DEGREE PROJECT, IN , SECOND LEVEL

STOCKHOLM, SWEDEN 2015

Vendor Lock-in in the transistion to aCloud Computing platform

MENATALLA ASHRAF FAWZY KAMEL

KTH ROYAL INSTITUTE OF TECHNOLOGY

DEGREE IN INFORMATION AND COMMUNICATION TECHNOLOGY

I

DEGREE PROJECT, IN COMMUNICATION SYSTEMS (IK223X), SECOND LEVEL

STOCKHOLM, SWEDEN 2015

Vendor Lock-in in the transition to a Cloud Computing platform

Student:

Menatalla Ashraf Fawzy Kamel

mafk@kth.se

Examiner:

Jan Markendahl

janmar@kth.se

Supervisor:

Amirhossein Ghanbari

amigha@kth.se

Industrial Manager:

Fredrik Husander

fredrik.husander@scania.com

Industrial Supervisor:

Jan Mäehans

jan.maehans@scania.com

II

Abstract

The thesis introduces a study about the vulnerabilities that a company as Scania IT faces towards

vendor lock-in in the transition to a cloud computing platform. Cloud computing is a term that

refers to a network of remote servers hosted on the internet to store, manage and process data,

rather than on a local server or a personal computer. Vendor lock-in is an outcome that causes

companies to pay a significant cost to move between cloud providers. The effects that cause

vendor lock-in that will be described are portability, interoperability and federation are called the

lock-in effects. The goal of the research is to help Scania IT understand the vendor lock-in and

the vulnerabilities they can face in the transition to the cloud as well as to clarify the concern that

they may have against falling in vendor lock-in. The main purpose of the research is to present

the various lock-in effects that are related to the transition from one cloud provider to another

and the vulnerabilities that cause companies to fall in vendor lock-in. The thesis presents the

reasons that motivates why Scania IT would consider using the cloud and the concerns that they

may have against usage of a cloud computing platform. The results will be based on a case study

of a similar company that has moved to a cloud provider and specifically Microsoft Azure and an

interview of Microsoft Azure point of view with the risk of vendor lock-in. Finally, a process of

interviews with different people from Scania IT to extract the current bottleneck in the

development process that caused the company to think of a cloud computing platform. The

results show that companies should consider many risks and factors while moving to the cloud,

as vendor lock-in, cloud maturity index and their IT strategies. As a result, the thesis gives

recommendations of the steps needed to minimize the risks of the cloud while maintaining the

positivity of the cloud.

Keywords: Cloud computing, vendor lock-in, lock-in effects, portability, interoperability,

federation, Software as a Service, Platform as a Service, Infrastructure as a Service.

III

Sammanfattning Uppsatsen presenterar en studie om de sårbarheter som ett företag som Scania IT har mot

inlåsning i övergången till molntjänster. Molntjänster är en term som hänvisar till ett nätverk av

servrar som finns på internet för att lagra, hantera och processa data, istället för på en lokal

server eller en persondator. Inlåsning är ett resultat i vilket orsakar att företagen behöver betala

en betydande kostnad för att flytta mellan molnleverantörer. De effekter som orsakar inlåsning

vilket kommer att beskrivas är portabilitet, interoperabilitet och federation, dessa kallas

inlåsningseffekter. Målet med forskningen är att hjälpa Scania IT att förstå inlåsning och

sårbarheter som de kan möta i övergången till molnet. Dessutom är målet att klarlägga riskerna

som de kan ha mot att falla i inlåsning. Det huvudsakliga syftet med forskningen är att presentera

de olika inlåsningseffekter som är relaterade till övergången från en molnleverantör till en annan

samt de sårbarheter som orsakar företagen att falla i inlåsning. Uppsatsen presenterar skäl som

motiverar varför Scania IT ska överväga att använda molnet samt den oro som de kan ha mot

användning av en molnleverantör. Resultaten kommer att baseras på en fallstudie av ett liknande

företag som har flyttat till en molnleverantör och specifikt Microsoft Azure samt en intervju av

Microsoft Azure synvinkel med risken för inlåsning. Slutligen, en rad av intervjuer med olika

personer från Scania IT för att extrahera den nuvarande flaskhalsen i utvecklingsprocessen som

orsakade företaget att tänka på molntjänster. Resultaten visar att företagen bör överväga många

risker och faktorer när de flyttar till molnet, som exempelvis inlåsning, cloud maturity index och

deras IT-strategier. Som ett resultat ger examensarbetet nödvändiga rekommendationer för att

minimera riskerna för molnet samtidigt som positivitet av molnet.

Nykelord: Cloud computing, vendor lock-in, lock-in effects, portability, interoperability,

federation, Software as a Service, Platform as a Service, Infrastructure as a Service.

IV

Acknowledgements

This Master thesis is the last part of my degree program in Information and Communication

Technology at the Royal Institute of Technology in Stockholm. First and foremost, I want to

thank my dear family for their continuous support and encouragement throughout my whole

education.

The study was performed at Scania CV AB in Södertälje in the department INWR .Net

development. I want to begin by thanking my manager Fredrik Husander and supervisor Jan

Mäehans in Scania CV AB for giving me the opportunity to do my thesis with them and the

continuous support they gave me under the thesis process. I want to thank the staff in Scania CV

AB that gave me their time to answer my questions and gave me valuable information through

the interviewing process.

I also want to express my gratitude to Amirhossein Ghanbari, not only for being my supervisor

from whom I have learned a lot but for his assistance and continuous feedback on guidance for

my work and report. Last but not least, I would like to thank my examiner Jan I Markendahl for

his advice and words of encouragement throughout the thesis period.

Menatalla Ashraf Fawzy Kamel

Stockholm, Sweden, 2015

V

Table of Contents

Abstract II

Sammanfattning III

Acknowledgements IV

List of Figures VI

List of Acronyms and Abbreviations VII

1. Introduction

1.1 Problem statement

1.2 Related work and contribution

1.3 Goal

1.3.1 Benefit of Society, Ethics and Sustainability

1.4 Delimitations

1.5 Outline of the thesis

2. Method

2.1 Methodology

2.2 Framework of the study

3. Cloud Computing Theory

3.1 What is Cloud Computing?

3.2 Cloud Service Models

3.3 Cloud Deployment Model

3.4 Cloud Providers

4. Current development process and bottleneck in Scania IT

4.1 Current development process

4.2 Bottleneck in Scania IT

5. Three types of lock-in effects that cause vendor lock-in

5.1 Lock-in effects

5.2 Vendor lock-in types in relation to different cloud models

6. Is Scania IT vulnerable to vendor lock-in?

6.1 Microsoft Azure view on vendor lock-in

6.2 Relation between Company X and vendor lock-in

6.3 Is Scania IT vulnerable in the transition to the cloud?

7. Conclusions, Implications and Future work

7.1 Conclusion

7.2 Implications for Scania IT

7.3 Future work

References

1

1

2

4

4

4

5

6

6

8

10

10

11

12

15

16

16

19

20

20

22

23

23

23

26

33

33

35

36

37

VI

List of Figures

Figure 1-1 Cloud computing pros and cons and some of the issues directed in the thesis 2

Figure 2-1 The framework that was used in the thesis work 9

Figure 3-1 Different models and what is managed by the company versus what is managed by

the cloud provider 12

Figure 3-2 Different delivery models and illustrates the Hybrid cloud and Hybrid IT 14

Figure 4-1 Development process of Scania IT 17

Figure 4-2 Barriers that DevOps are trying to eliminate 18

Figure 5-1 The risk level of different cloud service models 22

Figure 6-1 The method that can be used to minimize the risk of vendor lock-in 25

Figure 6-2 Cloud Maturity Index and the current situation of Scania CV AB 26

Figure 6-3 Hybrid IT strategy steps needed to adopt a cloud computing platform 28

Figure 6-4 Complexity integrations in relation to whether the producer and consumer exist

internally or externally 30

Figure 6-5 Classifications of information types followed by their risk level 31

Appendix- Figure 1-Magic Quadrant for Cloud Infrastructure as a Service (IaaS) 41

Appendix-Figure 2-Magic Quadrant for Enterprise Application Platform as a Service (PaaS) 42

VII

List of Acronyms and Abbreviation

API Application Programming Interface

CM Change Management

CMI Cloud Maturity Index

CR Change Request

DSL Domain Specific Languages

MM Maintenance Manager

IaaS Infrastructure as a Service

ISEC Information Security

ITDM IT Development Meeting

PaaS Platform as a Service

RFC Request For Change

SaaS Software as a Service

SAC Strategic Architecture Council

TOSCA Topology and Orchestration Specification

for Cloud Applications

TR Trouble Request

1

1. Introduction

Scania CV AB has a history over more than 100 years, they were founded in 1891 [1]. Since that

time, Scania has built and delivered more than 1,400,000 trucks and buses for heavy transport work

[1]. Scania IT is a part of Scania CV AB, which is responsible for the development of the

applications and handling infrastructure of Scania CV AB. Scania IT are currently having all their

work and infrastructure on-premises. So currently Scania IT is looking for a better economical and

flexible solution, with the aim to decrease time to market. Therefore Scania IT is considering

implementing a cloud computing platform, since they assume it will lead to reaching globally faster

and will contribute to continuous delivery, which is an important goal to Scania IT that they are

always striving to achieve with optimization. Many concerns are listed within Scania IT in the

transition to the cloud such as security issues, lack of control and reliability. However the main

concern that they want to analyze is vendor lock-in and the vulnerabilities that cause the companies

to fall in vendor lock-in. Vendor lock-in is the outcome that makes a customer dependent on a

specific vendor for products and services unable to use another vendor without substantial

switching costs. Therefore the thesis will present a study about this main concern to Scania IT in

moving to a cloud computing platform.

