factors shaping the future of cloud computing

7/29/2019 Factors Shaping the Future of Cloud Computing

1/92

Factors Shaping the Future of Cloud Computing

By

Steven Francis

BAUniversity of Washington, 1995

SUBMITTED TO THE MIT SLOAN SCHOOL OF MANAGEMENTIN PARTIAL FUFILLMENT OF THE REQUIREMENTS FOR THE

DEGREE OF

MASTER OF BUSINESS ADMINISTRATIONAT THE

MASSACHUSETTS INSTITUTE OF TECHNOLOGY

JUNE 2011

2011 Steven Francis. All Rights Reserved.

Signature of Author:____________________________________________________________________

MIT Sloan School of ManagementMay 6, 2011

Certified By:__________________________________________________________________________

Professor Michael CusumanoSloan Management Review Distinguished Professor of Management

Thesis Supervisor

Accepted By:__________________________________________________________________________

Stephen SaccaSloan Fellows Program in Innovation and Global Leadership

Program Director

Steve Francis, Sloan Fellow 2011 Page 1


2/92

This page intentionally left blank



3/92

Factors Shaping the Future of Cloud Computing

By

Steve Francis

Submitted to the MIT Sloan School of Management onMay 6, 2011 in partial fulfillment of the requirements for

the degree of Master of Business Administration

ABSTRACT

Many different forces are currently shaping the future of the Cloud ComputingMarket. End user demand and end user investment in existing technology areimportant drivers. Vendor innovation and competitive strategy are also importantdeterminants of what cloud solutions will look like in the future. Regulatoryrequirements, although they are not intended to, also play an important role.Finally, the constant pressure on Information Technology departments to provideeverything as a business service has perhaps the most profound influence. Wheninvestigated and viewed together, these factors provide powerful insight into howthe Cloud Computing market is likely to evolve.

Thesis Supervisor: Professor Michael CusumanoTitle: Sloan Management Review Distinguished Professor of Management



4/92

This page intentionally left blank



5/92

Table of Contents

1. Objective

2. Introduction

3. Background and Definitions

4. Cloud Enabling Technologies

4.1. Provisoining

4.2. Virtualization

4.3. Software Appliances

5. The Market Today

6. History of Cloud and Shared Services

7. Cloud Market Forces

7.1. Infrastructure As A Service

7.2. Platform As A Service

7.3. Software As A Service



6/92

8. Customer Specific Forces

8.1. Virtualization

8.2. Cloud Management and Provisioning

8.3. Privacy and Security

8.3.1. Identity Federation

8.3.2. Security Responsibility

8.4. Regulatory Requirements

8.4.1. Labor Laws and Labor Influence

8.4.2. Net Neutrality

8.4.3. State Data Privacy Laws and Regulations

8.4.4. Federal Data Privacy Laws and Regulations

9. What Customers Did Not Say

10. The Role of Standards

11. Conclusions

11.1. Consolidation vs. Sprawl

11.2. Valuation

11.3. Partnering for Service Delivery

11.4. Regulatory Landscape

11.5. Speed of Change

11.6. Platforms Will Prevail

1. Objective

The objective of this thesis is to examine forces that have influenced and continue to

influence the cloud computing market in order to gain predictive power over how this

market might evolve. These forces can be categorized as follows.



7/92

1. The History of the Market

2. Current Market Composition and Landscape

3. Vendor Innovation and Strategy

4. Customer Preferences and Concerns

By understanding these forces we can hopefully better understand where the market

will go, including what cloud based solutions will look like in the future and the value that

customers will receive from them. Although government forces are not addressed

separately here, I will address this as part of the customer discussions, and throughout

the document.

We will begin with some definitions in order to put the paper in context, review some

market history and the evolution of cloud technology, and will then move on to a snap

shot of the industry today. This will include a review of some vendor solutions and

technologies. Next we will take a close look at customer requirements and preferences,

based on extensive customer interviewing. Finally, I will address how standards might

shape the market and will investigate a couple of specific technologies, and will then



8/92

move on to conclusions.

2. Introduction

The amount of written material dedicated to the definition of cloud computing will be

limited, since much has been written on this already. A common definition has emerged

for cloud computing and can be summarized as follows: Internet based services for

software applications, software platforms or hardware that are usually paid for by

subscription. These services are elastic, pay per use, multi-tenant, and managed by a

3rd party so that customers need not worry about hardware specifications, administration

or software licenses.

This description, and cloud computing in general, has a lot of jargon, so I will explain a

few important concepts to help clarify. Because the preceding definition may be

somewhat confusing to those outside of the IT field it is worth pointing out some of the

practical advantages for organizations that use cloud based technology. They do not

need to purchase or wait for physical hardware to arrive. No software installations are

required. No system configuration or performance tuning is required. Capacity



9/92

planning becomes fairly unimportant. Expenditures for hardware upgrades/refreshes

are eliminated. Costs rise directly in line with usage, eliminating large unplanned

purchases for more capacity. Under capacity and over capacity problems are

eliminated. It is for these reasons that there has been so much enthusiasm about cloud

computing. You may have noticed that most of these benefits sound exactly like

benefits from purchasing software over the web. This is true, although cloud

encompasses far more than just web based software.

3. Background and Definitions

Software As A Service (SAAS) is software delivered over the internet, typically via a

web browser, that provides end user business functionality such as HRMS (Human

Resource Management System), ERP (Enterprise Resource Planning) or SFA (Sales

Force Automation). NetSuite, Workday and Salesforce.com are examples of SAAS

vendors. SAAS solutions are typically paid for on a subscription basis. Technology

Research firm IDC reports that SAAS, or cloud based applications, accounted for more

than half of public cloud revenues in 2009. Over the next four years, all segments of the

as-a-service market are forecast to exhibit strong growth, although applications are



10/92

forecast to drop to one-third of as-a-service revenue, while expenditures on PAAS and

IAAS are forecast to increase (6)

Platform As a Service (PAAS) is software delivered over the internet, which other

software applications can be built on. Such platforms may provide easy to use

frameworks for rapid application development, as well as reusable objects and services

to speed the creation and delivery of new software applications. Examples of reusable

services are email capabilities, calendar capabilities and contact lists. Such

applications, once created, will be hosted with the service provider. Examples of PAAS

solutions are Microsoft Azure, Salesforce.coms force.com platform, Google AppEngine,

Bungee Connect, IBM LotusLive and Amazon Web Services.

Infrastructure As a Service (IAAS) typically refers to hardware that is hosted and

accessible via the internet. This includes storage, memory, network capabilities and

processing power. Rackspace, Amazon EC2, Zumodrive, Drop Box, HP and IBM

Computing on Demand are examples of IAAS solutions.

Even though SAAS has accounted for more than 50% of public cloud expenditures so



11/92

far, it seems likely, and congruous with IDCs forecasts, that future investments will

become more balanced across different as-a-service offerings. One reason for this is

that a continuum of complexity exists from SAAS, to IAAS to PAAS (figure 1). SAAS

solutions are the least complex, and involve the least amount of vendor lock in and

overall investment along this continuum. PAAS solutions are the most complex, and

represent the highest level of vendor lock-in. For these reasons, it is not surprising that

adoption of as-a-service technologies looks like a pyramid, with SAAS at the bottom,

representing the broadest adoption, and PAAS at the top, representing the smallest

adoption. This is consistent with the adoption pattern of most technologies, where the

least risky solutions are adopted first and then later, after the lower risk technologies are

proven, adoption advances to more sophisticated solutions. This is also a consistent

with how vendors have innovated. The leading SAAS vendor, Salesforce.com, was

founded in 1999. Next, Amazon.com, the leading vendor in the IAAS market, launched

their services starting in 2006. Finally, Microsoft and Google launched their respective

PAAS offerings, Azure and App Engine, in 2008.



