vendor lock-in in the transistion to a cloud computing ...1110063/fulltext01.pdf · the thesis...
TRANSCRIPT
DEGREE PROJECT, IN , SECOND LEVEL
STOCKHOLM, SWEDEN 2015
Vendor Lock-in in the transistion to aCloud Computing platform
MENATALLA ASHRAF FAWZY KAMEL
KTH ROYAL INSTITUTE OF TECHNOLOGY
DEGREE IN INFORMATION AND COMMUNICATION TECHNOLOGY
I
DEGREE PROJECT, IN COMMUNICATION SYSTEMS (IK223X), SECOND LEVEL
STOCKHOLM, SWEDEN 2015
Vendor Lock-in in the transition to a Cloud Computing platform
Student:
Menatalla Ashraf Fawzy Kamel
Examiner:
Jan Markendahl
Supervisor:
Amirhossein Ghanbari
Industrial Manager:
Fredrik Husander
Industrial Supervisor:
Jan Mäehans
II
Abstract
The thesis introduces a study about the vulnerabilities that a company as Scania IT faces towards
vendor lock-in in the transition to a cloud computing platform. Cloud computing is a term that
refers to a network of remote servers hosted on the internet to store, manage and process data,
rather than on a local server or a personal computer. Vendor lock-in is an outcome that causes
companies to pay a significant cost to move between cloud providers. The effects that cause
vendor lock-in that will be described are portability, interoperability and federation are called the
lock-in effects. The goal of the research is to help Scania IT understand the vendor lock-in and
the vulnerabilities they can face in the transition to the cloud as well as to clarify the concern that
they may have against falling in vendor lock-in. The main purpose of the research is to present
the various lock-in effects that are related to the transition from one cloud provider to another
and the vulnerabilities that cause companies to fall in vendor lock-in. The thesis presents the
reasons that motivates why Scania IT would consider using the cloud and the concerns that they
may have against usage of a cloud computing platform. The results will be based on a case study
of a similar company that has moved to a cloud provider and specifically Microsoft Azure and an
interview of Microsoft Azure point of view with the risk of vendor lock-in. Finally, a process of
interviews with different people from Scania IT to extract the current bottleneck in the
development process that caused the company to think of a cloud computing platform. The
results show that companies should consider many risks and factors while moving to the cloud,
as vendor lock-in, cloud maturity index and their IT strategies. As a result, the thesis gives
recommendations of the steps needed to minimize the risks of the cloud while maintaining the
positivity of the cloud.
Keywords: Cloud computing, vendor lock-in, lock-in effects, portability, interoperability,
federation, Software as a Service, Platform as a Service, Infrastructure as a Service.
III
Sammanfattning Uppsatsen presenterar en studie om de sårbarheter som ett företag som Scania IT har mot
inlåsning i övergången till molntjänster. Molntjänster är en term som hänvisar till ett nätverk av
servrar som finns på internet för att lagra, hantera och processa data, istället för på en lokal
server eller en persondator. Inlåsning är ett resultat i vilket orsakar att företagen behöver betala
en betydande kostnad för att flytta mellan molnleverantörer. De effekter som orsakar inlåsning
vilket kommer att beskrivas är portabilitet, interoperabilitet och federation, dessa kallas
inlåsningseffekter. Målet med forskningen är att hjälpa Scania IT att förstå inlåsning och
sårbarheter som de kan möta i övergången till molnet. Dessutom är målet att klarlägga riskerna
som de kan ha mot att falla i inlåsning. Det huvudsakliga syftet med forskningen är att presentera
de olika inlåsningseffekter som är relaterade till övergången från en molnleverantör till en annan
samt de sårbarheter som orsakar företagen att falla i inlåsning. Uppsatsen presenterar skäl som
motiverar varför Scania IT ska överväga att använda molnet samt den oro som de kan ha mot
användning av en molnleverantör. Resultaten kommer att baseras på en fallstudie av ett liknande
företag som har flyttat till en molnleverantör och specifikt Microsoft Azure samt en intervju av
Microsoft Azure synvinkel med risken för inlåsning. Slutligen, en rad av intervjuer med olika
personer från Scania IT för att extrahera den nuvarande flaskhalsen i utvecklingsprocessen som
orsakade företaget att tänka på molntjänster. Resultaten visar att företagen bör överväga många
risker och faktorer när de flyttar till molnet, som exempelvis inlåsning, cloud maturity index och
deras IT-strategier. Som ett resultat ger examensarbetet nödvändiga rekommendationer för att
minimera riskerna för molnet samtidigt som positivitet av molnet.
Nykelord: Cloud computing, vendor lock-in, lock-in effects, portability, interoperability,
federation, Software as a Service, Platform as a Service, Infrastructure as a Service.
IV
Acknowledgements
This Master thesis is the last part of my degree program in Information and Communication
Technology at the Royal Institute of Technology in Stockholm. First and foremost, I want to
thank my dear family for their continuous support and encouragement throughout my whole
education.
The study was performed at Scania CV AB in Södertälje in the department INWR .Net
development. I want to begin by thanking my manager Fredrik Husander and supervisor Jan
Mäehans in Scania CV AB for giving me the opportunity to do my thesis with them and the
continuous support they gave me under the thesis process. I want to thank the staff in Scania CV
AB that gave me their time to answer my questions and gave me valuable information through
the interviewing process.
I also want to express my gratitude to Amirhossein Ghanbari, not only for being my supervisor
from whom I have learned a lot but for his assistance and continuous feedback on guidance for
my work and report. Last but not least, I would like to thank my examiner Jan I Markendahl for
his advice and words of encouragement throughout the thesis period.
Menatalla Ashraf Fawzy Kamel
Stockholm, Sweden, 2015
V
Table of Contents
Abstract II
Sammanfattning III
Acknowledgements IV
List of Figures VI
List of Acronyms and Abbreviations VII
1. Introduction
1.1 Problem statement
1.2 Related work and contribution
1.3 Goal
1.3.1 Benefit of Society, Ethics and Sustainability
1.4 Delimitations
1.5 Outline of the thesis
2. Method
2.1 Methodology
2.2 Framework of the study
3. Cloud Computing Theory
3.1 What is Cloud Computing?
3.2 Cloud Service Models
3.3 Cloud Deployment Model
3.4 Cloud Providers
4. Current development process and bottleneck in Scania IT
4.1 Current development process
4.2 Bottleneck in Scania IT
5. Three types of lock-in effects that cause vendor lock-in
5.1 Lock-in effects
5.2 Vendor lock-in types in relation to different cloud models
6. Is Scania IT vulnerable to vendor lock-in?
6.1 Microsoft Azure view on vendor lock-in
6.2 Relation between Company X and vendor lock-in
6.3 Is Scania IT vulnerable in the transition to the cloud?
7. Conclusions, Implications and Future work
7.1 Conclusion
7.2 Implications for Scania IT
7.3 Future work
References
1
1
2
4
4
4
5
6
6
8
10
10
11
12
15
16
16
19
20
20
22
23
23
23
26
33
33
35
36
37
VI
List of Figures
Figure 1-1 Cloud computing pros and cons and some of the issues directed in the thesis 2
Figure 2-1 The framework that was used in the thesis work 9
Figure 3-1 Different models and what is managed by the company versus what is managed by
the cloud provider 12
Figure 3-2 Different delivery models and illustrates the Hybrid cloud and Hybrid IT 14
Figure 4-1 Development process of Scania IT 17
Figure 4-2 Barriers that DevOps are trying to eliminate 18
Figure 5-1 The risk level of different cloud service models 22
Figure 6-1 The method that can be used to minimize the risk of vendor lock-in 25
Figure 6-2 Cloud Maturity Index and the current situation of Scania CV AB 26
Figure 6-3 Hybrid IT strategy steps needed to adopt a cloud computing platform 28
Figure 6-4 Complexity integrations in relation to whether the producer and consumer exist
internally or externally 30
Figure 6-5 Classifications of information types followed by their risk level 31
Appendix- Figure 1-Magic Quadrant for Cloud Infrastructure as a Service (IaaS) 41
Appendix-Figure 2-Magic Quadrant for Enterprise Application Platform as a Service (PaaS) 42
VII
List of Acronyms and Abbreviation
API Application Programming Interface
CM Change Management
CMI Cloud Maturity Index
CR Change Request
DSL Domain Specific Languages
MM Maintenance Manager
IaaS Infrastructure as a Service
ISEC Information Security
ITDM IT Development Meeting
PaaS Platform as a Service
RFC Request For Change
SaaS Software as a Service
SAC Strategic Architecture Council
TOSCA Topology and Orchestration Specification
for Cloud Applications
TR Trouble Request
1
1. Introduction
Scania CV AB has a history over more than 100 years, they were founded in 1891 [1]. Since that
time, Scania has built and delivered more than 1,400,000 trucks and buses for heavy transport work
[1]. Scania IT is a part of Scania CV AB, which is responsible for the development of the
applications and handling infrastructure of Scania CV AB. Scania IT are currently having all their
work and infrastructure on-premises. So currently Scania IT is looking for a better economical and
flexible solution, with the aim to decrease time to market. Therefore Scania IT is considering
implementing a cloud computing platform, since they assume it will lead to reaching globally faster
and will contribute to continuous delivery, which is an important goal to Scania IT that they are
always striving to achieve with optimization. Many concerns are listed within Scania IT in the
transition to the cloud such as security issues, lack of control and reliability. However the main
concern that they want to analyze is vendor lock-in and the vulnerabilities that cause the companies
to fall in vendor lock-in. Vendor lock-in is the outcome that makes a customer dependent on a
specific vendor for products and services unable to use another vendor without substantial
switching costs. Therefore the thesis will present a study about this main concern to Scania IT in
moving to a cloud computing platform.