1.1 Problem statement Scania IT is seeking for improvement for the rate of delivering services and applications with

providing a faster delivery rate, which contributes to continuous delivery that tries to deliver

improvements to an application as often as possible while maintaining quality. Moreover, Scania IT

wants to investigate deeply the many unresolved and open problems related to the mature

technologies of cloud computing. One of these technologies is vendor lock-in, which is caused by

the lock-in effects that will be described in this thesis such as portability, which is the ability to

move applications, data, and tools from one cloud vendor to another in a company that wants to use

a cloud provider such as Scania IT. Another effect is the interoperability, which is the ability for

different clouds to communicate with each other. Portability and interoperability effects play a big

role in causing vendor lock-in, which causes companies to pay a significant cost to move between

cloud providers.

Moreover, Scania CV AB is a large international company where several countries are involved to

many applications that are found in Södertalje (The main office); therefore a goal they are always

striving to achieve is global accessibility from around the world.

2

1.2 Related work and contribution To accomplish the transition to the cloud, there are many factors that need to be taken into account

as shown in figure 1-1 below [2].

Figure 1-1 Cloud computing pros and cons and some of the issues directed in the thesis [2]

General studies in the field of deployment of cloud computing bring up some ongoing discussions.

Figure 1-1 above shows that there are four main cons to cloud computing which are security, lock-

in, lack of control and reliability [2].

Since cloud computing is a big technological aim to provide flexibility and economic improvement

to companies and customers. For companies to use cloud computing, they need to discuss and

research these benefits versus the risks of cloud computing. Therefore a literature study has been

conducted to provide an empirical investigation of cloud computing using multiple sources of

evidence and in-depth analysis of several previous studies.

Greenwood et al [3] showed that cloud computing can be significantly cheaper alternative to

purchasing and maintaining system infrastructure in-house. Despite these advantages, he showed

that there are some important socio-technical issues that need to be considered before organizations

would move their IT systems to the cloud [3]. Petcu et al [4] have proposed a layered set of APIs

that are offering a supplementary degree of freedom, from programming languages and style.

Kostoska et al [5] has proposed a new cloud portability service platform and gave an overview of

the current trends in the area of cloud service portability. Kostoska discussed that there are no

3

standard solutions for cloud service portability, mainly due to a huge number of various cloud

providers on the market. However, he named two approaches that are known in technology area to

cope with emerging markets and offer. The first approach is using the most successful provider,

which will “kill” the other in the concurrent market environment, and the other to establish a highly

recognized standard accepted by all market players [5]. The second approach is using Topology and

Orchestration Specification for Cloud Applications (TOSCA), which represents a first step towards

building a standard for portable deployment and the migration of existing applications onto a cloud

[5]. Guillen et al [6] proposed a framework which aims to favour cloud agnostic software

development, which helps companies continue building their applications without having to modify

their technology, and also without having to choose a single immovable cloud provider. Moreover,

Ranabahu et al [7] indicated that using Domain Specific Languages (DSL) shows a promise in

developing portable applications for the cloud and related platforms. They have done some tests and

the results shown were very promising for a portable cloud platform.

It can be concluded so far, almost all researches for cloud computing are pointed towards solutions

of portability and ways to overcome vendor lock-in. However not much has been discussed about

the vulnerabilities that make companies like Scania IT fall into vendor lock-in. Also, the reason

why it is a concern to companies considering the usage of cloud computing. Therefore, the

contribution that thesis aims to address is the existing gaps in the deployment of a cloud computing

and specifically Microsoft Azure in an International huge company like Scania IT and fills the

research gap, which is the lack of studies for the reasons and vulnerabilities that companies face in

the deployment of a cloud provider.

Furthermore, the thesis represents some ideas on how to resolve some problems faced when

deploying a cloud computing platform. It is believed that the thesis research questions will be filled

by the conclusions made on this project. Therefore, some research questions will be presented in

order to show what would be the direction of study during different steps of this project and

eventually by answering these questions the final conclusion will be made.

The main problem area is related to the title of the thesis:

Despite the fact that Cloud Computing is a popular evolved computing terminology based on the

consumption of computing resource and proven to be cost efficient and more flexible with a reduce

in the amount of physical infrastructure that a company have to keep and maintain. However some

downsides are security and vendor lock-in. So why such a technology has not been applied or

discussed in huge companies like Scania CV AB?

Since the previous statement is not easy to resolve, it should be cleaved:

4

(1) Why is the cloud a raised issue in Scania IT?

(2) Why is Scania IT vulnerable to vendor lock-in in the transition to a cloud computing

platform?

(3) Why is vendor lock-in a concern to Scania IT when using a cloud computing platform?

The above order was based on a sequence that would be easy to follow. The work would start by

answering the research question (1) that would lead companies to think of the positive side of the

cloud. However the drawbacks of the cloud such as vendor lock-in raised questions (2) and (3) to be

interesting to examine as most companies do not take into consideration the movement out of the

cloud. After identifying the missing gap and the research questions, it could be derived the goal and

purpose of the study in the following sub-sections.

1.3 Goals The goal of the study is to emphasize the reason why Scania IT needs to consider the deployment of

a cloud computing platform and to help Scania IT understand the vendor lock-in and the associated

vulnerabilities they can face in the transition to the cloud as well as to clarify the concern they may

have against falling into vendor lock-in and show what can be done to decrease the risks of cloud

computing.

1.3.1 Benefits and Sustainability

The audience of this document are companies that want to use a cloud computing platform and

want to understand more the risks rather than the benefits of cloud computing. They could use the

solution proposed in the thesis to minimize the risks of vendor lock-in and benefit from the steps

and ways to minimize the risks of cloud computing.

Sustainability aspects were also taken into account, which is reusing the work that had already been

analyzed in Scania and build on it what was missing to achieve a useful thesis that can help the

companies that are thinking of using a cloud computing platform. Moreover, the work submitted

and analyzed can be reused by other companies to minimize the risks of cloud computing and

improve companies maturity rate within cloud computing, which contributes to sustainability.

1.4 Delimitations The name of the company in the case study that has been done by interviewing the person who was

involved in this transition will be stayed anonymous, due to ethical reasons and request of the

owner of the information in the case study.

5

1.5 Outline of the thesis Chapter 2 presents the methodology used in performing the work. Also, gives the reader a more

insight of which methods are used in this research and why they are preferable methods. The

chapter gives more details of how data is collected and how the analysis of Vendor lock-in

vulnerabilities is performed.

Chapter 3 is the start of the author contribution and presents for the reader a history and a wide

introduction to cloud computing. Also, gives an introduction on the different service and

deployment models. Finally, it gives an idea about two main cloud providers.

Chapter 4 presents the investigations that are performed in the company to understand the

development process and bottlenecks that Scania IT is currently facing and give reasons why Scania

IT should consider the cloud.

Chapter 5 presents the lock-in effects that cause vendor lock-in and the different types of vendor

lock-in.

Chapter 6 presents the evaluations of investigations that were carried out to figure out if Scania IT

is vulnerable to vendor lock-in.

Chapter 7 presents the conclusion with the answer to the research questions and the future work that

can be done by other researchers and Scania IT.

6

2. Method

This chapter represents the methodology and the framework of the research, data collection,

selection, application and evaluation of the data collection method. The work with this thesis was

divided into several stages that contributed to the final conclusion.

2.1 Methodology To perform this thesis work, given the explorative nature of the research objectives, a qualitative

research method was chosen instead of quantitative method. The quantitative research method uses

experiments and large data sets to reach a conclusion, while the qualitative research method uses

investigations in an interpretative manner to create theories [8]. The thesis applies the qualitative

method because it helps to understand the vulnerabilities that companies such as Scania IT can fall

into and the lock-in effects that cause the difficulty of moving between different cloud

providers. Qualitative research method answers to questions, such as why, how and what [8].