12/92

Figure 1

Pay Per Use Perhaps the most important characteristic of cloud computing is that

resources can be purchased on a per use basis. Customers no longer have to buy

quantities of hardware, software and other computing resources to match times of peak

use. Customers using cloud technology no longer need large data centers full of

expensive hardware and software that have an average utilization of 10 to 15 percent.

Cloud vendors will run the hardware and/or software and utilization becomes their

problem. Vendors can achieve higher levels of utilization by mixing workloads and

using virtualization technology, which is transparent to customers. Customers can scale

their use up or down on an as-needed basis and they only need to pay for what they

use. The following graphic (figure 2) illustrates the savings (shaded) that might be

achieved from adopting cloud technologies that are pay per use vs. running all



13/92

computing resources in a dedicated corporate data center.

Figure 2

Elastic Elastic computing resources expand when needed. This concept is closely

related to pay-per-use, although elasticity is more of a technical concept. Elasticity is a

systems ability to automatically provision more resources when needed, whether it is

storage, memory or other resources. Traditional IT assets that are hosted on-premise



14/92

are not elastic. For example, an IT shop might have a software license that allows them

to run a database program on a two CPU machine. This would also require a two CPU

machine to run this software on. If this system ran out of capacity it might require

repurposing or throwing away the old machine, buying a new bigger machine and

additional software licenses for the new bigger machine. With software purchased as a

service, if the user load increases, the vendor provisions more resources as needed

and the customer does not even need to know about it. They are just billed for the

additional use. Elasticity, or provisioning additional capacity in an automated and

efficient manner is one of the qualities of cloud computing that makes it so compelling.

Multi Tenant Multi tenant resources are resources that are shared by more than one

party. For example, a software application that supports users from multiple

companies, within the same database schema, where data is kept separate through

primary-foreign key relationships, would be considered multi tenant. Or, a machine that

has multiple virtual machines running on it, each with its own operating system,

database and platform software stack, would be considered multi-tenant. Multi tenancy

can be achieved in a variety of ways and multi tenant resources may be found at any

layer of the IT stack. Multi Tenancy is typically of much greater benefit to the vendor or



15/92

service provider than it is to the customer. Multi tenancy allows vendors or cloud

service providers to achieve high levels of efficiency and utilization. Theoretically,

customers should not care whether a cloud application is multi tenant or not, as long as

their service levels are met. However, due to legislative, privacy and security issues,

they often do care, and I will explore this more later.

On Premise Infrastructure or software that runs in a data center or facility owned by

the entity using it is considered on premise. This is the traditional computing model.

Off Premise (hosted) Infrastructure or software that runs in a data center or facility that

is not owned by the entity using it is considered hosted or off premise. Cloud

resources are hosted, or off-premise.

Public Cloud A public cloud is any cloud as-a-service solution that is hosted by a

vendor that supporting multiple customers. IDC predicts that by 2014, public cloud-

related projects will account for one-quarter of net new IT product spending growth (7).

Private Cloud A private cloud is any cloud infrastructure or software that is hosted in a



16/92

corporate (or government) data center that supports internal customers. Such

customers are typically different departments or groups of employees within the same

organization.

Hybrid Cloud A hybrid cloud is a combination of private and public clouds.

Increasingly, it is likely that more cloud environments will be defined as hybrid. Hybrid

clouds are characterized by services that may be delivered to the end customers either

by an internal IT group, or by 3rd party cloud service providers, depending on which

makes the most sense in terms of cost, control, privacy/security and other factors. The

end user likely has no idea where the services he is using originate from.

4. Cloud Enabling Technologies

4.1. Provisioning

Workflows and processes that define how services are deployed to new or existing

customers are commonly called provisioning processes. Provisioning processes exist

for adding a new customer, adding a new service for an existing customer or removing



17/92

a service from an existing customer (de-provisioning). Provisioning processes must

include both technical and business functions. New customers must be set up for billing

and invoicing, and they must also be provided with the services that they ordered, which

includes system resources, security credentials and instructions. Cloud customers are

also typically given the ability to perform some level of customization to the services

they receive. Examples of such customization are as follows:

Adding configuration information to integrate with a corporate directory such as

Active Directory, or another LDAP directory

Performance and service level options

Backup and recovery options

Encryption options

Changing fonts, colors, logos or other branding information

This is just a few examples of customizations that might be part of a provisioning

process. Deploying services to new customers quickly and easily is part of what makes

cloud computing so attractive. Generally, provisioning of cloud services tends to be

more automated than with traditional services. This is because multiple customers may



18/92

be supported, which makes repeatability, and investments in automation for customer

on-boarding, very important.

4.2 Virtualization

Virtualization, or server virtualization, makes one machine look like many machines. It

enables the simultaneous operation of multiple operating system environments on a

single machine. Each environment appears to be a unique physical machine.

Virtualization is an extremely important concept in cloud computing. It is a key enabler

of cloud infrastructures. During my cloud customer interviews, when I asked customers

which vendor was most important to their cloud strategy, each customer cited their

virtualization vendor, without exception. Although virtualization is not a cloud

technology per-se, it is one of the main enablers of cloud computing

Server virtualization is enabled by the use of Virtual Machines. Virtual Machines have a

management layer called a hypervisor that enable the core virtualization functions.

There are two types of hypervisors, Type 1 and Type 2. Type 1 hypervisors run on bare



19/92

metal and enable the provisioning of virtual machines at the hardware layer. Type 2

hypervisors run on a host operating system (2, Rhoton, pg 39)

Thanks to virtualization, when a SAAS vendor wants to provide service to a new

customer, it can be as easy as making a new copy of a virtual environment for this

customer, and providing web based administration tools to the customer so that he can

make customizations to the environment on his own. No lengthy installation or set up

processes are required. Although it has less to do with virtualization, and more to do

with service provisioning, the procurement process should enable the selection of

options and basic customizations at the time of purchase. These choices should be

reflected in the customers billing and in the virtual environment that is provisioned to

him.

There are many types of virtualization, and most are useful to cloud service providers

(CSPs), be they public or private cloud service providers. In addition to virtualization of

servers, network resources, storage and desktops, it is also possible to virtualize

clusters of machines. This enables multiple servers to look and act, like a single server.

For example, Oracle provides technology to virtualize their database software and



20/92

middleware software in this way. They can make 4, 6 or 20 database servers or

application servers look and act like one big database server or application server. This

enables customers or CSPs to use many pieces of inexpensive hardware to run many

large workloads simultaneously, and it also provides a high degree of fault tolerance

and availability. (4). This affords CSPs with a great deal of flexibility. CSPs can either

dissect a single machine into multiple smaller virtual machines, or they can put multiple

machines together to look like one very large Machine, which can then run multiple

simultaneous workloads. With respect to running an automated as a service data

center that supports many different customers, such flexibility is very powerful and

creates compelling economies of scale. Without powerful tools to support

administration, monitoring and provisioning however, such sophisticated technology can

be very difficult to manage.