1.1 Problem statement Scania IT is seeking for improvement for the rate of delivering services and applications with
providing a faster delivery rate, which contributes to continuous delivery that tries to deliver
improvements to an application as often as possible while maintaining quality. Moreover, Scania IT
wants to investigate deeply the many unresolved and open problems related to the mature
technologies of cloud computing. One of these technologies is vendor lock-in, which is caused by
the lock-in effects that will be described in this thesis such as portability, which is the ability to
move applications, data, and tools from one cloud vendor to another in a company that wants to use
a cloud provider such as Scania IT. Another effect is the interoperability, which is the ability for
different clouds to communicate with each other. Portability and interoperability effects play a big
role in causing vendor lock-in, which causes companies to pay a significant cost to move between
cloud providers.
Moreover, Scania CV AB is a large international company where several countries are involved to
many applications that are found in Södertalje (The main office); therefore a goal they are always
striving to achieve is global accessibility from around the world.
2
1.2 Related work and contribution To accomplish the transition to the cloud, there are many factors that need to be taken into account
as shown in figure 1-1 below [2].
Figure 1-1 Cloud computing pros and cons and some of the issues directed in the thesis [2]
General studies in the field of deployment of cloud computing bring up some ongoing discussions.
Figure 1-1 above shows that there are four main cons to cloud computing which are security, lock-
in, lack of control and reliability [2].
Since cloud computing is a big technological aim to provide flexibility and economic improvement
to companies and customers. For companies to use cloud computing, they need to discuss and
research these benefits versus the risks of cloud computing. Therefore a literature study has been
conducted to provide an empirical investigation of cloud computing using multiple sources of
evidence and in-depth analysis of several previous studies.
Greenwood et al [3] showed that cloud computing can be significantly cheaper alternative to
purchasing and maintaining system infrastructure in-house. Despite these advantages, he showed
that there are some important socio-technical issues that need to be considered before organizations
would move their IT systems to the cloud [3]. Petcu et al [4] have proposed a layered set of APIs
that are offering a supplementary degree of freedom, from programming languages and style.
Kostoska et al [5] has proposed a new cloud portability service platform and gave an overview of
the current trends in the area of cloud service portability. Kostoska discussed that there are no
3
standard solutions for cloud service portability, mainly due to a huge number of various cloud
providers on the market. However, he named two approaches that are known in technology area to
cope with emerging markets and offer. The first approach is using the most successful provider,
which will “kill” the other in the concurrent market environment, and the other to establish a highly
recognized standard accepted by all market players [5]. The second approach is using Topology and
Orchestration Specification for Cloud Applications (TOSCA), which represents a first step towards
building a standard for portable deployment and the migration of existing applications onto a cloud
[5]. Guillen et al [6] proposed a framework which aims to favour cloud agnostic software
development, which helps companies continue building their applications without having to modify
their technology, and also without having to choose a single immovable cloud provider. Moreover,
Ranabahu et al [7] indicated that using Domain Specific Languages (DSL) shows a promise in
developing portable applications for the cloud and related platforms. They have done some tests and
the results shown were very promising for a portable cloud platform.
It can be concluded so far, almost all researches for cloud computing are pointed towards solutions
of portability and ways to overcome vendor lock-in. However not much has been discussed about
the vulnerabilities that make companies like Scania IT fall into vendor lock-in. Also, the reason
why it is a concern to companies considering the usage of cloud computing. Therefore, the
contribution that thesis aims to address is the existing gaps in the deployment of a cloud computing
and specifically Microsoft Azure in an International huge company like Scania IT and fills the
research gap, which is the lack of studies for the reasons and vulnerabilities that companies face in
the deployment of a cloud provider.
Furthermore, the thesis represents some ideas on how to resolve some problems faced when
deploying a cloud computing platform. It is believed that the thesis research questions will be filled
by the conclusions made on this project. Therefore, some research questions will be presented in
order to show what would be the direction of study during different steps of this project and
eventually by answering these questions the final conclusion will be made.
The main problem area is related to the title of the thesis:
Despite the fact that Cloud Computing is a popular evolved computing terminology based on the
consumption of computing resource and proven to be cost efficient and more flexible with a reduce
in the amount of physical infrastructure that a company have to keep and maintain. However some
downsides are security and vendor lock-in. So why such a technology has not been applied or
discussed in huge companies like Scania CV AB?
Since the previous statement is not easy to resolve, it should be cleaved:
4
(1) Why is the cloud a raised issue in Scania IT?
(2) Why is Scania IT vulnerable to vendor lock-in in the transition to a cloud computing
platform?
(3) Why is vendor lock-in a concern to Scania IT when using a cloud computing platform?
The above order was based on a sequence that would be easy to follow. The work would start by
answering the research question (1) that would lead companies to think of the positive side of the
cloud. However the drawbacks of the cloud such as vendor lock-in raised questions (2) and (3) to be
interesting to examine as most companies do not take into consideration the movement out of the
cloud. After identifying the missing gap and the research questions, it could be derived the goal and
purpose of the study in the following sub-sections.
1.3 Goals The goal of the study is to emphasize the reason why Scania IT needs to consider the deployment of
a cloud computing platform and to help Scania IT understand the vendor lock-in and the associated
vulnerabilities they can face in the transition to the cloud as well as to clarify the concern they may
have against falling into vendor lock-in and show what can be done to decrease the risks of cloud
computing.
1.3.1 Benefits and Sustainability
The audience of this document are companies that want to use a cloud computing platform and
want to understand more the risks rather than the benefits of cloud computing. They could use the
solution proposed in the thesis to minimize the risks of vendor lock-in and benefit from the steps
and ways to minimize the risks of cloud computing.
Sustainability aspects were also taken into account, which is reusing the work that had already been
analyzed in Scania and build on it what was missing to achieve a useful thesis that can help the
companies that are thinking of using a cloud computing platform. Moreover, the work submitted
and analyzed can be reused by other companies to minimize the risks of cloud computing and
improve companies maturity rate within cloud computing, which contributes to sustainability.
1.4 Delimitations The name of the company in the case study that has been done by interviewing the person who was
involved in this transition will be stayed anonymous, due to ethical reasons and request of the
owner of the information in the case study.
5
1.5 Outline of the thesis Chapter 2 presents the methodology used in performing the work. Also, gives the reader a more
insight of which methods are used in this research and why they are preferable methods. The
chapter gives more details of how data is collected and how the analysis of Vendor lock-in
vulnerabilities is performed.
Chapter 3 is the start of the author contribution and presents for the reader a history and a wide
introduction to cloud computing. Also, gives an introduction on the different service and
deployment models. Finally, it gives an idea about two main cloud providers.
Chapter 4 presents the investigations that are performed in the company to understand the
development process and bottlenecks that Scania IT is currently facing and give reasons why Scania
IT should consider the cloud.
Chapter 5 presents the lock-in effects that cause vendor lock-in and the different types of vendor
lock-in.
Chapter 6 presents the evaluations of investigations that were carried out to figure out if Scania IT
is vulnerable to vendor lock-in.
Chapter 7 presents the conclusion with the answer to the research questions and the future work that
can be done by other researchers and Scania IT.
6
2. Method
This chapter represents the methodology and the framework of the research, data collection,
selection, application and evaluation of the data collection method. The work with this thesis was
divided into several stages that contributed to the final conclusion.
2.1 Methodology To perform this thesis work, given the explorative nature of the research objectives, a qualitative
research method was chosen instead of quantitative method. The quantitative research method uses
experiments and large data sets to reach a conclusion, while the qualitative research method uses
investigations in an interpretative manner to create theories [8]. The thesis applies the qualitative
method because it helps to understand the vulnerabilities that companies such as Scania IT can fall
into and the lock-in effects that cause the difficulty of moving between different cloud
providers. Qualitative research method answers to questions, such as why, how and what [8].
