Microsoft Is The Apple Of PaaS - InformationWeek

Microsoft Is The Apple Of PaaS

If you follow risk assessment best practices, public platform-as-a-service is a no-go. That is, unless you sign on with a control freak.

I believe that some form of PaaS is the future. But I'm also coming to believe that pure-play public PaaS offerings -- that is, the Herokus and Google App Engines of the world -- are doomed as far as serious deployments go. They'll be the DreamHosts of tomorrow, great for people spending $10 a month or less on a small website, but essentially ignored by those with serious business needs. The exception: Microsoft's Azure, which, as a "full stack" provider, can meet the risk- and regulatory-driven patching requirements of those serious businesses.

The downfall of pure public PaaS is that, from a cloud security and risk perspective, it's a much more challenging model than either software-as-a-service or infrastructure-as-a-service. With both SaaS and IaaS, you delegate security, availability and compliance concerns to a single vendor, which in most cases will make contractual commitments about how it will meet those needs. With non-Azure pure public PaaS, however, you're using a stack (Web server, Web framework, database server, caching servers, supporting libraries) that the PaaS vendor does not develop or directly support -- and over which you, as a customer, do not have complete control, either.

A touted "benefit" of PaaS is that you don't have to worry about installing/configuring/patching the software in your stack. But that sword cuts the other way pretty badly when you consider the risk, security and compliance implications of handing off responsibility for software bug fixes, and for making sure that updates don't break compliance or other obligations, to a company that doesn't develop or control the software (we discuss the compliance conundrum in much more depth in our "Audit Fail" cover story).

And the risk picture gets even bleaker for Heroku when you consider that it runs entirely on Amazon's hardware.

This is ultimately a real Catch-22. A service like Heroku or Google App Engine can either automatically upgrade software packages (say, from version 9.2.23 to 9.2.24) without customer permission, or it can wait until customers manually accept changes. In the former case, upgrades have the potential to break applications and compliance, because the PaaS provider is not the developer of the patched software and cannot control or guarantee the quality of the patch (see, for example, the story of Ruby 1.8.7-p173 or Cloud Foundry's Tomcat upgrade; for a more detailed analysis of this issue, read William Vambenepe's oldie but goodie blog post). In the latter case, the PaaS provider is pushing a responsibility on the customer that undermines one of the key selling points of PaaS: "You don't have to worry about configuring and patching software."

Fundamentally, because no vendor is going to take responsibility for -- and no one is truly in control of -- making sure that patches are put in place in a timely fashion and guaranteeing that they won't break your applications, you do, in fact, have to take control of patching. In that case, why not just use IaaS?

PaaS vendors may figure they can just sell to organizations that don't concern themselves with vendor risk assessments (hello startups!). That'll be fine until a critical application runs into problems surrounding patching or some adjacent issue that just can't be ignored (see Adrian Holovaty's "Why I Left Heroku" for an example).

Indeed, I think the only remaining market question in the PaaS world is whether PaaS-enabling software or cloud configuration management software will be more dominant. In short, pure public PaaS is doomed -- with one notable exception.

User Rank: Ninja
9/4/2013 | 4:47:44 PM
re: Microsoft Is The Apple Of PaaS
I would at least hope that Red Hat takes some of its expertise from RHEL to build some guarantees around a specific OpenShift stack. But I would doubt that IBM has the expertise (or attention) to do such a maintenance task itself, and Google is fine with perpetual beta / giving customers 95% of what they need at 5% of the cost and letting the people who need the 100% solution go elsewhere. But I do think that Red Hat has a chance of mitigating some of the issues I raise here.
User Rank: Apprentice
9/4/2013 | 3:18:03 PM
re: Microsoft Is The Apple Of PaaS
You have missed an emerging variant of PaaSes based on the container concept. Check out the Docker project. No solid full-blown PaaS based on this available yet, but many in the creation phase. Cloud Foundry v2 has embedded support for warden which is similar.

By packaging apps into containers the infrastructure provider becomes increasingly irrelevant from an application functionality point-of-view, but very relevant from a deployment scalability/robustness perspective. That's the right balance. To marry your app to the PaaS is just looking for trouble down the line.
D. Henschen,
User Rank: Author
9/4/2013 | 2:44:28 PM
re: Microsoft Is The Apple Of PaaS
This analysis puts a lot of faith in sole ownership of stack components, but I suspect the biggest challenges in running a reliable PaaS have a lot more to do with flawless operational execution and proactive communications with customers about changes that might impact their applications. Even walled gardens are known to harbor a few weeds. I also question whether the Apple-style control analogy can apply to enterprise IT, where diversity generally rules.
Lorna Garey,
User Rank: Author
9/4/2013 | 2:31:06 PM
re: Microsoft Is The Apple Of PaaS
Joe, do you see any moves by bigger PaaS players, like IBM, Red Hat and Google, to try and get their own internal stacks, whether by acquisition or in-house dev? I mean, besides being a compliance pain point for customers, you know the PaaS provider has to deal with finger pointing every time a patch hits. Something *always* breaks.