4.3 Software Appliances

Some special focus should be given to software appliances, as an important and

emergent cloud enabling technology. Software appliances for data warehousing have

been around for years. Neteeza (now part of IBM) and Teradata have done well in this



21/92

market for quite some time. A software appliance is just what it sounds like. You plug it

in and it works, like a refrigerator, or thats the idea anyway. There is no installation and

very little configuration, performance tuning or administration. There are also hardware

appliances and other types of appliances. Many newer appliances take advantage of

virtualization software to quickly stand up new environments with a high degree of

isolation, which is important for CSPs and their customers.

Oracles Exadata is especially worth notice because in effect, this is Oracles cloud

strategy. Growth of Oracles appliance solutions have been explosive (31) and could

approach $2 billion in the next two years. Oracle already provides database and

middleware software via appliances. In the future this approach will likely extend to

applications, and possibly Oracles entire software stack. This is truly a new way to

deliver value to customers. Oracle appliances have best of breed hardware and

software, designed to work together, pre-configured and optimized based on best

practices. This significantly cuts down on the number of vendors required, the number

of moving parts and the total deployment effort. Virtualization technology makes such

solutions easy to provision to new customers, whether over public or private clouds.



22/92

5. The Market Today

Most likely, cloud computing is slightly past its apex of the Gartner Hype Cycle (1).

Gartner calls this apex The Peak of Inflated Expectations. The Gartner Hype Cycle

(Figure 3) shows the trajectory of market enthusiasm for technology. It is characterized

by a steep rise to a peak, and then a sharp decline as over exuberance gives way to

failures and disappointments. Next, as users begin to adopt the technology in more

sensible ways, enthusiasm increases again, but at a more gradual pace than before.

Even though growth rates may be slowing with as-a-service solutions, they are merely

slowing from light speed to super-sonic speed. In 2008, IDC forecast that spending

on cloud computing services would reach US$42 billion worldwide by 2012.

This was approaching a three-fold increase from 2008 levels of $16.5 billion (8)

More recently in 2011, IDC forecast that from 2009 to 2014, U.S. public IT cloud

services revenue would grow 21.6%, from $11.1 billion to $29.5 billion. (6) Although

these forecasts are not directly comparable, they seem to indicate diminished (although

still very high) growth expectations.



23/92

Figure 3

The amount of hype around cloud computing harkens to the heady days of 1999 when

fundamental corporate valuation ceased to matter, and people imagined that cost

structures and profit margins would structurally improve for any company that

intelligently used the internet. It has even been said that the cloud is more important

than the web (5). Such enthusiasm is admirable but is comparable to saying that the

invention of taxi cabs was more important than the invention of the internal combustion



24/92

engine and the entire automobile industry. Fortunately, this time around it has mostly

been technology journalists that have gotten carried away with heightened expectations

for the cloud computing market. Many of the executives at cloud vendor and cloud

consumer organizations are the ones that survived, and learned painful lessons, from

the dot com era. Many of these executives have avoided most of the over building and

over investing that characterized the technology industry in the late 1990s.

6. History of Cloud and Shared Services

There have also been many histories written about the evolution of cloud computing that

trace cloud ancestry from timesharing on mainframes, to the PC revolution, to internet

hosting companies, to application service providers (ASPs) and ultimately to the cloud.

This history is largely accurate, but incomplete.

What is missing from this picture is the evolving role of IT organizations as service

providers, or as vendors to internal customers. 20 years ago IT organizations were

largely viewed as necessary evils, cost centers, the equivalent of yesterdays typists

and book keepers. As the importance of Information Technology increased, and it



25/92

became apparent that IT strategy could lead to business differentiation in terms of

speed, efficiency, responsiveness, customer service and agility, interest from other

executives grew. As executives better understood the potential, they wanted and

expected more. They wanted more control, and they wanted to be treated more like

customers. After all, their division kept the lights on and kept the money flowing. Sure,

technology was important, but it was there to support and enhance the core business.

This ultimately led to a trend called Shared Services. Shared Services allowed service

providers within an organization to provide the services that are expected of them as

elective services, similar to how vendors provide services. Since the vendor was an

insider however, there should be advantages and economies of scale to keep costs low.

Shared services are a way to achieve greater accountability and business alignment

from IT. Shared services can be established not just for IT, but for other internal service

delivery organizations as well, such as HR for example. Shared services are a way to

define expectations, service levels, communication, costing and accountability. Today

over 80% of the Global 2000 largest companies receive back office support from either

an internal or an external third party Shared Services Organizations (3)

Around the same time that Shared Services were becoming main stream in IT



26/92

departments (1999-2000), web services also began to gain traction. Web services are

a set of technology standards that enable the creation of software in a way that is

reusable, and in a format that is agreed upon by everyone. The technology was in

perfect alignment with the concept of shared services. The confluence of these two

trends led to another manifestation of the Gartner hype cycle, which led to many

impetuous and unsuccessful web services and shared services initiatives.

Many of these failures occurred not because the ideas and the technology were bad,

but because IT governance was lacking. In many early failures services were often

created at a level of granularity that was not practical and too much control was given to

the service providers instead of the service consumers. Still, the focus on services

makes sense, and is completely aligned with the advantages of cloud computing.

Today, Shared Service Organizations typically provide savings on the services that they

deliver of between 15-30% (3).

Web services, shared services, and the three pillars of cloud computing (Software-as-a-

Service, Infrastructure-as-a-Service and Platform-as-a-Service) all share similar

heritage. They exist because customers, whether internal or external, want to be



27/92

empowered to chart their own course with respect to the services that they need.

Customers want choice, ownership and speed. Service delivery mechanisms such as

SAAS, IAAS, PAAS, shared services and web services all help to enable this. Hybrid

clouds, web mash-ups and service delivery models that combine services from internal

and multiple external sources will be increasingly common as a result.

7. Cloud Market Forces

All markets are conceived by interactions between vendors and customers, buyers and

sellers. Vendors respond to a customer need, demand or problem with some kind of

solution. Sometimes vendors may see a customer need in advance however, and

create a solution in anticipation of a market movement. Other times, customers

practically have to bang on their vendors table and shout their needs to them.

Customers often want their vendors to provide solutions that are portable, standardized

and that work nicely with what they already own. On the other hand, vendors often

want to create solutions that are sticky, and will create some level of lock-in. These

dynamics change over time. Early innovation in a market often comes from visionary

and creative people. Years later, after significant customer adoption and the



28/92

emergence of competitors, innovation in this same market might be led by specific

customer demands. For these reasons, the sources of innovation may be an indication

of what stage of maturity a market is in. This tug-of-war between vendors and

customers will largely determine the trajectory of innovation. Incongruous incentives

between vendors and customers may be called an agency problem, or principal-agent

problem, or a moral hazard problem. Whatever it is called, these forces are currently

unfolding in dramatic fashion in the cloud computing market.

Professor Arnoldo Haxs Delta Model (14) is well suited to help describe this tug-of-war

phenomenon, both in terms of where the cloud market is today, as well as where it is

likely to go in the future. Professor Haxs model (figure 4) is a powerful model that is

intended to be used by companies (or their consultants) to develop or refine a go-to-

market strategy. The Delta Model is highly customer focused, and emphasizes

customer bonding as the pinnacle (literally) of effective strategy. The great power of the

model is its primary emphasis on the customer, and how to deliver value to the

customer. There are 3 primary positions on the Delta Model.