Research approaches are needed to draw conclusion and to be clear whether these conclusions are
true or false. There are several methods that can be used, such as inductive, deductive or abductive
approach, which includes both the latter named methods. Inductive approach is when the research
resonate theories based on experiences and opinions. While, deductive approach resonate theories
to verify or falsify hypotheses. Inductive approach is often used when data is collected with
qualitative methods [8].
The thesis will apply inductive approach since there is no clear theory to verify or falsify
hypotheses, which applies in a deductive approach. However, a deep analysis is needed to gain an
understanding of the different cloud computing techniques and their effect on the company
specially the lock-in effects. Also, since the outcome is based on interviews of different employees
in the development process and getting an idea of how they work today when compared to working
with a cloud computing platform as Microsoft Azure.
The work contribution involved several stages:
1. Literature Study
2. Interviews internal and external
3. Analysis of Scania intranet system
4. Case Study
7
Starting with a literature study, this is needed to analyze the present situation of the company and
the current work done in this area. This analysis was performed by studying secondary data such as
reports, conference presentations, online information, user guides, press releases, white papers and
articles.
The second step was data collection for carrying out the study, which was by interviews. The
interviews of people in the current development process of Scania IT was performed to understand
the bottleneck in the process and motivate for reasons for the need of the cloud. The interviews
were done by carrying out unstructured or semi-structured data collection techniques i.e. individual
depth interviews and group discussions in this case. This field research consisted of interviewing
developers, testers and software oriented architecture experts. The exact interviewees for this
project were mainly addressed to three teams in one section of Scania IT. The process started by
interviewing maintenance managers of each department in one section of the company. Then the
process proceeded by interviewing a system developer and tester in that specific section. Finally,
the process of interview was directed to a higher rank, which is Change Management department.
Interviewing different people was done to understand the current process, then an analysis of
Scania’s intranet system was needed to provide a wider picture of the inner work of Scania and the
structure of how they work. Then an external interview was performed with the solution lead
principle for Microsoft Azure to understand their offerings for companies and their perspective on
vendor lock-in.
Furthermore, a case study of a company that has had the experience about transition to the cloud
provider and specifically Microsoft Azure. Case studies involved reading previous experience of the
adoption of the cloud and gathering information that will help make the analysis to Scania IT and
solve the worries that can be found. This case study has been deducted through a semi-structured
interview to one of the employees that was in charge of this transition and the questions were
directed to how this company dealt with vendor lock-in. Finally, the idea of the cloud maturity
index, showing how mature Scania IT is towards cloud computing led to the proposal of an IT
strategy to define applications in Scania IT moving to a cloud hence lead to a higher rank of cloud
maturity.
8
2.2 Framework of the study In order to make the work structured in a way that would be comprehensive and easy to follow. A
framework was created by the author with the steps need to answer the research questions. This
particular order of steps found in figure 2-1 was the order that was used to answer the research
questions, which are described below in details.
Problem: This is the first step in the thesis, where the problem was concluded from the current
situation of Scania IT and the reasons gathered behind the study of cloud computing.
Related Work: Following the problem, the work started by reading other researchers work and
extracting the related work and figuring out the thesis gap. From that literature study, the research
questions were introduced.
Cloud Computing Theory: Then following that a deep detailed analysis of the cloud computing
theory was needed to give the reader a broad understanding of cloud computing, which will be
needed to understand the rest of the work.
Interviews: After representing the data about cloud theory, 14 interviews from within Scania IT
have been performed to understand their current development process and discuss the work and
tools that are needed in each process. From these interviews, it was concluded as well the
bottlenecks that Scania IT are currently facing. Ethics was taken into account in this interview
research. That being said, in all interviews that were conducted it was asked to the interviewees
whether it was allowed to use and reference the data given in the interview and if it was allowed to
use their name and position in the thesis if needed.
Microsoft Azure Interview: That included an interview for a Principal Solutions Lead – Azure in
Microsoft. That was to better understand their services and their view on vendor lock-in as leading
cloud providers in both IaaS and PaaS service models.
Case Study Company X: That was an important step to gather the company’s opinion on vendor
lock-in, where the author interviewed the person responsible about the movement to the cloud in
company X. This was used to evaluate if Scania IT can follow the same pattern and avoid vendor
lock-in.
Cloud Maturity Index: This analysis step was to evaluate what was Scania IT current situation
with cloud maturity and how to move to a higher stage. Therefore a Hybrid IT strategy was created
as a flowchart guideline for companies to follow in order to achieve a high maturity stage.
9
Figure 2-1 The framework that was used in the thesis work
The green arrows illustrate that all the work performed results to the answer the research questions.
The red arrows illustrate the order of the steps taken to answer the research question starting with
problem, all the way to the cloud maturity index analysis.
10
3. Cloud Computing Theory
This chapter presents a background theory on cloud computing, cloud service models, cloud
deployment models and top three cloud providers. Moreover, there will be a clarification about the
difference between vendor lock-in and lock-in effects.
3.1 What is Cloud Computing? Cloud computing is a new terminology that was added to the IT industry in early 2007 [9]. Cloud
Computing is the practice of using a network of remote servers hosted on the Internet to store,
manage, and process data, rather than a local server or a personal computer [12].
The national Institute of Standards & Technology has defined Cloud Computing as follows [10]:
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a
shared pool of configurable computing resources (e.g., networks, servers, storage, applications,
and services) that can be rapidly provisioned and released with minimal management effort or
service provider interaction. This cloud model is composed of five essential characteristics, three
service models, and four deployment models.”
These cloud service and deployment models will be discussed in the next section. However the five
essential characteristics will be listed below and described [10].
1. On-demand self-service: A consumer can use computing capabilities, such as server time
and network storage without requiring human interaction with each service provider.
2. Broad network access: Computing capabilities are available over the network and can be
accessed by any device (e.g., mobile phones, tablets, laptops, and workstations).
3. Resource pooling: Computing resources that are owned by the cloud provider are pooled
to serve multiple consumers using a multi-tenant model, with different physical and virtual
resources dynamically assigned and reassigned according to consumer demand. Examples
of resources include storage, processing, memory, and network bandwidth.
4. Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases
automatically, to scale rapidly outward and inward commensurate with demand. To the
consumer, the capabilities available for provisioning often appear to be unlimited and can
be appropriated in any quantity at any time.
11
5. Measured service: Cloud systems automatically control and optimize resource use by
leveraging a metering capability at some level of abstraction appropriate to the type of
service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can
be monitored, controlled, and reported so providing transparency for both the provider and
consumer of the utilized service.
3.2 Cloud Service Models There are three common service models that are represented in relation to cloud computing, which
are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service
(SaaS). These models will be represented in details below.
Infrastructure as a Service (IaaS)
Infrastructure as a Service is a service offering a focus towards those who have knowledge of how
to configure the software portion of the technology stack, but do not want to manage the hardware
[14]. Infrastructure is the base of the stack and provides all the raw computing resources.
Platform as a Service (PaaS)
Platform as a Service is a service aimed to developers that help them develop and test applications
without having to worry about the underlying infrastructure. Developers do not want to have to
worry about provisioning the servers, storage and backup associated with developing and launching
an application [15]. The platform services provide users with software, virtual machines (VMs) and
usually handle all aspects of system administration for the user. On the other hand, the customers
would need only to handle the applications and data as illustrated in figure 3-1.
Software as a Service (SaaS)
Another type of cloud computing model is Software as a Service, which is a service that means that
the cloud computing provider is in charge of applications, data, operating system, storage, service
and the rest as shown in the figure 3-1 [2]. The consumer buys the services without worrying about
the customization or maintenance of the hardware. They need to just stay connected to the cloud
provider.
12
Figure 3-1 Different models and what is managed by the company versus what is managed by the
cloud provider
Figure 3-1 illustrates the separation of responsibilities for on-premises versus three service models,
IaaS, PaaS and SaaS, where it presents what is manageable by the cloud provider versus what is
managed by the customer. So, Other manages illustrates the cloud providers as Microsoft Azure or
Amazon. While You Manage, illustrates the customer as Scania IT.
3.3 Cloud Deployment Models There are five common deployment models that are represented in relation to cloud computing,
which are public cloud, private cloud, private virtual cloud, community cloud and hybrid cloud.
Public Cloud
A public cloud is available to the public or a large industry group and is owned by the organization
selling cloud services [16]. Public cloud resources are normally provisioned on demand or on
dynamic basis over the internet [16]. In the public cloud, the servers are the same for all companies
in the cloud but with different structures, where different companies can share the servers. This can
be shown in figure 3-2. The limitation of the public cloud is the security concerns that the cloud
servers are shared by many companies. This can be motivated since many cloud servers are in the
13
same cloud infrastructure and therefore there is a lot of resources that are shared among the
different companies that can be found in the cloud.