Research approaches are needed to draw conclusion and to be clear whether these conclusions are

true or false. There are several methods that can be used, such as inductive, deductive or abductive

approach, which includes both the latter named methods. Inductive approach is when the research

resonate theories based on experiences and opinions. While, deductive approach resonate theories

to verify or falsify hypotheses. Inductive approach is often used when data is collected with

qualitative methods [8].

The thesis will apply inductive approach since there is no clear theory to verify or falsify

hypotheses, which applies in a deductive approach. However, a deep analysis is needed to gain an

understanding of the different cloud computing techniques and their effect on the company

specially the lock-in effects. Also, since the outcome is based on interviews of different employees

in the development process and getting an idea of how they work today when compared to working

with a cloud computing platform as Microsoft Azure.

The work contribution involved several stages:

1. Literature Study

2. Interviews internal and external

3. Analysis of Scania intranet system

4. Case Study

7

Starting with a literature study, this is needed to analyze the present situation of the company and

the current work done in this area. This analysis was performed by studying secondary data such as

reports, conference presentations, online information, user guides, press releases, white papers and

articles.

The second step was data collection for carrying out the study, which was by interviews. The

interviews of people in the current development process of Scania IT was performed to understand

the bottleneck in the process and motivate for reasons for the need of the cloud. The interviews

were done by carrying out unstructured or semi-structured data collection techniques i.e. individual

depth interviews and group discussions in this case. This field research consisted of interviewing

developers, testers and software oriented architecture experts. The exact interviewees for this

project were mainly addressed to three teams in one section of Scania IT. The process started by

interviewing maintenance managers of each department in one section of the company. Then the

process proceeded by interviewing a system developer and tester in that specific section. Finally,

the process of interview was directed to a higher rank, which is Change Management department.

Interviewing different people was done to understand the current process, then an analysis of

Scania’s intranet system was needed to provide a wider picture of the inner work of Scania and the

structure of how they work. Then an external interview was performed with the solution lead

principle for Microsoft Azure to understand their offerings for companies and their perspective on

vendor lock-in.

Furthermore, a case study of a company that has had the experience about transition to the cloud

provider and specifically Microsoft Azure. Case studies involved reading previous experience of the

adoption of the cloud and gathering information that will help make the analysis to Scania IT and

solve the worries that can be found. This case study has been deducted through a semi-structured

interview to one of the employees that was in charge of this transition and the questions were

directed to how this company dealt with vendor lock-in. Finally, the idea of the cloud maturity

index, showing how mature Scania IT is towards cloud computing led to the proposal of an IT

strategy to define applications in Scania IT moving to a cloud hence lead to a higher rank of cloud

maturity.

8

2.2 Framework of the study In order to make the work structured in a way that would be comprehensive and easy to follow. A

framework was created by the author with the steps need to answer the research questions. This

particular order of steps found in figure 2-1 was the order that was used to answer the research

questions, which are described below in details.

Problem: This is the first step in the thesis, where the problem was concluded from the current

situation of Scania IT and the reasons gathered behind the study of cloud computing.

Related Work: Following the problem, the work started by reading other researchers work and

extracting the related work and figuring out the thesis gap. From that literature study, the research

questions were introduced.

Cloud Computing Theory: Then following that a deep detailed analysis of the cloud computing

theory was needed to give the reader a broad understanding of cloud computing, which will be

needed to understand the rest of the work.

Interviews: After representing the data about cloud theory, 14 interviews from within Scania IT

have been performed to understand their current development process and discuss the work and

tools that are needed in each process. From these interviews, it was concluded as well the

bottlenecks that Scania IT are currently facing. Ethics was taken into account in this interview

research. That being said, in all interviews that were conducted it was asked to the interviewees

whether it was allowed to use and reference the data given in the interview and if it was allowed to

use their name and position in the thesis if needed.

Microsoft Azure Interview: That included an interview for a Principal Solutions Lead – Azure in

Microsoft. That was to better understand their services and their view on vendor lock-in as leading

cloud providers in both IaaS and PaaS service models.

Case Study Company X: That was an important step to gather the company’s opinion on vendor

lock-in, where the author interviewed the person responsible about the movement to the cloud in

company X. This was used to evaluate if Scania IT can follow the same pattern and avoid vendor

lock-in.

Cloud Maturity Index: This analysis step was to evaluate what was Scania IT current situation

with cloud maturity and how to move to a higher stage. Therefore a Hybrid IT strategy was created

as a flowchart guideline for companies to follow in order to achieve a high maturity stage.

9

Figure 2-1 The framework that was used in the thesis work

The green arrows illustrate that all the work performed results to the answer the research questions.

The red arrows illustrate the order of the steps taken to answer the research question starting with

problem, all the way to the cloud maturity index analysis.

10

3. Cloud Computing Theory

This chapter presents a background theory on cloud computing, cloud service models, cloud

deployment models and top three cloud providers. Moreover, there will be a clarification about the

difference between vendor lock-in and lock-in effects.

3.1 What is Cloud Computing? Cloud computing is a new terminology that was added to the IT industry in early 2007 [9]. Cloud

Computing is the practice of using a network of remote servers hosted on the Internet to store,

manage, and process data, rather than a local server or a personal computer [12].

The national Institute of Standards & Technology has defined Cloud Computing as follows [10]:

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a

shared pool of configurable computing resources (e.g., networks, servers, storage, applications,

and services) that can be rapidly provisioned and released with minimal management effort or

service provider interaction. This cloud model is composed of five essential characteristics, three

service models, and four deployment models.”

These cloud service and deployment models will be discussed in the next section. However the five

essential characteristics will be listed below and described [10].

1. On-demand self-service: A consumer can use computing capabilities, such as server time

and network storage without requiring human interaction with each service provider.

2. Broad network access: Computing capabilities are available over the network and can be

accessed by any device (e.g., mobile phones, tablets, laptops, and workstations).

3. Resource pooling: Computing resources that are owned by the cloud provider are pooled

to serve multiple consumers using a multi-tenant model, with different physical and virtual

resources dynamically assigned and reassigned according to consumer demand. Examples

of resources include storage, processing, memory, and network bandwidth.

4. Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases

automatically, to scale rapidly outward and inward commensurate with demand. To the

consumer, the capabilities available for provisioning often appear to be unlimited and can

be appropriated in any quantity at any time.

11

5. Measured service: Cloud systems automatically control and optimize resource use by

leveraging a metering capability at some level of abstraction appropriate to the type of

service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can

be monitored, controlled, and reported so providing transparency for both the provider and

consumer of the utilized service.

3.2 Cloud Service Models There are three common service models that are represented in relation to cloud computing, which

are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service

(SaaS). These models will be represented in details below.

Infrastructure as a Service (IaaS)

Infrastructure as a Service is a service offering a focus towards those who have knowledge of how

to configure the software portion of the technology stack, but do not want to manage the hardware

[14]. Infrastructure is the base of the stack and provides all the raw computing resources.

Platform as a Service (PaaS)

Platform as a Service is a service aimed to developers that help them develop and test applications

without having to worry about the underlying infrastructure. Developers do not want to have to

worry about provisioning the servers, storage and backup associated with developing and launching

an application [15]. The platform services provide users with software, virtual machines (VMs) and

usually handle all aspects of system administration for the user. On the other hand, the customers

would need only to handle the applications and data as illustrated in figure 3-1.

Software as a Service (SaaS)

Another type of cloud computing model is Software as a Service, which is a service that means that

the cloud computing provider is in charge of applications, data, operating system, storage, service

and the rest as shown in the figure 3-1 [2]. The consumer buys the services without worrying about

the customization or maintenance of the hardware. They need to just stay connected to the cloud

provider.

12

Figure 3-1 Different models and what is managed by the company versus what is managed by the

cloud provider

Figure 3-1 illustrates the separation of responsibilities for on-premises versus three service models,

IaaS, PaaS and SaaS, where it presents what is manageable by the cloud provider versus what is

managed by the customer. So, Other manages illustrates the cloud providers as Microsoft Azure or

Amazon. While You Manage, illustrates the customer as Scania IT.

3.3 Cloud Deployment Models There are five common deployment models that are represented in relation to cloud computing,

which are public cloud, private cloud, private virtual cloud, community cloud and hybrid cloud.

Public Cloud

A public cloud is available to the public or a large industry group and is owned by the organization

selling cloud services [16]. Public cloud resources are normally provisioned on demand or on

dynamic basis over the internet [16]. In the public cloud, the servers are the same for all companies

in the cloud but with different structures, where different companies can share the servers. This can

be shown in figure 3-2. The limitation of the public cloud is the security concerns that the cloud

servers are shared by many companies. This can be motivated since many cloud servers are in the

13

same cloud infrastructure and therefore there is a lot of resources that are shared among the

different companies that can be found in the cloud.

