Image via Wikipedia

There is an overwhelming view among the pundits that PaaS is the future of cloud services and IaaS will slowly go into the background. In fact, in my opinion, PaaS is the idea of cloud computing that comes closer to the utility comparison made by Nick Carr in his book “The Big Switch”. In this series I am going to dig deeper into the future of PaaS and how various companies are positioning themselves to meet this future. In this first post of the series, I am going to dig deeper into the general idea and then take a look at how different players from the entire cloud stack, IaaS to SaaS, are playing the game. In the next post, I will talk about one of the interesting companies in the mix, Heroku, and briefly touch upon a recent news that came out recently.

Why PaaS and Why Not IaaS?

The poster boy (girl) of cloud computing is Amazon Web Services and they are basically an IaaS player offering compute and storage services. Their huge success is one of the reasons why cloud computing is gaining so much traction with everyone from individual developers to small businesses to enterprises. They completely altered the way we do computing by cutting down the costs drastically empowering the startups and small business to have IT similar to that of enterprises. Their success has lead many more providers to jump into the infrastructure game making IaaS the pretty girl (handsome boy) in the cloud computing block.

IaaS completely changed the way developers deployed their applications. Instead of spending big with their own datacenters or managed hosting companies or colocation services and then hiring operations staff to get it going, they can just go to Amazon Web Services or one of the other IaaS providers, get a virtual server running in minutes and pay only for the resources they use. With cloud brokers like Rightscale, enStratus, etc., they could easily grow big without worrying about things like scaling and additional security. In short, IaaS and other associated services has enabled startups and other businesses focus on their core competencies without worrying much about provisioning and management of infrastructure. IaaS completely abstracted the hardware beneath it and allowed users to consume infrastructure as a service without bothering anything about the underlying complexities.

Even though IaaS made it easy for developers to go to the market fast with their applications and other services, it still required them to have some operational expertise. In the case of startups and other small companies, the use of IaaS still required the developers to know a bit about managing the virtual servers, OSes, middleware stack, etc.. If the developers didn’t have much expertise, they had to hire sysadmins who could take care of managing the infrastructure. On the enterprise level, it needed significant investments in operations workforce. In short, it was not the cloud which Nick Carr made us all to imagine.

This is where PaaS came in handy. PaaS is one layer above IaaS on the stack and abstracts away everything up to OS, middleware, etc.. This offers an integrated set of developer environment that a developer can tap to build their applications without having any clue about what is going on underneath the service. It offers developers a service that provides a complete software development lifecycle management, from planning to design to building apps to deployment to testing to maintenance. Everything else is abstracted away from the “view” of the developers. In short, PaaS takes operations out of the picture and gives the developers a complete peace of mind. With IaaS, a developer with no help on operations from people with sysadmin skills is very likely to botch up the application either at its inception or while scaling. PaaS makes developers succeed even if they are completely “operations blind”. This makes PaaS ver attractive for the future of cloud computing.

The advantages of PaaS are

• Complete abstraction all the way up to development environments and other middleware components, taking the operations out of the picture
• Considerable cost savings and faster time to market
• Better security. As Chris Hoff pointed out,  one could enforce sanitary programmatic practices across the derivate works built upon PaaS

Does it mean end of road for IaaS?

Not really. PaaS will not kill off IaaS. Rather, it pushes IaaS completely into the background. Even in a PaaS dominated world, IaaS is still important because

• PaaS will not be dominated entirely by big players like Google or Microsoft. There will be many smaller level players, some of whom offer some niche platforms. For example, PaaS companies like Heroku and Engine Yard can’t afford their own datacenters. Such players will run on top of IaaS
• There are other component services that extend core PaaS platforms. These players will run on top of IaaS while integrating with PaaS players
• There may be many developers who want custom platform stack for their needs. Such developers will always need IaaS

There are many other reasons why IaaS will exist in the background ceding limelight to PaaS.

The Future Of IaaS Vendors Are Gloomy. Huh?

Not exactly. Many IaaS vendors are understanding the PaaS based world in the future. That is why they are already planning to move up the stack. Whether it is public cloud providers like Amazon or players who are strong in the private cloud space like VMware, they are already moving up the stack. We will continue to see this trend where these originally IaaS players differentiate themselves in the PaaS layer. It is not just the IaaS vendors who are moving up the stack but we are also seeing SaaS vendors moving down the stack. For example, we have seen how Salesforce is trying to make their Force.com platform attractive for the developers. SaaS vendors are also seeing a PaaS future and are repositioning themselves to take advantage of such a future.

In the future posts in this series, I will take individual providers and dig deep into their offerings, strategies, etc.. The next post in this series will feature Heroku and I will follow it up with other players in the coming weeks.