Private Cloud
A private cloud provides an easy, flexible and effective way to request, use and deploy IT
resources, applications and virtual machines (VMs) on hardware that is dedicated to a single
organization [11]. It can exist on premises or off premises [16]. The private cloud is an emulation of
the public cloud, typically on a private network, and exists to support the goals of the organization,
rather than to generically support resources for multiple organizations [16]. Private cloud customers
have their own servers and ports. This is illustrated in figure 3-2. The limitation of the private cloud
is that it can be more expensive than a public cloud. Since each cloud infrastructure is particularly
to one cloud consumer and therefore nothing is shared with other consumers making it more
expensive when compared to the public cloud.
Virtual private cloud
An alternative solution to addressing the limitations of both public and private clouds is called
Virtual Private Cloud (VPC). VPC is where the cloud is present in a cloud provider data center such
as Amazon, Azure data center, where each server has its own network of companies’ information. It
uses a multi-tenant shared services model as the public cloud but the partitions a single instance of
resources are for an individual customer. VPC customers “share” the core cloud platform but the
virtual machines they use are dedicated for their own private use, which makes it more isolated than
the public cloud and the user has complete control over their virtual networking environment,
including selection of their own IP address range, creation of subnets. This also allows customers to
design their own security firewalls when compared to the public cloud limitation. However the
limitation in VPC is the use multi-tenant, while many customers prefer the use of single-tenant.
Since there is a fear of sharing other customers the core cloud platform.
Community Cloud
A Community cloud is shared by several organizations to support a specific community, which is
only accessible for these organizations [10]. The infrastructure can be operated and owned by the
cloud provider or the organization. These communities would most probably share privacy and
14
performance requirements. The limitation that can be found is the sharing of the cloud platform as
the public and virtual private cloud. If there is no trust between the organizations using the cloud,
there can be a risk of information leakage. Also, to provide resources and a cloud computing
infrastructure to the community requires a huge amount of investment, which can limit the
resources to the organization making them less wanting to share the cloud and use the community
cloud.
Hybrid Cloud
A Hybrid cloud is the combination of two different methods of resource pooling; it could be two
cloud deployment models like public with community [10]. This combination of two or more cloud
providers is remained as a unique entity that is bound together by standardized technology that
allows data and applications portability [16]. Hybrid cloud is one of the best solutions, where it
includes many deployment models with the benefits and limitations of each.
While a Hybrid IT is the result of combining internal and external services, usually from a
combination of internal and public clouds, in support of a business outcome [33]. The comparison
can be better illustrated in figure 3-2. Hybrid IT includes traditional IT with all the cloud
deployment models (Hybrid cloud) shown below.
Figure 3-2 Different delivery models and illustrates the Hybrid cloud and Hybrid IT [31]
15
3.4 Cloud Providers Cloud providers are a company that provides cloud computing services and solutions to customers,
which can be individuals or businesses. The cloud provider delivers solutions that are pay-as-you -
go, meaning that the customers need only to pay while using such services. These solutions are the
ones named in the previous chapter, which are IaaS, PaaS, and SaaS. The two providers that are
discussed are Microsoft Azure and Amazon Web Services (AWS) are top leading providers in
different cloud models. Amazon is leading in IaaS services and Microsoft Azure has become a
leader since 2014 in both IaaS and PaaS services [25; 26]. This information was published by
Gartner [25; 26] and the charts can be found in appendix A.
Microsoft Azure
Microsoft Azure is the cloud provider that Scania IT wants to adopt. Microsoft Azure is Microsoft's
cloud platform [34], which is a growing collection of integrated service such as compute, storage,
data, networking, and applications that help the customer move faster, do more, and save money
[34]. Azure is an industry leader for both IaaS and PaaS services as ranked by Gartner [25; 26; 34].
IaaS and PaaS combined together give services that let customers build, deploy, and manage
applications any way you like for unmatched productivity [34].
Amazon Web services (AWS)
Amazon web services were founded by Bezo in 1994 as an online book store [27] and in year 2002,
it was officially one of the top 500 companies in US [27]. Amazon is the leading provider in IaaS
services as ranked by Gartner [25; 26]. They have several PaaS services that have been introduced
in 2011 such as “elastic beanstalk” [28], which allow users to create application and push them into
a defined set of AWS services.
16
4. Current development process and bottleneck in Scania IT
This chapter is done by investigating the current development process that Scania IT is currently
going through all the way to production. Then, concludes with the bottlenecks that have made
Scania IT think about the adoption of the cloud platform. The aim of this chapter was to understand
the development process and the vulnerabilities that Scania IT is currently facing and whether it can
be solved by using the cloud.
4.1 Current development process A study of the current development process of Scania IT was needed to evaluate the process that
Scania IT is currently using and the tools they use for their applications. The current development
process was gathered by interviewing a group of people working in Scania IT and in the process of
change management process which is name of the process that Scania IT is working with to deliver
products.
The development process goes through several procedures. The development process starts by
having a Change Request (CR), meaning that a request to change for an application served to a
customer, which is Scania. The CR can be a change in an application or an upgrade of Scania’s
database. Then after figuring out the start of the process, the work started by interviewing three
different maintenance managers (MM), which are responsible for handling the CR. MM are also in
charge of the control of installation, repair and upkeep of employers' property, including machines
and mechanical systems. They may also take on more administrative tasks, depending on the
specifics of their job. Then moving to a higher rank that is change management department. MM
currently uses a system called “Jira”, which is an issue tracking product on Scania that is used for
Trouble Reports (TRs) and Change Requests (CRs) made during software development,
maintenances and projects alike. MM handles CRs within the team, which means that the MM has
discussed with the developers and testers who will be responsible about that specific change.
A Request for Change (RFC) is issued by the MM on a system called “Remedy”, which is handled
by the Change management (CM), responsible. Therefore an interview to the person responsible
was conducted to understand more about their system and their process. CM is in charge of
minimizing the number, and impact, of incidents caused by planned changes to the Scania IT
service production environment. Also, to ensure that all IT services are carefully prepared for a safe
and secure operation. When the CM has agreed on the change, the application needed to be changed
17
is done and moves to the stage of production. This is shown in details in figure 4-1 below. The
steps can be summarized with respect to the figure:
1. Scania CV AB, the customer issues a change request (CR) to Maintenance Managers (MM).
2. After MM register in”Jira” system, they issue a Request for Change (RFC) through a system
called “Remedy” to the Change Management team (CM).
3. The CM looks at the editing and does the necessary things as written in the figure 4-1. After
approval about the quality, risk analysis and other things, they send the CR to production to take
care of it.
Figure 4-1 Development process of Scania IT
In between the MM and the CM, DevOps can be found as shown in the figure 4-2. Two DevOps in
the Scania IT were interviewed to understand their role in the process. DevOps comes from the
combinations of the initials of Developers and Operations. They are in charge of decreasing the gap
between developers and operations by synchronizing the methods and tools used between both. As
seen in figure No. There was a further interview conducted to the creator of this process and the one
responsible about continuous updates to the process. He talked about his continuous effort along
18
with his team to optimize the change management process and ease the process to help Scania IT
workers to delivery faster with the aim of continuous delivery.
To better illustrate the DevOps aim and their work effort, the following figure can be created.
Figure 4-2 Barriers that DevOps are trying to eliminate
Figure 4-2 shows the sequence that developers use to develop a product, they always strive to
achieve continuous integration, which is a software development practice where developers
integrate their work frequently, leading to multiple integrations per day [30]. This has shown a
progress in code management within teams and a more rapid development of software. Moreover
Scania IT strives to achieve continuous delivery, which is to continuously deliver improvements to
an application as often as possible while maintaining quality. Lastly, is continuous deployment,
which is the next step of continuous delivery. Every change that passes the automated tests is
deployed to production automatically. It leads to minimizing the overall lead time. However there
are several bottlenecks that will be presented below that cannot be helped with DevOps but needs
the intervention of a cloud computing platform.
19
4.2 Bottleneck in Scania IT After interviewing different employees in the company and understanding their current
development process, it could be concluded the bottlenecks they have in the current process that
they believe will be solved by adopting the cloud.
1. No standardized tool between Maintenance Managers (MM) and Change Managers (CM).
Since MM are using “Jira”, while CM are using “Remedy”.
2. Time needed to deliver/setup a server/database is 3 weeks, since the hosting servers team
must provide the servers and deliver the infrastructure which takes times.
3. Access Management, they are responsible for granting access to server, servers’ accounts,
and active directory groups. Every order typically takes 3 days to complete. This adds to lead
time.
4. The CM process often takes a lot of time before the RFC’s get approved
5. Involved Dependencies. Often in the development of an application, there are other teams
involved in the development e.g. Integrations. They follow different time plans for
development & tests and which does not necessarily match with the owner of the application
time plans. This adds to lead time.
6. In the change management process, the MM has a duty to send an RFC request to the
Change management (CM). However there are several types of RFC that are available in the
system “Remedy”. One of the bottlenecks is the wrong usage of the RFC type that can make
conflicts in the process and prolong the process.