Private Cloud

A private cloud provides an easy, flexible and effective way to request, use and deploy IT

resources, applications and virtual machines (VMs) on hardware that is dedicated to a single

organization [11]. It can exist on premises or off premises [16]. The private cloud is an emulation of

the public cloud, typically on a private network, and exists to support the goals of the organization,

rather than to generically support resources for multiple organizations [16]. Private cloud customers

have their own servers and ports. This is illustrated in figure 3-2. The limitation of the private cloud

is that it can be more expensive than a public cloud. Since each cloud infrastructure is particularly

to one cloud consumer and therefore nothing is shared with other consumers making it more

expensive when compared to the public cloud.

Virtual private cloud

An alternative solution to addressing the limitations of both public and private clouds is called

Virtual Private Cloud (VPC). VPC is where the cloud is present in a cloud provider data center such

as Amazon, Azure data center, where each server has its own network of companies’ information. It

uses a multi-tenant shared services model as the public cloud but the partitions a single instance of

resources are for an individual customer. VPC customers “share” the core cloud platform but the

virtual machines they use are dedicated for their own private use, which makes it more isolated than

the public cloud and the user has complete control over their virtual networking environment,

including selection of their own IP address range, creation of subnets. This also allows customers to

design their own security firewalls when compared to the public cloud limitation. However the

limitation in VPC is the use multi-tenant, while many customers prefer the use of single-tenant.

Since there is a fear of sharing other customers the core cloud platform.

Community Cloud

A Community cloud is shared by several organizations to support a specific community, which is

only accessible for these organizations [10]. The infrastructure can be operated and owned by the

cloud provider or the organization. These communities would most probably share privacy and

14

performance requirements. The limitation that can be found is the sharing of the cloud platform as

the public and virtual private cloud. If there is no trust between the organizations using the cloud,

there can be a risk of information leakage. Also, to provide resources and a cloud computing

infrastructure to the community requires a huge amount of investment, which can limit the

resources to the organization making them less wanting to share the cloud and use the community

cloud.

Hybrid Cloud

A Hybrid cloud is the combination of two different methods of resource pooling; it could be two

cloud deployment models like public with community [10]. This combination of two or more cloud

providers is remained as a unique entity that is bound together by standardized technology that

allows data and applications portability [16]. Hybrid cloud is one of the best solutions, where it

includes many deployment models with the benefits and limitations of each.

While a Hybrid IT is the result of combining internal and external services, usually from a

combination of internal and public clouds, in support of a business outcome [33]. The comparison

can be better illustrated in figure 3-2. Hybrid IT includes traditional IT with all the cloud

deployment models (Hybrid cloud) shown below.

Figure 3-2 Different delivery models and illustrates the Hybrid cloud and Hybrid IT [31]

15

3.4 Cloud Providers Cloud providers are a company that provides cloud computing services and solutions to customers,

which can be individuals or businesses. The cloud provider delivers solutions that are pay-as-you -

go, meaning that the customers need only to pay while using such services. These solutions are the

ones named in the previous chapter, which are IaaS, PaaS, and SaaS. The two providers that are

discussed are Microsoft Azure and Amazon Web Services (AWS) are top leading providers in

different cloud models. Amazon is leading in IaaS services and Microsoft Azure has become a

leader since 2014 in both IaaS and PaaS services [25; 26]. This information was published by

Gartner [25; 26] and the charts can be found in appendix A.

Microsoft Azure

Microsoft Azure is the cloud provider that Scania IT wants to adopt. Microsoft Azure is Microsoft's

cloud platform [34], which is a growing collection of integrated service such as compute, storage,

data, networking, and applications that help the customer move faster, do more, and save money

[34]. Azure is an industry leader for both IaaS and PaaS services as ranked by Gartner [25; 26; 34].

IaaS and PaaS combined together give services that let customers build, deploy, and manage

applications any way you like for unmatched productivity [34].

Amazon Web services (AWS)

Amazon web services were founded by Bezo in 1994 as an online book store [27] and in year 2002,

it was officially one of the top 500 companies in US [27]. Amazon is the leading provider in IaaS

services as ranked by Gartner [25; 26]. They have several PaaS services that have been introduced

in 2011 such as “elastic beanstalk” [28], which allow users to create application and push them into

a defined set of AWS services.

16

4. Current development process and bottleneck in Scania IT

This chapter is done by investigating the current development process that Scania IT is currently

going through all the way to production. Then, concludes with the bottlenecks that have made

Scania IT think about the adoption of the cloud platform. The aim of this chapter was to understand

the development process and the vulnerabilities that Scania IT is currently facing and whether it can

be solved by using the cloud.

4.1 Current development process A study of the current development process of Scania IT was needed to evaluate the process that

Scania IT is currently using and the tools they use for their applications. The current development

process was gathered by interviewing a group of people working in Scania IT and in the process of

change management process which is name of the process that Scania IT is working with to deliver

products.

The development process goes through several procedures. The development process starts by

having a Change Request (CR), meaning that a request to change for an application served to a

customer, which is Scania. The CR can be a change in an application or an upgrade of Scania’s

database. Then after figuring out the start of the process, the work started by interviewing three

different maintenance managers (MM), which are responsible for handling the CR. MM are also in

charge of the control of installation, repair and upkeep of employers' property, including machines

and mechanical systems. They may also take on more administrative tasks, depending on the

specifics of their job. Then moving to a higher rank that is change management department. MM

currently uses a system called “Jira”, which is an issue tracking product on Scania that is used for

Trouble Reports (TRs) and Change Requests (CRs) made during software development,

maintenances and projects alike. MM handles CRs within the team, which means that the MM has

discussed with the developers and testers who will be responsible about that specific change.

A Request for Change (RFC) is issued by the MM on a system called “Remedy”, which is handled

by the Change management (CM), responsible. Therefore an interview to the person responsible

was conducted to understand more about their system and their process. CM is in charge of

minimizing the number, and impact, of incidents caused by planned changes to the Scania IT

service production environment. Also, to ensure that all IT services are carefully prepared for a safe

and secure operation. When the CM has agreed on the change, the application needed to be changed

17

is done and moves to the stage of production. This is shown in details in figure 4-1 below. The

steps can be summarized with respect to the figure:

1. Scania CV AB, the customer issues a change request (CR) to Maintenance Managers (MM).

2. After MM register in”Jira” system, they issue a Request for Change (RFC) through a system

called “Remedy” to the Change Management team (CM).

3. The CM looks at the editing and does the necessary things as written in the figure 4-1. After

approval about the quality, risk analysis and other things, they send the CR to production to take

care of it.

Figure 4-1 Development process of Scania IT

In between the MM and the CM, DevOps can be found as shown in the figure 4-2. Two DevOps in

the Scania IT were interviewed to understand their role in the process. DevOps comes from the

combinations of the initials of Developers and Operations. They are in charge of decreasing the gap

between developers and operations by synchronizing the methods and tools used between both. As

seen in figure No. There was a further interview conducted to the creator of this process and the one

responsible about continuous updates to the process. He talked about his continuous effort along

18

with his team to optimize the change management process and ease the process to help Scania IT

workers to delivery faster with the aim of continuous delivery.

To better illustrate the DevOps aim and their work effort, the following figure can be created.

Figure 4-2 Barriers that DevOps are trying to eliminate

Figure 4-2 shows the sequence that developers use to develop a product, they always strive to

achieve continuous integration, which is a software development practice where developers

integrate their work frequently, leading to multiple integrations per day [30]. This has shown a

progress in code management within teams and a more rapid development of software. Moreover

Scania IT strives to achieve continuous delivery, which is to continuously deliver improvements to

an application as often as possible while maintaining quality. Lastly, is continuous deployment,

which is the next step of continuous delivery. Every change that passes the automated tests is

deployed to production automatically. It leads to minimizing the overall lead time. However there

are several bottlenecks that will be presented below that cannot be helped with DevOps but needs

the intervention of a cloud computing platform.

19

4.2 Bottleneck in Scania IT After interviewing different employees in the company and understanding their current

development process, it could be concluded the bottlenecks they have in the current process that

they believe will be solved by adopting the cloud.

1. No standardized tool between Maintenance Managers (MM) and Change Managers (CM).

Since MM are using “Jira”, while CM are using “Remedy”.

2. Time needed to deliver/setup a server/database is 3 weeks, since the hosting servers team

must provide the servers and deliver the infrastructure which takes times.

3. Access Management, they are responsible for granting access to server, servers’ accounts,

and active directory groups. Every order typically takes 3 days to complete. This adds to lead

time.

4. The CM process often takes a lot of time before the RFC’s get approved

5. Involved Dependencies. Often in the development of an application, there are other teams

involved in the development e.g. Integrations. They follow different time plans for

development & tests and which does not necessarily match with the owner of the application

time plans. This adds to lead time.

6. In the change management process, the MM has a duty to send an RFC request to the

Change management (CM). However there are several types of RFC that are available in the

system “Remedy”. One of the bottlenecks is the wrong usage of the RFC type that can make

conflicts in the process and prolong the process.

