Commentary
9/4/2013
00:53 AM

Microsoft Is The Apple Of PaaS

If you follow risk assessment best practices, public platform-as-a-service is a no go. That is, unless you sign on with a control freak.

I believe that some form of PaaS is the future. But I'm also coming to believe that pure-play public PaaS providers -- that is, the Herokus and Google App Engines of the world -- are doomed as far as serious deployments go. They'll be the DreamHosts of tomorrow, great for people spending $10 a month or less on a small website, but essentially ignored by those with serious business needs. The exception: Microsoft's Azure, which, as a "full stack" provider, can meet the risk- and regulatory-driven patching requirements of those serious businesses.

The downfall of pure public PaaS is that, from a cloud security and risk perspective, it's a much more challenging model than either software-as-a-service or infrastructure-as-a-service. With both SaaS and IaaS, you delegate security, availability and compliance concerns to a single vendor, which in most cases will make contractual commitments about how it will meet those needs. With non-Azure pure public PaaS, however, you're using a stack (Web server, Web framework, database server, caching servers, supporting libraries) that the PaaS vendor does not develop or directly support -- and over which you, as a customer, do not have complete control, either.

A touted "benefit" of PaaS is that you don't have to worry about installing/configuring/patching the software in your stack. But that sword cuts the other way pretty badly when you consider the risk, security and compliance implications: you are handing responsibility for software bug fixes, and for making sure that updates don't break compliance or other obligations, to a company that doesn't develop or control the software (we discuss the compliance conundrum in much more depth in our "Audit Fail" cover story).

And the risk picture gets even bleaker for Heroku when you consider that it runs entirely on Amazon's hardware.

This is ultimately a real Catch-22. A service like Heroku or Google App Engine can either automatically upgrade software packages (say, from version 9.2.23 to 9.2.24) without customer permission, or it can wait until customers manually accept changes. In the former case, upgrades have the potential to break applications and compliance, because the PaaS provider is not the developer of the patched software and cannot control or guarantee the quality of the patch (see, for example, the story of Ruby 1.8.7-p173 or Cloud Foundry's Tomcat upgrade; for a more detailed analysis of this issue, read William Vambenepe's oldie but goodie blog post). In the latter case, the PaaS provider is pushing a responsibility on the customer that undermines one of the key selling points of PaaS: "You don't have to worry about configuring and patching software."

Fundamentally, because no vendor is going to take responsibility for -- and no one is truly in control of -- making sure that patches are put in place in a timely fashion and guaranteeing that they won't break your applications, you do, in fact, have to take control of patching. In that case, why not just use IaaS?

PaaS vendors may figure they can just sell to organizations that don't concern themselves with vendor risk assessments (hello, startups!). That'll be fine until a critical application runs into problems surrounding patching or some adjacent issue that just can't be ignored (see Adrian Holovaty's "Why I Left Heroku" for an example).

Indeed, I think the only remaining market question in the PaaS world is whether PaaS-enabling software or cloud configuration management software will be more dominant. In short, pure public PaaS is doomed -- with one notable exception.

Comments
cbabcock,
User Rank: Strategist
9/12/2013 | 8:15:52 PM
re: Microsoft Is The Apple Of PaaS
Microsoft is trying to grow up as a PaaS provider. In some ways, PaaS represents the most mature thinking inside Microsoft. It's not chasing after other people's customers (a la touch screens) and it knows its business value. See Mark Russinovich remarks here.
jemison288,
User Rank: Ninja
9/7/2013 | 12:57:38 AM
re: Microsoft Is The Apple Of PaaS
Yes, although I put those in a separate category ("Proprietary PaaS") and generally view them as a bad idea, unless you're getting something from the proprietary aspect. (e.g., PropertyBase, which leverages Salesforce's brand and contacts).
David F. Carr,
User Rank: Author
9/5/2013 | 4:29:44 PM
re: Microsoft Is The Apple Of PaaS
Wouldn't Salesforce Force.com have a similar integrated stack advantage, at least for the apps that fit within their framework?
cbabcock,
User Rank: Strategist
9/5/2013 | 12:33:55 AM
re: Microsoft Is The Apple Of PaaS
Joe is talking knowledgeably about where software responsibility lies (or doesn't lie) in the cloud, an issue that's not going away. It will become paramount as production systems move toward being hosted by cloud service providers. The cloud has to be a much more standard environment than the typical enterprise data center. Cloud providers other than Microsoft have a shot at this, but Microsoft has an inherent advantage when it comes to a standardized and well-maintained platform as a service. It's going to show in the long run.
jemison288,
User Rank: Ninja
9/4/2013 | 11:42:48 PM
re: Microsoft Is The Apple Of PaaS
I'm actually making both points: I'm saying that (a) there isn't any PaaS provider (other than Microsoft) who will take responsibility today, and (b) I have a hard time believing that any PaaS provider is actually capable of doing so, because they don't develop the software in question (and if they don't control it, how could they take responsibility for it?)
jemison288,
User Rank: Ninja
9/4/2013 | 11:41:20 PM
re: Microsoft Is The Apple Of PaaS
The point about DreamHost doesn't have anything to do with commoditization--it has to do with only being able to fulfill the bottom end of the market.
David F. Carr,
User Rank: Author
9/4/2013 | 10:23:50 PM
re: Microsoft Is The Apple Of PaaS
Re: taking responsibility for the platform, my question is whether the issue is technical or contractual. Does it really need to be a single stack, or just a PaaS provider willing to take responsibility for making the pieces fit together?
Thomas Claburn,
User Rank: Author
9/4/2013 | 8:51:12 PM
re: Microsoft Is The Apple Of PaaS
To say that PaaS vendors are destined to become the DreamHosts of tomorrow is a given: Commoditization happens over time. PaaS vendors will either figure out ways to add value (and maintain margins) or they will be made obsolete by the inevitable march of technology.
jemison288,
User Rank: Ninja
9/4/2013 | 4:51:33 PM
re: Microsoft Is The Apple Of PaaS
Putting applications in containers doesn't eliminate the problem of ownership over patching.
jemison288,
User Rank: Ninja
9/4/2013 | 4:49:49 PM
re: Microsoft Is The Apple Of PaaS
Definitely good points here. My perspective is that, with something like Heroku, there is *no* ownership of stack components from a patch perspective. It's just left hanging in the breeze. So my point is just that if there is a walled garden, the vendor has to own the components, and so that is at least theoretically better. But, as I say in the piece, Microsoft can definitely still screw up Azure.