These bottlenecks have made the teams such as the .net development team, which is responsible for
several applications that use the .net development tool to think about the cloud computing solution.
Since all these lead times have affected the continuous delivery that the teams are trying to achieve,
the cloud seems to be a perfect solution. The cloud can decrease the lead time with both hosting
server team that takes up to 3 weeks to deliver/setup a sever or database and time for the access
management that takes 3days/request to grant access for the employees to their servers. Since if a
company buys IaaS, then they have the servers delivered by the cloud provider instantly and the
access is also done automatically. So it could be concluded that the cloud would decrease the lead
time with the fast delivery of the servers and granting access automatically.
However in the next chapter, there will be a discussion about the risks of the cloud with a focus on
vendor lock-in and the lock-in effects.
20
5. Three types of lock-in effects that cause vendor lock-in
Most companies look at the positive side of the cloud and the ways to move into the cloud, but
never take into consideration the ways out of the cloud. In order to evaluate the way out of the
cloud, the vendor lock-in and lock-in effects need to be described.
Vendor lock-in is the situation that makes customers who are adopting a cloud platform from a
cloud vendor to be locked-in to that specific vendor. This situation can cause complications for the
customer to move to another vendor in terms of cost, effort and time. On the other hand, the lock-in
effects are the effects that cause vendor lock-in. These effects are portability, interoperability and
federation.
5.1 Lock-in effects There are several cloud providers that offer different services, storage, infrastructure, API and
etcetera. Therefore, there must be a way to identify the most suitable cloud provider to a specific
company such as Scania IT. A cloud provider can be chosen according to many factors such as
security related to that cloud provider; another main issue is the cloud portability and
interoperability. Most companies think about the advantages and the ease to the adoption of the
cloud but never take into consideration their way out of the cloud and the difficulty it could cause
for the companies in terms of time, effort and money. Therefore cloud portability and
interoperability are the important issues discussed in this chapter since many cloud customers forget
taking this into account when adopting cloud providers. Therefore, it is needed for cloud customers
to consider the lock-in effects that cause vendor lock-in to try to avoid them, where the risk is being
tied to a particular cloud service provider due to the difficulty and costs of switching to another
cloud provider to use the equivalent cloud services [18].
Cloud computing often relates to data, application, platform, and infrastructure components. Data is
the machine-processable representation of information, which is found in the computer storage [17].
Applications are software programs that perform functions that are related to business problems
[17]. Platforms are programs that support the applications and perform generic functions that are
not business-related. Infrastructure is a collection of physical computation, storage, and
communication resources [17].
21
Portability
Portability is the ability to move applications, data, and tools from one cloud provider to another so
that it is usable in the target provider. This is found in a company that wants to adopt a cloud
provider such as like Scania IT. There are several types of portability such as data, application and
platform portability.
Interoperability
IEEE [20] and ISO [21] define interoperability as the ability for public clouds, private clouds or
other more systems within a company to exchange information and mutually use the information
that has been exchanged.
In cloud computing, the most important thing with interoperability is the ability of cloud customers’
service to interact with cloud provider services and be able to communicate with the components on
both sides [18]. They usually interact and communicate using a specific interface or an API. The
problem is that cloud providers have different interfaces for each cloud service, which deal with
different functions for example administration interfaces, billing interfaces, and many more
interfaces. There are many types of interoperability such as application interoperability, platform
interoperability and management interoperability.
Cloud Federation
Federation is when several cloud providers are brought together to create a solution for a company.
Federation is referred to the unionization of software, infrastructure and platform services from
different networks that are accessed by the customer though the internet [35]. Federation of the
cloud resources are facilitated through network gateways that connect public or external clouds,
private or internal clouds to create a hybrid cloud computing environment.
22
5.2 Vendor lock-in types in relation to different cloud models Vendor lock-in is a risk that companies need to take into consideration when adopting a cloud
provider. The risk can be found in different cloud service models, in IaaS, PaaS and SaaS. The risk
varies greatly depending on the cloud service model as shown in the figure 5-1. This depends
greatly on the number of hardware and software the vendor provides to the customer.
Figure 5-1 The risk level of different cloud service models
IaaS depends on the specific infrastructure services that are used. For example, if the customer uses
cloud storage, they will not be impacted by the non-compatible virtual machine formats [36]. IaaS
vendor lock-in has the lowest risk involved because most vendors use the same virtualization
environments, which makes it easier for customers to move between cloud providers [29].
The risk increases with PaaS, since the vendor providers both hardware and software applications
[29]. PaaS lock-in occurs at both the API layer and at the component level. For example, PaaS
providers offers highly efficient back-end data store, that makes forces customer to develop code
using the custom APIs offered by the provider and code data access routines in a way that is
compatible with the back-end data store [36]. Accordingly, even if the APIs that are offered are
compatible, the access model may be different, making the code unportable across PaaS providers.
Moreover, PaaS lock-in at the API layer happens as different providers offer different APIs. Finally,
the highest risk is with SaaS, since the vendor controls all the key components of the customers
system [29].
0
15
30
45
60
75
IaaS PaaS SaaS
High risk
Low risk
23
6. Is Scania IT vulnerable to vendor lock-in?
This chapter is concluding whether Scania IT is vulnerable to vendor lock-in and gathering
information that can be used to evaluate why Scania IT might be vulnerable. This is done by
analyzing the cloud provider they want to adopt, which is Microsoft Azure and having an interview
to a similar company, in such of the same motivation to use cloud computing, and the current
components that are being used. This analysis has been done to learn what the greatest challenge to
make this move was and how they handled the vendor lock-in situation.
6.1 Microsoft Azure view on vendor lock-in It was mainly focused on the lock-in effects and how a company falls in vendor lock-in. The issues
that can be concluded from the meeting was that vendor lock-in should be included in a risk
analysis of any company and vendor lock-in is valid regardless of whether the system is running on
a physical data room of an organization or in a public cloud service such as Azure.
Azure is a platform with very many different services where it varies how easy it is to move in a
solution. In Azure, they are always working to minimize the lock-in effects. Azure’s Cloud OS
strategy is built to be able to manage their platforms in the same way as if it is on-premises, a
partner cloud provider or in Azure. In Azure IaaS deals mostly with virtual machines and these are
simple to be copied to other environments, i.e. no more vendor lock-in than the equivalent in its
own or partner’s hall. Maybe even less as Azure have well-defined public APIs. When it comes to
various PaaS services, so it varies how easy it is to migrate. Everything is going to migrate but the
thing to consider is how big or small the stakes are. For example Azure websites are very easy to
move to a regular web server on premises.
6.2 Relation between Company X and vendor lock-in Company X
1 begin their thoughts of the transition of cloud computing and the most convenient
provider was Microsoft Azure, since the company only used Microsoft components. Company X
decided not to put everything in the cloud. But accordingly to the information classifications and
how important the information is and whether it is dependent on another application or not, they
would decide whether it is applicable to be put in the cloud. After choosing the most convenient
1 Company X is an international company that wanted to stay anonymous due to their privacy
concerns
24
cloud provider, they had a testing period through which a practical test of cloud services was made
and evaluation of what would the shift mean for the organization?
They found that the usage of the cloud gave them:
1) Better user experience.
2) They could store information that is accessible to the other branches in the company in other
countries.
3) Web acceleration is more effective with continues loading of new process and information.
4) The same process is shared to everyone in the company.
However, some of the concerns that made the people responsible on the transition make more
efforts in examining is both security issues with a public cloud and the risk of falling into vendor
lock-in. In order to decrease this risk of vendor lock-in, the company thought of the idea of
mirroring. This following described method was conducted to be independent on a specific cloud
provider and decrease the vulnerability to fall in vendor lock-in by making an own copy of the
cloud internally offering the same services with the public cloud they have bought services that are
non-vendor proprietary components such as SQL Server, Oracle, Tomcat, JBoss, IIS, Apache,
etcetera that can either run:
1. In IaaS cloud, where the company take care of them but run them on an instance in the cloud or
spin up a complete "image" of the IaaS provider's application list.
2. At PaaS provider, where the components are handled by the provider and is running on one of
their servers, such as Oracle, IBM and others have this kind of PaaS based on standard products
that can also be run at home in a company’s own data center or in the company’s own data
centers (in private IaaS, PaaS or traditional IT).
However Proprietary PaaS components such as Azure Blobs, Tables Azure, Azure Machine
Learning, Azure Message Bus, etcetera, or AWS corresponding components can only be used in the
provider's data center and you cannot move the applications that use them either to another cloud or
home to the companies own data center. With this solution, the company can save data on-premises
but in case of crashing there will be no way to run the data without creating an application that can
take out data. Therefore company X choose to buy non-vendor proprietary cloud that is handled by
the provider and based on standard components. The PaaS services are mapped in both internal and
external IaaS to achieve mirroring and redundancy. Also, in case of a crash or that the operator
agreement is no longer suitable. There is always a copy of data available on-premises. This is
25
illustrated in figure 6-1. Each application (App) has a runtime environment to make the customer
have the possibility to stop and restart the environment as seen in the figure 6-1.