These bottlenecks have made the teams such as the .net development team, which is responsible for

several applications that use the .net development tool to think about the cloud computing solution.

Since all these lead times have affected the continuous delivery that the teams are trying to achieve,

the cloud seems to be a perfect solution. The cloud can decrease the lead time with both hosting

server team that takes up to 3 weeks to deliver/setup a sever or database and time for the access

management that takes 3days/request to grant access for the employees to their servers. Since if a

company buys IaaS, then they have the servers delivered by the cloud provider instantly and the

access is also done automatically. So it could be concluded that the cloud would decrease the lead

time with the fast delivery of the servers and granting access automatically.

However in the next chapter, there will be a discussion about the risks of the cloud with a focus on

vendor lock-in and the lock-in effects.

20

5. Three types of lock-in effects that cause vendor lock-in

Most companies look at the positive side of the cloud and the ways to move into the cloud, but

never take into consideration the ways out of the cloud. In order to evaluate the way out of the

cloud, the vendor lock-in and lock-in effects need to be described.

Vendor lock-in is the situation that makes customers who are adopting a cloud platform from a

cloud vendor to be locked-in to that specific vendor. This situation can cause complications for the

customer to move to another vendor in terms of cost, effort and time. On the other hand, the lock-in

effects are the effects that cause vendor lock-in. These effects are portability, interoperability and

federation.

5.1 Lock-in effects There are several cloud providers that offer different services, storage, infrastructure, API and

etcetera. Therefore, there must be a way to identify the most suitable cloud provider to a specific

company such as Scania IT. A cloud provider can be chosen according to many factors such as

security related to that cloud provider; another main issue is the cloud portability and

interoperability. Most companies think about the advantages and the ease to the adoption of the

cloud but never take into consideration their way out of the cloud and the difficulty it could cause

for the companies in terms of time, effort and money. Therefore cloud portability and

interoperability are the important issues discussed in this chapter since many cloud customers forget

taking this into account when adopting cloud providers. Therefore, it is needed for cloud customers

to consider the lock-in effects that cause vendor lock-in to try to avoid them, where the risk is being

tied to a particular cloud service provider due to the difficulty and costs of switching to another

cloud provider to use the equivalent cloud services [18].

Cloud computing often relates to data, application, platform, and infrastructure components. Data is

the machine-processable representation of information, which is found in the computer storage [17].

Applications are software programs that perform functions that are related to business problems

[17]. Platforms are programs that support the applications and perform generic functions that are

not business-related. Infrastructure is a collection of physical computation, storage, and

communication resources [17].

21

Portability

Portability is the ability to move applications, data, and tools from one cloud provider to another so

that it is usable in the target provider. This is found in a company that wants to adopt a cloud

provider such as like Scania IT. There are several types of portability such as data, application and

platform portability.

Interoperability

IEEE [20] and ISO [21] define interoperability as the ability for public clouds, private clouds or

other more systems within a company to exchange information and mutually use the information

that has been exchanged.

In cloud computing, the most important thing with interoperability is the ability of cloud customers’

service to interact with cloud provider services and be able to communicate with the components on

both sides [18]. They usually interact and communicate using a specific interface or an API. The

problem is that cloud providers have different interfaces for each cloud service, which deal with

different functions for example administration interfaces, billing interfaces, and many more

interfaces. There are many types of interoperability such as application interoperability, platform

interoperability and management interoperability.

Cloud Federation

Federation is when several cloud providers are brought together to create a solution for a company.

Federation is referred to the unionization of software, infrastructure and platform services from

different networks that are accessed by the customer though the internet [35]. Federation of the

cloud resources are facilitated through network gateways that connect public or external clouds,

private or internal clouds to create a hybrid cloud computing environment.

22

5.2 Vendor lock-in types in relation to different cloud models Vendor lock-in is a risk that companies need to take into consideration when adopting a cloud

provider. The risk can be found in different cloud service models, in IaaS, PaaS and SaaS. The risk

varies greatly depending on the cloud service model as shown in the figure 5-1. This depends

greatly on the number of hardware and software the vendor provides to the customer.

Figure 5-1 The risk level of different cloud service models

IaaS depends on the specific infrastructure services that are used. For example, if the customer uses

cloud storage, they will not be impacted by the non-compatible virtual machine formats [36]. IaaS

vendor lock-in has the lowest risk involved because most vendors use the same virtualization

environments, which makes it easier for customers to move between cloud providers [29].

The risk increases with PaaS, since the vendor providers both hardware and software applications

[29]. PaaS lock-in occurs at both the API layer and at the component level. For example, PaaS

providers offers highly efficient back-end data store, that makes forces customer to develop code

using the custom APIs offered by the provider and code data access routines in a way that is

compatible with the back-end data store [36]. Accordingly, even if the APIs that are offered are

compatible, the access model may be different, making the code unportable across PaaS providers.

Moreover, PaaS lock-in at the API layer happens as different providers offer different APIs. Finally,

the highest risk is with SaaS, since the vendor controls all the key components of the customers

system [29].

0

15

30

45

60

75

IaaS PaaS SaaS

High risk

Low risk

23

6. Is Scania IT vulnerable to vendor lock-in?

This chapter is concluding whether Scania IT is vulnerable to vendor lock-in and gathering

information that can be used to evaluate why Scania IT might be vulnerable. This is done by

analyzing the cloud provider they want to adopt, which is Microsoft Azure and having an interview

to a similar company, in such of the same motivation to use cloud computing, and the current

components that are being used. This analysis has been done to learn what the greatest challenge to

make this move was and how they handled the vendor lock-in situation.

6.1 Microsoft Azure view on vendor lock-in It was mainly focused on the lock-in effects and how a company falls in vendor lock-in. The issues

that can be concluded from the meeting was that vendor lock-in should be included in a risk

analysis of any company and vendor lock-in is valid regardless of whether the system is running on

a physical data room of an organization or in a public cloud service such as Azure.

Azure is a platform with very many different services where it varies how easy it is to move in a

solution. In Azure, they are always working to minimize the lock-in effects. Azure’s Cloud OS

strategy is built to be able to manage their platforms in the same way as if it is on-premises, a

partner cloud provider or in Azure. In Azure IaaS deals mostly with virtual machines and these are

simple to be copied to other environments, i.e. no more vendor lock-in than the equivalent in its

own or partner’s hall. Maybe even less as Azure have well-defined public APIs. When it comes to

various PaaS services, so it varies how easy it is to migrate. Everything is going to migrate but the

thing to consider is how big or small the stakes are. For example Azure websites are very easy to

move to a regular web server on premises.

6.2 Relation between Company X and vendor lock-in Company X

1 begin their thoughts of the transition of cloud computing and the most convenient

provider was Microsoft Azure, since the company only used Microsoft components. Company X

decided not to put everything in the cloud. But accordingly to the information classifications and

how important the information is and whether it is dependent on another application or not, they

would decide whether it is applicable to be put in the cloud. After choosing the most convenient

1 Company X is an international company that wanted to stay anonymous due to their privacy

concerns

24

cloud provider, they had a testing period through which a practical test of cloud services was made

and evaluation of what would the shift mean for the organization?

They found that the usage of the cloud gave them:

1) Better user experience.

2) They could store information that is accessible to the other branches in the company in other

countries.

3) Web acceleration is more effective with continues loading of new process and information.

4) The same process is shared to everyone in the company.

However, some of the concerns that made the people responsible on the transition make more

efforts in examining is both security issues with a public cloud and the risk of falling into vendor

lock-in. In order to decrease this risk of vendor lock-in, the company thought of the idea of

mirroring. This following described method was conducted to be independent on a specific cloud

provider and decrease the vulnerability to fall in vendor lock-in by making an own copy of the

cloud internally offering the same services with the public cloud they have bought services that are

non-vendor proprietary components such as SQL Server, Oracle, Tomcat, JBoss, IIS, Apache,

etcetera that can either run:

1. In IaaS cloud, where the company take care of them but run them on an instance in the cloud or

spin up a complete "image" of the IaaS provider's application list.

2. At PaaS provider, where the components are handled by the provider and is running on one of

their servers, such as Oracle, IBM and others have this kind of PaaS based on standard products

that can also be run at home in a company’s own data center or in the company’s own data

centers (in private IaaS, PaaS or traditional IT).

However Proprietary PaaS components such as Azure Blobs, Tables Azure, Azure Machine

Learning, Azure Message Bus, etcetera, or AWS corresponding components can only be used in the

provider's data center and you cannot move the applications that use them either to another cloud or

home to the companies own data center. With this solution, the company can save data on-premises

but in case of crashing there will be no way to run the data without creating an application that can

take out data. Therefore company X choose to buy non-vendor proprietary cloud that is handled by

the provider and based on standard components. The PaaS services are mapped in both internal and

external IaaS to achieve mirroring and redundancy. Also, in case of a crash or that the operator

agreement is no longer suitable. There is always a copy of data available on-premises. This is

25

illustrated in figure 6-1. Each application (App) has a runtime environment to make the customer

have the possibility to stop and restart the environment as seen in the figure 6-1.