1. Best Product This position, on the lower right of the Delta Model, is characterized



29/92

by the features and functions of the product offered. Demand for a product is highly

price elastic at this position of the Delta Model. Products in this position are highly

commoditized.

2. Total Customer Solutions This position, on the lower left of the Delta Model, is

characterized by greater solution breadth and/or greater solution differentiation.

Solutions at this position of the Delta Model do not require the same amount of price

competition as products in the Best Product category would require. Total

Customer Solutions will be more closely aligned with customers business needs,

but typically lack the trust and close collaborative relationships that are characteristic

of System Lock-In offerings.

3. System Lock-In This position, at the top of the Delta Model, is characterized by tight

customer bonding. Such bonding is often the result of collaborative relationships,

high levels of trust, partnering and a vendors ability to bring a complete and

differentiated solution to the customer that specifically addresses their unique

requirements. This may include a great breadth of products and intimate

understanding of the customers business or it may be an ecosystem of

complimentary partner solutions, specifically designed to address the customers

unique challenges.



30/92

Although the pinnacle of the pyramid is called System Lock-In, I do not find this to

be a very fitting label because System Lock-In is something that customers typically

try to avoid. With respect to the Delta Model, System Lock-In is typically a positive

thing for both the vendor and customer. There may be collaborative business

processes at this position of the Delta Model, where demand forecasts are shared or

vendors can issue purchase orders on behalf of customers. Or, there may be

proprietary technology that is broadly adopted by a customer that makes a vendors

solution extremely difficult to replace, although the technology is highly valued by the

customer. The Delta Model implies that the value that the customer receives from

using a System Lock-In solution is greater than the cost of using it. I believe that

this should be viewed positively for both vendor and customer.



31/92

Figure 4

With respect to the Delta Model, Cloud Computing needs to be viewed in terms of IAAS,

PAAS and SAAS. Lets take a look at where each as-a-service offering (as a category

of products or market segment, not by vendor) sits along the delta Model, and how it

might evolve in the future.

7.1 IAAS and the Delta Model



32/92

IAAS solutions typically compete on technical specifications and price. This is a highly

technical market, where technically oriented features and benefits determine vendor

selection, along with price. Amazon is the clear leader in the IAAS market, although

they have significant competition at the low end of the market, and increasing

competition at the high end. Amazons lead is significant, and is a result of several

factors:

First mover advantage

A strong existing brand

A true low cost advantage based on unique technology

Breadth of offering (compute, storage, load balancing, HA, VMWare VM import)

Strategic partnerships

Traditional vendors such as IBM and HP have entered this market, as well as many

newer players such as Rackspace and Mezeo. IAAS is primarily a best product

solution that occupies the lower right hand are of the Delta Model. This is the least

enviable position on the Delta Model. It is the least defensible position with the lowest

margins. Amazon should be able to defend their leadership position if they continue



33/92

with their rapid pace of innovation, as this will enable them to maintain their cost

advantage.

Even though customers must currently use proprietary Application Programming

Interfaces (APIs) to access IAAS offerings, the cost of switching an application from one

IAAS provider to another is typically not that great. Furthermore, until now most

applications running on IAAS are typically either short lived applications or applications

that are not highly mission critical (11). In the future it is likely that standard APIs will

emerge for IAAS offerings, which will reduce switching costs even more.

It is very unlikely that many IAAS only vendors will still exist in five years. IAAS vendors

are moving into PAAS and PAAS vendors are moving into IAAS. Further, with the

entrance of HP, IBM and other behemoth technology vendors in this market,

consolidation will occur rapidly. These vendors can use IAAS offerings as loss leaders

for higher margin products and services. IAAS will likely cease to exist as a meaningful

standalone market and will merely be a product category offered by a number of larger

technology vendors. Unless a highly innovative vendor with massively differentiated

technology that is patent protected emerges, this trend, which is already well underway,



34/92

will continue.

7.2 PAAS on the Delta Model

PAAS offerings compete mostly by targeting the developers that use the platform to

build software applications. These developers are segmented based on the skills they

possess and the languages that they know. Java developers who like to use open

source technology might gravitate to Google AppEngine. .net developers would likely

gravitate to Microsoft Azure. Java developers who are well versed in using frameworks

provided by IBM would likely gravitate to IBMs solution. This indeed creates a high

degree of stickiness, or lock in. However, in the context of the Delta Model, this lock-

in does not place PAAS offerings at the Apex of the Delta Model. The reason for this is

that there is not a high degree of personal interaction or business collaboration that

occurs between the PAAS provider and the PAAS customer. For this reason,

successful PAAS offerings today can be categorized as Total Customer Solutions.

Although the current market PAAS market leaders are very large technology companies

such as Salesforce.com, Microsoft and Google, these were not the first entrants into this



35/92

market. Google entered the market in 2010. Bunjee launched a powerful and user

friendly PAAS offering more than two years earlier, in 2008. Even with this large of a

head start, larger competitors have completely eclipsed Bunjee in the PAAS market.

Some of the reasons for this were the proprietary nature of Bunjees offering (not just

straight java or .net); lack of an existing sales channel; and a general trend toward

consolidation in the technology industry.

What will PAAS vendors need to do to compete in the future? Is it possible for them to

move to the System Lock-In position on the Delta Model? There are several things

that might help PAAS vendors become more valuable to their customers and move to

the top of the Delta Model. Here are a few. Some vendors are already beginning to do

some of these things.

Leverage common languages and skills, such as java, .net, Python, Ruby and Perl.

Adopt standards for cloud computing as they emerge, and show leadership with

helping to drive standards. However, PAAS vendors should not be constrained by

any standards and should extend and enhance standards when needed. This is an

old game played by many successful technology companies. Honestly claim



36/92

conformance to an open standard while extending the standard to such an extent

that is in effect, proprietary.

Offer training and certification for PAAS offerings

Create community interest groups both locally, and on line using social media.

Build an ecosystem of partners (implementers and software providers) around the

PAAS offering

Offer expert services to help build, test and certify applications built on the PAAS

offering.

Connectivity options to other software products, whether on-premise or as-a-service

Monitoring, administration and configuration capabilities that are complementary to

existing tools.

There is a lot at stake with PAAS. In the client-server and internet era, software

development platforms had tremendous influence over how and where IT dollars were

spent. In the cloud era, the same is likely to be true for PAAS. Following is a

comparison of the leading PAAS solutions:



37/92

Platform As A Service Comparison ** Amazon is about to enter the PAAS market with Beanstalk, now in Beta

Features Microsoft Azure Google App Engine Salesforce Force.comLanguages .net framework languages, Ruby,

Java, C++, PHP, Web Services

Support

Java, Python, Web Services

Support, Ruby

Java, Ruby, PHP, .net, Web

Services Support

Monitoring Tools (Low to

High)

Med-High Med-Low Med-High

Lifecycle Management

Tools (Low to High)

Med Med-Low Med-High

Web Sites Yes Yes Yes

Web Apps Yes Yes Yes

Structured and Blob

Storage

Yes Yes Yes

ISV Support for

Distribution

No No Yes

ISV Support for Trials Limited No Yes

Pricing, Tier 1 25 hours small compute instance 500 MB and up to 5 million

page views free

Free to 100 users, 1 GB

Pricing, Tier 2 750 hours of small compute

instance, 10 gb storage, $59.95

per month

$8 per user per month. Max

of $1000 per month per app

$50 per user per month, 100+ db

objects, more storage, more

storage, CRM integration

Pricing, Tier 3 Add 10 GB SQL Server database

to Tier 1 for $109.95 per month

$8 per user per month. Max

of $1000 per month per app

$75 per user per month, 24x7

support, up to 2000 db objects,

more storage

Visual BPM No No Yes

Integration to 3rd Party

Apps

Yes, but mostly MS based

solutions

No Yes, but not Oracle, SAP or many

traditional vendors.

