
Rating and Certifying the Cloud Hosting and Web Application Providers.

Part III

I have been slowly morphing my consulting practice. I usually offer myself as a
product sector strategy asset. Product Managers and VP's in the on-line
applications business hire me to shoulder some of their burden when targeting
specialist sectors - you know, industrial, technical, services, professional.
These established clients usually have an idea of where their development efforts
are heading. I came in to refine and prove the potential numbers. I developed
approaches to paid subscriptions, industry specialty requirements, and I found
innovative ways to exploit trade specific marketing. I was the product manager's
helper, and it was a good gig until about 2007, when the economy got soft.
Analysts are the first to have their contracts cut.

Now I am delivering what I learned as an analyst, and applying this to
evangelizing small and medium businesses. These folks are the end users I had
quantified, targeted, and interviewed in my work for web applications providers.
Small and medium bizfolks perceive the benefits of hosted services and cloud
computing. They clearly perceive the benefits of fault tolerance, licensing
advantages, and a simplified communications topology. These smaller accounts are
certainly numerous. Can they abide having recurring computing fees forever? They
certainly know that their internal server and workstation / mobile infrastructure
(as traditionally delivered) costs them big time when things go bad.

The SME / SMB, in other words, gets it. They get the benefits of Web based, cloud
hosted stuff. They like getting out from under the local IT support guy, or the
internal IT guy that they are held hostage to. They look forward to a time where
individual routers with special configurations are replaced by safe, centralized
fault tolerant networks, servers, and comm infrastructure that they can provision
and pay for in a rational way. They just don't know if they can trust you and if
you will be around long enough to justify the cut over.

So, before I close this series, which might include one more post on the brokering
of technical services between partners and competitors to backstop business
continuity failures, I will talk briefly about ratings and certifications for any
remote provider of compute and storage - out there in the cloud.

Established utility computing providers, like AWS, are probably uninsurable as
far as clients' needs are concerned; they are too big, and any coverage they do
have insures only their own facilities and operations, which does accrue somewhat
to the client's benefit in the very long run, but does nothing when the downtime
occurs. In the case of the big dogs, your insurance is their size and need to
maintain a reputation. Eventually we will get our way, and instances of client
computing services will get risk based pricing, preceded by business viability
ratings, and of course, certifications for good facilities, operating procedures,
and back office accounting standards. I'm willing to bet the ISO is working up
something in their wild and crazy working groups as we speak.

One more thing: Why is PAAS different?

Briefly: clients using unitary applications or suites have invested a certain
amount of time moving from thick client project management to a hosted solution
(one example). They have probably identified ways of moving the data off the
platform (I hope), and so on. They are using an application, and we have all
changed applications. PAAS is like marrying your company to .Net or some other
standard. There is an investment, a rather large one for the SME, actually. For
the lone developer making web apps, it's ok.

The PAAS landscape is made of some very innovative and funny systems. I think you
know what I mean. Some remind me of 4GL, some will let you host a language and
framework, but not the integral database, some have language environments that are
made from whole cloth. As a group they are fascinating and right on the cutting
edge, and they are, as a group, under capitalized and illiquid. There are
exceptions, but I will bet you the best dinner in Boston that one would be hard
pressed to find a PAAS provider that would allow an industry ratings organization
to inspect their capital and operations profile.

If a SAAS application company is illiquid in its essence, then we find another,
move the data. If a PAAS company is under capitalized, we have a larger set of
problems. The way migration has been handled for PAAS failures has been shameful.

Someone once asked me if the 25M round for an on-line storage provider places them
in a well capitalized position; my answer was, "it depends, but generally, no, it
is not considered well capitalized for the intended target and use case - 25M in a
VC round ain't shit when rating a crucial service provider that has not attained
sustained profitability and near perfect uptime."

Now, on to ratings and certifications for the cloud.

What is the difference between a rating and a certification? For the purpose of
underwriting the risks of business continuity failures due to computing failures,
there is an assumed, informal distinction.

Ratings are gathered from the outside in; companies are surveyed, their clients
are surveyed, and they provide voluntary information. Also, performance data is
collected in the wild - you know, up-time, availability, responsiveness to support
tickets, and the like. Ratings take time to compile. Sometimes, ratings can be
derived from historical data and a large set of participating clients. Risk based
underwriting may make use of industry ratings, but the primary use of ratings,
particularly those blessed by trade groups and associations, is to make clients

Finally, only when ratings do not jibe with reality does the following become
apparent: Ratings imply no promise of performance. This may seem like a small
thing, a semantic difference, but for those who price IT risk for third party
payouts, it's the whole ball game. One cannot rate a business's operational
viability, nor its ability to survive and thrive, without invasive audits by
trusted, confidential examiners from industry standards organizations.

So, this is where Certifications, capital C, come in. Certifications are invasive,
involving on site auditing and live tests that determine specific functionality.
ISO, SAS 70, and SysTrust are some of the current examples of certs that are in
vogue for typical data center assurances. Unfortunately, none of these standards,
as good as they are, really address all of the issues underwriters need to
individually insure a client of a cloud host, SAAS or PAAS provider. In the case
of PAAS start ups, it's a messy process to accurately quantify risks when so much
muscle and blood has been invested in cutting over incumbent processes - and the
fact that for some reason, the PAAS providers, taken as a group, are some of the
shakiest kids on the block.

Big data centers can be certified, telecommunications can be certified, processes
that handle customer data can be certified, etc. For these types of certs, AICPA
is the best we have in SAS 70 and SysTrust. In order to indemnify clients using
remote IT services (SAAS, Clouds, Grids, PAAS), we may need more.

You want more than SAS 70, or other certifications, can deliver? The insurance
underwriting industry in its forward looking moments knows that technology and
operations are the least fragile variable in the total equation. In order to offer
business continuity assurances to the Cloud's clients, the carriers want audited
viability in the following areas:

1) Management Background (the principals' backgrounds and disclosures being free
from deception).

2) Operations audits (GAAP, Records retention policies, maintenance procedures)

3) Operations Liquidity (Does the company pass the viability test for a
"foreseeable period of operations that encompass an adequate time horizon,
considering the industry's typical cycle of periodic upgrades and major technical

4) Security and Exposure to 3rd party liabilities (Does the company operate in a
manner that would mitigate against common IT liabilities for data security, loss,
and mishandling of customer information?).

Once these broad systemic root certifications can be determined, either through
existing industry organizations or via a new body, then the underwriters can start
processing the risks involved. After the risk is priced, then measures to
operationally offset the risk can be applied. And.....

Once the risks are sufficiently offset and the risks are recalculated for those
cloud offerings that voluntarily avail themselves of these aforementioned
technically mitigated risks....then we can look forward to a developing insurance
segment that can offer professional lines of coverage for cloud computing

Finally, finally, we come to the technical, operational offsets of client risks,
where I am more familiar and on home ground. We will discuss using brokered
services and API's via blind third parties that will cover outages in the cloud.
This is where the real work gets done. Without offsetting risks, there may never
be adequate coverage options for clients of the cloud.

Next post!