Figure 6-1 The method that can be used to minimize the risk of vendor lock-in
Some characteristic that need to be applied in both the internal and external cloud are:
• Resource management: for IaaS in cloud computing offers benefits such as scalability, quality
of service, optimal utility, reduced overheads, improved throughput, reduced latency, specialized
environment, cost effectiveness and simplified interface [22]. Also customer demands services
and features and gets an environment in public or private cloud depending on current available
resources.
• Automated provisioning: it is the ability to deploy information technology by using predefined
procedures that are carried out electronically without human intervention [23].
• Adapters for different providers: it is the ability that makes different software’s to transfer
information from a local office to different cloud providers.
26
6.3 Is Scania IT Vulnerable in the transition to the cloud?
The most important question was whether Scania IT is vulnerable in the transition to the cloud was
analyzed through the previous case study mentioned and the view of the cloud provider. It can be
seen from the case study of the similar company previous situation before adopting the cloud, it can
be seen the similarities in both companies. Scania IT is also an international company that has the
same motivation to use the cloud, which is global accessibility, that the same process can be shared
to everyone in the company. Moreover continuous delivery importance can be thought to be helped
by the cloud through web acceleration in loading of new process and information. The decrease of
time to market was an important factor to both companies, company X and Scania IT. All these
factors made it interesting to learn from company X the ways they tried to solve issues with the
cloud. Their main issues were security and the fear of vendor lock-in. However our main focus was
on vendor lock-in and their perspective on solving it. The study has shown the way to minimize the
risk of vendor lock-in by providing two Infrastructure services both internally in Scania IT and
externally in the cloud provider. However, another factor that needs to be considered is the Cloud
Maturity Index (CMI), how mature Scania IT is in cloud computing services. Therefore figure 6-2
below shows the different factors that have been considered to set Scania IT in Stage 1 in CMI.
Figure 6-2 Cloud Maturity Index and the current situation of Scania CV AB
27
In stage 1 (Immature): The cloud services are not used at all or very little. There is no strategy for
the cloud services and the level of knowledge and ability is low. Finally there is no application
consolidation, which means there is no strategy about the amount applications should move to the
cloud. It is an important factor, since it decreases the number of vendors you deal with, and the
number of licenses or home-built apps you manage, which can reduce complexity.
In stage 2 (Basic): There is a basic knowledge of cloud services. The use of services is purchased
when the need arises and very little integration to other IT environment without a strategy.
In stage 3 (Mature): There is a strategy for cloud services and purchases are partially in accordance
with it. There is probably more than one type of cloud service and perhaps more than one
distribution model used. Cloud services are a natural part of the IT portfolio.
In stage 4 (Leading): The differences between cloud services and other forms of delivery are clearly
defined. It includes whether an analysis of the existing IT portfolio has been implemented. Purchase
of cloud services is in accordance with a defined strategy. Several types of cloud services and
distribution models are used, depending on what is best for each area. The drivers of cloud services
is particularly change, innovation and development. After the detailed view of the stages, the author
of the report views Scania IT as in stage 1, since there is no use of cloud services yet. Moreover
there is no defined strategy of the applications needed to move to the cloud. However it can be
concluded that stage 3 can be reached fast and easily if there is a cloud defined strategy and
purchases are done according to that strategy.
To clarify the current strategies in Scania IT, a flowchart has been made in figure 6-3 to ease what
is needed from organizations. To be able to create a strategy, an IT strategy must be clarified. Once
that is done, companies need to set their applications to be cloud defined. Cloud defined means that
the applications requirements are specified and clarified with which service model suits these
applications. Another requirement is the application consolidation, which is to bring several
applications together to benefit of the decrease of number of vendors the company would deal with,
and the number of licenses or home-built apps the company manage, can reduce complexity.
Finally the last point was to clarify which requirements are needed when moving application from
on-premises to the cloud, whether there are any guidelines set in a company or not.
It has been concluded that within Scania IT there are few guidelines that state which applications
are most suitable to be put on the cloud in terms of simplicity, flexibility and information
classification. However there are some points missing such as the need for the applications, whether
they will need IaaS, PaaS or SaaS. The number of application needed to move to the cloud. It can
be seen in the flowchart in figure 6-3, with the “No” in cloud defined, that if Scania IT does not
28
have a fully defined cloud strategy, they should do it to decrease the risk of cloud immaturity, have
power of negotiation when they have several cloud moving to the cloud and could request an own
shell in the cloud from any cloud provider.
Figure 6-3 Hybrid IT strategy steps needed to adopt a cloud computing platform
These guidelines that are listed below would minimize the risk of the usage of the cloud. It is
advisable for companies to work with improving their strategies before using the cloud services.
Some of the guidelines currently being looked at are listed in the next subsection.
29
Guidelines
Scania IT has a Hybrid IT strategy focus that is managed by Strategic Architecture Council (SAC).
SAC is a part of Scania’s Enterprise Architecture Governance structure. This council is responsible
for Principles and strategies, Enterprise Architecture Roadmap Strategic. Some guidelines and
thought by Magnus Eriksson, who is a senior Enterprise and IT-Architect at the Enterprise
Architecture Office in Scania IT AB. He has performed proactive strategy and technology
investigations.
The guidelines that will be discussed below are still not accepted by the IT Development Meeting
(ITDM), which is part of the Scania IT Technology Architecture decision structure. The meeting is
facilitated by Scania Enterprise Architecture Office. They are responsible to accept and decide on
new strategic plans.
Simplicity Guidelines
One of the important features that should be considered when choosing a deployment model and IT
architecture is Simplicity. Two factors are most important when considering deployment models,
which are the number and complexity of integration, and location of data producer and consumer
[31]. In case of the existence of both the producer and consumer of data for a particular system are
internal itself adds unnecessary complexity to deploy the system externally and vice versa for a
system with external producers and consumers [31]. As seen in figure 6-4, the high risk is noticed to
be when many/complex integration are in a system and the producer and consumer are not
externally , then it is not a good idea to put the system externally. Also there is high risk when the
producer and consumer are internal, and the systems with some/normal integrations are put
externally. In most other cases there is no risk or medium risk to put the system internal or external
depending on the integration complexity. So to conclude, if both the producer and consumer of data
for a particular system are internal it adds unnecessary complexity to deploy the system externally
and vice versa for a system with external producers and consumers [31].
30
Producer and consumer are external
Producer external and consumer are Internal
Producer internal and consumer are external
Producer and consumer internal
Many/complex integrations
External External External External
Internal Internal Internal Internal
Some/normal integrations
External External External External
Internal Internal Internal Internal
Few/simple integrations
External External External External
Internal Internal Internal Internal
Green: Proceed. Take this as the default approach and move forward on the basis of why wouldn't you do it.
Amber: Medium risk. Pause and review the options available moving forward on the basis of why would you do it.
Red: High-risk and/or not a good fit. Stop and consider the implications carefully before proceeding.
Figure 6-4 Complexity integrations in relation to whether the producer and consumer exist
internally or externally.
Flexibility Guidelines
Flexibility, which is the main focus of our topic since it is related to portability of moving
applications between cloud vendors with as little effort and cost as possible [31].
Therefore, the following priorities of guidelines are essential to when buying or reusing
components/systems [31]:
1. Available for both internal and external deployment (outsourced, SaaS, PaaS or using IaaS).
The greater the number of available external providers the better.
2. Available for external deployment from two or more external provider (outsourced, SaaS, PaaS
or deployable using IaaS). The greater the number of external providers the better
3. Available only internally.
4. Available only from one external provider.
To sum up, the priority is that several components/systems are found in both external and internal
deployment models, with a great number of available external providers. Then for less priority the
components/systems would be available only for several external providers. After that it is
preferable that components/systems are available only internally rather than externally.
31
Information Security (ISEC) Guidelines
The information Classification in Scania IT is classified into four main classes:
1. Secret
2. Confidential
3. Internal
4. Public
Both Secret and Public are rarely used in Scania IT. However when choosing a deployment model,
it can be stated that a high risk application that needs to carefully be looked into to whether move to
a cloud or not is in the Secret class. While in the Confidential class, it is a medium risk and options
of the external providers available must be examined properly. For both Internal and Public class,
both external and internal deployment models are of no risk. This can be seen in figure 6-5 [31].
Confidentiality Delivery Model
Secret External
Internal
Confidential External
Internal
Internal External
Internal
Public External
Internal
Green: Proceed. Take this as the default approach and move forward on the basis of why wouldn't you do it.
Amber: Medium risk. Pause and review the options available moving forward on the basis of why would you do it.