Social Media Support MS Live Only No Chatter and Facebook

Lock-In with Using Add

Ins (Low to High)

Med Low-Med: Some with HA and

browser notificaiton

capabilities

High

Exchange Platform for Yes, App Market and Data Market Yes, Google Apps Yes, Force.com App Exchange



38/92

Marketing Apps Marketplace

Service Level If 99.95% availability not met then

10% service credit

If 99% availability not met then

25% service credit.

99.9% uptime Unclear

Summary Microsofts platform falls

somewhere between the Google

platform and the Force.com

platform. It is more feature rich

that Googles solution and less so

than Force.com. However, it does

have rich language support and a

lower level of lock-in risk than

Force.com. Microsofts SAAS

offering, Office 365, is not easily

extensible or customizable. In

order for Microsoft to find better

synergy between their PAAS and

SAAS offerings, they will likely

need to improve in this area. As a

side note, Office 365 augments,

rather than replaces, Microsoft

Office.

High performance and

uncompromising standards

based platform. Very little

capabilities beyond basic

cloud hosting for standards

based applications however.

Google Apps, their SAAS

offering, offers a higher

degree of customization than

does Microsoft Office 365

although the level of

integration between products

is not as good. Google Apps

does offer complete web

services interfaces, which

increase the synergy that

exists between their SAAS

and PAAS offerings.

Incredibly feature rich and

innovative. Easy to build

sophisticated applications with

graphical frameworks. Significant

toolkits and integration to 3rd party

products and services. Fairly

high level of lock-in when using

advanced capabilities and

frameworks. Nearly seamless

integration across SAAS and

PAAS offerings.

Table 1

7.3 SAAS on the Delta Model



39/92

Only one SAAS vendor, Salesforce.com, is currently positioned at the System Lock-In

location on the Delta Model. Other vendors are located at the two other vertices, or

somewhere between them. The reason for this is that no other vendor has succeeded

like Salesforce.com has in terms of both their PAAS offering and their SAAS offering.

The synergies of these two offerings, combined with the customer focus that is deeply

ingrained in Salesforce.coms culture, makes their offerings very sticky indeed. This is a

stickiness that is characterized more by customer satisfaction than it is by dependence

or technical lock-in. Salesforce.com has a truly unique focus on delivering exceptional

value and success to their customers. This is a cultural obsession, which is clear from

reading Behind the Cloud, a book by Salesforce.coms founder Marc Benifoff (15).

This was also clear when interviewing Kraig Swensrud, a Sr. Executive at

Salesforce.com (11)

What is perhaps the most important lesson from Salesforce.com however is that their

success, which for the moment appears to be sustainable, depends not on one single

thing, but on a large number of things. Customers that extend Salesforce.coms

application (SAAS offering) will become familiar with their PAAS offering. This is a win



40/92

for both Salesforce.com and their customers. Salesforces obsession with customers,

aggressive and edgy marketing, adoption of open standards, creative partnerships

(such as their VMWare partnership) and a multitude of other factors have made

Salesforce.com one of the fastest growing technology companies in history.

Although Google and Microsoft both offer PAAS and SAAS solutions, their strategies

are not as coherent and their products are not as integrated as Salesforces.

8. Customer Specific Forces

During my interviews with customers I noticed more similarities than differences among

customers with respect to how they are currently using, and how they plan to use, cloud

computing. Customers have largely adopted cloud technologies in similar patterns, and

have similar views on what is missing. Following are the most prominent themes that I

observed.

Virtualization was unanimously cited as the centerpiece of customer cloud strategies,

and VMWare was cited, almost unanimously, as the most strategic cloud vendor



41/92

among customers that I interviewed.

Customers with more mature cloud and virtualization infrastructures often indicated

that the availability of suitable management and provisioning tools was lacking.

Privacy and security concerns were shared by all customers interviewed. This

includes regulatory requirements as well as general concerns over the

confidentiality, privacy and protection of critical information. Many customers cited

specific statues and regulations and others were far less specific when asked for

detail.

Customer adoption of cloud solutions has been opportunistic, not strategic. Few

customers have clearly defined cloud strategies or roadmaps but instead have

(wisely) chosen to move applications and infrastructure into the cloud on an ad hoc

basis driven by savings and ROI.

Customers view the cloud as central to their shared services initiatives to a greater

extent than vendors or technology journalists do. A comment from John Hancocks

CIO, Allen Hackney, provides a good example of this. The ability to separate

physical layers of infrastructure from provisioning of resources in order to produce a

business application is central to our strategy.. I found this to be a remarkably

astute statement.



42/92

The primacy of these themes in customer discussions warrants a closer look at each

one.

8.1 VIRTUALIZATION

Each customer that I interviewed cited their virtualization vendor as their most strategic

cloud vendor. It is worth taking a look at some of the key innovations in this market to

get a sense for how it is evolving, and what it may look like in the future.

In addition to core virtualization services, and a hypervisor that is best-of-breed,

VMWare seems to have a compelling vision for the future of cloud computing.

Customer and market buy-in are extremely high, as evidenced by rapid earnings

growth, and a very rich corporate valuation. As of 2/11/2011 VMWare had a $37 billion

market capitalization, a price/earnings ratio of 106, a price/sales ratio of 13.1, 37% year-

over-year quarterly revenue growth, and a 91.36% share price increase over the

previous 52 weeks (10). I will reserve comment on whether the growth expectations

that are implicit in this valuation are warranted, but it is clear from these numbers that



43/92

market interest and optimism about VMWare is very high.

Part of VMWares great success is a clear and obvious Return on Investment (ROI) for

their customers. When customers virtualize their data centers on VMWare, they can

often reduce the number of servers they use by an order of magnitude. This massively

reduces costs for hardware, data center floor space, software licenses, heating and

cooling and administrative personnel. It is true that there are new costs associated with

purchasing and implementing VMWare software and training staff to use this

technology, but VMWares strategy appears to be that we will shrink the IT spending

pie but will take an increasingly larger slice of this shrinking pie

Perhaps VMWares most game changing innovation is their vCloud API. The vCloud

API enables customers using VMWare virtualized workloads move their workloads to

data centers that support the vCloud API, or vCloud services. This means that the

vCloud API gives customers flexibility to switch their cloud vendor, or cloud service

provider, more easily than ever before. vCloud technology enables a customer to run a

workload in their own environment, to move that workload to a CSP, and then to move

the workload to yet another CSP for any reason they choose. CSPs must support the



44/92

vCloud API to enable this flexibility, but many large CSPs have already signed up and

have made their data centers vCloud compatible. The number of CSPs supporting

vCloud is currently around 3000. Here is VMWares description of the vCloud API:

The vCloud API is an interface for providing and consuming virtual resources in the

cloud. It enables deploying and managing virtualized workloads in private and public

clouds as well as interoperability between clouds. The vCloud API enables the upload,

download, instantiation, deployment and operation of vApps, networks and virtual

datacenters. There are two major components in vCloud API, the User API focused on

vApp provisioning and Admin API focused on platform/tenant administration. (9)

There are a couple of other very innovative technologies that VMWare offers that help

to explain their meteoric valuation. VMWare now provides technology that will pool

large numbers of distributed virtual resources into a logical pool. This is in effect,

virtualizing virtulized environments. This capability enables the management,

administration and provisioning of resources over a large distributed environment.

