Rating and Certifying the Cloud Hosting and Web Application Providers. Part III

I have been slowly morphing my consulting practice. I usually offer myself as a product sector strategy asset. Product managers and VPs in the on-line applications business hire me to shoulder some of their burden when targeting specialist sectors - you know, industrial, technical, services, professional. These established clients usually have an idea of where their development efforts are heading. I came in to refine and prove the potential numbers. I developed approaches to paid subscriptions and industry specialty requirements, and I found innovative ways to exploit trade-specific marketing. I was the product manager's helper, and it was a good gig until about 2007, when the economy got soft. Analysts are the first to have their contracts cut.

Now I am delivering what I learned as an analyst, and applying it to evangelizing small and medium businesses. These folks are the end users I had quantified, targeted, and interviewed in my work for web application providers. Small and medium bizfolks perceive the benefits of hosted services and cloud computing. They clearly perceive the benefits of fault tolerance, licensing advantages, and a simplified communications topology. These smaller accounts are certainly numerous. Can they abide paying recurring computing fees forever? They certainly know that their internal server and workstation / mobile infrastructure (as traditionally delivered) costs them big time when things go bad. The SME / SMB, in other words, gets it. They get the benefits of Web based, cloud hosted stuff. They like getting out from under the local IT support guy, or the internal IT guy they are held hostage to. They look forward to a time when individual routers with special configurations are replaced by safe, centralized, fault tolerant networks, servers, and comm infrastructure that they can provision and pay for in a rational way.
They just don't know if they can trust you, or if you will be around long enough to justify the cut over. So, before I close this series, which might include one more post on brokering technical services between partners and competitors to backstop business continuity failures, I will talk briefly about ratings and certifications for any remote provider of compute and storage - out there in the cloud.

Established utility computing providers, like AWS, are probably uninsurable as far as clients' needs are concerned; they are too big, and any coverage they do have insures only their own facilities and operations. That does accrue somewhat to the client's benefit in the very long run, but it does nothing when the downtime occurs. In the case of the big dogs, your insurance is their size and their need to maintain a reputation. Eventually we will get our way, and instances of client computing services will get risk based pricing, preceded by business viability ratings and, of course, certifications for good facilities, operating procedures, and back office accounting standards. I'm willing to bet the ISO is working up something in their wild and crazy working groups as we speak.

One more thing: why is PAAS different? Briefly: clients using unitary applications or suites have invested a certain amount of time moving, for example, from thick client project management to a hosted solution. They have probably identified ways of moving the data off the platform (I hope), and so on. They are using an application, and we have all changed applications. PAAS is like marrying your company to .Net or some other standard. There is an investment, a rather large one for the SME, actually. For the lone developer making web apps, it's ok. The PAAS landscape is made of some very innovative and funny systems. I think you know what I mean. Some remind me of 4GL, some will let you host a language and framework but not the integral database, and some have language environments made from whole cloth. As a group they are fascinating and right on the cutting edge, and they are, as a group, under capitalized and illiquid. There are exceptions, but I will bet you the best dinner in Boston that one would be hard pressed to find a PAAS provider that would allow an industry ratings organization to inspect their capital and operations profile. If a SAAS application company is illiquid in its essence, then we find another and move the data. If a PAAS company is under capitalized, we have a larger set of problems. The way migration has been handled for PAAS failures has been shameful. Someone once asked me if the 25M round for an on-line storage provider places them in a well capitalized position; my answer was, "it depends, but generally, no, it is not considered well capitalized for the intended target and use case - 25M in a VC round ain't shit when rating a crucial service provider that has not attained sustained profitability and near perfect uptime." Now, on to ratings and certifications for the cloud.
What is the difference between a rating and a certification? For the purpose of underwriting the risks of business continuity failures due to computing failures, there is an assumed, informal distinction.

Ratings are gathered from the outside in: companies are surveyed, their clients are surveyed, and they provide voluntary information. Also, performance data is collected in the wild - you know, up-time, availability, responsiveness to support tickets, and the like. Ratings take time to compile. Sometimes ratings can be derived from historical data and a large set of participating clients. Risk based underwriting may make use of industry ratings, but the primary use of ratings, particularly those blessed by trade groups and associations, is to make clients comfortable. Finally, only when ratings do not jibe with reality does the following become apparent: ratings imply no promise of performance. This may seem like a small thing, a semantic difference, but for those who price IT risk for third party payouts, it's the whole ball game. One cannot rate a business's operational viability, nor its ability to survive and thrive, without invasive audits by trusted, confidential examiners from industry standards organizations.

So, this is where Certifications, capital C, come in. Certifications are invasive, involving on site auditing and live tests that determine specific functionality. ISO, SAS 70, and SysTrust are some of the certs currently in vogue for typical data center assurances. Unfortunately, none of these standards, as good as they are, really addresses all of the issues underwriters need in order to individually insure a client of a cloud host, SAAS or PAAS provider.
In the case of PAAS start ups, it's a messy process to accurately quantify risks when so much muscle and blood has been invested in cutting over incumbent processes - and the fact is that, for some reason, the PAAS providers, taken as a group, are some of the shakiest kids on the block. Big data centers can be certified, telecommunications can be certified, processes that handle customer data can be certified, etc. For these types of certs, the AICPA's SAS 70 and SysTrust are the best we have. In order to indemnify clients using remote IT services (SAAS, Clouds, Grids, PAAS), we may need more. You want more than SAS 70 or other certifications can deliver? The insurance underwriting industry, in its forward looking moments, knows that technology and operations are the least fragile variable in the total equation. In order to offer business continuity assurances to the Cloud's clients, the carriers want audited viability in the following areas:

1) Management background (the principals' backgrounds and disclosures being free from deception).
2) Operations audits (GAAP, records retention policies, maintenance procedures).
3) Operations liquidity (does the company pass the viability test for a "foreseeable period of operations that encompasses an adequate time horizon, considering the industry's typical cycle of periodic upgrades and major technical watersheds"?).
4) Security and exposure to 3rd party liabilities (does the company operate in a manner that would mitigate common IT liabilities for data security, loss, and mishandling of customer information?).

Once these broad systemic root certifications can be determined, either through existing industry organizations or via a new body, then the underwriters can start processing the risks involved. After the risk is priced, measures to operationally offset the risk can be applied. And..... once the risks are sufficiently offset and recalculated for those cloud offerings that voluntarily avail themselves of the aforementioned technically mitigated risks....then we can look forward to a developing insurance segment that can offer professional lines of coverage for cloud computing services.

Finally, finally, we come to the technical, operational offsets of client risks, where I am more familiar and on home ground. We will discuss using brokered services and APIs via blind third parties that will cover outages in the cloud. This is where the real work gets done. Without offsetting risks, there may never be adequate coverage options for clients of the cloud. Next post!