Figure 6-1 The method that can be used to minimize the risk of vendor lock-in

Some characteristic that need to be applied in both the internal and external cloud are:

• Resource management: for IaaS in cloud computing offers benefits such as scalability, quality

of service, optimal utility, reduced overheads, improved throughput, reduced latency, specialized

environment, cost effectiveness and simplified interface [22]. Also customer demands services

and features and gets an environment in public or private cloud depending on current available

resources.

• Automated provisioning: it is the ability to deploy information technology by using predefined

procedures that are carried out electronically without human intervention [23].

• Adapters for different providers: it is the ability that makes different software’s to transfer

information from a local office to different cloud providers.

26

6.3 Is Scania IT Vulnerable in the transition to the cloud?

The most important question was whether Scania IT is vulnerable in the transition to the cloud was

analyzed through the previous case study mentioned and the view of the cloud provider. It can be

seen from the case study of the similar company previous situation before adopting the cloud, it can

be seen the similarities in both companies. Scania IT is also an international company that has the

same motivation to use the cloud, which is global accessibility, that the same process can be shared

to everyone in the company. Moreover continuous delivery importance can be thought to be helped

by the cloud through web acceleration in loading of new process and information. The decrease of

time to market was an important factor to both companies, company X and Scania IT. All these

factors made it interesting to learn from company X the ways they tried to solve issues with the

cloud. Their main issues were security and the fear of vendor lock-in. However our main focus was

on vendor lock-in and their perspective on solving it. The study has shown the way to minimize the

risk of vendor lock-in by providing two Infrastructure services both internally in Scania IT and

externally in the cloud provider. However, another factor that needs to be considered is the Cloud

Maturity Index (CMI), how mature Scania IT is in cloud computing services. Therefore figure 6-2

below shows the different factors that have been considered to set Scania IT in Stage 1 in CMI.

Figure 6-2 Cloud Maturity Index and the current situation of Scania CV AB

27

In stage 1 (Immature): The cloud services are not used at all or very little. There is no strategy for

the cloud services and the level of knowledge and ability is low. Finally there is no application

consolidation, which means there is no strategy about the amount applications should move to the

cloud. It is an important factor, since it decreases the number of vendors you deal with, and the

number of licenses or home-built apps you manage, which can reduce complexity.

In stage 2 (Basic): There is a basic knowledge of cloud services. The use of services is purchased

when the need arises and very little integration to other IT environment without a strategy.

In stage 3 (Mature): There is a strategy for cloud services and purchases are partially in accordance

with it. There is probably more than one type of cloud service and perhaps more than one

distribution model used. Cloud services are a natural part of the IT portfolio.

In stage 4 (Leading): The differences between cloud services and other forms of delivery are clearly

defined. It includes whether an analysis of the existing IT portfolio has been implemented. Purchase

of cloud services is in accordance with a defined strategy. Several types of cloud services and

distribution models are used, depending on what is best for each area. The drivers of cloud services

is particularly change, innovation and development. After the detailed view of the stages, the author

of the report views Scania IT as in stage 1, since there is no use of cloud services yet. Moreover

there is no defined strategy of the applications needed to move to the cloud. However it can be

concluded that stage 3 can be reached fast and easily if there is a cloud defined strategy and

purchases are done according to that strategy.

To clarify the current strategies in Scania IT, a flowchart has been made in figure 6-3 to ease what

is needed from organizations. To be able to create a strategy, an IT strategy must be clarified. Once

that is done, companies need to set their applications to be cloud defined. Cloud defined means that

the applications requirements are specified and clarified with which service model suits these

applications. Another requirement is the application consolidation, which is to bring several

applications together to benefit of the decrease of number of vendors the company would deal with,

and the number of licenses or home-built apps the company manage, can reduce complexity.

Finally the last point was to clarify which requirements are needed when moving application from

on-premises to the cloud, whether there are any guidelines set in a company or not.

It has been concluded that within Scania IT there are few guidelines that state which applications

are most suitable to be put on the cloud in terms of simplicity, flexibility and information

classification. However there are some points missing such as the need for the applications, whether

they will need IaaS, PaaS or SaaS. The number of application needed to move to the cloud. It can

be seen in the flowchart in figure 6-3, with the “No” in cloud defined, that if Scania IT does not

28

have a fully defined cloud strategy, they should do it to decrease the risk of cloud immaturity, have

power of negotiation when they have several cloud moving to the cloud and could request an own

shell in the cloud from any cloud provider.

Figure 6-3 Hybrid IT strategy steps needed to adopt a cloud computing platform

These guidelines that are listed below would minimize the risk of the usage of the cloud. It is

advisable for companies to work with improving their strategies before using the cloud services.

Some of the guidelines currently being looked at are listed in the next subsection.

29

Guidelines

Scania IT has a Hybrid IT strategy focus that is managed by Strategic Architecture Council (SAC).

SAC is a part of Scania’s Enterprise Architecture Governance structure. This council is responsible

for Principles and strategies, Enterprise Architecture Roadmap Strategic. Some guidelines and

thought by Magnus Eriksson, who is a senior Enterprise and IT-Architect at the Enterprise

Architecture Office in Scania IT AB. He has performed proactive strategy and technology

investigations.

The guidelines that will be discussed below are still not accepted by the IT Development Meeting

(ITDM), which is part of the Scania IT Technology Architecture decision structure. The meeting is

facilitated by Scania Enterprise Architecture Office. They are responsible to accept and decide on

new strategic plans.

Simplicity Guidelines

One of the important features that should be considered when choosing a deployment model and IT

architecture is Simplicity. Two factors are most important when considering deployment models,

which are the number and complexity of integration, and location of data producer and consumer

[31]. In case of the existence of both the producer and consumer of data for a particular system are

internal itself adds unnecessary complexity to deploy the system externally and vice versa for a

system with external producers and consumers [31]. As seen in figure 6-4, the high risk is noticed to

be when many/complex integration are in a system and the producer and consumer are not

externally , then it is not a good idea to put the system externally. Also there is high risk when the

producer and consumer are internal, and the systems with some/normal integrations are put

externally. In most other cases there is no risk or medium risk to put the system internal or external

depending on the integration complexity. So to conclude, if both the producer and consumer of data

for a particular system are internal it adds unnecessary complexity to deploy the system externally

and vice versa for a system with external producers and consumers [31].

30

Producer and consumer are external

Producer external and consumer are Internal

Producer internal and consumer are external

Producer and consumer internal

Many/complex integrations

External External External External

Internal Internal Internal Internal

Some/normal integrations

External External External External

Internal Internal Internal Internal

Few/simple integrations

External External External External

Internal Internal Internal Internal

Green: Proceed. Take this as the default approach and move forward on the basis of why wouldn't you do it.

Amber: Medium risk. Pause and review the options available moving forward on the basis of why would you do it.

Red: High-risk and/or not a good fit. Stop and consider the implications carefully before proceeding.

Figure 6-4 Complexity integrations in relation to whether the producer and consumer exist

internally or externally.

Flexibility Guidelines

Flexibility, which is the main focus of our topic since it is related to portability of moving

applications between cloud vendors with as little effort and cost as possible [31].

Therefore, the following priorities of guidelines are essential to when buying or reusing

components/systems [31]:

1. Available for both internal and external deployment (outsourced, SaaS, PaaS or using IaaS).

The greater the number of available external providers the better.

2. Available for external deployment from two or more external provider (outsourced, SaaS, PaaS

or deployable using IaaS). The greater the number of external providers the better

3. Available only internally.

4. Available only from one external provider.

To sum up, the priority is that several components/systems are found in both external and internal

deployment models, with a great number of available external providers. Then for less priority the

components/systems would be available only for several external providers. After that it is

preferable that components/systems are available only internally rather than externally.

31

Information Security (ISEC) Guidelines

The information Classification in Scania IT is classified into four main classes:

1. Secret

2. Confidential

3. Internal

4. Public

Both Secret and Public are rarely used in Scania IT. However when choosing a deployment model,

it can be stated that a high risk application that needs to carefully be looked into to whether move to

a cloud or not is in the Secret class. While in the Confidential class, it is a medium risk and options

of the external providers available must be examined properly. For both Internal and Public class,

both external and internal deployment models are of no risk. This can be seen in figure 6-5 [31].

Confidentiality Delivery Model

Secret External

Internal

Confidential External

Internal

Internal External

Internal

Public External

Internal

Green: Proceed. Take this as the default approach and move forward on the basis of why wouldn't you do it.

Amber: Medium risk. Pause and review the options available moving forward on the basis of why would you do it.

