If you follow risk assessment best practices, public platform-as-a-service is a no go. That is, unless you sign on with a control freak.
Why Microsoft Is The Apple Of PaaS
Apple's ascendency over the past decade is often attributed to the maniacal control it exercises over hardware and software. Because of that near-complete dominance, Apple can take responsibility for the full user experience, and that leads to better products. Take, for example, the fact that my 2011 MacBook Air always resumes from standby in a second, whereas my Lenovo ThinkPad running Windows 7 often takes more than a minute -- and sometimes doesn't ever properly resume at all. Yes, the number of options that Apple provides is limited, but it darn well makes sure they work together properly.
There's a strong parallel between my Apple vs. Lenovo laptops and Microsoft Azure vs. pure public PaaS. If you select the Microsoft stack (.NET, SQL Server, IIS) and you run it on Azure, then (from a risk assessment standpoint, at least) Microsoft can take control for patching and updates across your full application stack. In fact, updating the host OS is a key selling point of Azure, and problems resulting from those updates are covered by the Azure service-level agreement. So, unlike with Google App Engine or Heroku or other pure public PaaS players, Azure should pass a standard vendor risk assessment without issue, provided you're using the pure Microsoft stack.
Now, I'm not saying Azure is bulletproof. Microsoft could certainly screw up patching and do other things to undermine it from a risk management standpoint. Azure can run non-Microsoft stack elements (see touting of such support in a recent blog post), but in doing so, it enters the messy risk management world of other public PaaS offerings.
There are also many selection criteria outside of vendor risk assessment, as we discuss in our PaaS Buyer's Guide, among them a few good reasons not to use Azure. But there's no getting around the fact that, for mission-critical applications, passing a vendor risk assessment is a necessary evil.
The Future Of PaaS
I see two types of platforms that can sit on top of either private clouds (OpenStack, CloudStack) or public IaaS (or both) as the future the PaaS. PaaS-enabling software, like Apprenda, Cloud Foundry or OpenShift, allows organizations to provide the benefits of PaaS to their developers while maintaining control over the stack (including patching). And cloud configuration management software and services like Enstratius, RightScale, SaltStack and Scalr allow organizations to template-ize servers in a way that's more free-form than PaaS, but with many of the same benefits of making server launches repeatable and simple, and developer code testing and deployment painless.
I don't have a strong sense which of these will win. It's ultimately a question of whether PaaS-enabling software can build in enough flexibility to support the many different ways that developers end up having to configure their stacks, and/or whether cloud configuration management software and services can provide enough structure around configuration management to keep server definitions from devolving into the equivalent of brownfield code.
Oh, and I expect to see Microsoft Azure in the future of PaaS as well, at the very least supporting its own walled garden for public, private and hybrid clouds.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.