From my blog post in Aug’07 (see http://blog.gardeviance.org/2007/08/commoditisation-and-web-20-worth-part.html) discussing the “cloud” …

“Low risk in this context would mean multiple providers of the same service which you can swap between, as opposed to the details [infrastructure architecture] of any one provider. To be able to swap between services you need not only standardised services but multiple providers and the freedom to move data, application or framework (depending upon which level of the stack you are talking about) between the providers.

In this context open source is a necessity to provide not only the base standards but also an operational means of implementing that standard. It is neither a tactic or a strategy.

However, open source (and in this context I mean GPLv3) is not sufficient, you also need some form of additional information to ensure the users of such services that they aren’t being locked-in, or that this provider is really compatible with another or they can run their own installation should they wish to.

This can only be achieved through monitoring and the use of trademarking, by an authoritative group providing assurance to end users that this provider meets the standard, that any primitives have not been modified and that what you run with one provider will work on another.”

The issue of risk & auditing are all connected to the lack of second sourcing options, transparency and standards. We need both portability and assurance (or trust if we must) for the cloud.

As for SaaS != Cloud etc. Cloud computing is simply a manifestation of the shift of IT from a product to a service based economy. It effects each layer of the computing stack from the software we write, to the frameworks we build in to the hardware / virtualisation / operating systems we build upon.

There’s an online video of my OSCON’07 talk which covered this if you’re interested (see http://blog.gardeviance.org/2007/10/previous-talk.html )

Anyway, my take on the compliance issue even for SaaS is that you still need to monitor the data flows. I don’t care whether it is coming from a real box or a virtual machine, either way, you need to mirror that data to a compliance auditor to cover that part. It’s also crucial to adopt IDP or one of the older security devices to maintain full coverage. Regardless of SPAN/TAP shortages (you can fix that with tool and port aggregation anyway).

So tell me – where do each of you draw the line on what “cloud computing” is anyway?

[Note: this same comment was posted on the GoGrid blog article]

Thanks for the response. True, the auditing and compliance portion probably needs to go much further. For the short term, many providers will be self-auditing until the standards are truly brought up to speed and the independent auditors fully understand what is involved. It’s a great extension for their business model actually and I think they will reap the benefits of being able to fully audit “the Cloud.” SAS70 (an acronym that you mentioned) is just an example. GoGrid is one of the few (only?) Cloud providers that can say that.

In terms of your other points:
1) I don’t fully agree with that statement that the business model is sustainable only for someone selling excess capacity. It is a shift in many different models. Who would have thought that SaaS would be so wildly successful? The billing models fit better to a time where budgets are tight. Data Centers could convert over to providing Cloud services (smaller footprint, less power, etc.). However, doing ONLY Cloud might be a bit dangerous, so I somewhat agree. Diversification is critical. This is part of the reason why we offer traditional datacenter (ServePath/ColoServe) services as well as CloudCenter (GoGrid) services. User then have the ability to pick and choose their solution, one or the other or both together (Cloud Connect).
1a) I don’t think this is any different than traditional hosting. You have to, as a provider, be ready to scale one way or another. Planning, whether traditional or cloud, needs to take place, so I don’t really understand the concern as being only with the Cloud.

2) Sorry, but I still do view SaaS as a Cloud segment (Cloud Applications). However, I do think that there are some SaaS providers that don’t quite fit in. Cloud Computing, in general, is a term that is very broad and general, but we are seeing the fine-tuning taking place.

Thanks for the thoughtful discussion.
-Michael Sheehan

Your original post covered a lot of ground. I think the business model is an interesting question, and one that has to be on the minds of cloud providers and their investors. The capital issues you identify are real, but vary from provider to provider. Some “cloud” providers actually own their own data centers, others appear to use colo space, and some simply run stuff atop AWS or another third-party platform.

On the provider side, it boils down to a hardware utilization game. Amazon started AWS to monetize surplus capacity, since it had the hardware available to manage the Christmas traffic crush. Rackspace thinks it can make more money per server in the cloud, but it’s also repurposing retired servers to wring more revenue out of each piece of hardware. Not everyone in this space can do that.

What then about my other points?

1. The business model of “cloud provider” is only sustainable for somebody selling excess capacity. It is unlikely that a “cloud provider” can succeed in a stand-alone fashion.

1a: What happens when that excess capacity is needed for its primary purpose? Or, what happens when the application running in the cloud succeeds far beyond the cloud’s ability to support it? How can you financially survive the former event as a user, or the latter event as a cloud provider?

2. The media needs to demand clarity of terminology. ASP/SaaS!=Cloud. “Cloud” is really a lower-level concept independent of the application layer. Perhaps I’m being pedantic but I find it irritating when the terminology is used interchangeably.

–chuck