Resource utilization and resource management are enhanced to an even greater

degree than with simple virtualization alone. It facilitates fine grained provisioning and

allocation of resources and it also enables changes to be made uniformly and



45/92

consistently across a large number of separate physical environments. Differentiation

of infrastructure is enabled so that tiered delivery of pricing and service delivery is

possible. Tools, portals and APIs are provided to enable self service delivery of catalog

based services. VMWare describes this as follows: Whenever internal users need IT

services, they should be able to get them as easily as finding and downloading an

application from Apples App Store. (9)

Chargeback is a concept that is important to private clouds. The concept of

chargeback, as it relates to as-a-service solutions, has roots in the 1990s along with

shared services. Internal service providers must be able to recoup their costs

somehow. Although some internal service providers may be allowed to operate at a

loss, it is important that they have a fair and consistent way of charging internal

customers for the services that they provide. The concept of chargeback is closely

related to provisioning, which I will address shortly. VMWare offers chargeback

capabilities that enable Cloud Service Providers to charge customers based on Fixed

Costs, Allocation or Utilization. Fixed Cost charges are simply based on the number of

virtual machines used. Allocation based chargeback is determined by the amount of

capacity that is allocated and available to use. Utilization based chargeback is based



46/92

on the amount of capacity that is actually used. (9)

Although some customers acknowledged challenges with their ability to charge back to

customers, none of the customers interviewed were using VMWares chargeback

product. This may be due to the limited number chargeback options that exist however.

Options such as user counts, transaction counts or chargeback for non-virtualized

resources are not presently available.

8.2. CLOUD MANAGEMENT AND PROVISIONING

For both public and private clouds, provisioning cloud resources to new customers or

users is very important. Because muti-tenancy is a fundamental part of cloud,

practically by definition, adding new tenants quickly and easily is a focus of much

attention, although results have been elusive. Although Google, Microsoft, VMWare,

Salesforce and other leading cloud and cloud infrastructure vendors have made

considerable efforts to automate provisioning processes, this automation is mostly

focused on their own technologies. VMWare can provision virtualized resources well,

Google can provision App Engine resources and applications well, etc.. However, tools



47/92

to automate provisioning across a range of services and technologies provided by

different vendors have been lacking. As a result, the traditional system management

vendors have stepped in with what appear to be the most capable solutions at this time.

BMC Patrol, IBM Tivoli, CA Unicenter and HP OpenView have always always been

leaders at providing centralized administrative and monitoring capabilities for all kinds of

networking, server, desktop, storage and even software infrastructure. Most

organizations have large investments in these platforms already. Furthermore, HP and

BMC made significant acquisitions in the past several years that give them broader

scope to address cloud provisioning requirements. A small software vendor in Renton

WA, Parallels, has some unique and very sophisticated capabilities here. Parallels is a

private company, probably between 100m and 150m in revenue, and offers the

capability to provision cloud based resources from a large variety of CSPs (12). They

not only handle the technical provisioning of the software but also handle the ordering,

billing, invoicing and payment of services. These services are provided, not

surprisingly, via the cloud.

HP OpenView products were rebranded as part of the HP Software Division in 2007,

along with some recently acquired technology from a number of different technology



48/92

vendors. BMC has taken a very similar approach, segmenting their business based on

legacy products and newly acquired products. Also, each company has built out their

software portfolios in similar ways. The software portfolios of both organizations are

well suited to handle the complexities of provisioning services in the cloud. (17)(18)

Based on customer feedback, HP and BMC appear to have taken the lead in the cloud

provisioning market, and are continuing to innovate and partner to enhance their

solutions.

STRATEGIC ACQUISITIONS

HP BMC

Mercury Interactive Application Management,

Application Delivery, Change and Configuration

Management

BladeLogic Enables server provisioning, release,

change and configuration management.

OpsWare Server and Network Provisioning, and

Configuration and Change Management help to

ensure consistency and best practices.

Remedy Market leading helpdesk application.

3PAR Utility Storage that enable multi-tenant

deployments which are well suited to SAAS and

IAAS deployments

Tideway Systems Enables automated discovery

of system resources and more dynamic monitoring

and administration.Peregrine Systems IT Asset Management and

Service Management Software.

Table 2



49/92

The partnering strategies of both BMC and HP also demonstrate a strong commitment

to building their cloud offerings.

BMC has formed a collaborative partnership with Cisco and VMWare to provide a cloud

in a box solution that relies heavily on BMCs BladeLogic acquisition. The solution

provides virtualized resources of many kinds that can easily be managed, configured

and provisioned in an automated fashion. HP partners with both Microsoft and VMWare

for virtualization capabilities, depending on whether a customer is more Windows or

Unix oriented. Allen Hackney from John Hancock specifically mentioned that his

organization is aligned with and leverages capabilities from the VMWare and HP

partnership. (11)

8.3 PRIVACY AND SECURITY

There are many legitimate reasons having to do with privacy and security that may

diminish a customers enthusiasm for deploying IT resources in the cloud. There are

also some political reasons.



50/92

Cloud deployments typically reduce requirements for data center space, hardware

assets, software assets, employees and budget. Some managers may resist initiatives

that result in reduced headcount, assets and budget. In such instances, security

concerns may become somewhat of a boogey man used by IT managers to help resist

non-technical managers that are pushing for savings from cloud adoption. Although this

is somewhat of a simplification and may sound cynical, I did get this impression from

more than one customer that I interviewed. Change is never easy or riskless and many

factors other than reduced IT relevance play an important role in the reluctance that

some IT managers may feel regarding cloud adoption. Ultimately, as cloud adoption

becomes increasingly common, IT managers will likely begin to view the cloud more

positively, as a way to shrink their IT backlog, align more closely with the business and

unburden their teams from purely technical responsibilities.

8.3.1 Identity Federation

Leaving aside whether cloud environments (public, private or hybrid) are either more or

less secure than traditional infrastructure, they are certainly different. Traditional trust

boundaries no longer apply because software applications might be a mash up of 3rd



51/92

party services, applications and internal infrastructure. CSPs need to be a partner in

the security process. The enterprise data center is just one security zone, or realm that

needs to be considered. A federated approach is needed to address increasingly

distributed authentication requirements. Fortunately, federated security processes have

been evolving since before the rapid growth of cloud computing. Federated security

simply means two or more organizations that share a trust boundary. (16) Once a user

is authenticated in one environment then he is automatically trusted at some level in

another 3rd party environment.

Protocols such as SAML (Security Assertion Markup Language) provide a common

format that can be used by enterprises, 3rd party CSPs and business partners to

represent security authentication and policy data in federated processes. Partners in

SAML processes may either be Identity Providers or Service Providers. Identity

providers will likely be corporate data centers that assert the identity of the users or

processes that are accessing services. Service Providers will use these identity

assertions to determine which resources should be made available. This can provide

benefits such as single-sign-on and simplified administration.