Red: High-risk and/or not a good fit. Stop and consider the implications carefully before proceeding.
6-5 Classifications of information types followed by their risk level [31]
According to the strategies that were stated above it can be concluded that the hybrid IT cloud is the
main focus of the company. It can be noted that “Hybrid IT is transforming IT architectures and the
role of IT itself”, according to Gartner, Inc. [32]. Hybrid IT is the result of combing traditional IT
with Hybrid Cloud, which can include public clouds, private clouds and community clouds. Hybrid
32
IT is new and IT organization such as Scania IT need to use a hybrid IT strategy that not only build
internal clouds to house critical IT services but also utilities the external cloud to house noncritical
IT services to minimize the risk of vendor lock-in by having both internal and external applications,
data and information. Also further strategies are needed to minimize vulnerabilities that cause
companies to fall in vendor lock-in and in the same way take the advantages that the cloud would
give the company.
33
7. Conclusion, Implications and Future work
This final chapter concludes and summarizes the study conducted in Scania CV AB with the goal to
help Scania IT understand the vendor lock-in and the vulnerabilities they can face in the transition
to the cloud. Then further work is clarified with ideas of how the work can progress.
7.1 Conclusion Scania CV AB has a history over 100 years. Throughout the years, Scania has delivered heavy
transport and buses with continuous development and innovations. The goal of the thesis was to
emphasize the reason why Scania IT needs to consider the deployment of a cloud computing
platform and to help Scania IT understand the vulnerabilities towards vendor lock-in in the
transition to the cloud as well as to clarify the concern that they may have against falling in vendor
lock-in and show what can be done to decrease the risks of cloud computing. The following was the
research questions that were researched in the thesis.
(1) Why is cloud computing a raised issue in Scania IT?
(2) Why is Scania IT vulnerable to vendor lock-in in the transition to a cloud computing
platform?
(3) Why is vendor lock-in a concern to Scania IT when using a cloud computing
platform?
The requirement of a cloud computing platform was needed to minimize the lead-time caused in the
current development process. The cloud computing platform is the technology where the servers
and applications are hosted on the internet rather than internally on premises. The advantages of a
cloud computing platform is flexibility, innovation, development and less IT costs that are due to
reduced amount of physical infrastructure that they have to keep and maintain. There are several
characteristics of the cloud, which are service models IaaS, PaaS and SaaS. Also a set of
deployment models public cloud, virtual private cloud, private cloud and hybrid cloud that can be
chosen from. These characteristics can be chosen depending on the companies’ requirement that
they have set on their applications. The development process that Scania IT is going through all the
way to production was to conclude the bottlenecks that Scania IT was facing and the benefits of
moving the cloud.
Most companies like Scania IT have seen the advantages and positive side of moving to the cloud
and the ways into the cloud, but never have taken into consideration the ways out of the cloud.
Therefore the study was mainly focused on the vulnerabilities causing vendor lock-in, which is the
34
situation that causes companies to be locked to a specific cloud provider and moving to another
provider will cause the company to pay significant switching costs. The situation of vendor lock-in
was examined by analyzing a similar company with the same criteria and motivation to move to the
cloud and from that analysis, it was concluded that vendor lock-in can be minimized by creating
two infrastructures as a service, one internally and one externally to have duplicate of the data and
avoiding using proprietary cloud provider components. Other risks were taken into account and that
was the cloud maturity index (CMI) and how mature Scania IT can be seen in cloud computing.
The conclusion was that Scania IT needs to improve their knowledge about cloud services and
decide which cloud deployment model is most appropriate to their companies business. The index
of cloud maturity is an important factor since companies with high CMI has in average 34 % less
costs for IT and spend three times more on innovation and development.
Moreover it could be concluded that the most suitable deployment model is the Hybrid IT, instead
of only using one development model. Thus the benefits and limitations of all deployment models
are taken. However a study of the Hybrid IT strategies in Scania IT is needed to evaluate how
mature Scania IT is in cloud computing. Strategies has shown that deploying the Infrastructure with
the help of the cloud, is the much more beneficial for Scania IT than to deploy platform services,
which will increase their risk to vendor lock-in and would not give so huge gain in the company but
more risk.
Scania IT needs to consider the risk of vendor lock-in and the lock-in effects as portability,
interoperability and federation that causes the applications not to be runnable at another cloud
provider. By solving the lock-in effects, the company is minimizing the vendor lock-in since that is
solving portability of data from one cloud provider to another, or interoperability, that the
applications from different vendors are communicating to each other or federation, where different
applications from different providers form a solution for a company.
However, it might be necessary to first move the data back to the customer’s site and then move it
to the new provider’s environment using a data migration plan. In this migration plan, there must be
a way to switch data format and syntax to another form to be suitable to be used by another
provider. Since Scania IT is a huge international company with much valuable data and
information, it would be recommended according to their classification of data to avoid putting any
secret or confidential data on the cloud. The companies as Scania IT need to study and research all
the cloud possibilities with the advantages and disadvantages of the cloud to avoid falling in vendor
lock-in. Also by reaching a leading stage in the CMI that can help the company be aware of all the
cloud elements, risks and follow a defined strategy. The vulnerabilities that Scania IT can face
towards vendor lock-in is lack of standard technologies and solutions, poor provider selection, lack
35
of supplier redundancy, lack of completeness and transparency in terms of use. Since all the cloud
providers want to lock their customers to their own components and do not support standardization
of technologies and solutions. Also, cloud providers do not provide all the information to their
customer which contributes to lack of transparency.
7.2 Implications for Scania IT Scania CV AB is an international company, which seeks innovations and continuous development
in their trucks and buses for heavy transport work. As stated before the study was particularly done
in Scania IT, which is the part of Scania CV AB that is responsible for the development of the
applications and their infrastructure.
Their need for the cloud was concluded from their bottlenecks that were derived from the
development process. The study clarified the need for the cloud for Scania IT and made them
realize the advantages of the movement of the cloud. However, the cons of the cloud as vendor
lock-in was noticed as a risk for the company that they fear in using cloud computing. Despite of
this fear, the clarifications of the different lock-in effects were helpful for Scania IT to understand
what they need to discuss with cloud providers. Furthermore Scania IT needs to further work on the
steps for their exit strategy of moving out of the cloud computing platform if needed.
The case study of company X that has similar characteristics as Scania IT, gave Scania IT a solution
that would minimize the risk of vendor lock-in while maintaining the advantages of the cloud as
flexibility and lower IT costs. Scania IT thought the idea of using two infrastructures as service was
brilliant and would be minimize their concern about vendor lock-in as they would have their data
on-premises. This is seen as an advantage since IaaS has a fixed fee that can expand easily with
minimal operational and maintenance expenditure. So for a big company as Scania IT with 42,100
employees, it will be much easier to automate by saving on the public IaaS and a private IaaS to
protect data either by security propose if the public cloud will have any break in or something and
Scania IT wants to get their data or by the private cloud, where Scania IT can just take their data
and use it on another PaaS.
Another important aspect for Scania IT was the cloud maturity index, that shows how mature a
company is in using cloud computing. This index has shown Scania IT their current position and
what is needed for them to reach a higher mature stage and minimize their risks. This index led to
the discussion whether Scania IT has a cloud defined strategy. Cloud defined strategy was an
important issue for Scania IT to follow in order to reach their goal to use cloud computing platform.
36
7.3 Future work Cloud computing is a broad developing topic with a lot of room for further research and analysis.
There are two approaches for future work, one for Scania IT and one for general researchers.
For Scania IT, this study concludes an overview for the reasons that can cause the company Scania
IT to think about the usage of cloud computing platform and the risk of vendor lock-in. This work
can be continued in different aspects. One of these aspects is to further study the Hybrid IT
strategies in terms of the applications needed to move to the cloud. Besides that, they need to
consider each application requirement, whether it requires the implementation of IaaS, PaaS or
SaaS. Another aspect that needs further research is the guideline of different cloud provider in terms
of their offering for portability and interoperability of data and applications.
For general researchers, this study is the ways to minimize the risk of vendor lock-in and strategies
that can be worked upon to achieve a higher leading CMI. This work can be continued by
evaluating the different cloud provider’s capabilities of offerings for portability and interoperability.
Also, to further look into further solutions of vendor lock-in and the new technologies and
standardization techniques that are striving to make vendor lock-in a decreased risk for companies.