Red: High-risk and/or not a good fit. Stop and consider the implications carefully before proceeding.

6-5 Classifications of information types followed by their risk level [31]

According to the strategies that were stated above it can be concluded that the hybrid IT cloud is the

main focus of the company. It can be noted that “Hybrid IT is transforming IT architectures and the

role of IT itself”, according to Gartner, Inc. [32]. Hybrid IT is the result of combing traditional IT

with Hybrid Cloud, which can include public clouds, private clouds and community clouds. Hybrid

32

IT is new and IT organization such as Scania IT need to use a hybrid IT strategy that not only build

internal clouds to house critical IT services but also utilities the external cloud to house noncritical

IT services to minimize the risk of vendor lock-in by having both internal and external applications,

data and information. Also further strategies are needed to minimize vulnerabilities that cause

companies to fall in vendor lock-in and in the same way take the advantages that the cloud would

give the company.

33

7. Conclusion, Implications and Future work

This final chapter concludes and summarizes the study conducted in Scania CV AB with the goal to

help Scania IT understand the vendor lock-in and the vulnerabilities they can face in the transition

to the cloud. Then further work is clarified with ideas of how the work can progress.

7.1 Conclusion Scania CV AB has a history over 100 years. Throughout the years, Scania has delivered heavy

transport and buses with continuous development and innovations. The goal of the thesis was to

emphasize the reason why Scania IT needs to consider the deployment of a cloud computing

platform and to help Scania IT understand the vulnerabilities towards vendor lock-in in the

transition to the cloud as well as to clarify the concern that they may have against falling in vendor

lock-in and show what can be done to decrease the risks of cloud computing. The following was the

research questions that were researched in the thesis.

(1) Why is cloud computing a raised issue in Scania IT?

(2) Why is Scania IT vulnerable to vendor lock-in in the transition to a cloud computing

platform?

(3) Why is vendor lock-in a concern to Scania IT when using a cloud computing

platform?

The requirement of a cloud computing platform was needed to minimize the lead-time caused in the

current development process. The cloud computing platform is the technology where the servers

and applications are hosted on the internet rather than internally on premises. The advantages of a

cloud computing platform is flexibility, innovation, development and less IT costs that are due to

reduced amount of physical infrastructure that they have to keep and maintain. There are several

characteristics of the cloud, which are service models IaaS, PaaS and SaaS. Also a set of

deployment models public cloud, virtual private cloud, private cloud and hybrid cloud that can be

chosen from. These characteristics can be chosen depending on the companies’ requirement that

they have set on their applications. The development process that Scania IT is going through all the

way to production was to conclude the bottlenecks that Scania IT was facing and the benefits of

moving the cloud.

Most companies like Scania IT have seen the advantages and positive side of moving to the cloud

and the ways into the cloud, but never have taken into consideration the ways out of the cloud.

Therefore the study was mainly focused on the vulnerabilities causing vendor lock-in, which is the

34

situation that causes companies to be locked to a specific cloud provider and moving to another

provider will cause the company to pay significant switching costs. The situation of vendor lock-in

was examined by analyzing a similar company with the same criteria and motivation to move to the

cloud and from that analysis, it was concluded that vendor lock-in can be minimized by creating

two infrastructures as a service, one internally and one externally to have duplicate of the data and

avoiding using proprietary cloud provider components. Other risks were taken into account and that

was the cloud maturity index (CMI) and how mature Scania IT can be seen in cloud computing.

The conclusion was that Scania IT needs to improve their knowledge about cloud services and

decide which cloud deployment model is most appropriate to their companies business. The index

of cloud maturity is an important factor since companies with high CMI has in average 34 % less

costs for IT and spend three times more on innovation and development.

Moreover it could be concluded that the most suitable deployment model is the Hybrid IT, instead

of only using one development model. Thus the benefits and limitations of all deployment models

are taken. However a study of the Hybrid IT strategies in Scania IT is needed to evaluate how

mature Scania IT is in cloud computing. Strategies has shown that deploying the Infrastructure with

the help of the cloud, is the much more beneficial for Scania IT than to deploy platform services,

which will increase their risk to vendor lock-in and would not give so huge gain in the company but

more risk.

Scania IT needs to consider the risk of vendor lock-in and the lock-in effects as portability,

interoperability and federation that causes the applications not to be runnable at another cloud

provider. By solving the lock-in effects, the company is minimizing the vendor lock-in since that is

solving portability of data from one cloud provider to another, or interoperability, that the

applications from different vendors are communicating to each other or federation, where different

applications from different providers form a solution for a company.

However, it might be necessary to first move the data back to the customer’s site and then move it

to the new provider’s environment using a data migration plan. In this migration plan, there must be

a way to switch data format and syntax to another form to be suitable to be used by another

provider. Since Scania IT is a huge international company with much valuable data and

information, it would be recommended according to their classification of data to avoid putting any

secret or confidential data on the cloud. The companies as Scania IT need to study and research all

the cloud possibilities with the advantages and disadvantages of the cloud to avoid falling in vendor

lock-in. Also by reaching a leading stage in the CMI that can help the company be aware of all the

cloud elements, risks and follow a defined strategy. The vulnerabilities that Scania IT can face

towards vendor lock-in is lack of standard technologies and solutions, poor provider selection, lack

35

of supplier redundancy, lack of completeness and transparency in terms of use. Since all the cloud

providers want to lock their customers to their own components and do not support standardization

of technologies and solutions. Also, cloud providers do not provide all the information to their

customer which contributes to lack of transparency.

7.2 Implications for Scania IT Scania CV AB is an international company, which seeks innovations and continuous development

in their trucks and buses for heavy transport work. As stated before the study was particularly done

in Scania IT, which is the part of Scania CV AB that is responsible for the development of the

applications and their infrastructure.

Their need for the cloud was concluded from their bottlenecks that were derived from the

development process. The study clarified the need for the cloud for Scania IT and made them

realize the advantages of the movement of the cloud. However, the cons of the cloud as vendor

lock-in was noticed as a risk for the company that they fear in using cloud computing. Despite of

this fear, the clarifications of the different lock-in effects were helpful for Scania IT to understand

what they need to discuss with cloud providers. Furthermore Scania IT needs to further work on the

steps for their exit strategy of moving out of the cloud computing platform if needed.

The case study of company X that has similar characteristics as Scania IT, gave Scania IT a solution

that would minimize the risk of vendor lock-in while maintaining the advantages of the cloud as

flexibility and lower IT costs. Scania IT thought the idea of using two infrastructures as service was

brilliant and would be minimize their concern about vendor lock-in as they would have their data

on-premises. This is seen as an advantage since IaaS has a fixed fee that can expand easily with

minimal operational and maintenance expenditure. So for a big company as Scania IT with 42,100

employees, it will be much easier to automate by saving on the public IaaS and a private IaaS to

protect data either by security propose if the public cloud will have any break in or something and

Scania IT wants to get their data or by the private cloud, where Scania IT can just take their data

and use it on another PaaS.

Another important aspect for Scania IT was the cloud maturity index, that shows how mature a

company is in using cloud computing. This index has shown Scania IT their current position and

what is needed for them to reach a higher mature stage and minimize their risks. This index led to

the discussion whether Scania IT has a cloud defined strategy. Cloud defined strategy was an

important issue for Scania IT to follow in order to reach their goal to use cloud computing platform.

36

7.3 Future work Cloud computing is a broad developing topic with a lot of room for further research and analysis.

There are two approaches for future work, one for Scania IT and one for general researchers.

For Scania IT, this study concludes an overview for the reasons that can cause the company Scania

IT to think about the usage of cloud computing platform and the risk of vendor lock-in. This work

can be continued in different aspects. One of these aspects is to further study the Hybrid IT

strategies in terms of the applications needed to move to the cloud. Besides that, they need to

consider each application requirement, whether it requires the implementation of IaaS, PaaS or

SaaS. Another aspect that needs further research is the guideline of different cloud provider in terms

of their offering for portability and interoperability of data and applications.

For general researchers, this study is the ways to minimize the risk of vendor lock-in and strategies

that can be worked upon to achieve a higher leading CMI. This work can be continued by

evaluating the different cloud provider’s capabilities of offerings for portability and interoperability.

Also, to further look into further solutions of vendor lock-in and the new technologies and

standardization techniques that are striving to make vendor lock-in a decreased risk for companies.