52/92

8.3.2 Security Responsibility

A continuum of responsibility exists with regard to security of cloud based resources. At

one end of the spectrum are on-premise resources and at the other end of the

spectrum is SAAS, where a vendor is responsible for the development, support,

infrastructure and delivery of applications. IAAS and PAAS fall between these two

levels. IAAS is closest to on-premise resources, since the development, support and

delivery of the application are still the responsibility of the organization developing the

application. PAAS falls closer to SAAS since (1) PAAS may be thought of as a super

set of IAAS and (2) more layers of network architecture are contained in a PAAS stack

than in an IAAS stack. It cannot be said with certainty which party should be

responsible for which layer of security in all cases, but the importance of service levels

and clearly defined contractual responsibilities cannot be over stated.



53/92

Figure 5

Following is a list of security concerns that must be addressed by CSPs and their

customers. This is by no means an exhaustive list. Customers and CSPs must work

collaboratively to determine whose responsibility it is to ensure that data, software and

infrastructure are protected.

Host security Host security in a public cloud is the responsibility of the CSP since

details of the host are abstracted from the customer. It may be wise for customers

to demand that the CSP share information through a controls assessment

framework such as SysTrust or ISO 27002 however. (13)

Perimeter security Perimeter security includes all of the resources that are used by

a computer system that need to be protected. Cloud computing complicates this

boundary because the boundary is no longer made up of on premise resources

only. With hyper-distributed cloud based environments, where each layer may be

hosted by a different CSP, or different components within the same layer may be

hosted by a different CSP, it is important to maintain visibility of resources across



54/92

providers, and to ensure that policies and procedures are standardized to the

greatest extent possible. Although such hyper-distributed are not common today,

this will become increasingly common in the future. System wide visibility and

documentation are very important to perimeter security and will help to manage this

process as system and application boundaries change with continued adoption of

cloud based resources.

Authentication and Authorization Making sure that appropriate data and systems

are available to appropriate people is the responsibility of both the customer and the

CSP. Because customers will likely have some administrative responsibilities

delegated to them, they will likely have some responsibility for cleaning up orphaned

accounts and ensuring that rules are consistently followed with respect to user

credentials with the CSP. The CSP will also have responsibility for ensuring that the

granularity of access control meets the customers requirement, rules for strong

passwords are implemented (this may be a shared responsibility) and best practices

are consistently enforced across customers.

Application security Threats to application security exploit vulnerabilities in

underlying applications. Because SAAS are applications delivered over the web, by

definition, application security is the responsibility of the SAAS application vendor.



55/92

With IAAS vendors, application security is the responsibility of the application owner

or administrator. With PAAS solutions, this responsibility will likely be shared. It will

be the PAAS vendors responsibility to provide a security framework that is robust

and well documented, and the application developers (customer) responsibility to

ensure that this framework is implemented properly.

Data-in-transit: Protecting data on the wire calls for the use of an established and

robust encryption algorithm. CSPs must have a well developed strategy here and

may offer different options of whether data is encrypted and if so at what level, or

transmitted in-the-clear.

Data-at-rest: Protecting data stored on disk may also call for the use of a well

established and robust encryption algorithm. Alternatively, a well developed

Information Lifecycle Management (ILM) strategy may be adequate, although

communication of such policies and procedures will likely need to be documented in

a format where they can easily be shared between vendor and customer. An ILM

strategy will define what happens to data as it is aged and moves to backup,

reporting and other systems, as well as how disks are handled when they are retired

and disposed of.



56/92

It is common for strong security at one layer to prevent a breech or vulnerability at

another layer. For example, if the authentication process for a customer is robust then it

is less likely that a user could spoof or hijack a customers credentials and exploit a

vulnerability at the application layer.

8.4 Regulatory Requirements

During my customer interviews, state and federal laws and regulations were often cited

as factors inhibiting adoption of cloud technology. Many laws and regulations exist to

ensure data privacy and security of sensitive data and personally identifiable

information. Data related to income, wealth, health, financial aid and employment

history often have such restrictions. There are also labor laws and the specter of net

neutrality laws that impact how and when cloud based services can be offered, or might

be offered in the future. Labor laws are in place, mostly in the public sector, that

prevent workforce reductions resulting from outsourcing work to a 3rd party or from

automation. Although the following list is not exhaustive, each of these laws or

regulations has the potential to effect the advancement and adoption of cloud

technology. For state law I will focus on Massachusetts and Washington State only.



57/92

This is because covering all 50 states would not be helpful, and would be overly

lengthy. Further, both states are home to large populations of technology and internet

companies and have legislatures that are not timid with regard to commercial regulation.

8.4.1 Labor Laws and Labor Influence

Massachusetts Pacheco Law In a nod to Public Employee Unions and employees,

Massachusetts enacted Anti-Privitization legislation, the Pacheco law, in 1993. This law

effectively prohibits the contracting of work to the private sector that can be performed

by state employees. (23). With regard to cloud computing, this practically eliminates the

prospect of achieving savings from well proven IAAS offerings such as ones provided

by Amazon and Rackspace. Outsourced email, calendaring, collaboration and other

services that are currently provided by state employees, often at very high cost, are also

off limits.

Federal Senate spending bill S.3677 Bill S. 3677, passed July 29 2010, reduced

funding for federal cloud computing efforts 58% from 2010 to 2011. Although Federal

workers are not unionized, this decision is highly incongruous with government



58/92

spending trends and spending on cloud computing initiatives in general. Overall funding

for technology spending in this bill saw an increase from 2010, although cloud spending,

that was intended to consolidate data centers, shrank significantly. (24)

City of Seattle IT workers at City of Seattle are unionized. Based on interviews that I

conducted with (non union) technology leadership at City of Seattle, it seems unlikely

that services such as email will be delivered via the cloud. Microsoft, Google and other

vendors offer such services through the cloud and can typically demonstrate

considerable savings when compared to purchasing, deploying, supporting and

administering in house email systems such as Microsoft Exchange, which was deployed

in 2009 at City of Seattle. Due to union influence however, such moves seem very

unlikely.

8.4.2 Net Neutrality

Net neutrality simply means that internet users should have unrestricted and

undifferentiated access to any legal content on the internet. This is tricky though. What

is counter intuitive about this is that to achieve net neutrality would require either legal



59/92

precedence based on related case law, or a specific bill leading to new laws or

regulations. Net neutrality is not currently enforced via any specific law or regulation. In

practice however, it almost universally exists. The internet is highly democratic for both

producers and consumers of content. Opponents of net neutrality say that creating new

laws or regulations around the internet to achieve net neutrality would be fixing

something that is not broken, and that new laws or regulations, intended to make sure

that content consumers and producers are treated equitably and fairly, would open the

door to further regulation and government control, which might ultimately hurt the

internet and diminish its value. They feel that the internet has gotten by just fine without

such regulation up until now and that greater regulation would lead to influence by

special interests, or over reach by government. Net neutrality arguments, either for or

against, have the potential to result in 1st amendment issues, although this is not likely

any time soon.

Proponents of net neutrality feel that providers of internet bandwidth, such as Comcast

or AT&T for example, might use their power to discriminate against certain content

providers. For example, Comcast could theoretically provide a lower quality of service

to content providers that require a great deal of bandwidth, such as Youtube or Netflix,



60/92

or they could provide a lower quality of service to competitors potentially.

A 2008 case filed by the Federal Communication Commission (FCC) against Comcast

charged that Comcast unlawfully blocked or slowed access to a peer sharing web site,

Bit Torrent. An April 2010 ruling on this case determined that the FCC lacked the

authority to dictate how Comcast should treat internet traffic and Comcast won the case,

successfully defending their right to treat their customers and use their infrastructure as

they wish.

