The Strategist: Certification Services for the Cloud - Reliability, Continuity,

and Indemnification Against Outages

Fog envelops the Golden Gate Bridge and approa...Image via Wikipedia

I am going to write about a project that got stranded on my research pile when a
well funded client decided that they did not wish to complete the contractual
research allocation. The research directives encompassed finding a preliminary
business model for underwriting business continuity risk within the rubric of
cloud applications and hosting services. A concomitant directive was to research
new and existing technological models that would offset the risk of such
underwriting programs.

So there was an insurance underwriting and actuarial side, and a real systems
side. I was to uncover the insurance industry's perspective on underwriting SAAS
/PAAS / Cloud, etc. I was to bring to the partner underwriters technical proposals
that would offset the risk. The project was on a roll and then still birthed. I
think it still has merit. I think that the failure of several VC funded net
storage start ups points to this, and that even recent hours-long outages in the
'clouds of the mighty', should indicate that this analysis was not a complete
waste of time. I certainly uncovered gaping holes in the standard insurance
industry lines when underwriting business interruptions and continuity for
advanced hosting and SAAS.

I am under NDA as to the identity and specific plans of the client, but what I
learned, and the contacts I made, cannot encumber my portfolio of analysis and
career endeavors. I have that in writing, and the former client, admitting to the
invocation of an early termination clause, is cool with that - bigger crises on
the home front and all.

We analysts wouldn't be worth much if we couldn't (at least sometimes) feel things
coming 'round the bend. Before the words "economic crisis" became a meme for all
subsequent business failures, many esteemed colleagues felt there was excess
capital flowing into redundant business models (YASN and YAVSS, for the
initiated). This was an evil wind with bad portents. Too much VC cake was handed
over to the 'Valley Undertakers", i.e., entrepreneurs who had fostered serial
failures, break-evens, and maybe one or two small M&A's, but who in the big
picture had no business getting that much access to capital. So that's the
tableaux we have set at around 3/07.

I was working for an R&D lab in South San Francisco when my self-billed services
(product strategy under contract) started softening. I was counting on an implied
renewal to extend a six month term to 18-24 months. Well, they said they loved
me.I was not alone in the exodus from Gateway Blvd.

I also had several quotes out around the Valley, and performed several live
pitches for real make-money product strategies based on bedrock research. But
something was in the air, a whiff of fear in the faces of those I was pitching,
even at the most august institutions. I've always been a realist, and this was
well prior to the words 'economic meltdown' becoming CNBC's daily mantra. Many of
my analyst-contractor colleagues in the Northern CA high technology sector also
started to feel the chill.

So it happened to me a little before it happened to many of you. Despite accolades

for the stellar work I performed, my contract was not renewed, and all my pitches
and proposals in and near the city of San Francisco were not closing at the usual
pace I was accustomed to. Until 2006ish, I could close in a month or two. Now in
'07 I was being braced by the clients to be ready to sit on contracts for up to
90+ days. One of them closed and was aborted after 120 days. That project, hosted
solutions business continuity underwriting and preemptive outage prevention, was a
real money machine, with potential users, a realistic existing market model, and
had reality baked-in. You get the idea. Sound business models are sometimes not
enough when fear is in the air.

I researched market strategies for services offerings to rate, certify, and offer
business continuity solution services for....."The Cloud". I want you all now to
recall that in late '06 mid '07 "cloud" meant many things and had not yet gained
that buzz cachet that it has now.

Cloud, ASP, SAAS, Hosted solution - all it means to the small and medium business
owner is, "no in-house infrastructure or software', or put more simply, "no stuff
here". Oh, throw in the poorly defined term, "Grid". The subtle and not so subtle
distinctions of transparent scalability, fault tolerance, and configure-ability
are lost on most bread and butter businesses. I try where possible to avoid these
distinctions with my clients, except to point out that a dedicated or multi-tenant
web host or erstwhile server used for whatever purpose is not cloud like - in that
we expect a certain amount of inherent scalability or flexible options for
configuration with Cloud or Hosted grid offerings.

In other words: If you can point to the machine and its downtime or a request for
upgrades in capacity generates a ticket, that's not "Cloud-like". If you can
expect a certain level of independence from single point failures and have the
ability to remotely configure additional capacity, well then, there you go.

SAAS and PAAS solutions; well, since we usually don't get to choose the hardware
for these applications, we usually almost never know if the provider of say,
project management or accounting web services is Cloud like or not. These services
may be running on infrastructure that is decidedly vulnerable to single point
failures and scalability deficits. I'm fairly certian that many of the early
entrants to the SAAS space were quite pedestrian in their hardware systems. But we
never will know these things about a 37 Signals, or a Salesforce - what they run
is what they run. But, their services are, "out there", as opposed to "here", and
we pay by the month...so there you go again.

Shoot, that was a long preamble to an article on third party certification and
business continuity services for hosted applications, cloud services, and
customers of SAAS / PAAS, etc.

My work uncovered much ugliness in the arena of newly minted SAAS start ups
offering webs apps covering accounting, project management, document management,
etc. These sincere folks, many of them, did not have the legs to weather any
storm. Being cockeyed optimists, they never conveyed their worst case scenarios to
clients that considered the service mission critical. Who's fault is that? - the
customers for lack of due diligence, or the SAAS vendor? My early investigations
pointed to a real thorny issue: Are any of these New Age SAAS providers, save for
the select few, worthy of being underwritten against disruptions to client
continuity?

In order to mitigate against a panoply of risk factors (such as under

capitalization, under provisioning, etc.) I had to come up with some benchmark
program requirements. I did this in concert with some other analysts who work in
the more narrow field of recovery and fault tolerance. I had to find a way to get
insurers involved in the actuarial portion of the solution so we could price the
risk, and I had to get offsetting technological solutions to solve 90% or so of
the most common technical / strategic disruptions to operations. There was, as
well, a component of financial analysis that addressed transient issues of
reinsurance that would stave off the kind of unnecessary business failures that in
turn morph into technical failures. All of these issues are thorny and
interconnected.

One of the most interesting areas of provisioning services for ensuring continuity
of Cloud Hosting services was the use of competitive services for backstopping
outages. This entailed proposals for mutual anonymity, competitive protections,
etc., all while making sure that services would continue and that data would be
protected without endangering a provider's relationship with a client. Fascinating
stuff.

The study of mutually reinforcing the interlocking forces of business viability on

the part of the services providers, and the needs of the clients who are buying
into this pool of insurance products, was a wild research docket that should have
lasted well into 2009, but got stalled at day 120; it was just enough to whet my
appetite. Ratings, certifications, standards, reinsurance, double blind technical
services coverage by and for competitors (cost effectively and confidentially
provisioned!) - This was a juicy assignment and an analyst's dream.

I wonder if the concept still has legs? In my next post, I will list some of the
actual programs and concerns that the research entailed. Or, maybe I will extend
the current post.
Related articles by Zemanta

* CloudNews for February 6th, 2009 (cloudave.com)

* 5 more fresh articles...

Zemanta Pixie