Cloud // Platform as a Service
Commentary
9/4/2013
12:53 AM
Connect Directly
LinkedIn
Google+
Twitter
RSS
E-Mail
50%
50%

Microsoft Is The Apple Of PaaS

If you follow risk assessment best practices, public platform-as-a-service is a no go. That is, unless you sign on with a control freak.

I believe that some form of PaaS is the future. But I'm also coming to believe that pure-play public PaaS -- that is, the Herokus and Google App Engines of the world -- are doomed as far as serious deployments go. They'll be the DreamHosts of tomorrow, great for people spending $10 a month or less on a small website, but essentially ignored by those with serious business needs. The exception: Microsoft's Azure, which, as a "full stack" provider, can meet the risk- and regulatory-driven patching requirements of those serious businesses.

The downfall of pure public PaaS is that, from a cloud security and risk perspective, it's a much more challenging model than either software-as-a-service or infrastructure-as-a-service. With both SaaS and IaaS, you delegate security, availability and compliance concerns to a single vendor, which in most cases will make contractual commitments about how it will meet those needs. With non-Azure pure public PaaS, however, you're using a stack (Web server, Web framework, database server, caching servers, supporting libraries) that the PaaS vendor does not develop or directly support -- and over which you, as a customer, do not have complete control, either.

A touted "benefit" of PaaS is that you don't have to worry about installing/configuring/patching the software in your stack. But that sword cuts the other way pretty badly when you consider the risk, security and compliance implications of handing responsibility for software bug fixes and making sure that updates don't break compliance or other obligations off to a company that doesn't develop or control the software (we discuss the compliance conundrum in much more depth in our "Audit Fail" cover story).

And the risk picture gets even bleaker for Heroku when you consider that it runs entirely on Amazon's hardware.

This is ultimately a real Catch-22. A service like Heroku or Google App Engine can either automatically upgrade software packages (say, from version 9.2.23 to 9.2.24) without customer permission, or it can wait until customers manually accept changes. In the former case, upgrades have the potential to break applications and compliance, because the PaaS provider is not the developer of the patched software and cannot control or guarantee the quality of the patch (see, for example, the story of Ruby 1.8.7-p173 or Cloud Foundry's Tomcat upgrade; for a more detailed analysis of this issue, read William Vambenepe's oldie but goodie blog post). In the latter case, the PaaS provider is pushing a responsibility on the customer that undermines one of the key selling points of PaaS: "You don't have to worry about configuring and patching software."

Fundamentally, because no vendor is going to take responsibility for -- and no one is truly in control of -- making sure that patches are put in place in a timely fashion and guaranteeing that they won't break your applications, you do, in fact, have to take control of patching. In that case, why not just use IaaS?

PaaS vendors may figure, just sell to organizations that don't concern themselves with vendor risk assessments (hello startups!). That'll be fine until a critical application runs into problems surrounding patching or some adjacent issue that just can't be ignored (see Adrian Holovaty's "Why I Left Heroku" for an example).

Indeed, I think the only remaining market question in the PaaS world is whether PaaS-enabling software or cloud configuration management software will be more dominant. In short, pure public PaaS is doomed -- with one notable exception.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Author
9/4/2013 | 2:31:06 PM
re: Microsoft Is The Apple Of PaaS
Joe, Do you see any moves by bigger PaaS players, like IBM, Red Hat and Google, to try and get their own internal stacks, whether by acquisition or in-house dev? I mean, besides being a compliance pain point for customers, you know the PaaS provider has to deal with finger pointing every time a patch hits. Something *always* breaks.
D. Henschen
50%
50%
D. Henschen,
User Rank: Author
9/4/2013 | 2:44:28 PM
re: Microsoft Is The Apple Of PaaS
This analysis puts a lot of faith in sole ownership of stack components, but I suspect the biggest challenges in running a reliable PaaS have a lot more to do with flawless operational execution and proactive communications with customers about changes that might impact their applications. Even walled gardens are known to harbor a few weeds. I also question whether the Apply-style control analogy can apply to enterprise IT, where diversity generally rules.
StefanF055
50%
50%
StefanF055,
User Rank: Apprentice
9/4/2013 | 3:18:03 PM
re: Microsoft Is The Apple Of PaaS
You have missed an emerging variant of PaaSes based on the container concept. Check out the Docker project. No solid full blown PaaS based on this available yet, but many in the creation phase. Cloud Foundry v2 has embedded support for warden which is similar.

By packaging apps into containers the infrastructure provider becomes increasingly irrelevant from an application functionality point-of-view, but very relevant from a deployment scalability/robustness perspective. That's the right balance. To marry your app to the PaaS is just looking for trouble down the line
jemison288
50%
50%
jemison288,
User Rank: Ninja
9/4/2013 | 4:47:44 PM
re: Microsoft Is The Apple Of PaaS
I would at least hope that Red Hat takes some of its expertise from RHEL to build some guarantees around a specific OpenShift stack. But I would doubt that IBM has the expertise (or attention) to do such a maintenance task itself, and Google is fine with perpetual beta / giving customers 95% of what they need at 5% of the cost and letting the people who need the 100% solution go elsewhere. But I do think that Red Hat has a chance of mitigating some of the issues I raise here.
jemison288
50%
50%
jemison288,
User Rank: Ninja
9/4/2013 | 4:49:49 PM
re: Microsoft Is The Apple Of PaaS
Definitely good points here. My perspective is that, with something like Heroku, there is *no* ownership of stack components from a patch perspective. It's just left hanging in the breeze. So my point is just that if there is a walled garden, the vendor has to own the components, and so that is at least theoretically better. But, as I say in the piece, Microsoft can definitely still screw up Azure.
jemison288
50%
50%
jemison288,
User Rank: Ninja
9/4/2013 | 4:51:33 PM
re: Microsoft Is The Apple Of PaaS
Putting applications in containers doesn't eliminate the problem of ownership over patching.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Author
9/4/2013 | 8:51:12 PM
re: Microsoft Is The Apple Of PaaS
To say that PaaS vendors are destined to become the DreamHosts of tomorrow is a given: Commoditization happens over time. PaaS vendors will either figure out ways to add value (and maintain margins) or they will be made obsolete by the inevitable march of technology.
David F. Carr
50%
50%
David F. Carr,
User Rank: Author
9/4/2013 | 10:23:50 PM
re: Microsoft Is The Apple Of PaaS
Re: taking responsibility for the platform, my question is whether the issue is technical or contractual. Does it really need to be a single stack, or just a PaaS provider willing to take responsibility for making the pieces fit together?
jemison288
50%
50%
jemison288,
User Rank: Ninja
9/4/2013 | 11:41:20 PM
re: Microsoft Is The Apple Of PaaS
The point about DreamHost doesn't have anything to do with commoditization--it has to do with only being able to fulfill the bottom end of the market.
jemison288
50%
50%
jemison288,
User Rank: Ninja
9/4/2013 | 11:42:48 PM
re: Microsoft Is The Apple Of PaaS
I'm actually making both points: I'm saying that (a) there isn't any PaaS provider (other than Microsoft) who will take responsibility today, and (b) I have a hard time believing that any PaaS provider is actually capable of doing so, because they don't develop the software in question (and if they don't control it, how could they take responsibility for it?)
Page 1 / 2   >   >>
Google in the Enterprise Survey
Google in the Enterprise Survey
There's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity ­products, and 69 percent cite Google Apps' good or excellent ­mobility. But progress could still stall: 59 percent of nonusers ­distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Nov. 10, 2014
Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 16, 2014.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.