During my interviews, Bruce Chatterley, President of MegaPath (merger of Covad,

Megapath and Speakeasy.net) mentioned net neutrality as a potentially important issue

for cloud adoption (11). As customers put increasingly mission critical infrastructure and

applications in the cloud, they will be likely to demand higher qualities of performance

and service reliability. Government efforts to implement net neutrality laws or

regulations could inhibit the ability of Cloud Service Providers to differentiate service in

such ways.

Arguments made by groups that are either for or against net neutrality regulation may



61/92

sound very similar. Both sides are likely to say that their position will increase (or have

the potential to increase) innovation. To some extent, both sides are correct. If net

neutrality laws are passed, the specter of large bandwidth and infrastructure providers

treating potential competitors unfairly is unlikely to emerge, although in reality this has

not happened yet anyway. If net neutrality laws are not passed, we will continue with

the status quo of a largely unregulated internet that has created hundreds of billions of

dollars of wealth in the past decade alone.

8.4.3 State Data Privacy Laws and Regulations

Breach Notification Laws Nearly all states now have security breach laws in place

that require notification of the effected party, those whose personally identifiable

information has been disclosed, of such a breach.

Washington House Bill 1149 Effective 07/01/10, this bill extends the scope of

typical Breach Notification Laws by requiring that the commercial organization

responsible for the breach reimburse banks for the costs associated with cancelling

and reissuing credit and-or debt cards. 1149 also incorporates the Payment Card

Industry Data Security Standard ("PCI") into the law (21)

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtmlhttps://www.pcisecuritystandards.org/security_standards/pci_dss.shtml


62/92

Massachusetts Executive Order 504 An Order signed by Governor Patrick on

September 19, 2008 that recognizes the importance of protecting personal

information and specifically outlines how all state agencies in the Executive Branch

must address the security and confidentiality of personal information. (19)

Massachusetts General Law 93H This appears to be the first state law imposing

specific requirements on business to protect Personally Identifiable Information (20).

Attorney Greg Duff summarizes the rather onerous requirements on his web site,

www.duffonhospitalitylaw.com. He summarizes the requirements as follows:

Encrypt all data, including on mobile devices (laptops, PDAs, etc,)

Restrict physical access to records containing PII

Develop written information security policies and adhere to them

Regularly monitor networks for unauthorized activity

93H requirements are laudable as consumer protections but they will unquestionably

increase costs for business. The language in 93H is also unclear as to what constitutes

compliance and this could lead to costly over implementation, as has been the case

with other ambiguous regulation such as Section 404 in the Federal Sarbanes Oxley

http://www.duffonhospitalitylaw.com/http://www.duffonhospitalitylaw.com/


63/92

Act. There is certainly a tradeoff between consumer protection provisions, and the

increased cost of doing business, which may become as a disincentive for new

eBusiness firms to locate in Massachusetts, which could hurt employment growth and

capital formation.

8.4.4 Federal Data Privacy Laws and Regulations

US Patriot Act The US Patriot Act may be one reason that cloud adoption has been

faster in the US than in other countries. Any data that is physically stored in the United

States is subject to the Patriot Act. The Patriot Act allows the US Federal Government

to access data stored within US borders. (26) Although such access requires a

request, or application by a Special Agent from the FBI, the approval of such an

application may be granted by a Federal Judge. The fact that commercial and

proprietary information may be accessed by the US government is unsettling for many

private and public organizations outside of the US that might otherwise consider

adopting cloud offerings from US companies.

Stefan Ried from Forrester writes about this problem and discusses how Data



64/92

Integration Software Maker Informatica has designed an integration-as-a-service

architecture to circumvent this problem. (26) Informatica provides integration-as-a-

service so that customers in Europe can use their US based integration service and no

data will actually touch servers on US soil, which would make the data subject to the

Patriot Act. When vendors architect their solutions around regulations and laws, it may

be a good sign that the regulatory and legislative processes are having a hard time

keeping up with the market, and are in need of being updated.

Federal Information Security Management Act (FISMA) - The Federal Information

Security Management Act of 2002 requires all Federal Agencies to implement an

agency wide information security strategy.

The National Institute of Standards and Technology (NIST) is responsible for working

with Federal agencies to implement FISMA. Although the US government spends

several billion per year on security and FISMA related compliance costs, the standards

developed by NIST appear to be quite rational and in line with best practices that I have

observed in the private sector. NISTs web site states that their vision is (26): To

promote the development of key security standards and guidelines to support the

http://csrc.nist.gov/drivers/documents/FISMA-final.pdfhttp://csrc.nist.gov/drivers/documents/FISMA-final.pdf


65/92

implementation of and compliance with the Federal Information Security Management

Act including:

Standards for categorizing information and information systems by mission

impact

Standards for minimum security requirements for information and information

systems

Guidance for selecting appropriate security controls for information systems

Guidance for assessing security controls in information systems and determining

security control effectiveness

Guidance for the security authorization of information systems

Guidance for monitoring the security controls and the security authorization of

information systems

Although FISMA compliance costs are high, the mission seems worthwhile and it is

reassuring to observe that many private sector organizations have developed security

strategies that align closely to NISTs. It appears that the government has provided

some valuable leadership to the private sector.



66/92

Health Insurance Portability and Accountability Act (HIPAA) HIPAA was mainly a way

to ensure citizens can keep their existing insurance in the event that they lose a job. In

addition to this, there are aspects of the regulation that help to bring the health care field

up to date with the demands of our digital age.

HIPAA regulates the use of protected health information (PHI) by health care providers

and health plans (13). Health care providers and health plans must notify patients if any

of their PHI is shared or disclosed to other parties. Also, patients have the right to

access any of their PHI and are able to correct or updated such information if needed.

Graam Leach Bliley Act (GLBA) The GLBA, also called the Financial Services

Modernization act of 1999, was a major piece of financial services legislation. It partly

repealed the Glass-Steagall Act of 1933. This was largely a banking deregulation bill,

but it also brought regulation up to date for information security for financial services

companies. There are two parts of the GLBA that are highly relevant to cloud

computing, the Financial Privacy Rule and the Safeguards Rule (13).



67/92

1. The Privacy Rule requires financial institutions to provide a privacy notification to

customers at the inception of a customer relationship, and also requires ongoing

annual notifications. This notification must explain to the customer how their

personal information will be used and give the customer the ability to opt out of

activities that involve the sharing of their personal information with 3rd parties.

2. The Safeguards Rule requires that financial institutions implement an information

security program that protects their customers private data. The Safeguards Rule

requires that financial institutions not only create and implement such a program, but

that it is monitored and updated as needed, and that there is a single point of contact

with overall responsibility for the plan. This has led to the creation of the Chief

Information Security Officer (CISO) position in many organizations.

Federal Rules of Civil Procedure (FRCP) FRCP requires that parties involved in a civil

lawsuit must disclose to the opposing party any information that will be used in their

claim or defense (13). In 2006 FRCP was updated to better reflect increasingly digital

forms of information. The changes required that electronic information used in the

discovery process be made available quickly and easily. These changes led to a boom



68/92

in the eDiscovery market, for email and document archiving and recovery. FRCP has

major implications for cloud vendors, whether PAAS, IAAS or SAAS. Data may be

required from any of these sources as part of a legal discovery process.

Personal Data Privacy and Security Act of 2009 Although this bill was never enacted, it came

close. Only due to

factors shaping the future of cloud computing

Documents