37

References

[1] Scania. (Retrieved Feb 2015). Available from: http://www.scania.com/scania-group/history-of-

scania/

[2] Emma Jackson, Pro and Cons of Cloud Computing, December 19th, 2014. (Retrieved Feb

2015). Available from: http://techinfo.website/pro-and-cons-of-cloud-computing/

[3] David Greenwood, Ali Khajeh-Hosseini, Ian Sommerville, Cloud Migration: A Case Study of

Migrating an Enterprise IT System to IaaS, Cloud Computing Co-laboratory School of Computer

Science, University of St Andrews, UK. (Retrieved Feb 2015). Available from:

http://arxiv.org/ftp/arxiv/papers/1002/1002.3492.pdf

[4] Dana Petcu, Georgiana Macariu, Silviu Panica, Ciprian Crăciun, Portable Cloud applications-

From theory to practice. (Retrieved March 2015). Available from:

http://ac.els-cdn.com.focus.lib.kth.se/S0167739X12000210/1-s2.0-S0167739X12000210-

main.pdf?_tid=0a05fe52-ce36-11e4-96fb-

00000aacb35d&acdnat=1426769402_75d0ff846e970c8bc1ff4ceba348dd40

[5] Fullerton, R. Cloud Services, May, 2012. (Retrieved Feb 2015). Available from CBC Sync:

http://cbc.radio-canada.ca/en/reporting-to-canadians/sync/sync-issue-1-2012/cloud-services/.

[6] Joaquín Guillén, Javier Miranda, Juan Manuel Murillo, Carlos Canal, A service-oriented

framework for developing cross cloud migratable software, September 2013. (Retrieved March

2015).

[7] Ajith Ranabahu and Amit Sheth, Semantics Centric Solutions for Application and Data

Portability in Cloud Computing. (Retrieved May 2015). Available from:

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5708456

[8] Håkansson, Anne, Portal of Research Methods and Methodologies for Research Projects and

Degree Projects, 2013, Department of s Software and Computer Systems, The Royal Institute of

Technology, KTH, Kista, Sweden. (Retrieved Feb 2015). Available from: http://worldcomp-

proceedings.com/proc/p2013/FEC2979.pdf

[9] Qusay F. Hassan, Demystifying Cloud Computing, Faculty of Computers and Information,

Mansoura University, Egypt, Jan/Feb 2011. (Retrieved Feb 2015). Available from:

http://www.crosstalkonline.org/storage/issue-archives/2011/201101/201101-Hassan.pdf

38

[10] Peter Mell, Timothy Grance, The NIST Definition of Cloud Computing, September 2011.

(Retrieved Feb 2015). Available from: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-

145.pdf

[11] David Chappell, THE MICROSOFT PRIVATE CLOUD: A TECHNOLOGY OVERVIEW,

August 2011. (Retrieved Feb 2015). Available from:

http://www.davidchappell.com/writing/white_papers/The_Microsoft_Private_Cloud_v1.0--

Chappell.pdf

[12] Oxford University Press, (n.d.), Cloud computing. (Retrieved Feb 2015, from Oxford

Dictionaries). Available from: http://oxforddictionaries.com/definition/cloud+computing

[13] Cloud Computing, First international Conference, CloudCom2009, Beijing, China. (Retrieved

Feb 2015)

[14] Magdalena Kostoska,

, Marjan Gusev, Sasko Ristov, A New Cloud Services Portability

Platform. (Retrieved March 2015). Available from:

http://www.sciencedirect.com.focus.lib.kth.se/science/article/pii/S1877705814003646#

[15] Brandon Butler, PaaS Primer: What is platform as a service and why does it matter?, Feb

11th, 2013. (Retrieved Feb 2015). Available

from: http://www.networkworld.com/article/2163430/cloud-computing/paas-primer--what-is-

platform-as-a-service-and-why-does-it-matter-.html

[16] Stephan R. Smoot, Nam K.Tam, Private Cloud Computing: Consolidation, Virtualization, and

Service-Oriented Infrastructure. (Retrieved March 2015). Available from:

http://proquest.safaribooksonline.com.focus.lib.kth.se/book/operating-systems-and-server-

administration/virtualization/9780123849199/cover-image/navpoint-0-

11#X2ludGVybmFsX0h0bWxWaWV3P3htbGlkPTk3ODAxMjM4NDkxOTklMkZzdDAwMTBfY

jk3ODAxMjM4NDkxOTkwMDAxODAmcXVlcnk9

[17] The Open Group. (Retrieved March 2015). Available from:

http://www.opengroup.org/cloud/cloud/cloud_iop/cloud_port.htm.

[18] Cloud Standards Customer Council, Interoperability and Portability for Cloud Computing: A

Guide, November, 2014.(Retrieved March 2015). Available from: http://www.cloud-

council.org/CSCC-Cloud-Interoperability-and-Portability.pdf

[20] IEEE. (Retrieved March 2015). Available from:

https://www.ieee.org/education_careers/education/standards/standards_glossary.html

39

[21] ISO/IEC, 13066-1:2011Information technology -- Interoperability with assistive technology

(AT) -- Part 1: Requirements and recommendations for interoperability. (Retrieved April 2015).

(Retrieved March 2015). Available from: http://www.iso.org/iso/catalogue_detail?csnumber=53770

[22] Sunilkumar S. Manvi, Gopal Krishna Shyam, Resource management for Infrastructure as a

Service (IaaS) in cloud computing: A survey, 14 October 2013. (Retrieved April 2015).

[23] Margaret Rouse, Automated Provisioning. (Retrieved April 2015). Available from:

http://searchcloudprovider.techtarget.com/definition/automated-provisioning

[24] Majid Ali, WHAT IS CLOUD COMPUTING STACK (SAAS, PAAS, IAAS), Jun 16th, 2014.

(Retrieved April 2015).

[25] Gartner, GARTNER RELEASES MAGIC QUADRANT FOR CLOUD INFRASTRUCTURE AS

A SERVICE. MICROSOFT AZURE NOW A LEADER, 30 May 2014. (Retrieved April 2015).

Available from: http://up2v.nl/2014/05/30/gartner-releases-magic-quadrant-for-cloud-

infrastructure-as-a-service-microsoft-azure-now-a-leader/

[26] Marcel van den Berg, Windows Azure now Leader in Gartner Magic Quadrant for Enterprise

Application Platform as a Service, January 10th, 2014. (Retrieved April 2015). Available

from: http://cloudcomputing.info/en/news/2014/01/windows-azure-now-leader-in-gartner-magic-

quadrant-for-enterprise-application-platform-as-a-service.html

[27] Amazon, AMAZON ENTERS THE CLOUD COMPUTING BUSINESS STANFORD

UNIVERSITY, SCHOOL OF ENGINEERING, May 20, 2008. (Retrieved April 2015). Available

from: http://web.stanford.edu/class/ee204/Publications/Amazon-EE353-2008-1.pdf

[28] Amazon, Introducing AWS Elastic Beanstalk (Beta), Jan 19, 2011. (Retrieved April 2015).

Available form: http://aws.amazon.com/about-aws/whats-new/2011/01/19/introducing-aws-elastic-

beanstalk-beta/

[29] Stephen D. Burd, Systems architecture: Hardware and software in business information

systems (6th ed.), Boston, MA: Course Technology, Cengage Learning.(Retrieved April 2015).

[30] Martin Fowler, Continuous Integration, May 01, 2006, (Retrieved May 2015). Available from:

http://www.dccia.ua.es/dccia/inf/asignaturas/MADS/2013-

14/lecturas/10_Fowler_Continuous_Integration.pdf

[31] Magnus Eriksson, Hybrid IT (flexible delivery models), Scania CV AB, Stockholm, Sweden.

(Retrieved May 2015).

40

[32] STAMFORD, Gartner Says Hybrid IT is Transforming the Role of I, March 5th, 2012.

(Retrieved May 2015). Available from: http://www.gartner.com/newsroom/id/1940715

[33] Gartner, Hybrid IT: How Internal and External Cloud Services Are Transforming IT.

(Retrieved May 2015). Available from: https://www.gartner.com/doc/1918214/hybrid-it-internal-

external-cloud

[34] Microsoft Azure. (Retrieved Feb 2015). Available from: http://azure.microsoft.com/en-

us/overview/what-is-azure/.

[35] Apprenda, Cloud Federation. (Retrieved May 2015). Available from:

http://apprenda.com/library/glossary/definition-cloud-federation/

[36] European Union Agency for Network and Information Security, Cloud Computing Risk

Assessment, Nov 20th, 2009. (Retrieved June 2015). Available from:

https://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-

assessment

41

Appendix A - Shows the leading cloud providers in both IaaS and PaaS

Figure 1. Magic Quadrant for Cloud Infrastructure as a Service (IaaS). This figure shows the two

leading IaaS cloud providers that were discussed in the thesis, Amazon Web Services (AWS) and

Microsoft Azure. The leading provider in between the yellow stars is Amazon Web Services and

the one after in the blue stars is Microsoft Azure.

Figure 1

42

Figure 2. Magic Quadrant for Enterprise Application Platform as a Service (PaaS). This figure

shows the leading PaaS cloud providers salesforce.com and Microsoft Azure. The leading provider

in between the yellow stars is salesforce.com and the one after in blue stars is Microsoft Azure.

Figure 2

TRITA TRITA-ICT-EX-2015:127

www.kth.se