 to 2014, U.S. public IT cloud
services revenue would grow 21.6%, from $11.1 billion to $29.5 billion (6). Although
these forecasts are not directly comparable, they seem to indicate diminished (although
still very high) growth expectations.
Figure 3
The amount of hype around cloud computing harkens to the heady days of 1999 when
fundamental corporate valuation ceased to matter, and people imagined that cost
structures and profit margins would structurally improve for any company that
intelligently used the internet. It has even been said that the cloud is more important
than the web (5). Such enthusiasm is admirable but is comparable to saying that the
invention of taxi cabs was more important than the invention of the internal combustion
engine and the entire automobile industry. Fortunately, this time around it has mostly
been technology journalists that have gotten carried away with heightened expectations
for the cloud computing market. Many of the executives at cloud vendor and cloud
consumer organizations are the ones that survived, and learned painful lessons, from
the dot com era. Many of these executives have avoided most of the over building and
over investing that characterized the technology industry in the late 1990s.
6. History of Cloud and Shared Services
There have also been many histories written about the evolution of cloud computing that
trace cloud ancestry from timesharing on mainframes, to the PC revolution, to internet
hosting companies, to application service providers (ASPs) and ultimately to the cloud.
This history is largely accurate, but incomplete.
What is missing from this picture is the evolving role of IT organizations as service
providers, or as vendors to internal customers. 20 years ago IT organizations were
largely viewed as necessary evils, cost centers, the equivalent of yesterday's typists
and bookkeepers. As the importance of Information Technology increased, and it
became apparent that IT strategy could lead to business differentiation in terms of
speed, efficiency, responsiveness, customer service and agility, interest from other
executives grew. As executives better understood the potential, they wanted and
expected more. They wanted more control, and they wanted to be treated more like
customers. After all, their division kept the lights on and kept the money flowing. Sure,
technology was important, but it was there to support and enhance the core business.
This ultimately led to a trend called Shared Services. Shared Services allowed service
providers within an organization to provide the services that are expected of them as
elective services, similar to how vendors provide services. Since the vendor was an
insider however, there should be advantages and economies of scale to keep costs low.
Shared services are a way to achieve greater accountability and business alignment
from IT. Shared services can be established not just for IT, but for other internal service
delivery organizations as well, such as HR for example. Shared services are a way to
define expectations, service levels, communication, costing and accountability. Today
over 80% of the Global 2000 largest companies receive back office support from either
an internal or an external third party Shared Services Organization (3).
Around the same time that Shared Services were becoming mainstream in IT
departments (1999-2000), web services also began to gain traction. Web services are
a set of technology standards that enable the creation of software in a way that is
reusable, and in a format that is agreed upon by everyone. The technology was in
perfect alignment with the concept of shared services. The confluence of these two
trends led to another manifestation of the Gartner hype cycle, which led to many
impetuous and unsuccessful web services and shared services initiatives.
Many of these failures occurred not because the ideas and the technology were bad,
but because IT governance was lacking. In many early failures, services were often
created at a level of granularity that was not practical and too much control was given to
the service providers instead of the service consumers. Still, the focus on services
makes sense, and is completely aligned with the advantages of cloud computing.
Today, Shared Service Organizations typically provide savings on the services that they
deliver of between 15-30% (3).
Web services, shared services, and the three pillars of cloud computing (Software-as-a-
Service, Infrastructure-as-a-Service and Platform-as-a-Service) all share similar
heritage. They exist because customers, whether internal or external, want to be
empowered to chart their own course with respect to the services that they need.
Customers want choice, ownership and speed. Service delivery mechanisms such as
SAAS, IAAS, PAAS, shared services and web services all help to enable this. Hybrid
clouds, web mash-ups and service delivery models that combine services from internal
and multiple external sources will be increasingly common as a result.
7. Cloud Market Forces
All markets are conceived by interactions between vendors and customers, buyers and
sellers. Vendors respond to a customer need, demand or problem with some kind of
solution. Sometimes vendors may see a customer need in advance however, and
create a solution in anticipation of a market movement. Other times, customers
practically have to bang on their vendors' table and shout their needs to them.
Customers often want their vendors to provide solutions that are portable, standardized
and that work nicely with what they already own. On the other hand, vendors often
want to create solutions that are sticky, and will create some level of lock-in. These
dynamics change over time. Early innovation in a market often comes from visionary
and creative people. Years later, after significant customer adoption and the
emergence of competitors, innovation in this same market might be led by specific
customer demands. For these reasons, the sources of innovation may be an indication
of what stage of maturity a market is in. This tug-of-war between vendors and
customers will largely determine the trajectory of innovation. Incongruous incentives
between vendors and customers may be called an agency problem, or principal-agent
problem, or a moral hazard problem. Whatever it is called, these forces are currently
unfolding in dramatic fashion in the cloud computing market.
Professor Arnoldo Hax's Delta Model (14) is well suited to help describe this tug-of-war
phenomenon, both in terms of where the cloud market is today, as well as where it is
likely to go in the future. Professor Hax's model (figure 4) is a powerful model that is
intended to be used by companies (or their consultants) to develop or refine a go-to-
market strategy. The Delta Model is highly customer focused, and emphasizes
customer bonding as the pinnacle (literally) of effective strategy. The great power of the
model is its primary emphasis on the customer, and how to deliver value to the
customer. There are 3 primary positions on the Delta Model.
1. Best Product: This position, on the lower right of the Delta Model, is characterized
by the features and functions of the product offered. Demand for a product is highly
price elastic at this position of the Delta Model. Products in this position are highly
commoditized.
2. Total Customer Solutions: This position, on the lower left of the Delta Model, is
characterized by greater solution breadth and/or greater solution differentiation.
Solutions at this position of the Delta Model do not require the same amount of price
competition as products in the Best Product category would require. Total
Customer Solutions will be more closely aligned with customers' business needs,
but typically lack the trust and close collaborative relationships that are characteristic
of System Lock-In offerings.
3. System Lock-In: This position, at the top of the Delta Model, is characterized by tight
customer bonding. Such bonding is often the result of collaborative relationships,
high levels of trust, partnering and a vendor's ability to bring a complete and
differentiated solution to the customer that specifically addresses their unique
requirements. This may include a great breadth of products and intimate
understanding of the customer's business or it may be an ecosystem of
complementary partner solutions, specifically designed to address the customer's
unique challenges.
Although the pinnacle of the pyramid is called System Lock-In, I do not find this to
be a very fitting label because System Lock-In is something that customers typically
try to avoid. With respect to the Delta Model, System Lock-In is typically a positive
thing for both the vendor and customer. There may be collaborative business
processes at this position of the Delta Model, where demand forecasts are shared or
vendors can issue purchase orders on behalf of customers. Or, there may be
proprietary technology that is broadly adopted by a customer that makes a vendor's
solution extremely difficult to replace, although the technology is highly valued by the
customer. The Delta Model implies that the value that the customer receives from
using a System Lock-In solution is greater than the cost of using it. I believe that
this should be viewed positively for both vendor and customer.
Figure 4
With respect to the Delta Model, Cloud Computing needs to be viewed in terms of IAAS,
PAAS and SAAS. Let's take a look at where each as-a-service offering (as a category
of products or market segment, not by vendor) sits along the Delta Model, and how it
might evolve in the future.
7.1 IAAS and the Delta Model
IAAS solutions typically compete on technical specifications and price. This is a highly
technical market, where technically oriented features and benefits determine vendor
selection, along with price. Amazon is the clear leader in the IAAS market, although
they have significant competition at the low end of the market, and increasing
competition at the high end. Amazon's lead is significant, and is a result of several
factors:
- First mover advantage
- A strong existing brand
- A true low cost advantage based on unique technology
- Breadth of offering (compute, storage, load balancing, HA, VMWare VM import)
- Strategic partnerships
Traditional vendors such as IBM and HP have entered this market, as well as many
newer players such as Rackspace and Mezeo. IAAS is primarily a best product
solution that occupies the lower right hand area of the Delta Model. This is the least
enviable position on the Delta Model. It is the least defensible position with the lowest
margins. Amazon should be able to defend their leadership position if they continue
with their rapid pace of innovation, as this will enable them to maintain their cost
advantage.
Even though customers must currently use proprietary Application Programming
Interfaces (APIs) to access IAAS offerings, the cost of switching an application from one
IAAS provider to another is typically not that great. Furthermore, until now most
applications running on IAAS are typically either short lived applications or applications
that are not highly mission critical (11). In the future it is likely that standard APIs will
emerge for IAAS offerings, which will reduce switching costs even more.
It is very unlikely that many IAAS only vendors will still exist in five years. IAAS vendors
are moving into PAAS and PAAS vendors are moving into IAAS. Further, with the
entrance of HP, IBM and other behemoth technology vendors in this market,
consolidation will occur rapidly. These vendors can use IAAS offerings as loss leaders
for higher margin products and services. IAAS will likely cease to exist as a meaningful
standalone market and will merely be a product category offered by a number of larger
technology vendors. Unless a highly innovative vendor with massively differentiated
technology that is patent protected emerges, this trend, which is already well underway,
will continue.
7.2 PAAS on the Delta Model
PAAS offerings compete mostly by targeting the developers that use the platform to
build software applications. These developers are segmented based on the skills they
possess and the languages that they know. Java developers who like to use open
source technology might gravitate to Google AppEngine. .net developers would likely
gravitate to Microsoft Azure. Java developers who are well versed in using frameworks
provided by IBM would likely gravitate to IBM's solution. This indeed creates a high
degree of stickiness, or lock-in. However, in the context of the Delta Model, this lock-in
does not place PAAS offerings at the apex of the Delta Model. The reason for this is
that there is not a high degree of personal interaction or business collaboration that
occurs between the PAAS provider and the PAAS customer. For this reason,
successful PAAS offerings today can be categorized as Total Customer Solutions.
Although the current PAAS market leaders are very large technology companies
such as Salesforce.com, Microsoft and Google, these were not the first entrants into this
market. Google entered the market in 2010. Bunjee launched a powerful and user
friendly PAAS offering more than two years earlier, in 2008. Even with this large of a
head start, larger competitors have completely eclipsed Bunjee in the PAAS market.
Some of the reasons for this were the proprietary nature of Bunjee's offering (not just
straight java or .net); lack of an existing sales channel; and a general trend toward
consolidation in the technology industry.
What will PAAS vendors need to do to compete in the future? Is it possible for them to
move to the System Lock-In position on the Delta Model? There are several things
that might help PAAS vendors become more valuable to their customers and move to
the top of the Delta Model. Here are a few. Some vendors are already beginning to do
some of these things.
- Leverage common languages and skills, such as java, .net, Python, Ruby and Perl.
- Adopt standards for cloud computing as they emerge, and show leadership in
  helping to drive standards. However, PAAS vendors should not be constrained by
  any standards and should extend and enhance standards when needed. This is an
  old game played by many successful technology companies. Honestly claim
  conformance to an open standard while extending the standard to such an extent
  that it is, in effect, proprietary.
- Offer training and certification for PAAS offerings.
- Create community interest groups both locally and online using social media.
- Build an ecosystem of partners (implementers and software providers) around the
  PAAS offering.
- Offer expert services to help build, test and certify applications built on the PAAS
  offering.
- Connectivity options to other software products, whether on-premise or as-a-service.
- Monitoring, administration and configuration capabilities that are complementary to
  existing tools.
There is a lot at stake with PAAS. In the client-server and internet era, software
development platforms had tremendous influence over how and where IT dollars were
spent. In the cloud era, the same is likely to be true for PAAS. Following is a
comparison of the leading PAAS solutions:
Platform As A Service Comparison
** Amazon is about to enter the PAAS market with Beanstalk, now in Beta

| Features | Microsoft Azure | Google App Engine | Salesforce Force.com |
|---|---|---|---|
| Languages | .net framework languages, Ruby, Java, C++, PHP, Web Services Support | Java, Python, Web Services Support, Ruby | Java, Ruby, PHP, .net, Web Services Support |
| Monitoring Tools (Low to High) | Med-High | Med-Low | Med-High |
| Lifecycle Management Tools (Low to High) | Med | Med-Low | Med-High |
| Web Sites | Yes | Yes | Yes |
| Web Apps | Yes | Yes | Yes |
| Structured and Blob Storage | Yes | Yes | Yes |
| ISV Support for Distribution | No | No | Yes |
| ISV Support for Trials | Limited | No | Yes |
| Pricing, Tier 1 | 25 hours small compute instance | 500 MB and up to 5 million page views free | Free to 100 users, 1 GB |
| Pricing, Tier 2 | 750 hours of small compute instance, 10 GB storage, $59.95 per month | $8 per user per month. Max of $1000 per month per app | $50 per user per month, 100+ db objects, more storage, CRM integration |
| Pricing, Tier 3 | Add 10 GB SQL Server database to Tier 1 for $109.95 per month | $8 per user per month. Max of $1000 per month per app | $75 per user per month, 24x7 support, up to 2000 db objects, more storage |
| Visual BPM | No | No | Yes |
| Integration to 3rd Party Apps | Yes, but mostly MS based solutions | No | Yes, but not Oracle, SAP or many traditional vendors. |
| Social Media Support | MS Live Only | No | Chatter and Facebook |
| Lock-In with Using Add Ins (Low to High) | Med | Low-Med: Some with HA and browser notification capabilities | High |
| Exchange Platform for Marketing Apps | Yes, App Market and Data Market | Yes, Google Apps Marketplace | Yes, Force.com App Exchange |
| Service Level | If 99.95% availability not met then 10% service credit. If 99% availability not met then 25% service credit. | 99.9% uptime | Unclear |

Summary, Microsoft Azure: Microsoft's platform falls somewhere between the Google
platform and the Force.com platform. It is more feature rich than Google's solution and
less so than Force.com. However, it does have rich language support and a lower level
of lock-in risk than Force.com. Microsoft's SAAS offering, Office 365, is not easily
extensible or customizable. In order for Microsoft to find better synergy between their
PAAS and SAAS offerings, they will likely need to improve in this area. As a side note,
Office 365 augments, rather than replaces, Microsoft Office.

Summary, Google App Engine: High performance and uncompromising standards
based platform. Very few capabilities beyond basic cloud hosting for standards based
applications, however. Google Apps, their SAAS offering, offers a higher degree of
customization than does Microsoft Office 365, although the level of integration between
products is not as good. Google Apps does offer complete web services interfaces,
which increase the synergy that exists between their SAAS and PAAS offerings.

Summary, Salesforce Force.com: Incredibly feature rich and innovative. Easy to build
sophisticated applications with graphical frameworks. Significant toolkits and
integration to 3rd party products and services. Fairly high level of lock-in when using
advanced capabilities and frameworks. Nearly seamless integration across SAAS and
PAAS offerings.
Table 1
7.3 SAAS on the Delta Model
Only one SAAS vendor, Salesforce.com, is currently positioned at the System Lock-In
location on the Delta Model. Other vendors are located at the two other vertices, or
somewhere between them. The reason for this is that no other vendor has succeeded
like Salesforce.com has in terms of both their PAAS offering and their SAAS offering.
The synergies of these two offerings, combined with the customer focus that is deeply
ingrained in Salesforce.com's culture, make their offerings very sticky indeed. This is a
stickiness that is characterized more by customer satisfaction than it is by dependence
or technical lock-in. Salesforce.com has a truly unique focus on delivering exceptional
value and success to their customers. This is a cultural obsession, which is clear from
reading Behind the Cloud, a book by Salesforce.com's founder Marc Benioff (15).
This was also clear when interviewing Kraig Swensrud, a Sr. Executive at
Salesforce.com (11).
What is perhaps the most important lesson from Salesforce.com however is that their
success, which for the moment appears to be sustainable, depends not on one single
thing, but on a large number of things. Customers that extend Salesforce.com's
application (SAAS offering) will become familiar with their PAAS offering. This is a win
for both Salesforce.com and their customers. Salesforce's obsession with customers,
aggressive and edgy marketing, adoption of open standards, creative partnerships
(such as their VMWare partnership) and a multitude of other factors have made
Salesforce.com one of the fastest growing technology companies in history.
Although Google and Microsoft both offer PAAS and SAAS solutions, their strategies
are not as coherent and their products are not as integrated as Salesforce's.
8. Customer Specific Forces
During my interviews with customers I noticed more similarities than differences among
customers with respect to how they are currently using, and how they plan to use, cloud
computing. Customers have largely adopted cloud technologies in similar patterns, and
have similar views on what is missing. Following are the most prominent themes that I
observed.
- Virtualization was unanimously cited as the centerpiece of customer cloud strategies,
  and VMWare was cited, almost unanimously, as the most strategic cloud vendor
  among customers that I interviewed.
- Customers with more mature cloud and virtualization infrastructures often indicated
  that the availability of suitable management and provisioning tools was lacking.
- Privacy and security concerns were shared by all customers interviewed. This
  includes regulatory requirements as well as general concerns over the
  confidentiality, privacy and protection of critical information. Many customers cited
  specific statutes and regulations and others were far less specific when asked for
  detail.
- Customer adoption of cloud solutions has been opportunistic, not strategic. Few
  customers have clearly defined cloud strategies or roadmaps but instead have
  (wisely) chosen to move applications and infrastructure into the cloud on an ad hoc
  basis driven by savings and ROI.
- Customers view the cloud as central to their shared services initiatives to a greater
  extent than vendors or technology journalists do. A comment from John Hancock's
  CIO, Allen Hackney, provides a good example of this. "The ability to separate
  physical layers of infrastructure from provisioning of resources in order to produce a
  business application is central to our strategy." I found this to be a remarkably
  astute statement.
The primacy of these themes in customer discussions warrants a closer look at each
one.
8.1 VIRTUALIZATION
Each customer that I interviewed cited their virtualization vendor as their most strategic
cloud vendor. It is worth taking a look at some of the key innovations in this market to
get a sense for how it is evolving, and what it may look like in the future.
In addition to core virtualization services, and a hypervisor that is best-of-breed,
VMWare seems to have a compelling vision for the future of cloud computing.
Customer and market buy-in are extremely high, as evidenced by rapid earnings
growth, and a very rich corporate valuation. As of 2/11/2011 VMWare had a $37 billion
market capitalization, a price/earnings ratio of 106, a price/sales ratio of 13.1, 37% year-
over-year quarterly revenue growth, and a 91.36% share price increase over the
previous 52 weeks (10). I will reserve comment on whether the growth expectations
that are implicit in this valuation are warranted, but it is clear from these numbers that
market interest and optimism about VMWare are very high.
Part of VMWare's great success is a clear and obvious Return on Investment (ROI) for
their customers. When customers virtualize their data centers on VMWare, they can
often reduce the number of servers they use by an order of magnitude. This massively
reduces costs for hardware, data center floor space, software licenses, heating and
cooling and administrative personnel. It is true that there are new costs associated with
purchasing and implementing VMWare software and training staff to use this
technology, but VMWare's strategy appears to be that "we will shrink the IT spending
pie but will take an increasingly larger slice of this shrinking pie."
Perhaps VMWare's most game changing innovation is their vCloud API. The vCloud
API enables customers using VMWare virtualized workloads to move their workloads to
data centers that support the vCloud API, or vCloud services. This means that the
vCloud API gives customers flexibility to switch their cloud vendor, or cloud service
provider, more easily than ever before. vCloud technology enables a customer to run a
workload in their own environment, to move that workload to a CSP, and then to move
the workload to yet another CSP for any reason they choose. CSPs must support the
vCloud API to enable this flexibility, but many large CSPs have already signed up and
have made their data centers vCloud compatible. The number of CSPs supporting
vCloud is currently around 3000. Here is VMWare's description of the vCloud API:
"The vCloud API is an interface for providing and consuming virtual resources in the
cloud. It enables deploying and managing virtualized workloads in private and public
clouds as well as interoperability between clouds. The vCloud API enables the upload,
download, instantiation, deployment and operation of vApps, networks and virtual
datacenters. There are two major components in vCloud API, the User API focused on
vApp provisioning and Admin API focused on platform/tenant administration." (9)
There are a couple of other very innovative technologies that VMWare offers that help
to explain their meteoric valuation. VMWare now provides technology that will pool
large numbers of distributed virtual resources into a logical pool. This is, in effect,
virtualizing virtualized environments. This capability enables the management,
administration and provisioning of resources over a large distributed environment.
Resource utilization and resource management are enhanced to an even greater
degree than with simple virtualization alone. It facilitates fine grained provisioning and
allocation of resources and it also enables changes to be made uniformly and
consistently across a large number of separate physical environments. Differentiation
of infrastructure is enabled so that tiered delivery of pricing and service delivery is
possible. Tools, portals and APIs are provided to enable self service delivery of catalog
based services. VMWare describes this as follows: "Whenever internal users need IT
services, they should be able to get them as easily as finding and downloading an
application from Apple's App Store." (9)
Chargeback is a concept that is important to private clouds. The concept of
chargeback, as it relates to as-a-service solutions, has roots in the 1990s along with
shared services. Internal service providers must be able to recoup their costs
somehow. Although some internal service providers may be allowed to operate at a
loss, it is important that they have a fair and consistent way of charging internal
customers for the services that they provide. The concept of chargeback is closely
related to provisioning, which I will address shortly. VMWare offers chargeback
capabilities that enable Cloud Service Providers to charge customers based on Fixed
Costs, Allocation or Utilization. Fixed Cost charges are simply based on the number of
virtual machines used. Allocation based chargeback is determined by the amount of
capacity that is allocated and available to use. Utilization based chargeback is based
on the amount of capacity that is actually used. (9)
Although some customers acknowledged challenges with their ability to charge back to
customers, none of the customers interviewed were using VMWare's chargeback
product. This may be due to the limited number of chargeback options that exist, however.
Options such as user counts, transaction counts or chargeback for non-virtualized
resources are not presently available.
8.2 CLOUD MANAGEMENT AND PROVISIONING
For both public and private clouds, provisioning cloud resources to new customers or
users is very important. Because multi-tenancy is a fundamental part of cloud,
practically by definition, adding new tenants quickly and easily is a focus of much
attention, although results have been elusive. Although Google, Microsoft, VMWare,
Salesforce and other leading cloud and cloud infrastructure vendors have made
considerable efforts to automate provisioning processes, this automation is mostly
focused on their own technologies. VMWare can provision virtualized resources well,
Google can provision App Engine resources and applications well, etc. However, tools
to automate provisioning across a range of services and technologies provided by
different vendors have been lacking. As a result, the traditional system management
vendors have stepped in with what appear to be the most capable solutions at this time.
BMC Patrol, IBM Tivoli, CA Unicenter and HP OpenView have always been
leaders at providing centralized administrative and monitoring capabilities for all kinds of
networking, server, desktop, storage and even software infrastructure. Most
organizations have large investments in these platforms already. Furthermore, HP and
BMC made significant acquisitions in the past several years that give them broader
scope to address cloud provisioning requirements. A small software vendor in Renton,
WA, Parallels, has some unique and very sophisticated capabilities here. Parallels is a
private company, probably between 100m and 150m in revenue, and offers the
capability to provision cloud based resources from a large variety of CSPs (12). They
not only handle the technical provisioning of the software but also handle the ordering,
billing, invoicing and payment of services. These services are provided, not
surprisingly, via the cloud.
HP OpenView products were rebranded as part of the HP Software Division in 2007,
along with some recently acquired technology from a number of different technology
vendors. BMC has taken a very similar approach, segmenting their business based on
legacy products and newly acquired products. Also, each company has built out their
software portfolios in similar ways. The software portfolios of both organizations are
well suited to handle the complexities of provisioning services in the cloud. (17)(18)
Based on customer feedback, HP and BMC appear to have taken the lead in the cloud
provisioning market, and are continuing to innovate and partner to enhance their
solutions.
STRATEGIC ACQUISITIONS

| HP | BMC |
|---|---|
| Mercury Interactive: Application Management, Application Delivery, Change and Configuration Management | BladeLogic: Enables server provisioning, release, change and configuration management. |
| OpsWare: Server and Network Provisioning, and Configuration and Change Management help to ensure consistency and best practices. | Remedy: Market leading helpdesk application. |
| 3PAR: Utility Storage that enables multi-tenant deployments which are well suited to SAAS and IAAS deployments | Tideway Systems: Enables automated discovery of system resources and more dynamic monitoring and administration. |
| Peregrine Systems: IT Asset Management and Service Management Software. | |
Table 2
The partnering strategies of both BMC and HP also demonstrate a strong commitment
to building their cloud offerings.
BMC has formed a collaborative partnership with Cisco and VMWare to provide a "cloud
in a box" solution that relies heavily on BMC's BladeLogic acquisition. The solution
provides virtualized resources of many kinds that can easily be managed, configured
and provisioned in an automated fashion. HP partners with both Microsoft and VMWare
for virtualization capabilities, depending on whether a customer is more Windows or
Unix oriented. Allen Hackney from John Hancock specifically mentioned that his
organization is aligned with and leverages capabilities from the VMWare and HP
partnership. (11)
8.3 PRIVACY AND SECURITY
There are many legitimate reasons having to do with privacy and security that may
diminish a customer's enthusiasm for deploying IT resources in the cloud. There are
also some political reasons.
Cloud deployments typically reduce requirements for data center space, hardware
assets, software assets, employees and budget. Some managers may resist initiatives
that result in reduced headcount, assets and budget. In such instances, security
concerns may become somewhat of a bogeyman used by IT managers to help resist
non-technical managers that are pushing for savings from cloud adoption. Although this
is somewhat of a simplification and may sound cynical, I did get this impression from
more than one customer that I interviewed. Change is never easy or riskless and many
factors other than reduced IT relevance play an important role in the reluctance that
some IT managers may feel regarding cloud adoption. Ultimately, as cloud adoption
becomes increasingly common, IT managers will likely begin to view the cloud more
positively, as a way to shrink their IT backlog, align more closely with the business and
unburden their teams from purely technical responsibilities.
8.3.1 Identity Federation
Leaving aside whether cloud environments (public, private or hybrid) are either more or
less secure than traditional infrastructure, they are certainly different. Traditional trust
boundaries no longer apply because software applications might be a mash up of 3rd
party services, applications and internal infrastructure. CSPs need to be a partner in
the security process. The enterprise data center is just one security zone, or realm, that
needs to be considered. A federated approach is needed to address increasingly
distributed authentication requirements. Fortunately, federated security processes have
been evolving since before the rapid growth of cloud computing. Federated security
simply means two or more organizations that share a trust boundary. (16) Once a user
is authenticated in one environment then he is automatically trusted at some level in
another 3rd party environment.
Protocols such as SAML (Security Assertion Markup Language) provide a common
format that can be used by enterprises, 3rd party CSPs and business partners to
represent security authentication and policy data in federated processes. Partners in
SAML processes may either be Identity Providers or Service Providers. Identity
providers will likely be corporate data centers that assert the identity of the users or
processes that are accessing services. Service Providers will use these identity
assertions to determine which resources should be made available. This can provide
benefits such as single-sign-on and simplified administration.
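The Service Provider's side of the federated exchange described above, shown as an added example that is not part of the original thesis. It checks issuer, audience and validity window before mapping asserted roles to resources; the entity IDs, user, roles and resource names are constructed, and verification of the assertion's XML signature is assumed to have been done already by a SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed federation settings for this example (assumptions, not from the thesis).
TRUSTED_IDPS = {"https://idp.enterprise.example/saml"}  # the enterprise data center
SP_ENTITY_ID = "https://app.csp.example/sp"             # this cloud service
ROLE_RESOURCES = {
    "claims-adjuster": {"claims-db:read", "claims-db:write"},
    "auditor": {"claims-db:read"},
}
CLOCK_SKEW = timedelta(seconds=60)

# Constructed assertion, shaped like what an Identity Provider issues after login.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-1" Version="2.0" IssueInstant="2011-05-06T12:00:00Z">
  <saml:Issuer>https://idp.enterprise.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@enterprise.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2011-05-06T12:00:00Z" NotOnOrAfter="2011-05-06T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.csp.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>auditor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


class Decision(NamedTuple):
    accepted: bool
    subject: str
    resources: frozenset
    reason: str


def parse_instant(value):
    """Parse a whole-second UTC xs:dateTime such as 2011-05-06T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reject(reason):
    return Decision(False, "", frozenset(), reason)


def authorize(assertion_xml, now):
    """Service Provider decision for one assertion; `now` must be timezone-aware.

    Assumes the XML signature was already verified against the Identity
    Provider's certificate; nothing here substitutes for that check.
    """
    try:
        root = ET.fromstring(assertion_xml)
    except ET.ParseError:
        return reject("malformed XML")
    if root.tag != "{%s}Assertion" % SAML_NS:
        return reject("not a SAML 2.0 assertion")

    # 1. Who is asserting? Only Identity Providers inside the trust boundary count.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_IDPS:
        return reject("untrusted issuer")

    # 2. Is the assertion still fresh? Local policy here: an expiry is mandatory.
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return reject("no validity window")
    try:
        not_before = parse_instant(cond.get("NotBefore", "1970-01-01T00:00:00Z"))
        not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
    except ValueError:
        return reject("unparseable validity window")
    if now + CLOCK_SKEW < not_before:
        return reject("not yet valid")
    if now - CLOCK_SKEW >= not_on_or_after:
        return reject("expired")

    # 3. Was it issued for this Service Provider? Every AudienceRestriction
    #    must name us, so an assertion minted for another service is refused.
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        return reject("audience mismatch")
    for restriction in restrictions:
        audiences = {(a.text or "").strip() for a in restriction.findall("saml:Audience", NS)}
        if SP_ENTITY_ID not in audiences:
            return reject("audience mismatch")

    # 4. Who is the user, and which resources do the asserted roles unlock here?
    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not subject:
        return reject("no subject")
    resources = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "role":
            for value in attr.findall("saml:AttributeValue", NS):
                resources |= ROLE_RESOURCES.get((value.text or "").strip(), set())
    return Decision(True, subject, frozenset(resources), "ok")


if __name__ == "__main__":
    t = datetime(2011, 5, 6, 12, 2, tzinfo=timezone.utc)
    print(authorize(SAMPLE_ASSERTION, t))
    print(authorize(SAMPLE_ASSERTION, t + timedelta(minutes=10)))
```

Unknown roles grant nothing, so the Service Provider's own role table, not the Identity Provider's attribute values, bounds what a federated user can reach.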
8.3.2 Security Responsibility
A continuum of responsibility exists with regard to security of cloud based resources. At
one end of the spectrum are on-premise resources and at the other end of the
spectrum is SAAS, where a vendor is responsible for the development, support,
infrastructure and delivery of applications. IAAS and PAAS fall between these two
levels. IAAS is closest to on-premise resources, since the development, support and
delivery of the application are still the responsibility of the organization developing the
application. PAAS falls closer to SAAS since (1) PAAS may be thought of as a
superset of IAAS and (2) more layers of network architecture are contained in a PAAS stack
than in an IAAS stack. It cannot be said with certainty which party should be
responsible for which layer of security in all cases, but the importance of service levels
and clearly defined contractual responsibilities cannot be overstated.
Figure 5
Following is a list of security concerns that must be addressed by CSPs and their
customers. This is by no means an exhaustive list. Customers and CSPs must work
collaboratively to determine whose responsibility it is to ensure that data, software and
infrastructure are protected.
Host security Host security in a public cloud is the responsibility of the CSP since
details of the host are abstracted from the customer. It may be wise for customers
to demand that the CSP share information through a controls assessment
framework such as SysTrust or ISO 27002 however. (13)
Perimeter security Perimeter security includes all of the resources that are used by
a computer system that need to be protected. Cloud computing complicates this
boundary because the boundary is no longer made up of on premise resources
only. With hyper-distributed cloud based environments, where each layer may be
hosted by a different CSP, or different components within the same layer may be
hosted by a different CSP, it is important to maintain visibility of resources across
Steve Francis, Sloan Fellow 2011 Page 53
-
7/29/2019 Factors Shaping the Future of Cloud Computing
54/92
providers, and to ensure that policies and procedures are standardized to the
greatest extent possible. Although such hyper-distributed are not common today,
this will become increasingly common in the future. System wide visibility and
documentation are very important to perimeter security and will help to manage this
process as system and application boundaries change with continued adoption of
cloud based resources.
Authentication and Authorization Making sure that appropriate data and systems
are available to appropriate people is the responsibility of both the customer and the
CSP. Because customers will likely have some administrative responsibilities
delegated to them, they will likely have some responsibility for cleaning up orphaned
accounts and ensuring that rules are consistently followed with respect to user
credentials with the CSP. The CSP will also have responsibility for ensuring that the
granularity of access control meets the customers requirement, rules for strong
passwords are implemented (this may be a shared responsibility) and best practices
are consistently enforced across customers.
Application security Threats to application security exploit vulnerabilities in
underlying applications. Because SAAS are applications delivered over the web, by
definition, application security is the responsibility of the SAAS application vendor.
Steve Francis, Sloan Fellow 2011 Page 54
-
7/29/2019 Factors Shaping the Future of Cloud Computing
55/92
With IAAS vendors, application security is the responsibility of the application owner
or administrator. With PAAS solutions, this responsibility will likely be shared. It will
be the PAAS vendor's responsibility to provide a security framework that is robust
and well documented, and the application developer's (customer's) responsibility to
ensure that this framework is implemented properly.
Data-in-transit: Protecting data on the wire calls for the use of an established and
robust encryption algorithm. CSPs must have a well-developed strategy here and
may offer different options as to whether data is encrypted, and if so at what level, or
transmitted in the clear.
Data-at-rest: Protecting data stored on disk may also call for the use of a
well-established and robust encryption algorithm. Alternatively, a well-developed
Information Lifecycle Management (ILM) strategy may be adequate, although
such policies and procedures will likely need to be documented in
a format in which they can easily be shared between vendor and customer. An ILM
strategy will define what happens to data as it ages and moves to backup,
reporting and other systems, as well as how disks are handled when they are retired
and disposed of.
It is common for strong security at one layer to prevent a breach or vulnerability at
another layer. For example, if the authentication process for a customer is robust then it
is less likely that a user could spoof or hijack a customer's credentials and exploit a
vulnerability at the application layer.
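The orphaned-account cleanup that the Authentication and Authorization item assigns to the customer can be run as a periodic reconciliation. The following is an added example, not part of the thesis: it compares a CSP account export against the customer's own roster; the CSV column names, the 90-day stale threshold and all sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data: the customer's roster and a CSP account export.
ROSTER_CSV = """employee_id,email,status
1001,alice@example.com,active
1002,bob@example.com,terminated
1003,carol@example.com,active
"""

CSP_ACCOUNTS_CSV = """username,owner_email,role,last_login
alice,alice@example.com,admin,2011-04-28
bob,bob@example.com,user,2011-01-15
carol,carol@example.com,user,2010-11-02
svc-backup,,admin,2011-04-30
dave,dave@example.com,user,2011-04-20
"""

def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def find_orphans(roster, accounts, today, stale_after_days=90):
    """Return {username: [reasons]} for CSP accounts that need review."""
    status_by_email = {r["email"].strip().lower(): r["status"] for r in roster}
    cutoff = today - timedelta(days=stale_after_days)
    findings = {}
    for acct in accounts:
        reasons = []
        owner = acct["owner_email"].strip().lower()
        if not owner:
            reasons.append("no owner recorded")
        elif owner not in status_by_email:
            reasons.append("owner not in roster")
        elif status_by_email[owner] != "active":
            reasons.append("owner is " + status_by_email[owner])
        # Stale check is an assumption added here: long-unused accounts get flagged.
        if date.fromisoformat(acct["last_login"]) < cutoff:
            reasons.append("no login since " + acct["last_login"])
        # Escalate only accounts that already have a finding.
        if reasons and acct["role"] == "admin":
            reasons.append("privileged role")
        if reasons:
            findings[acct["username"]] = reasons
    return findings

if __name__ == "__main__":
    report = find_orphans(load(ROSTER_CSV), load(CSP_ACCOUNTS_CSV), date(2011, 5, 6))
    for user, reasons in sorted(report.items()):
        print(f"{user}: {'; '.join(reasons)}")
```

Service accounts with no recorded owner surface here as well, which is where the shared responsibility between customer and CSP tends to be least clear.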
8.4 Regulatory Requirements
During my customer interviews, state and federal laws and regulations were often cited
as factors inhibiting adoption of cloud technology. Many laws and regulations exist to
ensure data privacy and security of sensitive data and personally identifiable
information. Data related to income, wealth, health, financial aid and employment
history often have such restrictions. There are also labor laws and the specter of net
neutrality laws that impact how and when cloud-based services can be offered, or might
be offered in the future. Labor laws are in place, mostly in the public sector, that
prevent workforce reductions resulting from outsourcing work to a 3rd party or from
automation. Although the following list is not exhaustive, each of these laws or
regulations has the potential to affect the advancement and adoption of cloud
technology. For state law I will focus on Massachusetts and Washington State only.
This is because covering all 50 states would not be helpful, and would be overly
lengthy. Further, both states are home to large populations of technology and internet
companies and have legislatures that are not timid with regard to commercial regulation.
8.4.1 Labor Laws and Labor Influence
Massachusetts Pacheco Law - In a nod to Public Employee Unions and employees,
Massachusetts enacted Anti-Privatization legislation, the Pacheco law, in 1993. This law
effectively prohibits the contracting of work to the private sector that can be performed
by state employees (23). With regard to cloud computing, this practically eliminates the
prospect of achieving savings from well-proven IAAS offerings such as the ones provided
by Amazon and Rackspace. Outsourced email, calendaring, collaboration and other
services that are currently provided by state employees, often at very high cost, are also
off limits.
Federal Senate spending bill S.3677 - Bill S. 3677, passed July 29, 2010, reduced
funding for federal cloud computing efforts 58% from 2010 to 2011. Although Federal
workers are not unionized, this decision is highly incongruous with government
spending trends and spending on cloud computing initiatives in general. Overall funding
for technology spending in this bill saw an increase from 2010, although cloud spending,
which was intended to consolidate data centers, shrank significantly (24).
City of Seattle - IT workers at City of Seattle are unionized. Based on interviews that I
conducted with (non-union) technology leadership at City of Seattle, it seems unlikely
that services such as email will be delivered via the cloud. Microsoft, Google and other
vendors offer such services through the cloud and can typically demonstrate
considerable savings when compared to purchasing, deploying, supporting and
administering in-house email systems such as Microsoft Exchange, which was deployed
in 2009 at City of Seattle. Due to union influence, however, such moves seem very
unlikely.
8.4.2 Net Neutrality
Net neutrality simply means that internet users should have unrestricted and
undifferentiated access to any legal content on the internet. This is tricky though. What
is counterintuitive is that achieving net neutrality would require either legal
precedent based on related case law, or a specific bill leading to new laws or
regulations. Net neutrality is not currently enforced via any specific law or regulation. In
practice, however, it almost universally exists. The internet is highly democratic for both
producers and consumers of content. Opponents of net neutrality say that creating new
laws or regulations around the internet to achieve net neutrality would be fixing
something that is not broken, and that new laws or regulations, intended to make sure
that content consumers and producers are treated equitably and fairly, would open the
door to further regulation and government control, which might ultimately hurt the
internet and diminish its value. They feel that the internet has gotten by just fine without
such regulation up until now and that greater regulation would lead to influence by
special interests, or overreach by government. Net neutrality arguments, either for or
against, have the potential to result in First Amendment issues, although this is not likely
any time soon.
Proponents of net neutrality feel that providers of internet bandwidth, such as Comcast
or AT&T, might use their power to discriminate against certain content
providers. For example, Comcast could theoretically provide a lower quality of service
to content providers that require a great deal of bandwidth, such as YouTube or Netflix,
or they could potentially provide a lower quality of service to competitors.
A 2008 case filed by the Federal Communications Commission (FCC) against Comcast
charged that Comcast unlawfully blocked or slowed access to a peer sharing web site,
BitTorrent. An April 2010 ruling on this case determined that the FCC lacked the
authority to dictate how Comcast should treat internet traffic and Comcast won the case,
successfully defending their right to treat their customers and use their infrastructure as
they wish.
During my interviews, Bruce Chatterley, President of MegaPath (merger of Covad,
MegaPath and Speakeasy.net), mentioned net neutrality as a potentially important issue
for cloud adoption (11). As customers put increasingly mission-critical infrastructure and
applications in the cloud, they will be likely to demand higher qualities of performance
and service reliability. Government efforts to implement net neutrality laws or
regulations could inhibit the ability of Cloud Service Providers to differentiate service in
such ways.
Arguments made by groups that are either for or against net neutrality regulation may
sound very similar. Both sides are likely to say that their position will increase (or have
the potential to increase) innovation. To some extent, both sides are correct. If net
neutrality laws are passed, the specter of large bandwidth and infrastructure providers
treating potential competitors unfairly is unlikely to emerge, although in reality this has
not happened yet anyway. If net neutrality laws are not passed, we will continue with
the status quo of a largely unregulated internet that has created hundreds of billions of
dollars of wealth in the past decade alone.
8.4.3 State Data Privacy Laws and Regulations
Breach Notification Laws - Nearly all states now have security breach laws in place
that require notification of the affected parties, those whose personally identifiable
information has been disclosed, of such a breach.
Washington House Bill 1149 - Effective 07/01/10, this bill extends the scope of
typical Breach Notification Laws by requiring that the commercial organization
responsible for the breach reimburse banks for the costs associated with cancelling
and reissuing credit and/or debit cards. 1149 also incorporates the Payment Card
Industry Data Security Standard ("PCI",
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml) into the law (21).
Massachusetts Executive Order 504 - An Order signed by Governor Patrick on
September 19, 2008 that recognizes the importance of protecting personal
information and specifically outlines how all state agencies in the Executive Branch
must address the security and confidentiality of personal information (19).
Massachusetts General Law 93H - This appears to be the first state law imposing
specific requirements on business to protect Personally Identifiable Information (PII) (20).
Attorney Greg Duff summarizes the rather onerous requirements on his web site,
www.duffonhospitalitylaw.com, as follows:
- Encrypt all data, including on mobile devices (laptops, PDAs, etc.)
- Restrict physical access to records containing PII
- Develop written information security policies and adhere to them
- Regularly monitor networks for unauthorized activity
93H requirements are laudable as consumer protections but they will unquestionably
increase costs for business. The language in 93H is also unclear as to what constitutes
compliance and this could lead to costly over implementation, as has been the case
with other ambiguous regulation such as Section 404 of the Federal Sarbanes-Oxley
Act. There is certainly a tradeoff between consumer protection provisions and the
increased cost of doing business, which may become a disincentive for new
eBusiness firms to locate in Massachusetts, which could hurt employment growth and
capital formation.
8.4.4 Federal Data Privacy Laws and Regulations
US Patriot Act - The US Patriot Act may be one reason that cloud adoption has been
faster in the US than in other countries. Any data that is physically stored in the United
States is subject to the Patriot Act. The Patriot Act allows the US Federal Government
to access data stored within US borders (26). Although such access requires a
request, or application, by a Special Agent from the FBI, the approval of such an
application may be granted by a Federal Judge. The fact that commercial and
proprietary information may be accessed by the US government is unsettling for many
private and public organizations outside of the US that might otherwise consider
adopting cloud offerings from US companies.
Stefan Ried from Forrester writes about this problem and discusses how data
integration software maker Informatica has designed an integration-as-a-service
architecture to circumvent this problem (26). Informatica provides
integration-as-a-service so that customers in Europe can use their US-based integration
service and no data will actually touch servers on US soil, which would make the data
subject to the Patriot Act. When vendors architect their solutions around regulations
and laws, it may be a good sign that the regulatory and legislative processes are having
a hard time keeping up with the market, and are in need of being updated.
Federal Information Security Management Act (FISMA) - The Federal Information
Security Management Act of 2002
(http://csrc.nist.gov/drivers/documents/FISMA-final.pdf) requires all Federal Agencies
to implement an agency-wide information security strategy.
The National Institute of Standards and Technology (NIST) is responsible for working
with Federal agencies to implement FISMA. Although the US government spends
several billion per year on security and FISMA-related compliance costs, the standards
developed by NIST appear to be quite rational and in line with best practices that I have
observed in the private sector. NIST's web site states that their vision is (26): To
promote the development of key security standards and guidelines to support the
implementation of and compliance with the Federal Information Security Management
Act including:
- Standards for categorizing information and information systems by mission impact
- Standards for minimum security requirements for information and information systems
- Guidance for selecting appropriate security controls for information systems
- Guidance for assessing security controls in information systems and determining
  security control effectiveness
- Guidance for the security authorization of information systems
- Guidance for monitoring the security controls and the security authorization of
  information systems
Although FISMA compliance costs are high, the mission seems worthwhile and it is
reassuring to observe that many private sector organizations have developed security
strategies that align closely to NIST's. It appears that the government has provided
some valuable leadership to the private sector.
Health Insurance Portability and Accountability Act (HIPAA) - HIPAA was mainly a way
to ensure citizens can keep their existing insurance in the event that they lose a job. In
addition to this, there are aspects of the regulation that help to bring the health care field
up to date with the demands of our digital age.
HIPAA regulates the use of protected health information (PHI) by health care providers
and health plans (13). Health care providers and health plans must notify patients if any
of their PHI is shared or disclosed to other parties. Also, patients have the right to
access any of their PHI and are able to correct or update such information if needed.
Gramm-Leach-Bliley Act (GLBA) - The GLBA, also called the Financial Services
Modernization Act of 1999, was a major piece of financial services legislation. It partly
repealed the Glass-Steagall Act of 1933. This was largely a banking deregulation bill,
but it also brought regulation up to date for information security for financial services
companies. There are two parts of the GLBA that are highly relevant to cloud
computing: the Financial Privacy Rule and the Safeguards Rule (13).
1. The Privacy Rule requires financial institutions to provide a privacy notification to
customers at the inception of a customer relationship, and also requires ongoing
annual notifications. This notification must explain to the customer how their
personal information will be used and give the customer the ability to opt out of
activities that involve the sharing of their personal information with 3rd parties.
2. The Safeguards Rule requires that financial institutions implement an information
security program that protects their customers' private data. The Safeguards Rule
requires not only that financial institutions create and implement such a program, but
that it is monitored and updated as needed, and that there is a single point of contact
with overall responsibility for the plan. This has led to the creation of the Chief
Information Security Officer (CISO) position in many organizations.
Federal Rules of Civil Procedure (FRCP) - FRCP requires that parties involved in a civil
lawsuit must disclose to the opposing party any information that will be used in their
claim or defense (13). In 2006 FRCP was updated to better reflect increasingly digital
forms of information. The changes required that electronic information used in the
discovery process be made available quickly and easily. These changes led to a boom
in the eDiscovery market, for email and document archiving and recovery. FRCP has
major implications for cloud vendors, whether PAAS, IAAS or SAAS. Data may be
required from any of these sources as part of a legal discovery process.
Personal Data Privacy and Security Act of 2009 - Although this bill was never enacted, it came
close. Only due to