37
References
[1] Scania. (Retrieved Feb 2015). Available from: http://www.scania.com/scania-group/history-of-
scania/
[2] Emma Jackson, Pro and Cons of Cloud Computing, December 19th, 2014. (Retrieved Feb
2015). Available from: http://techinfo.website/pro-and-cons-of-cloud-computing/
[3] David Greenwood, Ali Khajeh-Hosseini, Ian Sommerville, Cloud Migration: A Case Study of
Migrating an Enterprise IT System to IaaS, Cloud Computing Co-laboratory School of Computer
Science, University of St Andrews, UK. (Retrieved Feb 2015). Available from:
http://arxiv.org/ftp/arxiv/papers/1002/1002.3492.pdf
[4] Dana Petcu, Georgiana Macariu, Silviu Panica, Ciprian Crăciun, Portable Cloud applications-
From theory to practice. (Retrieved March 2015). Available from:
http://ac.els-cdn.com.focus.lib.kth.se/S0167739X12000210/1-s2.0-S0167739X12000210-
main.pdf?_tid=0a05fe52-ce36-11e4-96fb-
00000aacb35d&acdnat=1426769402_75d0ff846e970c8bc1ff4ceba348dd40
[5] Fullerton, R. Cloud Services, May, 2012. (Retrieved Feb 2015). Available from CBC Sync:
http://cbc.radio-canada.ca/en/reporting-to-canadians/sync/sync-issue-1-2012/cloud-services/.
[6] Joaquín Guillén, Javier Miranda, Juan Manuel Murillo, Carlos Canal, A service-oriented
framework for developing cross cloud migratable software, September 2013. (Retrieved March
2015).
[7] Ajith Ranabahu and Amit Sheth, Semantics Centric Solutions for Application and Data
Portability in Cloud Computing. (Retrieved May 2015). Available from:
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5708456
[8] Håkansson, Anne, Portal of Research Methods and Methodologies for Research Projects and
Degree Projects, 2013, Department of s Software and Computer Systems, The Royal Institute of
Technology, KTH, Kista, Sweden. (Retrieved Feb 2015). Available from: http://worldcomp-
proceedings.com/proc/p2013/FEC2979.pdf
[9] Qusay F. Hassan, Demystifying Cloud Computing, Faculty of Computers and Information,
Mansoura University, Egypt, Jan/Feb 2011. (Retrieved Feb 2015). Available from:
http://www.crosstalkonline.org/storage/issue-archives/2011/201101/201101-Hassan.pdf
38
[10] Peter Mell, Timothy Grance, The NIST Definition of Cloud Computing, September 2011.
(Retrieved Feb 2015). Available from: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-
145.pdf
[11] David Chappell, THE MICROSOFT PRIVATE CLOUD: A TECHNOLOGY OVERVIEW,
August 2011. (Retrieved Feb 2015). Available from:
http://www.davidchappell.com/writing/white_papers/The_Microsoft_Private_Cloud_v1.0--
Chappell.pdf
[12] Oxford University Press, (n.d.), Cloud computing. (Retrieved Feb 2015, from Oxford
Dictionaries). Available from: http://oxforddictionaries.com/definition/cloud+computing
[13] Cloud Computing, First international Conference, CloudCom2009, Beijing, China. (Retrieved
Feb 2015)
[14] Magdalena Kostoska,
, Marjan Gusev, Sasko Ristov, A New Cloud Services Portability
Platform. (Retrieved March 2015). Available from:
http://www.sciencedirect.com.focus.lib.kth.se/science/article/pii/S1877705814003646#
[15] Brandon Butler, PaaS Primer: What is platform as a service and why does it matter?, Feb
11th, 2013. (Retrieved Feb 2015). Available
from: http://www.networkworld.com/article/2163430/cloud-computing/paas-primer--what-is-
platform-as-a-service-and-why-does-it-matter-.html
[16] Stephan R. Smoot, Nam K.Tam, Private Cloud Computing: Consolidation, Virtualization, and
Service-Oriented Infrastructure. (Retrieved March 2015). Available from:
http://proquest.safaribooksonline.com.focus.lib.kth.se/book/operating-systems-and-server-
administration/virtualization/9780123849199/cover-image/navpoint-0-
11#X2ludGVybmFsX0h0bWxWaWV3P3htbGlkPTk3ODAxMjM4NDkxOTklMkZzdDAwMTBfY
jk3ODAxMjM4NDkxOTkwMDAxODAmcXVlcnk9
[17] The Open Group. (Retrieved March 2015). Available from:
http://www.opengroup.org/cloud/cloud/cloud_iop/cloud_port.htm.
[18] Cloud Standards Customer Council, Interoperability and Portability for Cloud Computing: A
Guide, November, 2014.(Retrieved March 2015). Available from: http://www.cloud-
council.org/CSCC-Cloud-Interoperability-and-Portability.pdf
[20] IEEE. (Retrieved March 2015). Available from:
https://www.ieee.org/education_careers/education/standards/standards_glossary.html
39
[21] ISO/IEC, 13066-1:2011Information technology -- Interoperability with assistive technology
(AT) -- Part 1: Requirements and recommendations for interoperability. (Retrieved April 2015).
(Retrieved March 2015). Available from: http://www.iso.org/iso/catalogue_detail?csnumber=53770
[22] Sunilkumar S. Manvi, Gopal Krishna Shyam, Resource management for Infrastructure as a
Service (IaaS) in cloud computing: A survey, 14 October 2013. (Retrieved April 2015).
[23] Margaret Rouse, Automated Provisioning. (Retrieved April 2015). Available from:
http://searchcloudprovider.techtarget.com/definition/automated-provisioning
[24] Majid Ali, WHAT IS CLOUD COMPUTING STACK (SAAS, PAAS, IAAS), Jun 16th, 2014.
(Retrieved April 2015).
[25] Gartner, GARTNER RELEASES MAGIC QUADRANT FOR CLOUD INFRASTRUCTURE AS
A SERVICE. MICROSOFT AZURE NOW A LEADER, 30 May 2014. (Retrieved April 2015).
Available from: http://up2v.nl/2014/05/30/gartner-releases-magic-quadrant-for-cloud-
infrastructure-as-a-service-microsoft-azure-now-a-leader/
[26] Marcel van den Berg, Windows Azure now Leader in Gartner Magic Quadrant for Enterprise
Application Platform as a Service, January 10th, 2014. (Retrieved April 2015). Available
from: http://cloudcomputing.info/en/news/2014/01/windows-azure-now-leader-in-gartner-magic-
quadrant-for-enterprise-application-platform-as-a-service.html
[27] Amazon, AMAZON ENTERS THE CLOUD COMPUTING BUSINESS STANFORD
UNIVERSITY, SCHOOL OF ENGINEERING, May 20, 2008. (Retrieved April 2015). Available
from: http://web.stanford.edu/class/ee204/Publications/Amazon-EE353-2008-1.pdf
[28] Amazon, Introducing AWS Elastic Beanstalk (Beta), Jan 19, 2011. (Retrieved April 2015).
Available form: http://aws.amazon.com/about-aws/whats-new/2011/01/19/introducing-aws-elastic-
beanstalk-beta/
[29] Stephen D. Burd, Systems architecture: Hardware and software in business information
systems (6th ed.), Boston, MA: Course Technology, Cengage Learning.(Retrieved April 2015).
[30] Martin Fowler, Continuous Integration, May 01, 2006, (Retrieved May 2015). Available from:
http://www.dccia.ua.es/dccia/inf/asignaturas/MADS/2013-
14/lecturas/10_Fowler_Continuous_Integration.pdf
[31] Magnus Eriksson, Hybrid IT (flexible delivery models), Scania CV AB, Stockholm, Sweden.
(Retrieved May 2015).
40
[32] STAMFORD, Gartner Says Hybrid IT is Transforming the Role of I, March 5th, 2012.
(Retrieved May 2015). Available from: http://www.gartner.com/newsroom/id/1940715
[33] Gartner, Hybrid IT: How Internal and External Cloud Services Are Transforming IT.
(Retrieved May 2015). Available from: https://www.gartner.com/doc/1918214/hybrid-it-internal-
external-cloud
[34] Microsoft Azure. (Retrieved Feb 2015). Available from: http://azure.microsoft.com/en-
us/overview/what-is-azure/.
[35] Apprenda, Cloud Federation. (Retrieved May 2015). Available from:
http://apprenda.com/library/glossary/definition-cloud-federation/
[36] European Union Agency for Network and Information Security, Cloud Computing Risk
Assessment, Nov 20th, 2009. (Retrieved June 2015). Available from:
https://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-
assessment
41
Appendix A - Shows the leading cloud providers in both IaaS and PaaS
Figure 1. Magic Quadrant for Cloud Infrastructure as a Service (IaaS). This figure shows the two
leading IaaS cloud providers that were discussed in the thesis, Amazon Web Services (AWS) and
Microsoft Azure. The leading provider in between the yellow stars is Amazon Web Services and
the one after in the blue stars is Microsoft Azure.
Figure 1
42
Figure 2. Magic Quadrant for Enterprise Application Platform as a Service (PaaS). This figure
shows the leading PaaS cloud providers salesforce.com and Microsoft Azure. The leading provider
in between the yellow stars is salesforce.com and the one after in blue stars is Microsoft Azure.
Figure 2
TRITA TRITA-ICT-EX-2015:127
www.kth.se