Image via CrunchBase

In the weekend, Meebo, along with companies like Google, Yahoo, Myspace, Disqus, Janrain, etc., announced the release of an open identity platform called XAuth. For Meebo, it gives an option to make their Meebo Bar more relevant among the publishers. For Google, this gives them another stick to beat Facebook Connect and Twitter’s identity system after they botched their OpenSocial plans. For users, this is supposed to give a better user experience with online authentication systems as it taps into the web services they use the most. In this post, I am going to briefly discuss about this new platform and see how it affects the SaaS users.

Definition Of The Problem:

One of the unique characteristics of the SaaS world is the mushrooming of vertical SaaS applications. Unlike the traditional software world, SaaS vendors focus on one niche area and do it well. The low cost of setting up a service in the current cloud based world has contributed to the mushrooming of services across many different verticals. This has lead to serious problems for both individual users and business organizations in terms of their identity and management. The problems range from issues like how the users’ are going to manage multiple usernames and passwords to how enterprises can ensure the credibility in authentication, authorization, etc.. Essentially, identity problem has become the biggest speed bump for the SaaS adoption.

From the individual users’ perspective, the myriad of SaaS applications poses a big problem with the handling of usernames and passwords as they have to remember too many of them. From an enterprise perspective, not only the proliferation of multiple usernames and passwords a big hassle, it also tears down their security because there is no way for them to enforce their security policies in this situation. On top of it, enterprises have to take care of regulatory requirements related to user access and any access to critical information. For example, Sarbanes-Oaxley requires an enterprise to implement stringent policy, processes and audit to regulate employee and non-employee access to critical business information. This makes SaaS identity problem a difficult one for the enterprises. In fact, this problem has turned away many users from SaaS, making this one of the most urgent problems facing the SaaS vendor community.

This is not just an issue of handling multiple identities but also an issue of lack of interoperability and presence of data silos. The lack of a single identity system to tie up multiple SaaS vendors/services makes interoperability and integration a more difficult problem to solve.

Potential Solutions and related issues:

One of the solutions is the federation of identity services. SaaS providers could outsource the identity and its management to third party providers and focus on their core competency. This way they could offer better rich functionality in their applications and better security. A federated system allows SaaS vendors to deploy stronger authentication, give SaaS users a choice of identity management services for authentication and, also, a way to enforce their authorization policies more effectively. There are many ways of doing implementing such a system, from a centralized provider like Facebook Connect to a more distributed option like OpenID.

Some users and organizations prefer a centralized approach because it is easy to use and manage. Plus, they will have a single throat to choke in case of a problem. However, this approach puts the user (or organization) at the mercy of the identity providers and it doesn’t bode well from a risk reduction perspective. On the other end of the spectrum is the OpenID, a distributed approach to identity and management. OpenID and OAuth could turn out to be the kind of solution we are looking for to solve the identity problems and interoperability issues. OpenID provides a single identity for the users with a distributed authentication system and OAuth provides a way to give access to users data without giving any access to the identity information. A combination of these two could offer a reliable and more secure authentication for the SaaS applications. However, the user experience with OpenID is very bad compared to, say, Facebook Connect. It leaves a lot to be desired and, hence, relatively lower adoption than what many originally envisioned. 

The problem with OpenID and OAuth based implementations is that it is too daunting for average users. They are both overwhelmed and confused by the choices offered to them from a myriad of identity providers. This discourages them from using SaaS based applications even though they don’t have to create yet another username and password. In fact, the difficulty with OpenID based implementations also poses considerable problems for enterprises wanting to implement an OpenID-OAuth based system for their users.

XAuth to the rescue?

XAuth is being pitched as a perfect solution to solve this problem. XAuth stands between the identity provider and SaaS applications and offers the users just a handful of identity providers based on their usage patterns. By observing the services they access regularly, XAuth offers the identity system of the most used services. This cuts down on the confusion and offers the users the service they are comfortable with. This solution greatly simplifies the identity management and has the potential to make SaaS interesting to them. In short, XAuth could increase SaaS adoption because

• It greatly simplifies the login experience of users by offering them to use the providers they are already using regularly
• Being open source, it makes it easy for SaaS vendors to implement XAuth

However, there is one potential problem that could make XAuth a non-starter. The way in which it observes the access patters of users is really creepy. It has the potential to create a backlash from the users. However, users can disable it completely by visiting XAuth.org from their browser. Personally, I would have preferred an opt-in mechanism rather than an opt-out mechanism. But I don’t see it as a roadblock either. We saw how user backlash on Gmail’s implementation of contextual text ads vanished once users started experiencing the superior user experience of Gmail. If XAuth manages to offer the users similar satisfying experience, their concerns about privacy will eventually go away.

if done right, XAuth could make SaaS more palatable to both consumers and enterprises. But, it is too early to predict how it will turn out. XAuth is not the miracle pill needed to solve the SaaS identity management problem but it is a neat trick to enhance the user experience. I would love to hear from the SaaS vendors to learn more about what they think of XAuth and whether they consider it to be part of their future plans. Feel free to post your comments or send me an email.